1. Ansible allows running automated tasks on remote servers using SSH, but running shell scripts introduces security risks if the Ansible controller is compromised. 2. Vagrant and Packer help create and distribute virtual machine images but early versions had security issues like hardcoding HTTP downloads and lack of signed checksums. Standards have improved but offline usage remains important. 3. Working offline can significantly speed up development workflows by avoiding network latency and issues, through techniques like freezing dependencies, caching packages locally, and disabling online repositories.

2. Summary
1. Ansible
2. Vagrant/Packer
3. Going of ine

4. IRMA
(Incident Response and Malware Analysis)
https://github.com/quarkslab/irma
Private platform (as it's open-source)
Multi-Analysis engine
Extendable

7. Summary
1. From one week to two days
2. From two days to 6 hours
3. From 6 hours to few minutes

8. 1. From one week to two days

9. What's Ansible?
Agentless Automation platform (and Open-source)
Use SSH to access servers/…
Run tasks (written in yaml) in sequence

10. Where's the problem?
Role example:
- name: Install Software
shell: curl http://get.mysoftware.com | sudo bash

11. CVE-2016-9587
CVE-2016-9587 is rated as HIGH in risk,
as a compromised remote system being
managed via Ansible can lead to
commands being run on the Ansible
controller (as the user running the ansible
or ansible-playbook command).

12. 2. From two days to 6 hours
(Virtual Machines O The
Shelf)

13. Vagrant

14. What's a Vagrant Box?
$ tar -tf ~/libvirt.box
box.img
metadata.json

15. How to connect to a Vagrant box out-of-
the-box?
At rst it was a good idea to set up some common SSH keys...

16. One year later…

17. And three years later, some progress has been made!

18. Best practice from mitchellh:
( )https://github.com/mitchellh/vagrant/tree/master/keys
“If you're working with a team or
company or with a custom box and you
want more secure SSH, you should create
your own keypair and con gure the
private key in the Vagrant le with
'con g.ssh.private_key_path'.”

19. Home-made boxes

21. I'll use Packer, and even more, boxcutter because they're so
famous!
But I shouldn't have... because of that:
$ cd boxcutter/debian/script && grep http: *
cmtool.sh: wget -O - http://bootstrap.saltstack.org | sudo sh
cmtool.sh: curl -L http://bootstrap.saltstack.org | sudo sh -s -- git $CM_VERSION
cmtool.sh: wget http://apt.puppetlabs.com/${DEB_NAME}

22. Boxes in the rightful cloud

23. Atlas Cloud

24. $ vagrant box add ubuntu/trusty64
==> box: Loading metadata for box 'ubuntu/trusty64'
box: URL: https://atlas.hashicorp.com/ubuntu/trusty64
==> box: Adding box 'ubuntu/trusty64' (v20170208.0.0) for
provider: virtualbox
box: Downloading: https://atlas.hashicorp.com/ubuntu/boxes
/trusty64/versions/20170208.0.0/providers/virtualbox.box
==> box: Successfully added box 'ubuntu/trusty64' (v20170208.0.0)
for 'virtualbox'!

25. From https://www.vagrantup.com/docs/cli/box.html
“For boxes from HashiCorp's Atlas, the
checksums are embedded in the
metadata of the box. The metadata itself
is served over TLS and its format is
validated.”

27. But wait... Let's look at this checksum story...

28. From
https://www.vagrantup.com/docs/boxes/format.html
“You do not need to manually make the
metadata. If you have an account with
HashiCorp's Atlas, you can create boxes
there, and HashiCorp's Atlas
automatically creates the metadata for
you.”

29. From
https://www.vagrantup.com/docs/boxes/format.html
It is a JSON document, structured in the
following way:”
{"name": "hashicorp/precise64",
"description": "This box contains Ubuntu 12.04 LTS 64-bit.",
"versions": [{
"version": "0.1.0",
"providers": [{
"name": "virtualbox",
"url": "http://somewhere.com/precise64_010_virtualbox.box"
"checksum_type": "sha1",
"checksum": "foo"
}]}]}

30. Great, I like that, so I should nd it here for example on
:
Nope...
https://atlas.hashicorp.com/ubuntu/boxes/trusty64.json

31. Erf, let's look into some Hashicorp box instead on
Still nope...
https://atlas.hashicorp.com/hashicorp/boxes/precise64.json

33. Let's try one last thing...
$ cat imdesperate.json
{"name": "hashicorp/precise64",
"versions": [{
"version": "1.1.0",
"providers": [{
"name": "virtualbox",
"url": "https://atlas.hashicorp.com/hashicorp/boxes/pre
cise64/versions/1.1.0/providers/virtualbox.box",
"checksum_type": "sha1",
"checksum": "imdesperate"}]}]}
$ vagrant box add imdesperate.json
==> box: Loading metadata for box 'imdesperate.json'
box: URL: file:///home/user/imdesperate.json
==> box: Adding box 'hashicorp/precise64' (v1.1.0) for provider:
virtualbox
box: Downloading: https://atlas.hashicorp.com/hashicorp/box
es/precise64/versions/1.1.0/providers/virtualbox.box
...

34. ...
box: Calculating and comparing box checksum...
The checksum of the downloaded box did not match the expected
value. Please verify that you have the proper URL setup and that
you're downloading the proper file.
Expected: imdesperate
Received: 034f4af281e648cd65ca6e8d731128b7d2b3ed40

35. We did it better
GPG signed checksums data
Metadata les served over TLS with checksum
information
https://github.com/quarkslab/packer-ubuntu#security

36. 3. From 6 hours to few
minutes

37. DevOps: when the Internet is on

38. DevOps: when the Internet is broken

39. You can save a bunch of minutes with o ine mode!
No more latency
No more bandwidth bottleneck
No more side-effect

40. Worst error of the dev people?

41. Pip dependencies
Freeze speci c versions and do not upgrade unless
you check the new versions
Do not download exotic packages even from PyPi
Do not rely on Github repos or things like that
Use of ine package
$ mkdir toto
$ pip install -d ./toto mypackage
#move the folder on the offline node
$ pip install --no-index --find-links ./toto mypackage

42. Apt dependencies
Just use
It will be:
Quickier
More secure
More stable
https://packages.debian.org/jessie/apt-of ine

43. The result
$ git clone https://github.com/quarkslab/irma.git
$ cd ansible && vagrant up