Minion is an open source Security Automation platform. The 0.3 release of Minion allows Development, QA, and Security team members to perform automated web security scans with a set of tools, and re-execute those scans as needed.
The 0.3 release incorporates significant changes, including a migration away from Django and Bootstrap to a Flask and Angular.js based application. It also involves significant improvements in back-end performance and scaling, and an updated plugin architecture.
This is the first Minion release that is ready for large scale adoption with access management features to constrain which users can access scan results, and an invitation system to actively engage new users.
Minion should be easy to use.
A user should be able to log into Minion and immediately start to launch scans against sites available to them. Results should be easy to discover and contain detailed explanations.
The target audience for Minion should be developers
Developers should be able to use Minion the moment they have code written that can be tested. The initial focus will be on supporting web applications and services, but this should extend to other applications with the cohort feature set. The initial guidance surfaced by the default reporting engine should be useful, accurate, and actionable by developers, and meaningful to other audiences (QA, Security, Management).
Minion is a platform, not a security tool
Minion is an extensible platform that allows automation of security tasks. As such the focus should be on providing strong abstractions and a reliable, extensible platform without binding the platform to a specific suite of tools. All security testing functionality should be external to Minion and implemented via plugins.
Minion is scalable and extensible
It should be simple to add support for unsupported tools. In addition to the ease with which plugins can be authored, the plugin architecture must isolate plugin related issues from the core platform and allow delegation out to separate infrastructure, and must support scaling from small teams to enterprises that may deliver services to third parties.
Minion is a secure tool
Ongoing security testing and security assessment should be performed on Minion. Major releases and milestones should be accompanied with a detailed explanation of data collected, and risks or threats posed by the tools and plugins that are shipped by the core development team.
Minion is open
Minion is an open source platform, and the core team actively encourages developers, security professionals, and interested parties to provide feedback and feature requests.
The Minion Front-End is an Angular.js based application that invokes a set of API on the backend. The backend is comprised of a set of services that are collectively referred to as the Task Engine, and a set of plugins. The architecture is designed to be distributed so the plugins can run on any platform that can expose the correct API, ensuring that tools can be incorporated into Minion regardless of operating system dependencies.
- Site Ownership Verification
- Results Reporting Improvements
- Reporting Plugins
- Landing Pages
- Deferred Execution Plugins
- Scan Intensity Level
- Cohort PoC
- Historical Issue Tracking
- Interpolation Engine
- Common Configuration Schema (Extending DEX-JSON)
- Site and User Data Privacy
- Minion Event Model Extensions (simple extensibility)
- Scramble - interactive script for generating plugins
This information is preserved from an early iteration of the project. The information is obsolete and in most cases invalid, but the core concepts remain the same.
All of the following are publicly accessible:
- Source code: https://github.com/mozilla/minion
- Email list: http://groups.google.com/group/mozilla-minion-dev
- We also use the #websectools channel on irc.mozilla.org
default ip: 192.168.33.50
As we continue, we will upload a vagrant box and a vanilla ova. We will consider building one weekly.
Getting Started with the VM
STEP 1: Log in to the VM
If this is your first time using the VM, or you have just restarted / powered-up the VM, you need to issue
startsuper to get Minion up and running again.
$ ssh email@example.com $ startsuper
By default, we shipped the VM with supervisor to manage Minion servers and queue workers. The
startsuper command is an alias that we have defined in
~/.bash_aliases. We will explain other aliases later; let's move on to the next step.
STEP 2: Populate your Minion database
$ benv $ minion-db-init
Minion is a Python application and for development purpose we have built a virtual environment for backend and frontend individually.
benv is the name of the virtual environment for the backend. The second command
minion-db-init is called to engage an interactive session to populate your database.
You need to provide answers to the following three questions. You need to have a Persona account because Minion uses Persona for authentication.
Enter the administrator's Persona email: Enter the administrator's name: You have the options to import sites and groups:  import security testing sites (default)  import Mozilla sites  import all Enter the option number:
You can choose to import any sites, but for development purpose you can import the first one. In the future we might remove the Mozilla option.
STEP 3: Visit your Minion on browser
You should now be able to login with your administrator account (the one you just filled out) by visiting:
Minion VM comes with a few handy aliases for common things such as sourcing into a virtual environment.
|minion||cd into /opt/minion which holds various repos and scripts.|
|backend||cd into minion-backend repo|
|frontend||cd into minion-frontend repo|
|plugins||cd into a directory currently holding a bunch of minion plugins.|
|benv||alias for sourcing into backend's virtualenv.|
|fenv||alias for sourcing into frontend's virtualenv.|
|super||alias for calling supervisorctl. You can restart minion-backend process by calling |
|startsuper||alias to start supervisord (in order to start the console you must have the daemon running first).|
Most of the time you will be dealing with the virtual environments, super and startsuper. If you are not familiar with supervisor, you can get help by:
$ super help default commands (type help <topic>): ===================================== add clear fg open quit remove restart start stop update avail exit maintail pid reload reread shutdown status tail version
To check all processes, you call
$ super status minion-backend RUNNING pid 8500, uptime 2 days, 4:47:45 minion-frontend-server RUNNING pid 8340, uptime 2 days, 4:47:45 minion-plugin-worker RUNNING pid 8467, uptime 2 days, 4:47:45 minion-scan-worker RUNNING pid 8514, uptime 2 days, 4:47:45 minion-state-worker RUNNING pid 8468, uptime 2 days, 4:47:45
Should you have more questions on how to use these aliases, please don't hesitate to contact us on
All log files are under
/var/log/supervisor. Most of the logs are logged into minion-*.stderr.log.
We are currently fixing stderr log is not generated.
(This issue is fixed by editing /etc/supervisord/conf.d/minion-frontend.supervisor.conf to give stderr_log the same parent path as stdout_log)
To get around with this problem, as a developer I normally do this after starting up all minion services (using
$ fenv && super stop minion-frontend-server && minion-frontend -a 0.0.0.0 -d
There is an additional complexity when you deal with our aliases and our supervisord. Here is the plain, vanilla guide on how to get Minion running:
$ ssh firstname.lastname@example.org $ benv && minion-backend-api runserver -d (terminal #1) $ benv && minion-plugin-worker (terminal #2) $ benv && minion-scan-worker (terminal #3) $ benv && minion-state-worker (terminal #4) $ fenv && minion-frontend runserver -d -a 0.0.0.0 (terminal #5)
Some might find this workflow easier!
I (yeukhon) has my own development workflow relying on supervisor with three terminals:
$ ssh email@example.com --- assume I have database setup --- $ tail -f /var/log/supervisor/minion-backend.stderr.log (do this on terminal #1) $ startsuper && super restart all && fenv && super stop minion-frontend-server && minion-frontend -a 0.0.0.0 -d (do this on terminal #2) $ tail -f /var/log/supervisor/minion-plugin-worker.stderr.log (do this on terminal #3) --- now do some editing, then --- $ startsuper && super restart all && fenv && super stop minion-frontend-server && minion-frontend -a 0.0.0.0 -d (do this on terminal #2)
The first will watch the backend log, the second will start all minion services, stop only the frontend server, and run the frontend server without daemonizing it. The last tail will watch the plugin log. This log is helpful when you are developing a plugin. When I am done editing I usually restart all and run the frontend without daemonizing it again.
Again, don't force yourself to adopt to either workflow. Whatever works for you, that's the best workflow!
You can find most of us on #websectools or on Github.
- Stefan Arentz (st3fan)
- Simon Bennetts (psiinon)
- Yeuk Hon Wong (yeukhon)
- Matthew Fuller
- Mark Goodwin (mgoodwin)
List of plugins
The following projects are optional plugins for minion that add more functionality or wrap existing tools:
https://github.com/mozilla/minion-zap-plugin https://github.com/mozilla/minion-ssl-plugin https://github.com/mozilla/minion-skipfish-plugin https://github.com/mozilla/minion-nmap-plugin https://github.com/mozilla/minion-breach-plugin https://github.com/mozilla/minion-garmr-plugin https://github.com/mozilla/minion-zest-plugin