From YouTube: Demo of SAST in an Air-gapped/offline environment
We can set up some firewall rules that basically allow Internet access and SSH access, but I've had issues with UFW, namely that Docker ignores the firewall entirely, which is fun. So the easiest thing seemed to be just disallowing all access on the host, but to use the host we should use it. We should interact with it somehow, so whitelisting a single IP, instead of whitelisting everyone's IP who wants to interact with the host, seemed like a tighter air gap.

To SSH in, currently I'm connecting directly to it. So this firewall rule right now is just disallowing egress traffic from the host. Ideally we should be going through the bastion; I haven't gotten that set up yet. Okay. So currently we don't really use a bastion for anything, but I plan to, namely we'll connect over here to that one as well.

Okay, so this is essentially the script that I've put together on the bastion to pull over our analyzers. What this does is it iterates over the list of analyzers. It pulls them down, because the bastion has internet access and the host should not. It saves them and exports to a tar file, and then it adds write access to that from there. We...

Within this I only uploaded a couple of analyzers, so let's go ahead and start with the SAST one. Here's the eslint analyzer. This is just the readme file, so I just created this project to hold the containers, and there's not really any reason to actually reflect the way that we host containers. This is mostly just because it was a bit easier to set up this way.

So the default analyzer is eslint, with docker-in-docker disabled. There's one other job here, which is check-airgap, and this is just to make sure that we are running a job that tries to reach out to the registry and fails, and exits 1 if it actually reaches the registry. So this is our job demonstrating that the air gap is tight.

Yeah, [inaudible], so we go through our bastion host and we can set up a port forward tunnel to actually forward 443 on the air-gapped host. Actually, this one goes... this one here, it goes here, but we expose port 443 on the bastion host, which port forwards straight through to the air-gapped host, and so all traffic to the air gap...

Yeah, that makes sense to me. The other way that you could do this is, instead of a bastion host, set up a remote desktop, so that you remote desktop into a server, like a Windows machine or a Mac machine or whatever, and so that would open up that port on a remote desktop for it. But then your network's completely cut off other than that remote desktop. Does that make sense? Yeah.

The first step is something like install GitLab EE, and you'd, like, apt install gitlab-ee. So how that actual step works, I'm not entirely sure. I don't know if that's something that runs on a hard drive and then hot swaps the hard drive into the air-gapped host, or we need to get more specific about that. But once that step is done, then you kind of need to do the docker save, docker load, side-loading containers over, like, SCP or something, so that's the only part that I... I.

Okay, the current problem I was running into here, and this is mostly just because I don't know what I'm doing for dependency scanning.

I'm not quite sure the gemnasium DB local path should be changed; it might be wrong, and that's probably the cause of this, but I'm assuming this was just for configuring where we want to put the local clone in the image. It's more useful when building the image itself, but I'm sure it's considered at run time anyway. When I... Thank you, by the way. Thank you for trying out a different system, but I know we have some...

Cool, so these credentials are in the readme as well. I didn't bother creating one that wasn't root, but here's the IP for the hosts that should be accessible.

We need to docker push within here. Then the sub-path needs to match a project path for the registry, because we don't have group-level registries, for instance, so you could just push it to any one of these really. I just think that it's a bit easier to keep those separate. It may not be necessary.

I don't know of any issues it would cause, but that's a fair assumption. I did secure this already, so that's a non-default password, and new user signups are disabled, wherever that is, so it should be good. I don't really know how to create users through here. I've never had to do that before, but it's probably an option. You...

Do we have any more things we want to be part of the recording, where we got to this set-up? Like, well, I think we could have this conversation separately. I'm just... what is the effort for you to put this together? My question is following up on the one from Tomas, which is: is it easy to set up a similar environment for each team to be more autonomous, or should we make an effort to work on the same one?

I think it's pretty straightforward, but I would be curious if other people think so. I think it would be... actually, I would encourage it, because I've been very curious if the QuickStart instructions that I captured make sense. So if someone wants to follow those and see if they can still stand it up, then cool, but if time is an issue, feel free to use this one. How...

Okay, I mean, I'm fine trying this, and in the worst-case scenario I will just delegate to the existing demos that are not using such environments and make sure that we are... I mean, whoever will be responsible for doing the live session will be able to deliver such environments.

I might incur in terms of getting something working. I think that this test Python project is close. I don't know what to do to get it working from there, so I might just try and get it working on the existing projects, and maybe a second step would be... I'm sorry, you need to use the IP address. The second step would be trying to set up a dedicated one, but if time is a factor, I think this is close.

I mean, one of my criticisms would be that you're still accessing an HTTP host or HTTPS host, so it's not showing that it's locked down. That's why the proposal of using RDP or remote desktop, which is a completely different port than any other kind of communication, might further illustrate that this is more air-gapped. I think technically what we're saying is correct, but, you know, that's just an area you can argue, like, hey, you still have, you know, these HTTP ports opened.

You know, maybe one of the other options is that we access that, read the HTTP, over just a strange port number that we just make up and say, hey, this is on port 9000, not in the software program to access or used before. 9000, reverse proxy on ingress, yep, and that way the egress obviously wouldn't know how to get out, right? Yeah.

That was my original plan. I have it bound at 8443, which probably isn't the most obscure port, but let's wait on the bastion. But I still haven't had anyone take a shot at throwing that on there, or just change the default port. The only thing with changing the port is I want to double-check on exactly how the runners communicate with the host, with the Rails app, and see if that would explode.

So we would have whatever port number, let's say it's 9000, going in, and then inside the network you use regular port numbers, and that way, for example, if there's something that we forgot on the scanner that's trying to access out on port 80, or HTTP or HTTPS, that's not gonna work.