The Fedora Security Lab has been around for a very long time now, but something was still missing: the counterpart, the dark side, the evil, or the Yang. It's nice to have a tool set like the Fedora Security Lab, but without a workbench it's not much fun. We want to change that now and would like to introduce the Fedora Security Lab Test bench. At this point in time it is a proof of concept, but it is already working.
The Fedora Security Lab Test bench is a system which provides various vulnerable PHP applications (DVWA, bWAPP, SQLI Labs, and SQLol), some PHP shells, some low-interaction honeypots (Microsoft Windows XP, Microsoft Windows 2003 Server, and Linux 2.4.20), and some helper tools (linfo, phpMyAdmin, CGI, and a log viewer). For easy interaction with the system, a Bootstrap-based web interface is available.
We use Ansible to set up the FSL Test bench on a minimal Fedora installation. All playbooks are available in the Fedora Security Lab Test bench git repository. At the moment we focus on setting up the Fedora Security Lab Test bench on a single machine, to make it easy for end users to set up their own Test bench. Support for virtual machines on top of a libvirt-enabled host, and for using multiple systems to separate the applications or to run in a classroom environment, is on the way.