From ebd5e4a0deb64d04ff9ae9fe2e3ce4b5f7fd4ce7 Mon Sep 17 00:00:00 2001
From: donal <donalspring@gmail.com>
Date: Wed, 18 Apr 2018 16:04:16 +0200
Subject: [PATCH] FIXES based on MR conflicts

---
 exercises/4-an-enslaved-hope/README.md |   66 ++++++++++++++++++++++++++++++++-
 1 files changed, 64 insertions(+), 2 deletions(-)

diff --git a/exercises/4-an-enslaved-hope/README.md b/exercises/4-an-enslaved-hope/README.md
index 75fe5cf..68d107f 100644
--- a/exercises/4-an-enslaved-hope/README.md
+++ b/exercises/4-an-enslaved-hope/README.md
@@ -21,6 +21,8 @@
 1. [Pipeline](https://jenkins.io/doc/book/pipeline/) - Overview of the Jenkinsfile approach
 1. [Pipeline Syntax](https://jenkins.io/doc/book/pipeline/syntax/) - Documentation for the declarative pipeline
 1. [Groovy](http://groovy-lang.org/) - Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities, for the Java platform aimed at improving developer productivity thanks to a concise, familiar and easy to learn syntax. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming.
+1. [Zed Attack Proxy](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) - The OWASP Zed Attack Proxy (ZAP) is one of the world���s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
+1. [Arachni Crawler](http://www.arachni-scanner.com/) - Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications. It is free, with its source code public and available for review. It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform. In addition, its simple REST API makes integration a cinch.
 
 ## Big Picture
 This exercise begins cluster containing blah blah
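Review bot: The added Zed Attack Proxy entry has a corrupted character sequence in "world���s", which looks like a curly apostrophe saved in the wrong encoding; replace it with a plain `'` and make sure the file is committed as UTF-8. The same line carries a stray `*` after "volunteers" (a footnote marker copied from the OWASP page with no footnote here) and "Its also" should read "It's also". Both new entries are pasted project descriptions that are much longer than a link list needs; one sentence each on what the tool is used for in this exercise would serve the reader better.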
@@ -147,12 +149,72 @@
 2. Set the trigger to scan every minute as done previously. Save the configuration and we should see the collection of Jobs as shown below.
 ![todolist-fe-multi](../images/exercise4/todolist-fe-multi.png)
 
-3. Run the jobs and validate the app is working as expected in the `test` environment!
+2. Run the jobs and validate the app is working as expected in the `test` environment!
 
 ### Part 2 - Security Scanning Slaves
 > _This exercise focuses on updating the `enablement-ci-cd` repo with some new jenkins-slave pods for use in future exercise_
 
-3. TODO!
+#### Part 2a - OWASP ZAP
+> _OWASP ZAP (Zed Attack Proxy) is a free open source security tool used for finding security vulnerabilities in web applications._
+
+
+3. First we're going to take the generic jenkins slave template from our exercise4/zap branch and the params.
+```bash
+$ git checkout exercise4/zap-and-arachni params/ templates/jenkins-slave-generic-template.yml 
+```
+
+3. This should have created the following files:
+    - `templates/jenkins-slave-generic-template.yml`
+    - `params/zap-build-pod` and `params/arachni-build-pod`
+
+3. Create an object in `inventory/host_vars/ci-cd-tooling.yml` called `zap-build-pod` and add the following content:
+```yaml
+    - name: "zap-build-pod"
+      namespace: "{{ ci_cd_namespace }}"
+      template: "{{ playbook_dir }}/templates/jenkins-slave-generic-template.yml"
+      params: "{{ playbook_dir }}/params/zap-build-pod"
+      tags:
+      - zap
+```
+<p class="tip">
+NOTE- Install your Openshift Applier dependency if it's disappeared.
+```
+$ ansible-galaxy install -r requirements.yml --roles-path=roles
+```
+</p>
+
+3. Run the ansible playbook filtering with tag `zap` so only the zap build pods are run.
+```bash
+$ ansible-playbook apply.yml -e target=tools \
+     -i inventory/ \
+     -e "filter_tags=zap"
+```
+
+3. Head to (https://console.somedomain.com/console/project/<YOUR_NAME>-ci-cd/browse/builds) on Openshift and you should see `zap-build-pod`.
+include screenshot here.
+
+#### Part 2b - Arachni Scan
+> _Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications._
+
+3. Create an object in `inventory/host_vars/ci-cd-tooling.yml` called `arachni-build-pod` with the following content:
+```yaml
+    - name: "arachni-build-pod"
+      namespace: "{{ ci_cd_namespace }}"
+      template: "{{ playbook_dir }}/templates/jenkins-slave-generic-template.yml"
+      params: "{{ playbook_dir }}/params/arachni-build-pod"
+      tags:
+      - arachni
+```
+
+3. Run the ansible playbook filtering with tag `arachni` so only the arachni build pods are run.
+```bash
+$ ansible-playbook apply.yml -e target=tools \
+     -i inventory/ \
+     -e "filter_tags=arachni"
+```
+
+3. Head to (https://console.somedomain.com/console/project/<YOUR_NAME>-ci-cd/browse/builds) on Openshift and you should see `arachni-build-pod`.
+![todolist-fe-multi](../images/exercise4/builds-zap-arachni.png)
 
 _____
 
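Review bot: The first Part 2a step says the template comes from "our exercise4/zap branch", but the command under it checks out from `exercise4/zap-and-arachni`; make the prose name the branch the command actually uses, otherwise readers will look for a branch that is not referenced anywhere else in this change. The line "include screenshot here." after the ZAP console step is a leftover placeholder and should be replaced with the image or dropped, and the Arachni image reuses the alt text `todolist-fe-multi` while pointing at `builds-zap-arachni.png`. The renumbering of "Run the jobs" from `3.` to `2.` now duplicates the `2.` on the step above it, and every new step is numbered `3.`; pick one scheme. The `ansible-galaxy` fence sits inside `<p class="tip">` and has no language tag, so many Markdown renderers will show the backticks literally; move the command outside the HTML block or mark it up consistently with the other `bash` fences. The console URLs are wrapped in bare parentheses with `<YOUR_NAME>` in the path, which a renderer may treat as an HTML tag; put the URL in backticks or a proper link.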

--
Gitblit v1.9.3