
Starting the AuthVerifier on Docker using a Docker Scan Agent

This document is for:
Invicti Enterprise On-Demand

A Docker Scan Agent can be used to start an instance of the AuthVerifier on Docker by setting the AgentMode as Verifier. This guide shows you how to install and run the Invicti Enterprise On-Demand scan agent using Docker and then run the scan agent as an AuthVerifier.

NOTE: To detect out-of-band vulnerabilities via Invicti Hawk, please allowlist the following ports on your agent server: TCP 80 and 443, UDP 53. For more information about Invicti Hawk, refer to How Invicti Hawk Finds Vulnerabilities.

Prerequisites

  • Docker installed. To check whether Docker is installed on your OS, run the following command in PowerShell: docker -v
  • 7z installed, to extract the downloaded scan agent TAR installation file.
  • Administrator privileges to run the required commands.

Downloading and installing the agent

There are three steps in this process:
  1. Downloading the scan agent for Docker
  2. Installing the scan agent with Docker
  3. Running the scan agent as an Auth Verifier

Step 1. How to download a scan agent in Invicti Enterprise On-Demand

NOTE: You need to download the installation files of the agent to a machine on your internal network.

  1. Log in to Invicti Enterprise.
  2. From the main menu, go to Agents > Manage Verifiers > Configure New Agent.
  3. From the Agent section, select Docker to download the file.

Step 2. How to install a scan agent in Invicti Enterprise

  1. Extract the TAR file: 7z x Invicti_Enterprise_Scanner_Docker_Agent.tar
  2. Navigate to the extracted file and run the following command to load the image file.

docker load < InvictiEnterprise_Scan_Agent.tar

After entering the command, the system starts to load the image. It may take some time. Once complete, a welcome message is displayed.

NOTE: If you are on Windows, skip step 3 and continue with step 4 (creating a folder for logs).

  3. Create a user and a group called “invicti”. These are required because the Docker agent runs as a non-root user. Then, add this new user to the docker group.

groupadd -g 1001 invicti
useradd -u 1001 -r -g 1001 -d /home/invicti -s /bin/bash invicti
mkdir -p /home/invicti # creates the home directory for the user
chown -R invicti:invicti /home/invicti
usermod -aG docker invicti

  4. Switch to the invicti user and create a directory so that the logs are always saved in the same path.

su - invicti
mkdir invictiLogs # creates a folder to store agent logs

Step 3. How to run the scan agent as an AuthVerifier

Now that the latest version of the scan agent's Docker image is installed, the next step is to run a container.

docker run -d --name {container name} --restart=always \
  --volume "$(pwd)/invictiLogs:/app/Logs" \
  -e "ApiRootUrl={AVHubServiceURL}" \
  -e "ApiToken={api token}" \
  -e "AgentName={agent name}" \
  -e "AgentMode=Verifier" \
  -e "IgnoreSslCertificateErrors=false" \
  agent:latest


The docker run command boots up a container. The parameters used to further configure the container are listed and explained below.

  • -d: This denotes daemon mode. The container will work in the background.
  • --name: This gives a name to the container.
  • --user: This instructs the container to run with this user.
  • --restart=always: This makes the container start automatically when the Docker service starts.
  • --volume: This mounts a directory on the host to a directory in the container. This setting allows you to see agent reports.
  • -e: This sets an environment variable for the container. The ApiToken, ApiRootUrl, and AgentName settings will be used by the scan agent.
      • AgentName: This can be anything you want. This text will be displayed when you are starting a new scan. (If you plan to install more than one instance of the agent, make sure you set a unique AgentName value for each instance, as it will be needed later.)
      • ApiToken: In Invicti Enterprise, the Agent Token is displayed on the Configure New Agent page. Copy this value into the ApiToken. (From the main menu, go to Agents > Manage Agents > Configure New Agent. In the Agent Token field, select Copy to clipboard.)
      • ApiRootUrl: This is the URL of the Auth Verifier Hub Service.
      • ScanDataFolderPath: This is your scan data folder. (This is optional.) If you want to change the default folder for saving the scan data, add the following parameter before running the container: -e "ScanDataFolderPath={Scan data folder}" \
      • IgnoreSslCertificateErrors: This controls whether SSL certificate errors on the scan target website are ignored. The command above sets it to false.
  • agent:{tag}: This is the image name from which the container will be created. The name of the image is agent, whereas {tag} is the version number of the image. In the example above we use 'latest' to pull the latest version of the image.

After the command is executed, the container is created. To see the result, you can execute the command below.

docker container ls

The scan agent container is now installed. You can check its status in Invicti Enterprise by going to Agents > Manage Verifiers.

Now you can start a scan through the scan agent you just installed. To do that, navigate to Scans > New Scan and select a website with the agent mode set to Internal. Then, along with the other settings required to start a scan, you can select which agent will be used to scan the target.
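
Passing ApiToken with -e, as in the Step 3 command, leaves the token in shell history and in the process list while the command runs. The sketch below is an added example, not part of Invicti's documentation: it writes the same settings to an owner-only file for docker's --env-file option and prints the resulting command for review. The function names, the sample values used with it and the https-only check on ApiRootUrl are assumptions of this example.

```shell
#!/bin/sh
# Added example: keep the agent's ApiToken off the docker command line.
# Variable names (ApiRootUrl, ApiToken, AgentName, AgentMode,
# IgnoreSslCertificateErrors) come from the page; function names and the
# https-only rule are assumptions made for this sketch.

# write_agent_env FILE API_ROOT_URL API_TOKEN AGENT_NAME
# Writes a docker --env-file readable only by its owner. Returns non-zero if
# the hub URL is not https or a value is empty or spans several lines.
write_agent_env() {
    env_file=$1 api_root_url=$2 api_token=$3 agent_name=$4
    nl='
'
    case $api_root_url in
        https://?*) ;;
        *) echo "ApiRootUrl must be an https:// URL" >&2; return 1 ;;
    esac
    for value in "$api_root_url" "$api_token" "$agent_name"; do
        case $value in
            ''|*"$nl"*) echo "empty or multi-line value rejected" >&2; return 1 ;;
        esac
    done
    (
        umask 077              # new file is created with mode 0600
        rm -f "$env_file"      # never reuse a file with wider permissions
        printf '%s\n' \
            "ApiRootUrl=$api_root_url" \
            "ApiToken=$api_token" \
            "AgentName=$agent_name" \
            "AgentMode=Verifier" \
            "IgnoreSslCertificateErrors=false" > "$env_file"
    )
}

# agent_run_cmd CONTAINER_NAME ENV_FILE LOG_DIR
# Prints the docker run command for review; the token does not appear in it.
agent_run_cmd() {
    printf 'docker run -d --name %s --restart=always --volume "%s:/app/Logs" --env-file "%s" agent:latest\n' \
        "$1" "$3" "$2"
}
```

Values loaded with --env-file are still visible through docker inspect to anyone who can reach the Docker daemon, so membership of the docker group should stay limited to the accounts that need it.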