Configuring Acunetix 360 for Linux on Amazon Web Services (Ubuntu)

Acunetix 360 can be configured to run scanner agents on Amazon Web Services (AWS). When you launch a new scan, Acunetix 360 creates a new Linux instance for the target scan and terminates it automatically once the scan is completed.

This document explains how to configure Acunetix 360 for Linux on AWS to run scanner agents. For more information about using Cloud Providers with Invicti Enterprise, refer to Cloud Provider Settings.

There are 6 stages to this process:

  1. Select a region
  2. Create S3 buckets
  3. Create IAM users
  4. Create an AMI for the scanner agent
  5. Configure Acunetix 360
  6. Update the scanner agent

Step 1. Selecting a region

Acunetix 360 uses AWS S3 buckets for object storage and EC2 service for launching new instances.

For information on how to select a region, refer to Amazon's EMR documentation.

NOTE: S3 and EC2 resources need to be in the same AWS region. Choose an AWS region and create all resources in that same region.

Step 2. Creating S3 buckets

Acunetix 360 needs three different buckets to store scan data. Follow the steps below to create S3 buckets.

  1. Open the AWS console and navigate to the S3 service.
  2. Create 3 buckets for raw scan data, screenshots, and customizations. For example, you can use bucket names like this:
  • exampleinc.acx.scandata (for raw scan data)
  • exampleinc.acx.scanscreenshots (for form authentication screenshots)
  • exampleinc.acx.customizations (for customizations)

You can apply the following precautions to harden your buckets.

  1. Enable Encryption: Amazon provides a default encryption service or you can use your own keys. For further information, Amazon S3 default encryption for S3 buckets.
  2. Monitoring and Auditing: Amazon provides ways to monitor and audit S3 buckets. For further information, Amazon S3 Monitoring and Auditing Best Practices.

Step 3. Create IAM Users & Policies

During this step, you need to create the following:

3.1 How to create an access policy for the web application

  1. Go to the AWS console and navigate to the IAM service.
  2. Select Policies.
  3. Click Create Your Own Policy.
  4. Enter a policy name (e.g. ACXWebAppPolicy).
  5. Enter your bucket names in the following policy template code and paste the code into the Policy Document field.

{

    "Statement": [

        {

            "Action": [

                "s3:*"

            ],

            "Effect": "Allow",

            "Resource": [

                "arn:aws:s3:::exampleinc.acx.scandata/*",

                "arn:aws:s3:::exampleinc.acx.scanscreenshots/*",

                "arn:aws:s3:::exampleinc.acx.customizations/*"

            ]

        },

        {

            "Action": [

                "ec2:CreateTags",

                "ec2:DeleteTags",

                "ec2:DescribeInstances",

                "ec2:RunInstances",

                "ec2:TerminateInstances"

            ],

            "Effect": "Allow",

            "Resource": "*"

        }

    ],

    "Version": "2012-10-17"

}

  1. Select Create Policy.

3.2 How to create an access policy for the scanner agent

  1. Select Policies.
  2. Select Create Your Own Policy.
  3. Enter a policy name for scanner agent (e.g. ACXAgentPolicy).
  4. Enter your bucket names into the following policy template code and paste the code into the Policy Document field.

{

    "Statement": [

        {

            "Action": [

                "s3:DeleteObject",

                "s3:PutObject"

            ],

            "Effect": "Allow",

            "Resource": [

                "arn:aws:s3:::exampleinc.acx.scandata/*",

                "arn:aws:s3:::exampleinc.acx.scanscreenshots/*"

            ]

        },

        {

            "Action": [

                "s3:ListBucket"

            ],

            "Effect": "Allow",

            "Resource": [

                "arn:aws:s3:::exampleinc.acx.customizations",

                "arn:aws:s3:::exampleinc.acx.scandata",

                "arn:aws:s3:::exampleinc.acx.scanscreenshots"

            ]

        },

        {

            "Action": [

                "s3:GetObject"

            ],

            "Effect": "Allow",

            "Resource": [

                "arn:aws:s3:::exampleinc.acx.customizations/*",

                "arn:aws:s3:::exampleinc.acx.scandata/*",

                "arn:aws:s3:::exampleinc.acx.scanscreenshots/*"

            ]

        }

    ],

    "Version": "2012-10-17"

}

  1. Select Create Policy.

3.3 How to create a user for the web application

  1. Select Users.
  2. Select Add User.
  3. Enter a user name (e.g. ACXWebApp).
  4. After creating the user, select Permissions
  5. Select “Attach policies directly” and use the Customer managed filter
  6. Select the previously created web app policy (e.g. NEWebAppPolicy).
  7. Click Attach existing policies directly.

  1. Click Next to create the web app user.
  2. To create your Access Keys, select the NEWebapp user from the IAM page.

  1. Open the Security credentials tab, scroll down to Access Keys, and select the option Application running on an AWS compute service.

  1. Copy those into your notes for the Cloud Provider settings

3.4 How to create a user for the scanner agent

  1. Click Users.
  2. Click Add User.
  3. Enter a user name (e.g. ACXAgent).
  4. After creating the user, select Permissions.
  5. Select “Attach policies directly” and use the Customer managed filter
  6. Select the previously created web app policy (e.g. NEAgentPolicy).
  7. Click Attach existing policies directly.

  1. Click Next to create the NEAgent user.
  2. Select the NEAgent user from the IAM page to create your Access Keys.
  3. Select Security, scroll down to Access Keys, then select the option Application running on an AWS compute service.
  4. Copy those into your notes for the Cloud Provider settings.

Step 4: Create an AMI for the Scanner Agent

There are three steps to this process:

  1. Launch an instance for the scanner agent
  2. Configure the scanner agent instance
  3. Creating a scanner agent image

4.1 How to launch an instance for a scanner agent

  1. Navigate to the EC2 service.
  2. From the main menu, select Instances.
  3. Select Launch Instance.
  4. Choose Ubuntu instance base as the AMI.

  1. Select Choose Instance Type and choose an Instance Type (c4.large is recommended).
  2. Select Configure Instance.
  3. Set the Auto-assign Public IP drop-down to Enable. (This is needed for RDP connections.)

  1. Select Next: Add Storage and set the Disk Size (a minimum of 30 GB is recommended).
  2. Select Next: Add Tags.
  3. Select Next: Configure Security Group.
  4. Select Review and Launch.

4.2 How to configure a scanner agent instance

You need to install the Acunetix 360 Scanner Agent to the target EC2 instance. There are three steps to install the agent on your Ubuntu instance.

4.2.1 Configuring Scanner Agent Instance

  1. Navigate to the EC2 service.
  2. Select Instances from the main menu.
  3. Right-click the previously launched scanner agent instance, and select Connect.

  1. Connect to your instance with the supplied RDP information.
  2. Ensure that you can connect to your on-premises Acunetix 360 web application from this instance.
  3. Update the following operating system application repositories:

sudo apt update && sudo apt upgrade -y

  1. Install the following dependent packages:

sudo apt-get install p7zip-full
sudo apt install -y wget gss-ntlmssp nano mono-complete apt-transport-https

Ensure your Mono version is version 5.20 or above. For more information, refer to How to update Mono at the very end of this document.

  1. Create folder for Acunetix Scanner dependency:

sudo mkdir -p /home/ubuntu/.local/share/Netsparker_Ltd

sudo chown -R ubuntu /home/ubuntu/.local/share/Netsparker_Ltd

  1. Install the Headless Chrome browser dependencies:

sudo apt install -y gconf-service libasound2 libatk1.0-0 libatk-bridge2.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc1 libgconf-2-4 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release xdg-utils libgdiplus

  1. Next, extract the TAR file:
  1. Download invicti-agent-release-onpremises-2.3.0.0.tar onto your Linux instance.
  2. To extract the scan agent, run the following commands:

tar xf invicti-agent-release-onpremises-2.3.0.0.tar

chmod +x .local-chromium/Linux-*/chrome-linux/chrome

IMPORTANT: You must change the agent folder name to invicti-agent after extracting the invicti-agent-release-onpremises-2.3.0.0.tar.

Open the appsettings.json file to enter the necessary information, such as ApiToken:

sudo nano appsettings.json

You need to configure the AgentInfo section of the appsetting.json file in the following way:

  • AgentName: This must be invicti-agent
  • AgentType: Navigate to the AgentInfo section and set agentType to Cloud.
  • ApiToken: In the Acunetix 360 On-Premises, the Agent Token is displayed on the Configure New Agent page. Copy the value into the apiToken.
  • ApiRootUrl: This is the URL of the Acunetix 360 On-Premises.

4.2.2 Setting agent as a Linux service

A cloud agent should be configured as a Linux service so that it can poll the Acunetix 360 servers regularly and can take the scan initiation command from the server.

4.2.3 Add a Unit File for an Acunetix 360 Agent

  1. Open a terminal
  2. cd /etc/systemd/system
  3. sudo touch invicti-agent.service
  4. sudo nano invicti-agent.service

IMPORTANT: The AgentName in the appsetting.json file, the unit file name for the agent, and the agent folder name must be the same. This is required to start the scan agent as a Linux service.

  1. Add the following script into invicti-agent.service

[Unit]

Description=netsparker.service description

[Service]

Type=notify

KillMode=process

Restart=always

RestartSec=30

SyslogIdentifier= ubuntu

KillSignal=SIGINT

User=[YOUR_USER]

WorkingDirectory= [YOUR_AGENT_DIRECTORY_PATH]

ExecStart= /home/ubuntu/Netsparker.Cloud.Agent

ExecStop=/usr/bin/pkill -f

/home/ubuntu/Nhs/NetsparkerHelperService.exe

[Install]

WantedBy=multi-user.target

  1. Save and close the document.

4.3 How to create a scanner agent image

  1. Open the EC2 instances page on the AWS console.
  2. Select the EC2 instance and from the Actions menu click Instance State > Stop/ Wait for the agent instance to be stopped.
  3. Once the agent instance has stopped, right-click on it, and click Create Image. Enter a name for your image and click Create Image.

  1. Navigate to the AMIs page and save your AMI ID (you will need it later).

Step 5. Configuring Acunetix 360

Follow these steps to configure Acunetix 360 AWS settings.

  1. Create an RDP connection to your Acunetix 360 web application server.
  2. Log in to Acunetix 360.
  3. Select Settings > Cloud Provider from the left-side menu.
  4. Enter your AWS settings.
  • You can find the settings for the Instance Type, Subnet ID, and Key Pair Name in your stopped instance’s details in AWS.
  • Click Security Group to get the Security Group id (e.g. sg-abc3fec2).

  1. You can now run new scans on your AWS environment.

Step 6: Updating the Scanner Agent

Next, you need to update the scanner agent.

  1. In the AWS EC2 console, open the AMI page. Right-click on your current scanner agent’s AMI and launch an instance.
  2. Once your scanner agent instance is ready, make an RDP connection to it.
  3. Download the Invicti Enterprise installation bundle. After downloading and extracting the invicti-agent-release-onpremises-2.3.0.0.tar file, configure your scanner agent instance as described in How to configure a scanner agent instance.
  4. Next, log in to Acunetix 360.
  5. From the main menu, select Settings > Cloud Provider Settings.
  6. Enter your new AMI and select Save.

How to update Mono

You need to update Mono so that the Netsparker Helper Service can work properly. You can update Mono as specified below:

For Ubuntu 18.04:

  1. sudo apt install gnupg ca-certificates
  2. sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
  3. echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic/snapshots/5.20 main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
  4. sudo apt update
  5. sudo apt install mono-runtime

« Back to the Acunetix Support Page