SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Upgrade instructions 5.4.0 --> 5.6.3 #86

Closed tbennett6421 closed 4 years ago

tbennett6421 commented 4 years ago

Greetings,

Looking at the upgrade notes here: https://docs.vectr.io/Upgrading-an-existing-VECTR-installation/

I notice my vectr_tomcat pulls latest. When bringing docker down and back up it doesn't seem to pull the latest version.

My question is: should I change image: vectr_tomcat:latest to one of the following, and issue docker down/docker up?

image: securityriskadvisors/vectr_tomcat:5.5.7

or

image: securityriskadvisors/vectr_tomcat:latest

See the following docker-compose.yml

version: '3'

services:
  mongo:
    image: mongo:3.4
    networks:
      vectr_bridge:
        aliases:
          - vectr-mongo
          - oauth2-mongo
    volumes:
      - /opt/vectr/vectr-deploy/app/dumpfiles:/opt/vectr/dumpfiles

  tomcat:
    build:
      context: ./
    networks:
      vectr_bridge:
        aliases:
          - vectr.example.com
    image: vectr_tomcat:latest
    volumes:
      - /opt/vectr/vectr-deploy/app/wars:/usr/local/tomcat/webapps/
      - /opt/vectr/vectr-deploy/app/config:/usr/local/tomcat/app_conf
      - /opt/vectr/vectr-deploy/app/cas/:/etc/cas/
      - /opt/vectr/vectr-deploy/app/backup:/opt/vectr/backup/
      - /opt/vectr/vectr-deploy/app/migrationlogs:/opt/vectr/migrationlogs/
      - /opt/vectr/vectr-deploy/app/migrationbackups:/opt/vectr/migrationbackups
      - /opt/vectr/vectr-deploy/taxii/certs/:/opt/taxii/certs/
      - /opt/vectr/vectr-deploy/app/tools:/opt/vectr/tools
      - /opt/vectr/vectr-deploy/app/uploads:/opt/vectr/uploads
      - /opt/vectr/vectr-deploy/app/static:/opt/vectr/static
    depends_on:
      - mongo

networks:
  vectr_bridge:
    ipam:
      driver: default
      config:
       - subnet: 10.0.27.0/24

SRAPSpencer commented 4 years ago

We wouldn't recommend using latest. We're still adding additional features and making changes that might require modifications to the docker compose. It's best to have your compose manually configured to the specific container version that compose is intended for.
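
One way to check a compose file for the floating tags discussed above, as an added example that is not part of the original thread or the VECTR project. `unpinned_images` and `sample_compose` are hypothetical helper names, and the sample file is constructed from the image references quoted in this thread plus one made-up registry entry.

```shell
#!/bin/sh
# Report compose image references that are not pinned to a version.
# A reference counts as pinned when it has a digest (@sha256:...) or a tag
# other than "latest". Only the last path component is inspected for a tag,
# so a registry port (registry.example.com:5000/app) is not mistaken for one.
# Reads the compose file on stdin: unpinned_images < docker-compose.yml
unpinned_images() {
    awk -v q="'" '
    /^[ \t]*image:[ \t]*/ {
        ref = $0
        sub(/^[ \t]*image:[ \t]*/, "", ref)   # drop the key
        sub(/[ \t]+#.*$/, "", ref)            # drop a trailing comment
        gsub(/[ \t\r"]/, "", ref)             # drop spaces and double quotes
        gsub(q, "", ref)                      # drop single quotes
        if (ref == "" || ref ~ /@sha256:/) next
        n = split(ref, parts, "/")
        last = parts[n]
        if (index(last, ":") == 0)
            print NR ": " ref " (no tag, resolves to latest)"
        else if (last ~ /:latest$/)
            print NR ": " ref " (floating tag)"
    }'
}

# Constructed sample: image lines quoted in the thread plus a made-up registry.
sample_compose() {
    cat <<'EOF'
services:
  mongo:
    image: mongo:3.4
  tomcat:
    image: vectr_tomcat:latest
  tomcat_pinned:
    image: securityriskadvisors/vectr_tomcat:5.6.3
  mirror:
    image: "registry.example.com:5000/vectr_tomcat"  # made-up registry
EOF
}

# Prints one line per unpinned reference, prefixed with its line number.
sample_compose | unpinned_images
```
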

tbennett6421 commented 4 years ago

Okay. I tried

  image: securityriskadvisors/vectr_tomcat:5.6.3

and brought the solution down and back up. It didn't say tomcat was up to date, so I assume it tried to pull that version, but the vectr instance still shows the old version.

ubuntu@host:/opt/vectr/vectr-deploy/app$ sudo docker-compose -f docker-compose.yml -f devSsl.yml -p vectr up -d
vectr_mongo is up-to-date
Creating vectr_tomcat ...
Creating vectr_tomcat ... done

Is there some command I need to run to start the upgrade, or do I need to download the zip from git and attempt to deploy a new vectr and export/import our existing data?

https://github.com/SecurityRiskAdvisors/VECTR/releases/tag/ce-5.6.3

tbennett6421 commented 4 years ago

Ah wait, I see a migration process in the docs, for 5.4 upwards. Let me try that out and report back.

SRAPSpencer commented 4 years ago

Yeah, you'll need to follow those instructions. To clarify, we don't currently use the "latest" tag as some containers do. Using "latest" won't return any container images and won't work. If we decide to change this in the future, we'll update our documentation accordingly.

Let us know if you need any help with the 5.4 migration.

tbennett6421 commented 4 years ago

Hmm, it looks like I'm getting a CAS error. I dropped my ssl.key and ssl.crt into <VECTR_DEPLOY_DIR>/user/certs

# export PRI=user/certs/ssl.key
# export PUB=user/certs/ssl.crt

# file $PRI
user/certs/ssl.key: ASCII text

# openssl rsa -in $PRI -text | head
RSA Private-Key: (4096 bit, 2 primes)
modulus:
    00:c3:ea:e5:bc:a5:ca:6c:fd:94:ca:fe:5e:f4:80:
    33:87:88:be:ac:1e:4c:c2:8b:90:c5:5d:cc:a5:12:

# file $PUB
user/certs/ssl.crt: PEM certificate

# openssl x509 -in $PUB -text | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:f9:a3:52:7d:c3:74:e4:c6:70:48:1b:76:c3:aa:90:45:f4:a5:e6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = PA, L = Philadelphia, O = SRA, OU = VECTR, CN = ca, emailAddress = certs@example.com
        Validity
            Not Before: Mar 11 15:43:20 2020 GMT
            Not After : Mar  9 15:43:20 2030 GMT

# openssl rsa -noout -modulus -in $PRI | openssl sha1
(stdin)= 86e0caf0984009281a7cef8bb65ad82b89f3d41a

# openssl x509 -noout -modulus -in $PUB | openssl sha1
(stdin)= 86e0caf0984009281a7cef8bb65ad82b89f3d41a

# cat $PRI | head -n 2
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDD6uW8pcps/ZTK

# cat $PUB | head -n 2
-----BEGIN CERTIFICATE-----
MIIGgDCCBGigAwIBAgIUFPmjUn3DdOTGcEgbdsOqkEX0peYwDQYJKoZIhvcNAQEL

Since the issuer is "Issuer: C = US, ST = PA, L = Philadelphia, O = SRA, OU = VECTR, CN = ca, emailAddress = certs@example.com", do I need to add something to the env to configure it properly?
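
The key and certificate checks from the comment above, gathered into one function as an added example (not from the thread or the VECTR documentation). It goes beyond the modulus comparison by comparing the public keys themselves, which also works for non-RSA keys, and adds hostname and expiry checks; `check_tls_pair` and `make_sample_pair` are hypothetical names.

```shell
#!/bin/sh
# check_tls_pair KEY CERT HOSTNAME
# Prints one line per check; returns 0 only if every check passes.
check_tls_pair() {
    tp_rc=0
    # Compare the public keys directly. Unlike a modulus hash this also works
    # for EC keys, and empty output (unreadable file) never counts as a match.
    tp_kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || tp_kpub=
    tp_cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || tp_cpub=
    if [ -n "$tp_kpub" ] && [ "$tp_kpub" = "$tp_cpub" ]; then
        echo "OK   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; tp_rc=1
    fi
    # Name check against the certificate, as a TLS client would perform it.
    if openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null |
            grep -q 'does match'; then
        echo "OK   certificate covers $3"
    else
        echo "FAIL certificate does not cover $3"; tp_rc=1
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK   certificate has not expired"
    else
        echo "FAIL certificate expired or unreadable"; tp_rc=1
    fi
    return "$tp_rc"
}

# make_sample_pair DIR HOSTNAME
# Writes a throwaway self-signed pair (constructed test data) to DIR.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/ssl.key" -out "$1/ssl.crt" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# When called with three arguments, check the given files.
if [ "$#" -eq 3 ]; then
    check_tls_pair "$1" "$2" "$3"
fi
```
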

tbennett6421 commented 4 years ago

For reference, vectrRootCA.key does not appear to be encrypted.

cat user/certs/vectrRootCA.key
-----BEGIN RSA PRIVATE KEY-----

SRAPSpencer commented 4 years ago

Application not authorized is often caused by a load balancer or hostname issue. Is your .env file configured to reflect the hostname and port you're navigating to?

tbennett6421 commented 4 years ago

VECTR_HOSTNAME, VECTR_PORT are correct, and there is no load-balancer in place.

VECTR_HOSTNAME is vectr.example.com
VECTR_PORT is 443
ssl.crt has a CN=vectr.example.com and a SAN entry for dns:vectr.example.com

Browsing to https://vectr.example.com

SRAPSpencer commented 4 years ago

See this comment for potential fixes.

https://github.com/SecurityRiskAdvisors/VECTR/issues/74#issuecomment-661874588

If you're still having issues, email us at vectrops@securityriskadvisors.com for further assistance.

tbennett6421 commented 4 years ago

I sent you guys an email.