Chef-environment.md
# Chef environment

Here is an example of deploying a basic Chef environment: the Chef Server, the Chef workstation, and nodes provisioned with the wargames cookbooks.

Use the `chef-environment.pentestrc` resource file to spawn the environment:

```
> PENTESTRC=examples/chef-environment.pentestrc vagrant status
Current machine states:

chef-server               not created (virtualbox)
chef-workstation          not created (virtualbox)
cs-dvwa                   not created (virtualbox)
cs-webgoat                not created (virtualbox)
cs-gruyere                not created (virtualbox)
cs-vicnum                 not created (virtualbox)
cs-bricks                 not created (virtualbox)

This environment represents multiple VMs. The VMs are all listed
above with their current state. For more information about a specific
VM, run `vagrant status NAME`.
```

First, we create and provision the Chef server, then the workstation:

```
> export PENTESTRC=examples/chef-environment.pentestrc
> vagrant up chef-server
...
> vagrant up chef-workstation
```

The Chef Server is provisioned with chef-solo. The workstation is first provisioned with chef-solo, which bootstraps the server and configures the workstation, and then with chef-client, which registers the node with the server.

The workstation will throw a 403 Forbidden when trying to update its Chef node on the Chef server, because the newly created client does not have sufficient permission to update the node. We will fix that for all nodes at the end of provisioning with knife-acl.

Once both the server and the workstation are provisioned, we can deploy the wargames nodes, which are provisioned with chef-client:

```
> vagrant up cs-dvwa
> vagrant up cs-webgoat
> vagrant up cs-gruyere
> vagrant up cs-vicnum
> vagrant up cs-bricks
```

All machines will fail with the same 403 Forbidden error.

## Post provisioning

To fix the permission issue, connect to the workstation and set up the ACLs on the server:

```
> vagrant ssh chef-workstation
$ sudo su
# for n in workstation dvwa webgoat gruyere vicnum bricks; do knife acl add client $n nodes $n read,update; done
```

This way, each client can update its own node's attributes on the server at the end of the converge, and nothing else.
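As an added illustration (not code from the repository described here), the one-line loop above can be wrapped in a small script that keeps every grant scoped to the client's own node, refuses unexpected client names before they reach knife, and supports a dry run so the exact `knife acl add` commands can be reviewed first. `KNIFE_CMD` and `DRY_RUN` are variable names assumed here, not part of knife-acl:

```shell
#!/bin/sh
# Added example, not part of the original repository: grant every Chef client
# read,update on its own node object only. Each wargame VM can then report its
# converge results without being able to rewrite any other node's attributes.
# KNIFE_CMD and DRY_RUN are environment variables introduced by this script.
set -eu

KNIFE_CMD="${KNIFE_CMD:-knife}"
NODE_PERMS="read,update"

# Print the knife-acl invocation for one client (used for dry runs and checks).
acl_command_for() {
    printf 'knife acl add client %s nodes %s %s\n' "$1" "$1" "$NODE_PERMS"
}

# Accept only plain node-style names before they are handed to knife.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Grant NODE_PERMS on the node named NAME to the client named NAME.
# Client and node deliberately share one variable, so this function cannot be
# used to give a client access to some other node.
grant_own_node_acl() {
    name="$1"
    if ! valid_name "$name"; then
        echo "refusing invalid client name: '$name'" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        acl_command_for "$name"
    else
        "$KNIFE_CMD" acl add client "$name" nodes "$name" "$NODE_PERMS"
    fi
}

# Apply the grant to every client given on the command line; keep going on
# errors but report failure at the end.
grant_all() {
    rc=0
    for n in "$@"; do
        grant_own_node_acl "$n" || rc=1
    done
    return "$rc"
}

# Run as root on the workstation, e.g.:
#   DRY_RUN=1 sh grant-node-acl.sh workstation dvwa webgoat gruyere vicnum bricks
if [ $# -gt 0 ]; then
    grant_all "$@"
fi
```

Run it once with `DRY_RUN=1` to see the six `knife acl add` lines, then without it to apply them; the exit status is non-zero if any single grant failed, which is easier to notice than a 403 buried in a later converge.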

Leave the workstation and re-provision the machines to verify that the permissions are set:

```
> vagrant provision chef-workstation
> vagrant provision cs-dvwa
> vagrant provision cs-webgoat
> vagrant provision cs-gruyere
> vagrant provision cs-vicnum
> vagrant provision cs-bricks
```

This should run without errors. Then check the environment status from the workstation:

```
> vagrant ssh chef-workstation -- sudo knife status
3 minutes ago, workstation, debian 9.0.
2 minutes ago, dvwa, ubuntu 14.04.
2 minutes ago, webgoat, ubuntu 14.04.
1 minute  ago, gruyere, ubuntu 14.04.
1 minute  ago, vicnum, ubuntu 14.04.
1 minute  ago, bricks, ubuntu 14.04.
```
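The `knife status` listing above is also the cheapest health signal for this lab: a node whose last check-in stops advancing has either lost its ACL again or stopped converging. As an added example (not part of the repository described here), the following script parses that output format and flags nodes older than a threshold; the sample lines are constructed, with "hours" and "days" entries invented to exercise the unit conversion:

```shell
#!/bin/sh
# Added example, not part of the original repository: read `knife status`
# output and flag every node whose last check-in is older than a threshold.
set -eu

# Constructed sample in the knife status format shown on the page; the "hours"
# and "days" lines are made up to exercise the unit conversion.
SAMPLE_STATUS='3 minutes ago, workstation, debian 9.0.
2 minutes ago, dvwa, ubuntu 14.04.
2 hours ago, webgoat, ubuntu 14.04.
1 minute  ago, gruyere, ubuntu 14.04.
3 days ago, vicnum, ubuntu 14.04.
1 minute  ago, bricks, ubuntu 14.04.'

# Read knife status lines on stdin and print "<node> <age_in_minutes>" for
# each node whose last check-in is older than $1 minutes.
stale_nodes() {
    awk -F', ' -v max="$1" '
        NF >= 2 {
            split($1, parts, /[ \t]+/)       # "1 minute  ago" -> 1, minute, ago
            age = parts[1] + 0
            unit = parts[2]
            if (unit ~ /^hour/)     { age *= 60 }
            else if (unit ~ /^day/) { age *= 1440 }
            if (age > max) print $2, age
        }'
}

# Exit non-zero when anything is stale, so the check can gate a cron or CI job.
check_fleet() {
    stale="$(stale_nodes "$1")"
    if [ -n "$stale" ]; then
        printf 'stale nodes (older than %s min):\n%s\n' "$1" "$stale" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample; for real use pipe the command in:
#   vagrant ssh chef-workstation -- sudo knife status | sh stale-nodes.sh
printf '%s\n' "$SAMPLE_STATUS" | stale_nodes 30
```

With the sample input and a 30-minute threshold the script reports `webgoat 120` and `vicnum 4320`; `check_fleet` wraps the same logic with a non-zero exit status for use from a scheduler.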