vmayoral/alurity.yml

## alurity.yml
############
# Networks
############
networks:

  # Level 1: Control Networks, connect controllers and control stations
  #  for each controller, we expect a dedicated control-network
  - network:
    - name: control-network_c1_s1
    - driver: overlay
    - internal: true
    - encryption: false
    - subnet: 12.0.0.0/24
  - network:
    - name: control-network_c2_s2
    - driver: overlay
    - internal: true
    - encryption: false
    - subnet: 12.0.2.0/24
  - network:
    - name: control-network_c4_s4
    - driver: overlay
    - internal: true
    - encryption: false
    - subnet: 12.0.4.0/24
  - network:
    - name: control-network_c5_s5
    - driver: overlay
    - internal: true
    - encryption: false
    - subnet: 12.0.5.0/24

  # Level 2: Process Network
  - network:
    - name: process-network
    - driver: overlay
    - internal: true
    - encryption: false
    - subnet: 13.0.0.0/24

  # Level 3: DMZ 2 sub-network
  # NOTE: used to interface Process Network with machines in DMZ 2
  #  (e.g. a historian, additional servers and related)
  - network:
    - name: dmz2
    - driver: overlay
    - internal: true
    - encryption: false
    - subnet: 14.0.0.0/24

  # Level 4: IT Network
  - network:
    - name: it-network
    - driver: overlay
    - encryption: false
    - internal: true
    - subnet: 15.0.0.0/24

  # Level 3: DMZ 1 sub-network
  # NOTE: used used to interface IT Network with central control station
  - network:
    - name: dmz1
    - driver: overlay
    - encryption: false
    - internal: true
    - subnet: 16.0.0.0/24

  # Beyond lvl4: Cloud
  - network:
    - name: cloud-network
    - driver: overlay
    - encryption: false
    - internal: false
    - subnet: 17.0.0.0/24

#################################
# Firewalls and network elements
#################################
firewalls:
     - container:
       - name: firewall-it-dmz1
       - ingress: it-network
       - egress: dmz1
       - rules:
         - iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
         - iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
         - iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
         - iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
         - iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
         - iptables -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
         - iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
         - route add 13.0.0.20 gw 16.0.0.254 eth2
     - container:
       - name: firewall-process-dmz2
       - ingress: process-network
       - egress: dmz2
       - rules:
         - iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
         - iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
         - iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
         - iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

############
# Containers
############
containers:

  #
  # Controllers
  #
  # C1
  - container:
    - name: "c1"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
         # - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12.1
         # - base: registry.gitlab.com/aliasrobotics/offensive/projects/rosin-redros-i:3.12.1-controller
         - network:
           - control-network_c1_s1
           # - field-network_r1_c1
    - ip: 12.0.0.20  # assign manually an ip address
    - cpus: 4
    - memory: 2048
    - mount: Controller:/root/.urcaps/

  # C^2
  - container:
    - name: "c2"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
         # - base: registry.gitlab.com/aliasrobotics/offensive/projects/rosin-redros-i:3.12.1-controller
         - network:
           - control-network_c2_s2
           # - field-network_r2_c2
    - cpus: 4
    - memory: 2048
    - mount: /tmp/ris_install:/tmp/ris_install
    - extra-options: SYS_PTRACE
  # C3
  - container:
    - name: "c3"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
         - network:
           - process-network
           # - field-network_r3_c3
    - ip: 13.0.0.30  # manually assign an ip address
    - cpus: 4
    - memory: 2048
    - extra-options: SYS_PTRACE
  # C4
  - container:
    - name: "c4"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
         - network:
           - control-network_c4_s4
           # - field-network_r4_c4
    - cpus: 4
    - memory: 2048
  # C^5
  - container:
    - name: "c5"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
         - network:
           - control-network_c5_s5
           # - field-network_r5_c5
    - cpus: 4
    - memory: 2048
    - mount: /tmp/ris_install:/tmp/ris_install
    - extra-options: SYS_PTRACE
  # C^6
  - container:
    - name: "c6"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
         - network:
           - process-network
           # - field-network_r6_c6
    - cpus: 4
    - memory: 2048
    - mount: /tmp/ris_install:/tmp/ris_install
    - extra-options: SYS_PTRACE

  #
  # Control stations
  #
  # S1
  - container:
    - name: "s1"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
         - network:
           - control-network_c1_s1
           - process-network

    - ip:
      - 12.0.0.50  # ip for control-network_c1_s1
      - 13.0.0.5  # ip in process-network
    - cpus: 4
    - memory: 4096
    - extra-options: NET_ADMIN
  # S^2
  - container:
    - name: "s2"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario-hardened
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
         - network:
           - control-network_c2_s2
           - process-network
    - ip:
        - 12.0.2.50  # ip for control-network_c2_s2
        # - 13.0.0.6  # ip for process-network
    - cpus: 4
    - memory: 4096
    - extra-options: NET_ADMIN
  # S^4
  - container:
    - name: "s4"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario-hardened
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
         - network:
           - control-network_c4_s4
           - process-network
    - ip: 12.0.4.50  # ip for control-network_c4_s4
    - cpus: 4
    - memory: 4096
    - extra-options: NET_ADMIN
  # S5
  - container:
    - name: "s5"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
         - network:
           - control-network_c5_s5
           - process-network
    - ip: 12.0.5.50  # ip for control-network_c5_s5
    - cpus: 4
    - memory: 4096

  # S7
  - container:
    - name: "s7"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
         - network:
           - dmz1
           - process-network
    - ip:
      - 16.0.0.20  # ip in dmz1
      - 13.0.0.20  # ip in process-network
    - cpus: 4
    - memory: 4096
    - extra-options: NET_ADMIN

  #
  # Development stations
  #
  # D1
  - container:
    - name: "d1"
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
         - network:
           - it-network
           - dmz1
           - cloud-network
           # - process-network  # bypass firewall restrictions by connecting directly
    - ip:
      - 15.0.0.30  # ip in IT
      - 16.0.0.30  # ip in dmz1
      - 17.0.0.30  # ip in cloud
      # - 13.0.0.9
    - cpus: 4
    - memory: 4096
    - extra-options: NET_ADMIN

  #
  # Attackers
  #
  - container:
    - name: attacker_cloud
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/alurity:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_robosploit/expl_robosploit:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_binwalk:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_icssploit:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_rospento:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_rosploit:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_metasploit:latest
         - network:
           # - it-network
           - cloud-network
    - extra-options: ALL

  - container:
    - name: attacker_dmz1
    - modules:
         # - base: registry.gitlab.com/aliasrobotics/offensive/alurity/alurity:latest
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest
         - network:
           - dmz1
           - process-network
    - extra-options: ALL

  #
  # extra elements
  #

  # connector of
  #  - it-network
  #  - dmz2
  #  - dmz1
  - container:
    - name: firewall-it-dmz1
    - modules:
      - base: registry.gitlab.com/aliasrobotics/offensive/projects/rosin-redros-i:firewall-three-net
      - network:
        - it-network
        - dmz2
        - dmz1
    - extra-options: NET_ADMIN
    - ip:
      - 15.0.0.254
      - 14.0.0.254
      - 16.0.0.254
  # DMZ machine
  - container:
    - name: dmz-server
    - modules:
      - base: registry.gitlab.com/aliasrobotics/offensive/projects/rosin-redros-i:dmz
      - network: dmz2
    - extra-options: NET_ADMIN
    - ip: 14.0.0.20
  # Connector of process-network and dmz2
  - container:
    - name: firewall-process-dmz2
    - modules:
      - base: registry.gitlab.com/aliasrobotics/offensive/projects/rosin-redros-i:firewall-two
      - network:
        - dmz2
        - process-network
    - extra-options: NET_ADMIN
    - ip:
      - 14.0.0.253
      - 13.0.0.254
	############
	# Networks
	############
	networks:

	# Level 1: Control Networks, connect controllers and control stations
	# for each controller, we expect a dedicated control-network
	- network:
	- name: control-network_c1_s1
	- driver: overlay
	- internal: true
	- encryption: false
	- subnet: 12.0.0.0/24
	- network:
	- name: control-network_c2_s2
	- driver: overlay
	- internal: true
	- encryption: false
	- subnet: 12.0.2.0/24
	- network:
	- name: control-network_c4_s4
	- driver: overlay
	- internal: true
	- encryption: false
	- subnet: 12.0.4.0/24
	- network:
	- name: control-network_c5_s5
	- driver: overlay
	- internal: true
	- encryption: false
	- subnet: 12.0.5.0/24

	# Level 2: Process Network
	- network:
	- name: process-network
	- driver: overlay
	- internal: true
	- encryption: false
	- subnet: 13.0.0.0/24

	# Level 3: DMZ 2 sub-network
	# NOTE: used to interface Process Network with machines in DMZ 2
	# (e.g. a historian, additional servers and related)
	- network:
	- name: dmz2
	- driver: overlay
	- internal: true
	- encryption: false
	- subnet: 14.0.0.0/24

	# Level 4: IT Network
	- network:
	- name: it-network
	- driver: overlay
	- encryption: false
	- internal: true
	- subnet: 15.0.0.0/24

	# Level 3: DMZ 1 sub-network
	# NOTE: used used to interface IT Network with central control station
	- network:
	- name: dmz1
	- driver: overlay
	- encryption: false
	- internal: true
	- subnet: 16.0.0.0/24

	# Beyond lvl4: Cloud
	- network:
	- name: cloud-network
	- driver: overlay
	- encryption: false
	- internal: false
	- subnet: 17.0.0.0/24

	#################################
	# Firewalls and network elements
	#################################
	firewalls:
	- container:
	- name: firewall-it-dmz1
	- ingress: it-network
	- egress: dmz1
	- rules:
	- iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
	- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	- iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
	- iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
	- iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
	- iptables -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
	- iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
	- route add 13.0.0.20 gw 16.0.0.254 eth2
	- container:
	- name: firewall-process-dmz2
	- ingress: process-network
	- egress: dmz2
	- rules:
	- iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
	- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	- iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
	- iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

	############
	# Containers
	############
	containers:

	#
	# Controllers
	#
	# C1
	- container:
	- name: "c1"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
	# - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12.1
	# - base: registry.gitlab.com/aliasrobotics/offensive/projects/rosin-redros-i:3.12.1-controller
	- network:
	- control-network_c1_s1
	# - field-network_r1_c1
	- ip: 12.0.0.20 # assign manually an ip address
	- cpus: 4
	- memory: 2048
	- mount: Controller:/root/.urcaps/

	# C^2
	- container:
	- name: "c2"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
	# - base: registry.gitlab.com/aliasrobotics/offensive/projects/rosin-redros-i:3.12.1-controller
	- network:
	- control-network_c2_s2
	# - field-network_r2_c2
	- cpus: 4
	- memory: 2048
	- mount: /tmp/ris_install:/tmp/ris_install
	- extra-options: SYS_PTRACE
	# C3
	- container:
	- name: "c3"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
	- network:
	- process-network
	# - field-network_r3_c3
	- ip: 13.0.0.30 # manually assign an ip address
	- cpus: 4
	- memory: 2048
	- extra-options: SYS_PTRACE
	# C4
	- container:
	- name: "c4"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
	- network:
	- control-network_c4_s4
	# - field-network_r4_c4
	- cpus: 4
	- memory: 2048
	# C^5
	- container:
	- name: "c5"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
	- network:
	- control-network_c5_s5
	# - field-network_r5_c5
	- cpus: 4
	- memory: 2048
	- mount: /tmp/ris_install:/tmp/ris_install
	- extra-options: SYS_PTRACE
	# C^6
	- container:
	- name: "c6"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.13.0
	- network:
	- process-network
	# - field-network_r6_c6
	- cpus: 4
	- memory: 2048
	- mount: /tmp/ris_install:/tmp/ris_install
	- extra-options: SYS_PTRACE

	#
	# Control stations
	#
	# S1
	- container:
	- name: "s1"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
	- network:
	- control-network_c1_s1
	- process-network

	- ip:
	- 12.0.0.50 # ip for control-network_c1_s1
	- 13.0.0.5 # ip in process-network
	- cpus: 4
	- memory: 4096
	- extra-options: NET_ADMIN
	# S^2
	- container:
	- name: "s2"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario-hardened
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
	- network:
	- control-network_c2_s2
	- process-network
	- ip:
	- 12.0.2.50 # ip for control-network_c2_s2
	# - 13.0.0.6 # ip for process-network
	- cpus: 4
	- memory: 4096
	- extra-options: NET_ADMIN
	# S^4
	- container:
	- name: "s4"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario-hardened
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
	- network:
	- control-network_c4_s4
	- process-network
	- ip: 12.0.4.50 # ip for control-network_c4_s4
	- cpus: 4
	- memory: 4096
	- extra-options: NET_ADMIN
	# S5
	- container:
	- name: "s5"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
	- network:
	- control-network_c5_s5
	- process-network
	- ip: 12.0.5.50 # ip for control-network_c5_s5
	- cpus: 4
	- memory: 4096

	# S7
	- container:
	- name: "s7"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
	- network:
	- dmz1
	- process-network
	- ip:
	- 16.0.0.20 # ip in dmz1
	- 13.0.0.20 # ip in process-network
	- cpus: 4
	- memory: 4096
	- extra-options: NET_ADMIN

	#
	# Development stations
	#
	# D1
	- container:
	- name: "d1"
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros_ur:melodic-official-scenario
	- network:
	- it-network
	- dmz1
	- cloud-network
	# - process-network # bypass firewall restrictions by connecting directly
	- ip:
	- 15.0.0.30 # ip in IT
	- 16.0.0.30 # ip in dmz1
	- 17.0.0.30 # ip in cloud
	# - 13.0.0.9
	- cpus: 4
	- memory: 4096
	- extra-options: NET_ADMIN

	#
	# Attackers
	#
	- container:
	- name: attacker_cloud
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/alurity:latest
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_robosploit/expl_robosploit:latest
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_binwalk:latest
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_icssploit:latest
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_rospento:latest
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_rosploit:latest
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_metasploit:latest
	- network:
	# - it-network
	- cloud-network
	- extra-options: ALL

	- container:
	- name: attacker_dmz1
	- modules:
	# - base: registry.gitlab.com/aliasrobotics/offensive/alurity/alurity:latest
	- base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:melodic-scenario
	- volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest
	- network:
	- dmz1
	- process-network
	- extra-options: ALL

	#
	# extra elements
	#

	# connector of
	# - it-network
	# - dmz2
	# - dmz1
	- container:
	- name: firewall-it-dmz1
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/projects/rosin-redros-i:firewall-three-net
	- network:
	- it-network
	- dmz2
	- dmz1
	- extra-options: NET_ADMIN
	- ip:
	- 15.0.0.254
	- 14.0.0.254
	- 16.0.0.254
	# DMZ machine
	- container:
	- name: dmz-server
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/projects/rosin-redros-i:dmz
	- network: dmz2
	- extra-options: NET_ADMIN
	- ip: 14.0.0.20
	# Connector of process-network and dmz2
	- container:
	- name: firewall-process-dmz2
	- modules:
	- base: registry.gitlab.com/aliasrobotics/offensive/projects/rosin-redros-i:firewall-two
	- network:
	- dmz2
	- process-network
	- extra-options: NET_ADMIN
	- ip:
	- 14.0.0.253
	- 13.0.0.254