From f50f184280f934274a2b5495084e98a6186d5a96 Mon Sep 17 00:00:00 2001 From: Petr Ruzicka Date: Wed, 1 May 2024 08:00:01 +0200 Subject: [PATCH] feat(gha): update gha, update Dockerfile and add clamv, tree outputs --- .github/renovate.json5 | 4 +- .github/workflows/mega-linter.yml | 5 +- .github/workflows/renovate.yml | 9 +-- .github/workflows/semantic-pull-request.yml | 11 +++- .github/workflows/stale.yml | 1 + .mega-linter.yml | 2 +- Dockerfile | 26 ++++++--- README.md | 63 +++++++++++---------- 8 files changed, 71 insertions(+), 50 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 1117e58..1a30636 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -1,14 +1,16 @@ { $schema: "https://docs.renovatebot.com/renovate-schema.json", + // Keep the extends started with ":" at the end of the list to allow overriding extends: [ "config:recommended", "docker:pinDigests", "helpers:pinGitHubActionDigestsToSemver", "security:openssf-scorecard", ":disableDependencyDashboard", - ":docker", ":disableRateLimiting", + ":docker", ":enableVulnerabilityAlertsWithLabel(security)", + ":pinSkipCi", ], "git-submodules": { enabled: true, diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 098688f..35299cd 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -38,8 +38,9 @@ jobs: chmod a+x README.sh - name: 💡 MegaLinter - uses: oxsecurity/megalinter@a7a0163b6c8ff7474a283d99a706e27483ddd80f # v7.10.0 + uses: oxsecurity/megalinter@03986e6993ccf699a22451118520680b438e7d2a # v7.11.1 env: GITHUB_COMMENT_REPORTER: false - GITHUB_STATUS_REPORTER: true + # Disabled due to error: [GitHub Status Reporter] Error posting Status for REPOSITORY with ...: 403 + GITHUB_STATUS_REPORTER: false GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index f9b67b2..e8a92c0 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -20,7 +20,7 @@ on: - main - "!renovate/*" schedule: - - cron: "0 0,2,4 * * 0" + - cron: "0 0-3 * * 0" env: # https://docs.renovatebot.com/troubleshooting/#log-debug-levels @@ -45,6 +45,7 @@ jobs: runs-on: ubuntu-latest concurrency: group: ${{ github.workflow }}-${{ github.ref }} + permissions: write-all steps: - name: Checkout uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 @@ -53,9 +54,9 @@ jobs: id: app-token with: app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }} - private-key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}" + private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }} - name: 💡 Self-hosted Renovate - uses: renovatebot/github-action@2d90417499f45ff78a09586f7b9874b19817dba3 # v40.1.0 + uses: renovatebot/github-action@89bd050bafa5a15de5d9383e3129edf210422004 # v40.1.5 with: - token: "${{ steps.app-token.outputs.token }}" + token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml index fbaa8d1..abd2947 100644 --- a/.github/workflows/semantic-pull-request.yml +++ b/.github/workflows/semantic-pull-request.yml @@ -2,6 +2,7 @@ name: semantic-pull-request on: + workflow_dispatch: pull_request_target: types: - opened @@ -15,6 +16,12 @@ jobs: semantic-pull-request: runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 + - uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3 + id: app-token + with: + app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }} + private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }} + + - uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e # v5.5.2 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 6814ecf..5acceea 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -2,6 +2,7 @@ name: stale on: + workflow_dispatch: schedule: - cron: "9 9 * * *" diff --git a/.mega-linter.yml b/.mega-linter.yml index 24bf598..493531b 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -33,7 +33,7 @@ REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS16 REPOSITORY_KICS_ARGUMENTS: --fail-on high -REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL +REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL --ignore-unfixed TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: - GITHUB_TOKEN diff --git a/Dockerfile b/Dockerfile index 9f03484..baec61d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ -FROM python:3.12.0-alpine3.17@sha256:fc34b07ec97a4f288bc17083d288374a803dd59800399c76b977016c9fe5b8f2 as build +FROM python:3.12-alpine3.19 as build -ENV XMRIG_VERSION="6.20.0" +ENV XMRIG_VERSION="6.21.3" # xmrig RUN set -eux && \ @@ -12,7 +12,7 @@ RUN set -eux && \ # Compile own version of xmrig cryptominer RUN set -eux && \ if [ "$(uname -m)" = "x86_64" ]; then \ - apk add --no-cache git make cmake libstdc++ gcc g++ libuv-dev openssl-dev hwloc-dev && \ + apk add --no-cache automake autoconf cmake g++ gcc git libstdc++ libtool linux-headers make && \ git clone --branch "v${XMRIG_VERSION}" https://github.com/xmrig/xmrig && \ sed -i \ -e 's/APP_ID.*/APP_ID "myxmrig"/' \ @@ -20,9 +20,11 @@ RUN set -eux && \ -e 's/APP_DESC.*/APP_DESC "My XMRig miner"/' \ -e 's/APP_VERSION.*"\(.*\)"/APP_VERSION "\1-my"/' \ xmrig/src/version.h && \ - cmake -S xmrig -B xmrig/build && make -C xmrig/build -j"$(nproc)" && \ - ./xmrig/build/xmrig --version && \ - mv ./xmrig/build/xmrig /mnt/xmrig/my-xmrig ; \ + mkdir xmrig/build && \ + ( cd xmrig/scripts && ./build_deps.sh ) && \ + ( cd xmrig/build && cmake .. -DXMRIG_DEPS=scripts/deps -DBUILD_STATIC=ON && make -j"$(nproc)" ) && \ + xmrig/build/xmrig --version && \ + mv xmrig/build/xmrig /mnt/xmrig/my-xmrig ; \ fi # eicar @@ -44,7 +46,7 @@ RUN set -eux && \ # Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Title: Password List for March 26th 1999, Subject: Adult Website Passwords, Author: John Holmes, Keywords: 73 sites in this list, Comments: Password List for March 26th 1999, Template: Normal.dot, Last Saved By: Him, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Create Time/Date: Fri Mar 26 11:39:00 1999, Last Saved Time/Date: Fri Mar 26 11:39:00 1999, Number of Pages: 2, Number of Words: 745, Number of Characters: 4249, Security: 0 wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Virus/Melissa.doc" -O /mnt/Melissa.doc && \ # Mach-O 64-bit x86_64 executable, flags: - wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6" -O /mnt/TrojanSpy.MacOS.XCSSET.A && \ + wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6" -O /mnt/TrojanSpy.MacOS.XCSSET.A.bin && \ # DOS executable (COM) wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Virus/Walker.com" -O /mnt/Walker.com && \ # PE32 executable (GUI) Intel 80386, for MS Windows @@ -81,14 +83,20 @@ RUN set -eux && \ # Java archive data (JAR) wget -q "https://github.com/HonbraDev/fractureiser-samples/raw/221bcc4bf45d5896f8908b21d5a8f3e7fcbc2875/stage-0-infected-DisplayEntityEditor-1.0.4.jar" -O /mnt/Trojan.Java.Fractureiser.MTB.jar +RUN set -eux && \ + apk add --no-cache clamav file tree && \ + freshclam --quiet && \ + tree --dirsfirst /mnt/ && \ + file /mnt/eicar/* /mnt/xmrig/* /mnt/* && \ + ( clamscan --infected --no-summary --recursive /mnt/ || true ) + COPY img /mnt/img COPY README.md /mnt/ RUN set -eux && \ - # Bug with versions: https://github.com/joeyespo/grip/issues/377 # renovate: datasource=pypi depName=grip GRIP_VERSION="4.6.2" && \ - pip install --no-cache-dir grip=="${GRIP_VERSION}" flask==2.3.3 werkzeug==2.3.7 && \ + pip install --no-cache-dir grip=="${GRIP_VERSION}" && \ grip /mnt/README.md --export /mnt/index.html ################################################################################ diff --git a/README.md b/README.md index 79adcfe..080cc0e 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ Security tools should be able to scan the image and discover harmful files. > do not "activate" / "execute" the malware. - Container Image: - - [quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2](https://quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2) + - [quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0](https://quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0) - Container Registry: - - Container build pipeline: @@ -54,18 +54,26 @@ The malware/crypto miner are located in the `/usr/share/nginx/html` directory: ```text /usr/share/nginx/html +├── eicar +│   ├── eicar.com [EICAR virus test files] +│   ├── eicar.com.txt [EICAR virus test files] +│   └── eicarcom2.zip [Zip archive data, at least v1.0 to extract] +├── xmrig +│   ├── my-xmrig [ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped] +│   ├── xmrig [ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped] +│   └── xmrig-linux-static-x64.tar.gz [gzip compressed data, from Unix, original size modulo 2^32 8291840] ├── ILOVEYOU.vbs [C source, ASCII text] ├── Invoke-ConPtyShell.ps1 [ASCII text, with very long lines (361)] ├── L0Lz.bat [DOS batch file, ASCII text] ├── Linux.Trojan.Multiverze.elf.x86 [ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, with debug_info, not stripped] -├── MadMan.exe [MS-DOS executable] +├── MadMan.exe [MS-DOS executable, MZ for MS-DOS] ├── Melissa.doc [Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Title: Password List for March 26th 1999, Subject: Adult Website Passwords, Author: John Holmes, Keywords: 73 sites in this list, Comments: Password List for March 26th 1999, Template: Normal.dot, Last Saved By: Him, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Create Time/Date: Fri Mar 26 11:39:00 1999, Last Saved Time/Date: Fri Mar 26 11:39:00 1999, Number of Pages: 2, Number of Words: 745, Number of Characters: 4249, Security: 0] ├── Py.Trojan.NecroBot.py [Python script, ASCII text executable, with very long lines (4330), with CRLF line terminators] -├── TrojanSpy.MacOS.XCSSET.A [Mach-O 64-bit x86_64 executable, flags:] -├── Trojan.Java.Fractureiser.MTB.jar [Trojan:Java/Fractureiser!MTB] +├── Trojan.Java.Fractureiser.MTB.jar [Java archive data (JAR)] +├── TrojanSpy.MacOS.XCSSET.A.bin [Mach-O 64-bit x86_64 executable, flags:] ├── Txt.Malware.Sustes.sh [Bourne-Again shell script, ASCII text executable] ├── Unix.Downloader.Rocke.sh [POSIX shell script, ASCII text executable] -├── Unix.Malware.Kaiji.elf.arm [ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=9fdmXJhReUX31Gj9ZEYg/ufudXOOpAambiyMItr13/otwZTTTdWsnO_OuvAAn-/qn6mMLxbKwGft_Ecoum6, stripped] +├── Unix.Malware.Kaiji.elf.arm [ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go, stripped] ├── Unix.Trojan.Mirai.elf.m68k [ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped] ├── Unix.Trojan.Mirai.elf.mips [ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped] ├── Unix.Trojan.Mirai.elf.ppc [ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped] @@ -73,20 +81,21 @@ The malware/crypto miner are located in the `/usr/share/nginx/html` directory: ├── Unix.Trojan.Mirai.elf.x86_64 [ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped] ├── Unix.Trojan.Spike.elf.arm [ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, with debug_info, not stripped] ├── Walker.com [DOS executable (COM), start instruction 0xe9cd04e8 5400e871] -├── WannaCry.exe [PE32 executable (GUI) Intel 80386, for MS Windows] +├── WannaCry.exe [PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections] ├── Win.Trojan.Perl.perl [Perl script text executable] -├── Zloader.xlsm [Microsoft Excel 2007+] -├── eicar -│   ├── eicar.com [EICAR virus test files] -│   ├── eicar.com.txt [EICAR virus test files] -│   └── eicarcom2.zip [Zip archive data, at least v1.0 to extract] -└── xmrig - ├── xmrig [ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped] - └── xmrig-linux-static-x64.tar.gz [gzip compressed data, last modified: Sun Oct 23 10:50:44 2022, from Unix, original size modulo 2^32 8898560] +└── Zloader.xlsm [Microsoft Excel 2007+] ``` List of malware/ransomware/crypto miner files: +- [eicar](https://secure.eicar.org/eicar.com) + [EICAR virus test files] + - [Virustotal](https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f) + - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/) +- [xmrig](https://xmrig.com/) + [ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped] + - [Virustotal](https://www.virustotal.com/gui/file/0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404) + - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404) - [ILOVEYOU.vbs](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Email-Worm/ILOVEYOU.vbs) [C source, ASCII text] - [Virustotal](https://www.virustotal.com/gui/file/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1) @@ -174,22 +183,14 @@ List of malware/ransomware/crypto miner files: [PE32 executable (GUI) Intel 80386, for MS Windows] - [Virustotal](https://www.virustotal.com/gui/file/be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844) - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844) -- [Zloader.xlsm](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Banking-Malware/Zloader.xlsm) - [Microsoft Excel 2007+] - - [Virustotal](https://www.virustotal.com/gui/file/90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c) - - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c) - [Win.Trojan.Perl.perl](https://github.com/timb-machine/linux-malware/raw/main/malware/binaries/Win.Trojan.Perl/9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44.perl) [Perl script text executable] - [Virustotal](https://www.virustotal.com/gui/file/9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44) - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44) -- [eicar](https://secure.eicar.org/eicar.com) - [EICAR virus test files] - - [Virustotal](https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f) - - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/) -- [xmrig](https://xmrig.com/) - [ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped] - - [Virustotal](https://www.virustotal.com/gui/file/0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404) - - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404) +- [Zloader.xlsm](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Banking-Malware/Zloader.xlsm) + [Microsoft Excel 2007+] + - [Virustotal](https://www.virustotal.com/gui/file/90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c) + - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c) ## Deployment of the vulnerable image @@ -206,7 +207,7 @@ export AWS_DEFAULT_REGION="eu-central-1" aws cloudformation deploy --capabilities CAPABILITY_IAM \ --stack-name "${USER}-malware-cryptominer-container-ec2" \ - --parameter-overrides "ContainerImage=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2" \ + --parameter-overrides "ContainerImage=quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0" \ --template-file EC2InstanceWithDockerSample.yaml \ --tags "Name=${USER}-malware-cryptominer-container-ec2" @@ -222,7 +223,7 @@ example: export AWS_DEFAULT_REGION="eu-central-1" copilot init --app "${USER}-malware-cryptominer-app" --name "${USER}-malware-cryptominer" \ - --image quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2 \ + --image quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0 \ --type 'Load Balanced Web Service' --port 8080 --deploy # copilot app delete --name "${USER}-malware-cryptominer-app" @@ -238,7 +239,7 @@ export CLUSTER_NAME="${USER}-malware-cryptominer-eks" export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf" eksctl create cluster --name "${CLUSTER_NAME}" --instance-types t3a.small --kubeconfig "${KUBECONFIG}" -kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2 +kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0 # eksctl delete cluster --name "${CLUSTER_NAME}" ``` @@ -813,7 +814,7 @@ End Date: 2023:01:04 08:06:51 ## Verify image integrity ```bash -IMAGE="quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2" +IMAGE="quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0" cosign verify "${IMAGE}" | jq cosign verify "${IMAGE}" | jq -r '.[].optional| .Issuer + " | " + .Subject + " | " + .githubWorkflowRef + " | https://rekor.tlog.dev/?logIndex=" + (.Bundle.Payload.logIndex|tostring)' @@ -848,5 +849,5 @@ docker run -it --rm --entrypoint=/bin/sh --user root -p 8080:8080 malware-crypto Run in Kubernetes: ```bash -kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2 +kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0 ```