|
| 1 | +apiVersion: phenix.sandia.gov/v1 |
| 2 | +kind: Image |
| 3 | +metadata: |
| 4 | + name: caldera |
| 5 | +spec: |
| 6 | + format: qcow2 |
| 7 | + release: bookworm |
| 8 | + mirror: http://ftp.us.debian.org/debian/ |
| 9 | + deb_append: ' --components=main,restricted,universe,multiverse' |
| 10 | + packages: |
| 11 | + - curl |
| 12 | + - dbus |
| 13 | + - ifupdown |
| 14 | + - init |
| 15 | + - initramfs-tools |
| 16 | + - iproute2 |
| 17 | + - iputils-ping |
| 18 | + - isc-dhcp-client |
| 19 | + - less |
| 20 | + - linux-headers-amd64 |
| 21 | + - linux-image-amd64 |
| 22 | + - net-tools |
| 23 | + - netbase |
| 24 | + - openssh-server |
| 25 | + - tcpdump |
| 26 | + - vim |
| 27 | + - wget |
| 28 | + script_order: |
| 29 | + - POSTBUILD_NO_ROOT_PASSWD |
| 30 | + - POSTBUILD_PHENIX_HOSTNAME |
| 31 | + - POSTBUILD_PHENIX_BASE |
| 32 | + - INSTALL_CALDERA |
| 33 | + - POSTBUILD_APT_CLEANUP |
| 34 | + scripts: |
| 35 | + INSTALL_CALDERA: | |
| 36 | + export DEBIAN_FRONTEND=noninteractive |
| 37 | +
|
| 38 | + # Installing xfce4 here to avoid issues that occur if it's included in the base install. |
| 39 | + apt update && apt install -y \ |
| 40 | + ca-certificates firefox-esr git nodejs npm python3-dev python3-pip xfce4 xfce4-terminal |
| 41 | +
|
| 42 | + wget -O /tmp/go.tgz https://golang.org/dl/go1.24.0.linux-amd64.tar.gz \ |
| 43 | + && tar -C /usr/local -xzf /tmp/go.tgz && rm /tmp/go.tgz \ |
| 44 | + && ln -s /usr/local/go/bin/* /usr/local/bin \ |
| 45 | + && export GOROOT=/usr/local/go |
| 46 | +
|
| 47 | + mkdir -p /go/src /go/bin |
| 48 | + chmod -R 777 /go |
| 49 | +
|
| 50 | + git clone --recursive --branch 5.1.0 https://github.com/mitre/caldera.git /opt/caldera |
| 51 | + cd /opt/caldera && python3 -m pip install --break-system-packages -r requirements.txt |
| 52 | +
|
| 53 | + git submodule add -b facts https://github.com/activeshadow/caldera-modbus.git plugins/modbus |
| 54 | + git submodule add -b main https://github.com/activeshadow/caldera-dnp3.git plugins/dnp3 |
| 55 | + git submodule add -b main https://github.com/activeshadow/caldera-ot.git plugins/ot |
| 56 | + git submodule add -b main https://github.com/activeshadow/caldera-phenix.git plugins/phenix |
| 57 | +
|
| 58 | + cat > /etc/systemd/system/caldera.service <<EOF |
| 59 | + [Unit] |
| 60 | + Description=CALDERA Framework |
| 61 | +
|
| 62 | + [Service] |
| 63 | + WorkingDirectory=/opt/caldera |
| 64 | + ExecStart=/usr/bin/python3 server.py --insecure --build --log INFO |
| 65 | +
|
| 66 | + [Install] |
| 67 | + WantedBy=multi-user.target |
| 68 | + EOF |
| 69 | +
|
| 70 | + mkdir -p /etc/systemd/system/multi-user.target.wants |
| 71 | + ln -s /etc/systemd/system/caldera.service /etc/systemd/system/multi-user.target.wants/caldera.service |
| 72 | +
|
| 73 | + # Default screen resolution to 1600x900 |
| 74 | + mkdir -p /root/.config/xfce4/xfconf/xfce-perchannel-xml |
| 75 | + cat > /root/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml <<EOF |
| 76 | + <?xml version="1.0" encoding="UTF-8"?> |
| 77 | + <channel name="displays" version="1.0"> |
| 78 | + <property name="ActiveProfile" type="string" value="Default"/> |
| 79 | + <property name="Default" type="empty"> |
| 80 | + <property name="Virtual-1" type="string" value="Virtual-1"> |
| 81 | + <property name="Active" type="bool" value="true"/> |
| 82 | + <property name="EDID" type="string" value=""/> |
| 83 | + <property name="Resolution" type="string" value="1600x900"/> |
| 84 | + <property name="RefreshRate" type="double" value="60.000000"/> |
| 85 | + <property name="Rotation" type="int" value="0"/> |
| 86 | + <property name="Reflection" type="string" value="0"/> |
| 87 | + <property name="Primary" type="bool" value="true"/> |
| 88 | + <property name="Scale" type="empty"> |
| 89 | + <property name="X" type="double" value="1.000000"/> |
| 90 | + <property name="Y" type="double" value="1.000000"/> |
| 91 | + </property> |
| 92 | + <property name="Position" type="empty"> |
| 93 | + <property name="X" type="int" value="0"/> |
| 94 | + <property name="Y" type="int" value="0"/> |
| 95 | + </property> |
| 96 | + </property> |
| 97 | + </property> |
| 98 | + <property name="Fallback" type="empty"> |
| 99 | + <property name="Virtual-1" type="string" value="Virtual-1"> |
| 100 | + <property name="Active" type="bool" value="true"/> |
| 101 | + <property name="EDID" type="string" value=""/> |
| 102 | + <property name="Resolution" type="string" value="1600x900"/> |
| 103 | + <property name="RefreshRate" type="double" value="60.000000"/> |
| 104 | + <property name="Rotation" type="int" value="0"/> |
| 105 | + <property name="Reflection" type="string" value="0"/> |
| 106 | + <property name="Primary" type="bool" value="true"/> |
| 107 | + <property name="Scale" type="empty"> |
| 108 | + <property name="X" type="double" value="1.000000"/> |
| 109 | + <property name="Y" type="double" value="1.000000"/> |
| 110 | + </property> |
| 111 | + <property name="Position" type="empty"> |
| 112 | + <property name="X" type="int" value="0"/> |
| 113 | + <property name="Y" type="int" value="0"/> |
| 114 | + </property> |
| 115 | + </property> |
| 116 | + </property> |
| 117 | + </channel> |
| 118 | + EOF |
| 119 | + POSTBUILD_APT_CLEANUP: | |
| 120 | + apt clean || apt-get clean || echo "unable to clean apt cache" |
| 121 | + POSTBUILD_NO_ROOT_PASSWD: | |
| 122 | + sed -i 's/nullok_secure/nullok/' /etc/pam.d/common-auth |
| 123 | + sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config |
| 124 | + sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords yes/' /etc/ssh/sshd_config |
| 125 | + sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config |
| 126 | + sed -i 's/PermitEmptyPasswords no/PermitEmptyPasswords yes/' /etc/ssh/sshd_config |
| 127 | + passwd -d root |
| 128 | + POSTBUILD_PHENIX_BASE: | |
| 129 | + cat > /etc/systemd/system/phenix.service <<EOF |
| 130 | + [Unit] |
| 131 | + Description=phenix startup service |
| 132 | + After=network.target systemd-hostnamed.service |
| 133 | + [Service] |
| 134 | + Environment=LD_LIBRARY_PATH=/usr/local/lib |
| 135 | + ExecStart=/usr/local/bin/phenix-start.sh |
| 136 | + RemainAfterExit=true |
| 137 | + StandardOutput=journal |
| 138 | + Type=oneshot |
| 139 | + [Install] |
| 140 | + WantedBy=multi-user.target |
| 141 | + EOF |
| 142 | + mkdir -p /etc/systemd/system/multi-user.target.wants |
| 143 | + ln -s /etc/systemd/system/phenix.service /etc/systemd/system/multi-user.target.wants/phenix.service |
| 144 | + mkdir -p /usr/local/bin |
| 145 | + cat > /usr/local/bin/phenix-start.sh <<EOF |
| 146 | + #!/bin/bash |
| 147 | + for file in /etc/phenix/startup/*; do |
| 148 | + echo \$file |
| 149 | + bash \$file |
| 150 | + done |
| 151 | + EOF |
| 152 | + chmod +x /usr/local/bin/phenix-start.sh |
| 153 | + mkdir -p /etc/phenix/startup |
| 154 | + POSTBUILD_PHENIX_HOSTNAME: | |
| 155 | + echo "phenix" > /etc/hostname |
| 156 | + sed -i 's/127.0.1.1 .*/127.0.1.1 phenix/' /etc/hosts |
| 157 | + cat > /etc/motd <<EOF |
| 158 | +
|
| 159 | + ██████╗ ██╗ ██╗███████╗███╗ ██╗██╗██╗ ██╗ |
| 160 | + ██╔══██╗██║ ██║██╔════╝████╗ ██║██║╚██╗██╔╝ |
| 161 | + ██████╔╝███████║█████╗ ██╔██╗██║██║ ╚███╔╝ |
| 162 | + ██╔═══╝ ██╔══██║██╔══╝ ██║╚████║██║ ██╔██╗ |
| 163 | + ██║ ██║ ██║███████╗██║ ╚███║██║██╔╝╚██╗ |
| 164 | + ╚═╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚══╝╚═╝╚═╝ ╚═╝ |
| 165 | +
|
| 166 | + EOF |
| 167 | + echo "\nBuilt with phenix image on $(date)\n\n" >> /etc/motd |
| 168 | + size: 50G |
| 169 | + variant: minbase |
| 170 | + |
0 commit comments