CFEngine 3.11.01b on Bashbunny

This is meant for autonomous non-networked systems where we
take the advantage of CFEngine and Bashbunny automation. I liked this exercise as it shows
the great potential of CFEngine as well as the Bashbunny. Now the Bashbunny is an attacking tool, and Im not going to exploit any systems here with CFEngine, rather we put it to good use and use the “evil” device as our policy hub.

Assuming we all know how to configure Bashbunny :)

Check the bunny hostname is correctly set in /etc/hosts on the Bashbunny
if not add to /etc/hosts (Otherwise cf-serverd will have issues)

172.16.64.1 bunny

Check the /etc/dhcp/dhcpd.conf   range 172.16.64.10  172.16.64.12 and set to only one value range 172.16.64.64  172.16.64.64

Make sure to set a sane date as the Bashbunny does not know what time it is

root@bunny:~# date -s "20170618 09:00"

# apt-get update
# apt-get -y install autoconf bison build-essential curl git-core libapr1
 libaprutil1 libcurl4-openssl-dev libgmp3-dev libpcap-dev libpq-dev
 libreadline6-dev libsqlite3-dev libssl-dev libsvn1 libtool libxml2
 libxml2-dev libxslt-dev libyaml-dev locate ncurses-dev openssl wget
 xsel zlib1g zlib1g-dev

Lets build CFEngine on armv7l (no pre-built binaries for arm on CFEgnine webpage)

root@bunny:~#mkdir CFENGINE
root@bunny:~CFENGINE# wget https://cfengine-package-repos.s3.amazonaws.com/tarballs/cfengine-3.11.0b1.tar.gz

Run configure

root@bunny:~/CFENGINE/cfengine-3.11.0b1# ./configure
 <---snip---->
 checking for getconf... /usr/bin/getconf
 checking for the pthreads library -lpthreads... no
 checking whether pthreads work without any flags... no
 checking whether pthreads work with -Kthread... no
 checking whether pthreads work with -kthread... no
 checking for the pthreads library -llthread... no
 checking whether pthreads work with -pthread... yes
 checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
 checking if more special flags are required for pthreads... no
 checking for PQconnectdb in -lpq... yes
 checking libpq-fe.h usability... yes
 checking libpq-fe.h presence... yes
 checking for libpq-fe.h... yes
 which: no mysql_config in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/alpha-unknown-linux-gnu/gcc-bin/4.9.3)
 checking for mysql_real_connect in -lmysqlclient... no
 checking mysql.h usability... no
 checking mysql.h presence... no
 checking for mysql.h... no
 checking for EVP_CIPHER_CTX_init in -lmysqlclient... no
 checking for mdb_dbi_open in -llmdb... no
 configure: error: Cannot find Lightning MDB

Get lmdb

root@bunny:~/CFENGINE/cfengine-3.11.0b1# wget https://github.com/LMDB/lmdb/archive/mdb.master.zip
root@bunny:~/CFENGINE/lmdb-mdb.mster/libraries/liblmdb# make

gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mdb.c
INIT: Id "hvc0" respawning too fast: disabled for 5 minutes
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c midl.c
ar rs liblmdb.a mdb.o midl.o
ar: creating liblmdb.a
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -fPIC -c mdb.c -o mdb.lo
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -fPIC -c midl.c -o midl.lo
gcc -pthread -shared -o liblmdb.so mdb.lo midl.lo
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mdb_stat.c
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized mdb_stat.o liblmdb.a -o mdb_stat
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mdb_copy.c
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized mdb_copy.o liblmdb.a -o mdb_copy
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mdb_dump.c
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized mdb_dump.o liblmdb.a -o mdb_dump
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mdb_load.c
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized mdb_load.o liblmdb.a -o mdb_load
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mtest.c
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized mtest.o liblmdb.a -o mtest
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mtest2.c
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized mtest2.o liblmdb.a -o mtest2
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mtest3.c
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized mtest3.o liblmdb.a -o mtest3
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mtest4.c
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized mtest4.o liblmdb.a -o mtest4
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mtest5.c
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized mtest5.o liblmdb.a -o mtest5

root@bunny:~/CFENGINE/lmdb-mdb.mster/libraries/liblmdb# make install

mkdir -p /usr/local/bin
mkdir -p /usr/local/lib
mkdir -p /usr/local/include
mkdir -p /usr/local/share/man/man1
for f in mdb_stat mdb_copy mdb_dump mdb_load; do cp $f /usr/local/bin; done
for f in liblmdb.a liblmdb.so; do cp $f /usr/local/lib; done
for f in lmdb.h; do cp $f /usr/local/include; done
for f in mdb_stat.1 mdb_copy.1 mdb_dump.1 mdb_load.1; do cp $f /usr/local/share/man/man1; done

Return to cfengine configure

root@bunny:~/CFENGINE/cfengine-3.11.0b1# ./configure

Summary:
 > Version: 3.11.0b1
 > Required libraries
 -> OpenSSL: default path
 -> PCRE: default path
 > Optional libraries
 -> MySQL connector: disabled
 -> PostgreSQL connector: default path
 -> DB: Lightning MDB: default path
 -> libvirt: disabled
 -> libacl: default path
 -> libcurl: disabled
 -> libyaml: default path
 -> libxml2: default path
 -> User promises: PAM/user* tools
 -> Enterprise extensions: Plugin or not included
 -> init.d script: disabled
 -> Systemd service: disabled
 -> Workdir: /var/cfengine
 -> Masterdir: default
 -> Inputdir: default
 -> Logdir: /var/cfengine
 -> Piddir: /var/cfengine
 -> Statedir: default

DONE: Configuration done. Run make/gmake to build CFEngine Community

root@bunny:~/CFENGINE/cfengine-3.11.0b1# make && make install

Get masterfiles

# wget https://cfengine-package-repos.s3.amazonaws.com/tarballs/cfengine-masterfiles-3.11.0b1.tar.gz
# cd cfengine-masterfiles-3.11.0b1
# make
# make install

Run some final configurations

root@bunny:/var/cfengine# ./bin/cf-key

Now edit the cf-serverd configuration part in masterfiles

vi /var/cfengine/masterfiles/controls/cf_serverd.cf

And set the following values for allowconnects, allowallconnects, bindtointerface and access

allowconnects => { "127.0.0.1" , "172.16.64.64"};
allowallconnects => { "127.0.0.1" , "172.16.64.64"};
bindtointerface => "172.16.64.1";

bundle server access_rules()

{
 access:

any::

"$(def.dir_masterfiles)"
 handle => "server_access_grant_access_policy",
 shortcut => "masterfiles",
 comment => "Grant access to the policy updates",
 admit => { "172.16.64.64" };

"$(def.dir_software)"
 handle => "server_access_grant_access_datafiles",
 comment => "Grant access to software updates",
 admit => { "172.16.64.64" };

"$(def.dir_bin)"
 handle => "server_access_grant_access_binary",
 comment => "Grant access to binary for cf-runagent",
 admit => { "172.16.64.64" };

"$(def.dir_modules)"
 handle => "server_access_grant_access_modules",
 shortcut => "modules",
 comment => "Grant access to modules directory",
 admit => { "172.16.64.64" };

"$(def.dir_plugins)"
 handle => "server_access_grant_access_plugins",
 comment => "Grant access to plugins directory",
 admit => { "172.16.64.64" };

"$(def.dir_templates)"
 handle => "server_access_grant_access_templates",
 shortcut => "templates",
 comment => "Grant access to templates directory",
 admit => { "172.16.64.64" };

enterprise_edition.policy_server::
 "collect_calls"
 resource_type => "query",
 admit_ips => { "172.16.64.64" };
root@bunny:/var/cfengine# cp -r promises.cf ../inputs
 root@bunny:/var/cfengine# /var/cfengine/bin/cf-agent -KI

Prepare the cfengine distributioin folder on the Bashbunny to serve to clients
(Go back home)

root#bunny:~# mkdir cfengine && cd cfengine
root#bunny:~/cfengine#

Download all deb and RPMs from https://cfengine.com/product/community/

root@bunny:/var/cfengine# wget https://cfengine-package-repos.s3.amazonaws.com/community_binaries/cfengine-community_3.11.0b1-1_i386.deb
root@bunny:/var/cfengine# wget https://cfengine-package-repos.s3.amazonaws.com/community_binaries/cfengine-community_3.11.0b1-1_amd64.deb
root@bunny:/var/cfengine# https://cfengine-package-repos.s3.amazonaws.com/community_binaries/cfengine-community-3.11.0b1-1.i386.rpm
root@bunny:/var/cfengine# https://cfengine-package-repos.s3.amazonaws.com/community_binaries/cfengine-community-3.11.0b1-1.x86_64.rpm

Create an installer script called cfengine-install.sh for CFEngine on clients (Debian based checker only), place this shellscript in the /root/CFENGINE/ directory

#!/bin/bash
 #This script is only for debian based systems now .. feel free to expand

if [ "$(uname -m)" == "x86_64" ] && [ "$(gawk -F= '/^ID_LIKE/{print $2}' /etc/os-release)" == "debian" ];
 then
 wget -nc http://172.16.64.1/root/cfengine/cfengine-community_3.10.1-1_amd64-debian7.deb && dpkg -i cfengine-community_3.10.1-1_amd64.deb
 exit 0
 elif [ "$(uname -m)" == "x86_64" ] && [ "$(gawk -F= '/^ID_LIKE/{print $2}' /etc/os-release)" == "ubuntu" ];
 then
 wget -nc http://172.16.64.1/root/cfengine/cfengine-community_3.10.1-1_amd64-debian7.deb && dpkg -i cfengine-community_3.10.1-1_amd64.deb
 exit 0

elif [ "$(uname -m)" == "i686" ] && [ "$(gawk -F= '/^ID_LIKE/{print $2}' /etc/os-release)" == "debian" ];
 then
 wget -nc http://172.16.64.1/root/cfengine/cfengine-community_3.10.1-1_i386.deb && dpkg -i cfengine-community_3.10.1-1_i386.deb
 exit 0
 elif [ "$(uname -m)" == "i686" ] && [ "$(gawk -F= '/^ID_LIKE/{print $2}' /etc/os-release)" == "ubuntu" ];
 then
 wget -nc http://172.16.64.1/root/cfengine/cfengine-community_3.10.1-1_i386.deb && dpkg -i cfengine-community_3.10.1-1_i386.deb
 exit 0
 else
 echo "Unknown architecture"
 fi

Next Create your fisrst promises for Bashbunny CFEngine automation, you can use the nice documentation https://docs.cfengine.com/docs/3.10/

On the Bashbunny do setup your (switch1 or switch 2) payload.txt

ATTACKMODE HID STORAGE ECM_ETHERNET
 #Set some current time ..... check your watch
 date -s "20170618 21:23"

LED ATTACK
 python -m SimpleHTTPServer 80 &
 /var/cfengine/bin/cf-serverd &&
 LED FINISH

LED R 300
 Q ALT F2
 Q DELAY 3000
 # Im using xterm in my example, this is intended for a Window manager environment on Xorg
 Q STRING xterm
 Q ENTER
 Q DELAY 200
 Q ENTER
 Q STRING wget -nc http://172.16.64.1/root/cfengine/cfengine-install.sh
 Q ENTER
 Q DELAY 500
 Q STRING chmod +x cfengine-install.sh
 Q ENTER
 Q DELAY 200
 Q STRING
 Q ENTER
 Q STRING cat
 Q ENTER
 Q STRING Now you can run the installer script to boot-strap your system
 Q ENTER
 Q STRING Please elevate to root or sudo the installer afterwards and run
 Q ENTER
 Q STRING the cf-install.sh script in your path
 Q ENTER
 Q CTRL C
 Q STRING ls -ls cfengine-install.sh
 Q ENTER
 LED G
 LED FINISH

On the host once the Bashbunny finishes please run the following sequence to get fully bootsrapped to the cf-serverd running inside the Bashbunny.

# /etc/init.d/cfengine3 status
 cf-execd is not running
 cf-serverd is not running
 cf-monitord is not running
 # /etc/init.d/cfengine3 start
 No policy found in /var/cfengine/inputs/promises.cf, not starting core daemons
 # cp -r /var/cfengine/masterfiles/* /var/cfengine/inputs/
 # /etc/init.d/cfengine3 start
 Starting cf-execd...
 Starting cf-serverd...
 Starting cf-monitord...
 #cf-agent --bootstrap 172.16.64.1

Attaching a video demonstration of the Bashbunny and CFEngine

Advertisements
Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s