Build from master and started it, but it seems to be broken.

[t3chn0m4g3]

After starting tanner I immediately get the following error, ideas?

tanner          |       _________    _   ___   ____________
tanner          |      /_  __/   |  / | / / | / / ____/ __ \
tanner          |       / / / /| | /  |/ /  |/ / __/ / /_/ /
tanner          |      / / / ___ |/ /|  / /|  / /___/ _, _/
tanner          |     /_/ /_/  |_/_/ |_/_/ |_/_____/_/ |_|
tanner          | 
tanner          |     
tanner          | Debug logs will be stored in /tmp/tanner/tanner.log
tanner          | Error logs will be stored in /tmp/tanner/tanner.err
tanner          | Data logs will be stored in /var/log/tanner/tanner_report.json
tanner          | Traceback (most recent call last):
tanner          |   File "/usr/bin/tanner", line 4, in <module>
tanner          |     __import__('pkg_resources').run_script('Tanner==0.6.0', 'tanner')
tanner          |   File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 666, in run_script
tanner          |     self.require(requires)[0].run_script(script_name, ns)
tanner          |   File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 1469, in run_script
tanner          |     exec(script_code, namespace, namespace)
tanner          |   File "/usr/lib/python3.6/site-packages/Tanner-0.6.0-py3.6.egg/EGG-INFO/scripts/tanner", line 35, in <module>
tanner          |   File "/usr/lib/python3.6/site-packages/Tanner-0.6.0-py3.6.egg/EGG-INFO/scripts/tanner", line 30, in main
tanner          |   File "/usr/lib/python3.6/site-packages/Tanner-0.6.0-py3.6.egg/tanner/server.py", line 27, in __init__
tanner          |   File "/usr/lib/python3.6/site-packages/Tanner-0.6.0-py3.6.egg/tanner/emulators/base.py", line 25, in __init__
tanner          | KeyError: 'php_object_injection'

[rjt-gupta]

Sorry, Im not able to reproduce this. Have you tried python setup.py install?

[t3chn0m4g3]

Thanks for your support, yes.

[afeena]

I guess this is the problem with config in Docker https://github.com/mushorg/tanner/blob/master/docker/tanner/dist/config.py

@rjt-gupta Could you please check&update?

[rjt-gupta]

I guess this is the problem with config in Docker https://github.com/mushorg/tanner/blob/master/docker/tanner/dist/config.py

@rjt-gupta Could you please check&update?

On it.

[t3chn0m4g3]

@afeena Good catch, did not realize options had changed 😨

[afeena]

@t3chn0m4g3 Thanks for reporting :)

[t3chn0m4g3]

Found the changes, adjusted the config, images are now building.

Fingers crossed :)

[t3chn0m4g3]

Well, at least on the right track :bowtie:

tanner          |       _________    _   ___   ____________
tanner          |      /_  __/   |  / | / / | / / ____/ __ \
tanner          |       / / / /| | /  |/ /  |/ / __/ / /_/ /
tanner          |      / / / ___ |/ /|  / /|  / /___/ _, _/
tanner          |     /_/ /_/  |_/_/ |_/_/ |_/_____/_/ |_|
tanner          | 
tanner          |     
tanner          | Debug logs will be stored in /tmp/tanner/tanner.log
tanner          | Error logs will be stored in /tmp/tanner/tanner.err
tanner          | Data logs will be stored in /var/log/tanner/tanner_report.json
tanner          | Traceback (most recent call last):
tanner          |   File "/usr/bin/tanner", line 4, in <module>
tanner          |     __import__('pkg_resources').run_script('Tanner==0.6.0', 'tanner')
tanner          |   File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 666, in run_script
tanner          |     self.require(requires)[0].run_script(script_name, ns)
tanner          |   File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 1469, in run_script
tanner          |     exec(script_code, namespace, namespace)
tanner          |   File "/usr/lib/python3.6/site-packages/Tanner-0.6.0-py3.6.egg/EGG-INFO/scripts/tanner", line 35, in <module>
tanner          |   File "/usr/lib/python3.6/site-packages/Tanner-0.6.0-py3.6.egg/EGG-INFO/scripts/tanner", line 30, in main
tanner          |   File "/usr/lib/python3.6/site-packages/Tanner-0.6.0-py3.6.egg/tanner/server.py", line 27, in __init__
tanner          |   File "/usr/lib/python3.6/site-packages/Tanner-0.6.0-py3.6.egg/tanner/emulators/base.py", line 29, in __init__
tanner          |   File "/usr/lib/python3.6/site-packages/Tanner-0.6.0-py3.6.egg/tanner/emulators/template_injection.py", line 15, in __init__
tanner          |   File "/usr/lib/python3.6/site-packages/Tanner-0.6.0-py3.6.egg/tanner/utils/aiodocker_helper.py", line 12, in __init__
tanner          |   File "/usr/lib/python3.6/site-packages/aiodocker/docker.py", line 82, in __init__
tanner          |     "Missing valid docker_host."
tanner          | ValueError: Missing valid docker_host.Either DOCKER_HOST or local sockets are not available.

[t3chn0m4g3]

@afeena @rjt-gupta What triggers the usage of docker within tanner? Can we disable it (just for the sake of using it in a docker image)?

[rjt-gupta]

@afeena @rjt-gupta What triggers the usage of docker within tanner? Can we disable it (just for the sake of using it in a docker image)?

I guess only the emulators use docker for the execution part. They can be disabled using the config file.

[afeena]

Emulator with docker: lfi, template injection, cmd, as far as I remember

[t3chn0m4g3]

thanks, on it.

[mainnika]

@t3chn0m4g3 did you use docker-compose or built&run docker image manually?

[rjt-gupta]

@afeena @rjt-gupta What triggers the usage of docker within tanner? Can we disable it (just for the sake of using it in a docker image)?

I think you will only need to disable template_injection emulator as it is the only one who requires building the custom image. (according to traceback)

[t3chn0m4g3]

@mainnika docker-compose, building the whole stack at once (snare, tanner, phpox,...) @rjt-gupta @rjt-gupta Disabled the ones from the old config and additionally template_injection. Seems to work properly now. Will PR within the hour and run some tests before that.

Thank you 😃

[rjt-gupta]

@rjt-gupta @rjt-gupta Disabled the ones from the old config and additionally template_injection. Seems to work properly now. Will PR within the hour and run some tests before that.

Thank you 😃

Awesome! :)

[mainnika]

@t3chn0m4g3 the problem is that tanner inside docker doesn't have access to the docker itself. then just add to a tanner service in docker-compose:

    volumes:
        - "/var/run/docker.sock:/var/run/docker.sock:rw"

[t3chn0m4g3]

@mainnika You are correct. From a security perspective however (at least for my use case within T-Pot, but probably also in general) you would want to avoid giving a container access to the docker socket, especially with r/w persmission.

[mainnika]

@t3chn0m4g3 absolutely true.

but if we assume tanner is safe, then it's ok to give RW for a tanner container only. in this case we use docker just as a more comfortable way to run tanner.

in the best case it should be an external safe docker server.

[t3chn0m4g3]

@mainnika Personal preference, however before you do ... https://www.cisecurity.org/cis-benchmarks/ https://github.com/docker/docker-bench-security https://dev.to/petermbenjamin/docker-security-best-practices-45ih

[t3chn0m4g3]

@afeena @rjt-gupta Works fine here, however a test on your side cannot hurt.

Thanks again for getting a grip on this.

[mainnika]

@mainnika Personal preference, however before you do ... https://www.cisecurity.org/cis-benchmarks/ https://github.com/docker/docker-bench-security https://dev.to/petermbenjamin/docker-security-best-practices-45ih

yep it's all about «general app». but if the app was specially developed to use docker it's another case. let's check docker/docker-bench-security, e.g. they advise to run docker container as

docker run -it --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /etc:/etc \
    -v /usr/bin/docker-containerd:/usr/bin/docker-containerd \
    -v /usr/bin/docker-runc:/usr/bin/docker-runc \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    --label docker_bench_security \
    docker/docker-bench-security

wow so insecure