Bring Your Own Provisioner
Ax comes with several Packer Provisioners (JSON or HCL) to help you get up and running quickly. However, once you become comfortable with the system, it is highly recommended to build your own Provisioner. This reduces the risk of a successful supply chain attack against the Default (and other) Provisioners.
Supply Chain Security: AttackSurge is cautious about what tools and dependencies are installed through the Default Provisioner to minimize risks associated with supply chain attacks. We have adopted Docker modules for many Python scripts requiring software dependencies, which helps isolate and manage these dependencies more securely. However, this approach does come with trade-offs, such as increased image size, which can lead to slower build and provisioning times.
For Go tools, we typically use go install to pull in the latest versions directly to the instance's environment. While this method reduces some risks by sourcing dependencies directly from their original repositories, it is not foolproof. There's still a potential risk that a tool or one of its dependencies could pull in release files or other opaque sources, bypassing the visibility and security of a full Git commit history. This could allow malicious code to be introduced without detection.
Despite these precautions, no system is entirely immune to supply chain attacks. The tools we install, or their dependencies, could still be compromised if a trusted developer's account is hacked, or if a developer unknowingly includes a malicious package. Such scenarios could lead to the introduction of harmful code, potentially compromising the instances.
Importantly, any compromise of a JSON or HCL Provisioner would be contained within disposable instances. The Ax Controller, which stores cloud account credentials, remains isolated and secure from these instances, unless an entirely separate vulnerability is discovered that specifically targets the Ax Controller.
Given these challenges, one significant benefit of bringing your own Provisioner is the ability to tailor the security measures and controls to your specific needs.
To that point, it's highly recommended to create your own Provisioner. To quickly create your own Provisioner, we recommend using the Barebones Provisioner as a template. This Provisioner installs the following tools via apt-get.
Oh My Zsh is also installed, followed by Golang, Docker, Interlace (required for One-Shot Modules) and nmap.
We are confident that this approach substantially reduces the risk, although this Provisioner (Barebones) doesn't come with many pre-installed tools.
One easy way to add extra tools is to copy and paste select lines from the Default or Extras Provisioners and add them to a copy of the Barebones Provisioner. It is recommended to add them to any line after the Optimizing SSH Connections section.
Now that we have a new Provisioner with some of our favorite tools, SecLists and Trickest DNS resolvers, we can run ax build --setup, select custom and enter the name of your new Provisioner.
Or, my personal preference, just type ax build $name-of-new-Provisioner
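Before building, the lines copied into your own Provisioner can be checked for the unpinned and opaque install sources discussed above. The script below is an added example, not part of Ax: it assumes a JSON Provisioner that uses Packer's shell provisioner with an inline command list (HCL would need a different parser), and the rule names, regular expressions and sample template are constructed for illustration.

```python
import json
import re

# Heuristic rules (assumed for this example): install commands whose
# source is unpinned or cannot be reviewed in a Git commit history.
RULES = [
    ("go-unpinned", re.compile(
        r"\bgo install\s+(?:-\S+\s+)*\S+@(latest|master|main)\b")),
    ("pipe-to-shell", re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # Release archive fetched with no sha256sum check in the same command.
    ("release-download", re.compile(
        r"^(?!.*sha256sum).*\b(curl|wget)\b.*/releases/(download|latest)/")),
    ("docker-no-digest", re.compile(
        r"\bdocker pull\s+(?!\S*@sha256:)\S+")),
]

def audit_provisioner(template_text):
    """Return (provisioner_index, rule, command) for each flagged command."""
    template = json.loads(template_text)
    findings = []
    for idx, prov in enumerate(template.get("provisioners", [])):
        if prov.get("type") != "shell":
            continue  # file uploads etc. carry no inline commands
        for cmd in prov.get("inline", []):
            for rule, pattern in RULES:
                if pattern.search(cmd):
                    findings.append((idx, rule, cmd))
    return findings

# Constructed sample template; hosts, tools and versions are placeholders.
SAMPLE = json.dumps({"provisioners": [{
    "type": "shell",
    "inline": [
        "sudo apt-get install -y nmap",
        "go install example.com/tools/scanner@latest",
        "go install example.com/tools/scanner@v1.4.2",
        "curl -sL https://example.com/install.sh | sudo bash",
        "wget https://example.com/org/tool/releases/download/v2.0/tool.tgz",
        "docker pull example/image:latest",
        "docker pull example/image@sha256:" + "0" * 64,
    ],
}]})

if __name__ == "__main__":
    for idx, rule, cmd in audit_provisioner(SAMPLE):
        print(f"provisioner[{idx}] {rule}: {cmd}")
```

Each finding is a prompt to pin a tagged version or digest, or to add a checksum check, before the line goes into your Provisioner; it is not evidence of compromise.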