# AppSec VM deployment from the Marketplace

When deploying an AppSec VM we need to increase the bucket size of the nginx server-names hash table. Set this parameter on the profile:

- name: `agent.rpmanager.nginxIncludeLines`
- value: `server_names_hash_bucket_size 128`

## Adding the secret to AWS Secrets Manager

Encode the private key on a single line and paste the contents of the output file as the secret value:

```sh
openssl base64 -A -in privatekey.key -out fileout64.key
```

- Name: `private key`, value: the contents of the output file (copy and paste the data)
- Tag name: `certificate`, value: the ARN of the certificate (from AWS Certificate Manager)

## Kubernetes ingress demo

### Install AWS CLI v2 on Ubuntu

```sh
apt-get update
apt-get install zip unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version
```

### Install eksctl

```sh
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
sudo mv /tmp/eksctl /usr/local/bin
eksctl version
```

### Install kubectl

```sh
curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.19.6/2021-01-05/bin/linux/amd64/kubectl
chmod +x ./kubectl
mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
kubectl version --short --client
```

### Create the EKS cluster

```sh
eksctl create cluster -f cluster.yaml
```

cluster.yaml (`nodeGroups` is a list, so the group entry starts with `- name`):

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: EKS-cluster
  region: us-west-1
nodeGroups:
  - name: ng-1
    instanceType: t2.small
    desiredCapacity: 2
    ssh:
      # use existing EC2 key
      publicKeyName: cp-californina
```

### Install Helm

```sh
mkdir helm && cd helm
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
helm repo update
```

### Create the namespace and deploy Juice Shop

```sh
kubectl create namespace checkmates-kube
kubectl config set-context --current --namespace=checkmates-kube
kubectl apply -f juice-shop.yaml
```

juice-shop.yaml:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: juice-shop
  annotations:
    marketplace.cloud.google.com/verification: test
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: juice-shop
  template:
    metadata:
      labels:
        app: juice-shop
    spec:
      containers:
        - image: bkimminich/juice-shop
          imagePullPolicy: Always
          name: juice-shop
          ports:
            - containerPort: 3000
              protocol: TCP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
---
apiVersion: v1
kind: Service
metadata:
  name: juice-shop
spec:
  ports:
    - port: 8080
      protocol: TCP
      targetPort: 3000
  selector:
    app: juice-shop
  sessionAffinity: None
  type: ClusterIP
```

### Install the CloudGuard AppSec ingress controller

```sh
helm repo add cpAppSec https://raw.githubusercontent.com/CheckPointSW/Infinity-Next/main/deployments
helm search repo -l
```

Helm charts provide the ability to deploy a collection of Kubernetes services and containers with a single command. This Helm chart deploys an nginx-based (1.19) ingress controller built from the Check Point container images: an nginx reverse-proxy container integrated with the Check Point CloudGuard AppSec nano-agent container.

```sh
helm install cpappsec cpAppSec/cpappsec --set agentToken="cp-2f40f7b2-c404-4a5d-ac69-bbd5b6e15a8ed75200dd-52df-40a4-966d-9066bb521ec1" --set platform="EKS"
```

The agent token enrolls the nano agent with your Infinity Next tenant, so treat it as a credential: the value shown is the author's demo token and should be replaced with the token from your own tenant.

### Create the TLS secret

Encode the private key on a single line:

```sh
openssl base64 -A -in privatekey.key -out fileout64.key
```

store-secret.yaml (the `tls.key` value is omitted from this page; paste the single-line output of the command above):

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: store-secret
type: kubernetes.io/tls
data:
  tls.key: "<single-line base64 of privatekey.key, omitted from this page>"
  tls.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZMRENDQkJTZ0F3SUJBZ0lTQklLR0dwNlRPYlFMM0VjamxCSzVBOWg0TUEwR0NTcUdTSWIzRFFFQkN3VUEKTURJeEN6QUpCZ05WQkFZVEFsVlRNUll3RkFZRFZRUUtFdzFNWlhRbmN5QkZibU55ZVhCME1Rc3dDUVlEVlFRRApFd0pTTXpBZUZ3MHlNVEEyTWpNd09USXdOVGhhRncweU1UQTVNakV3T1RJd05UZGFNQjR4SERBYUJnTlZCQU1UCkUycDFhV05sTG1Od1lYQndjMlZqTG5OcGRHVXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUsKQW9JQkFRRGMrVVkrd2R6clFqZk9Ram4xdlFmN2VOVEJ0bG83SzFEWmJUekhlMk9BQi8vQUhWNkZMU0RPUjNvaAoycmRTeG1YSUVrVGg0czBRNWJjdmw4cU1TS05USU4yOC9EdlNJTHZXZm9DV2JUcFoxb1ZjZzNJY0s3cGRWZDZJCmVxS2FrTjU3M3JLVFZ5ajNGUUN6SzZNaUtIcFlNREFnR0dxN3Q3NC8wNE5nWkJoSGhVM1M3elpqRmNWYWtYUVkKUURqZmt2enpsQk43QXdyV2VxZGJNeXVLRytGb1MyV0xNeHE3bldyZDdLclV6bVppd3BvMHVKTVRUTDlKc2xWSAp4YVljNVlZcXZkZFpsbzl3dk1tOHNRNkRZY25ZRmw1YWNPK2FXRnJrdXh0aEJ6WEhIRVVGeGNReU9SQkFmNHNFCmZzTjdZN3FURHVqT3FsRjFOMTgrTU14d2JUc1pBZ01CQUFHamdnSk9NSUlDU2pBT0JnTlZIUThCQWY4RUJBTUMKQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUdDQ3NHQVFVRkJ3TUNNQXdHQTFVZEV3RUIvd1FDTUFBdwpIUVlEVlIwT0JCWUVGR2F0VFRuaTZUZGIvcFZmbDBVU3hwbU9tM05FTUI4R0ExVWRJd1FZTUJhQUZCUXVzeGUzCldGYkxybEFKUU9ZZnI1MkxGTUxHTUZVR0NDc0dBUVVGQndFQkJFa3dSekFoQmdnckJnRUZCUWN3QVlZVmFIUjAKY0RvdkwzSXpMbTh1YkdWdVkzSXViM0puTUNJR0NDc0dBUVVGQnpBQ2hoWm9kSFJ3T2k4dmNqTXVhUzVzWlc1agpjaTV2Y21jdk1CNEdBMVVkRVFRWE1CV0NFMnAxYVdObExtTndZWEJ3YzJWakxuTnBkR1V3VEFZRFZSMGdCRVV3ClF6QUlCZ1puZ1F3QkFnRXdOd1lMS3dZQkJBR0MzeE1CQVFFd0tEQW1CZ2dyQmdFRkJRY0NBUllhYUhSMGNEb3YKTDJOd2N5NXNaWFJ6Wlc1amNubHdkQzV2Y21jd2dnRUVCZ29yQmdFRUFkWjVBZ1FDQklIMUJJSHlBUEFBZGdEMgpYSlF2MFhjd0loUlVHQWd3bEZhTzQwMFRHVE8vM3d3dklBdk1UdkZrNHdBQUFYbzRZeUcyQUFBRUF3QkhNRVVDCklDVzBnK3RSQXFDcHYxeVBCcFpLYm96RGF4SmZTMFpac1F1b2lUakRuZ2daQWlFQXB3R1QwZS9LcHlIYlByN3QKMDRVR21TQkV5UWlqeEFqc1dCRkhiRTdNVGlFQWRnQkVsR1V1c083T3I4UkFCOWlvL2lqQTJ1YUN2dGpMTWJVLwowek9XdGJhQnFBQUFBWG80WXlIZEFBQUVBd0JITUVVQ0lRRE5wYjdPSTE2QUc4Y082UmVnQ253aU5mcElYdEN0CmcvZ3ZFWTdYRHd6N0JRSWdMRXU2Szg0MzE0SDF0eXo0Y0xJdThpUUVWclljb2drMUIxZEhocTBLR3dzd0RRWUoKS29aSWh2Y05BUUVMQlFBRGdnRUJBQnpoVTVJb2N0MC9aSXliUm1wNXhUN05vd2ZFUVYwZHlPQ3p3U2hGSjBOawpkZlhER2pXTGtRZjl0REs3L20vdm16V3FiZFVEeEFEUUdpMSt5eVZMOWY3UE9rdVEvR3V0YzZOQWdBQkcrR2h2CkdWZHIxZlJPZ25wQTNpejYvcnd0ZUNkS1NoZDYvN3BSVVJ1bGlPRWZmSWpZV0ZuSkFhdzRTUGp4Z002eEFXaTQKdW1iNkVXWFVLZFQxRWgwdm1Rc0Y1MzJrSU54VXBXV24rV3Z1TnFGdmg1a3MzWEtBRzJFVkFwWXZGUjA5WlV5bwowVHNWN0UreXlFWS9hbWdnSmFHZVNUckJZL3pWdE1lbEp1QWE5QlBnMURLa1lXR0xsMlF6NndvQXBhVE12NmdLCjZEN0I2dTBLNFM4Z0M5QUljK3ZqeXkzNU5yemhvYmNnN0Z5OEIrams1NWc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
```

### Create the ingress

```sh
kubectl apply -f ingress.yaml
```

ingress.yaml:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cpappsec-cp-ingress
  labels:
    app.kubernetes.io/name: store.cpappsec.site
spec:
  tls:
    - hosts:
        - "juice.cpappsec.site"
      secretName: store-secret
  rules:
    - host: "juice.cpappsec.site"
      http:
        paths:
          - path: /
            backend:
              serviceName: juice-shop
              servicePort: 8080
```

The `extensions/v1beta1` Ingress API works on the 1.19 cluster used here, but it was removed in Kubernetes 1.22; on newer clusters the same object has to be written as `networking.k8s.io/v1`.

### Publish and test

```sh
kubectl get svc
```

Copy the FQDN of the load balancer and create a CNAME record for `juice` that points at it. Access the web site over HTTPS. To simulate an attack, click on Login, enter the name `system inject ls pwd usr` with any password you want, click Login, and check the AppSec logs.
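The TLS-secret step above is the one most often done by hand, and a mismatched key and certificate only shows up later as a failed handshake at the ingress. The following script is an added example, not Check Point's or the page's own code: it produces a `kubernetes.io/tls` Secret manifest in the same shape as `store-secret`, refuses input that is not PEM, and (when openssl is available) checks that the certificate's public key belongs to the private key before the manifest is applied. The helper names `make_tls_secret`, `require_pem` and `key_matches_cert` are this example's own; `base64 | tr -d '\n'` is used in place of `openssl base64 -A` so the encoding step runs without openssl and produces the same single-line output.

```shell
#!/bin/sh
# Added example (not Check Point's code): build a kubernetes.io/tls Secret manifest
# from a PEM private key and certificate, in the shape of store-secret above.
# Helper names below are this example's own, not part of the Infinity Next chart.

# Single-line base64 of a file; same output as: openssl base64 -A -in "$1"
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Refuse anything that is not PEM of the expected kind. Pointing the encoder at a
# DER file or a PKCS#12 bundle yields a Secret that the nginx ingress cannot load.
require_pem() {
    pem_file=$1
    pem_kind=$2
    if ! grep -q -- "-----BEGIN.*${pem_kind}-----" "$pem_file"; then
        echo "error: $pem_file is not a PEM $pem_kind" >&2
        return 1
    fi
}

# Usage: make_tls_secret NAME KEYFILE CERTFILE   (prints the manifest to stdout)
make_tls_secret() {
    secret_name=$1
    key_file=$2
    cert_file=$3
    require_pem "$key_file" "PRIVATE KEY" || return 1
    require_pem "$cert_file" "CERTIFICATE" || return 1
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${secret_name}
type: kubernetes.io/tls
data:
  tls.key: "$(b64_oneline "$key_file")"
  tls.crt: "$(b64_oneline "$cert_file")"
EOF
}

# Pre-apply check: the certificate must carry the public key derived from this
# private key, otherwise the TLS handshake at the ingress fails. Both commands
# print the public key as PEM (SubjectPublicKeyInfo), so a plain string compare
# is enough. Needs openssl on the PATH; returns 2 if it is missing.
key_matches_cert() {
    key_file=$1
    cert_file=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Stand-alone use:
#   sh make_tls_secret.sh store-secret privatekey.key certificate.crt > store-secret.yaml
if [ "$#" -eq 3 ]; then
    key_matches_cert "$2" "$3" || echo "warning: key/certificate check did not pass" >&2
    make_tls_secret "$1" "$2" "$3"
fi
```

Run it with the secret name, key file and certificate file as arguments and redirect the output to `store-secret.yaml`, then apply that file the same way as the other manifests. The key check prints a warning rather than aborting so that the manifest can still be inspected, but a warning here means the ingress will serve a certificate that does not match its key.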