Skip to content

Instantly share code, notes, and snippets.

Avatar

Kinnaird McQuade kmcquade

View GitHub Profile
@kmcquade
kmcquade / jetbrains-live-templates.md
Last active Sep 22, 2021
My Intellij Live Templates || VSCode Code snippets for Terraform
View jetbrains-live-templates.md
@kmcquade
kmcquade / requirements.txt
Created Sep 20, 2021
Run Terraform get recursively using python-terraform
View requirements.txt
python_terraform==0.10.1
@kmcquade
kmcquade / systemd_service_hardening.md
Created Apr 29, 2019 — forked from ageis/systemd_service_hardening.md
Options for hardening systemd service units
View systemd_service_hardening.md

A common and reliable pattern in service unit files is thus:

NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
ProtectHome=read-only
ProtectControlGroups=yes
ProtectKernelModules=yes
View explanation.md

This explains a current issue in the ZAP Automation Framework where ZAP will perform tests even when they are explicitly excluded from the scan results - that is, even when you set defaultThreshold (which is supposed to apply as the default for all scan rules) or threshold (rule-specific settings) to 'Off', the checks are still performed.

Instructions

  • mkdir -p /tmp/zap/
  • Save the template.yaml YAML file to /tmp/zap/template.yaml
  • Run these commands to trigger the scan:
@kmcquade
kmcquade / template.yaml
Created Jul 17, 2021
ZAP Automation Template example - works with v0.4, runs against Google firing range
View template.yaml
--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.org/docs/automate/automation-framework/
env: # The environment, mandatory
contexts : # List of 1 or more contexts, mandatory
- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
urls: # A mandatory list of top level urls, everything under each url will be included
- https://public-firing-range.appspot.com/
includePaths: # An optional list of regexes to include
excludePaths: # An optional list of regexes to exclude
authentication: # TBA: In time to cover all auth configs
vars: # List of 1 or more variables, can be used throughout the config
@kmcquade
kmcquade / template.yml
Created Jun 23, 2021
2021-06-23: ZAP Automation Framework troubleshooting
View template.yml
---
# OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
env: # The environment, mandatory
contexts: # List of 1 or more contexts, mandatory
- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
url: http://demo.testfire.net # The top level url, mandatory, everything under this will be included
includePaths: # TBA: An optional list of regexes to include
excludePaths: # TBA: An optional list of regexes to exclude
authentication: # TBA: In time to cover all auth configs
parameters:
View zap-template.yaml
--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
env: # The environment, mandatory
contexts: # List of 1 or more contexts, mandatory
- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
url: http://demo.testfire.net # The top level url, mandatory, everything under this will be included
includePaths: # TBA: An optional list of regexes to include
excludePaths: # TBA: An optional list of regexes to exclude
authentication: # TBA: In time to cover all auth configs
parameters:
failOnError: true # If set exit on an error
View zap-template-question.yaml
--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
env: # The environment, mandatory
contexts: # List of 1 or more contexts, mandatory
- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
url: http://demo.testfire.net/ # The top level url, mandatory, everything under this will be included
includePaths: # TBA: An optional list of regexes to include
excludePaths: # TBA: An optional list of regexes to exclude
authentication: # TBA: In time to cover all auth configs
parameters:
failOnError: true # If set exit on an error
@kmcquade
kmcquade / original.conf
Last active May 15, 2021
ZAP Full scan config
View original.conf
# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0 WARN (Directory Browsing - Active/release)
10003 WARN (Vulnerable JS Library - Passive/release)
10010 WARN (Cookie No HttpOnly Flag - Passive/release)
10011 WARN (Cookie Without Secure Flag - Passive/release)
10015 WARN (Incomplete or No Cache-control Header Set - Passive/release)