Configuration
Configuration
This page describes the process of configuring a host for running the Haaukins daemon, hknd
.
The daemon has only been tested on a Linux host with systemd
, but binaries for other operating systems can be build as well.
For the remainder of the Wiki, we assume a user hknd
user exists with home directory /home/hknd
.
Files and directory structure
The following is the default directory structure:
.
|-- config.yml
|-- events
| |-- test-10-04-19
| | |-- 005850db.log
| |-- test-10-04-19.yml
|-- exercises.yml
|-- frontends.yml
|-- hknd
`-- users.yml
The hknd
file is the binary, and by default is uses config.yml
in the working directory as its primary configuration file.
The following YAML
files must be created manually and serve as configuration files for hknd
:
Configuration file | Purpose |
---|---|
config.yml | The main configuration file |
exercises.yml | The specification of the exercises |
frontends.yml | The specification of the existing frontends |
The users.yml
acts as a database that stores the information of CLI users.
The event
directory serves as a database for events, such as the registered teams, the progress of teams and the monitored mouse clicks and key strokes.
config.yml
Example
host:
http: <wildcard-domain> # will be used for event creation
grpc: <server-endpoint> # grpc endpoint
port:
insecure: <insecure-port>
secure: <secure-port>
tls:
enabled: true
certfile: "<path-cert-file>"
certkey: "<path-cert-key>"
cafile: "<path-cert-ca>"
files:
ova-directory: "<frontends.yml-file-location>"
users-file: "<users.yml-file-location>"
exercises-file: "<exercises.yml-file-location>"
frontends-file: "<frontends.yml-file-location>"
db-config:
grpc: "<database-endpint>"
db-auth-key: <database-auth-key>
db-sign-key: <database-sign-key>
tls:
enabled: true
certfile: "<database-endpoint-cert-file-location>"
certkey: "<database-endpoint-cert-key-location>"
cafile: "<database-endpoint-cert-ca-location>"
sign-key: <sign-key>
docker-repositories:
- username: <private-registry-user-name>
password: <private-registry-password>
serveraddress: <private-registry-endpoint>
The daemon can listen on two different host names for the reverse proxy and the gRPC traffic. In case a HTTPS connection is preferred, the TLS configuration must be enabled, and both the secure (HTTP) and insecure (HTTPS) port must be configured.
If TLS is enabled, the acme
field must be filled in, which ensures that hknd
manages the TLS certificates.
- Note - as of now, only Cloudflare is supported as the ACME DNS provider.
The docker-repositories
and ova-directory
specify from which Docker repository and path on the filesystem hknd
retrieves the images for the virtual instances.
For all (latest) configuration options, take a look at the Config struct
in Golang source code.
exercises.yml
Example
exercises:
- name: Cross-site Request Forgery
tags:
- csrf
docker:
- image: <image name>
dns:
- name: formalbank.com
type: A
memoryMB: 80
flag:
- tag: csrf-1
name: Cross-site Request Forgery
env: APP_FLAG
points: 12
This file contains a list of all exercises that can be run on Haaukins.
For all (latest) configuration options, take a look at the Exercise struct
in the Golang source code.
frontends.yml
Example
frontends:
- image: kali
memoryMB: 4096
cpu: 2
Contains a list of all frontends that Haaukins.
The value of image
can be used as a tag when creating a new event from the CLI.
The daemon searches for the path <ova-directory>/<image name>.ova
, where ova-directory
is retrieved from the config.yml
, and the image name
is provided by the CLI user.
IP Tables Configuration
In case hknd
does not listen on the default HTTP(s) ports (i.e. 80 and 443), you can specify forwarding rules in iptables
as follows for HTTP
sudo iptables -t nat -A PREROUTING -i <network interface> -p tcp -m tcp --dport 80 -j DNAT --to <ip address>:<port>
and HTTPS
sudo iptables -t nat -A PREROUTING -i <network interface> -p tcp -m tcp --dport 443 -j DNAT --to <ip address>:<port>