Configuration options
Artemis can be configured by setting the following variables in the .env file (in the form of VARIABLE_NAME=VARIABLE_VALUE directives, e.g. SCANNING_PACKETS_PER_SECOND=5):
Data
- LEGACY_MONGODB_CONN_STR
Connection string to the MongoDB database. MongoDB is not used anymore - it is present here to seamlessly migrate data from older Artemis versions to PostgreSQL.
- POSTGRES_CONN_STR
Connection string to the PostgreSQL database.
- REDIS_CONN_STR
Connection string to Redis.
Limits
- REQUESTS_PER_SECOND
Default: 0
E.g. when set to 2, Artemis will make sure no more than 2 HTTP/MySQL connect/… requests take place per second, sleeping if needed.
- REQUEST_TIMEOUT_SECONDS
Default: 10
Default request timeout (for all protocols).
- SCANNING_PACKETS_PER_SECOND
Default: 100
E.g. when set to 100, Artemis will send no more than 100 port scanning packets per second per port scanner instance.
- TASK_TIMEOUT_SECONDS
Default: 21600
The maximum task run time in seconds, after which the task is killed.
Locking
- LOCK_SCANNED_TARGETS
Default: False
Whether Artemis should strive to have at most one module scanning a given target at a time. With locking enabled, setting e.g. SCANNING_PACKETS_PER_SECOND to 100 and SECONDS_PER_REQUEST to 2 ensures that no single IP receives more than 100 port scanning packets per second or more than 1 HTTP/MySQL/… request per 2 seconds. Due to the way this behavior is implemented, we cannot guarantee that a host will never be scanned by more than one module at once.
- LOCK_SLEEP_MAX_SECONDS
Default: 0.5
See LOCK_SLEEP_MIN_SECONDS.
- LOCK_SLEEP_MIN_SECONDS
Default: 0.1
Requires LOCK_SCANNED_TARGETS to be enabled. When a resource is locked using artemis.resource_lock.ResourceLock, a retry will be performed after a delay of between LOCK_SLEEP_MIN_SECONDS and LOCK_SLEEP_MAX_SECONDS seconds.
- SCAN_DESTINATION_LOCK_MAX_TRIES
Default: 2
Requires LOCK_SCANNED_TARGETS to be enabled. Number of times a module will try to get a lock on the scanned destination (with sleeps in between) before rescheduling the task for later.
Miscellaneous
- API_TOKEN
Default: None
The token to authenticate to the API. Provide one to use the API.
- BLOCKLIST_FILE
Default: None
A file that determines what should not be scanned or reported.
- CONTENT_PREFIX_SIZE
Default: 102400
In order not to overload the DB and bandwidth, this limits the length (in bytes) of downloaded content that is stored.
- CUSTOM_USER_AGENT
Default:
Custom User-Agent string used by Artemis (if not set, the library defaults will be used, different for requests, Nuclei etc.)
- LOGGING_FORMAT_STRING
Default: [%(levelname)s] - [%(asctime)s] %(filename)s - in %(funcName)s() (line %(lineno)d): %(message)s
Logging format string (according to the syntax in https://docs.python.org/3/library/logging.html#logrecord-attributes)
- MAX_NUM_TASKS_TO_PROCESS
Default: 200
After this number of tasks processed, each scanning module will get restarted. This is to prevent situations such as slow memory leaks.
- MODULES_DISABLED_BY_DEFAULT
Default: example,humble
Artemis modules that are disabled by default (but may easily be enabled in the UI)
- NUM_DNS_RESOLVER_RETRIES
Default: 3
Number of times a DNS query will be retried if it fails. This helps reduce the number of e.g. mail-related false positives, where a failed DNS query may result in a “no DMARC” message.
- SUBDOMAIN_ENUMERATION_TTL_DAYS
Default: 10
If we request a domain for subdomain enumeration, we will save that it has already been enumerated, so that e.g. if we requested crtsh enumeration on example.com and received www.example.com, crtsh enumeration on www.example.com won’t happen in SUBDOMAIN_ENUMERATION_TTL_DAYS days. This is the TTL of such markers.
- VERIFY_REVDNS_IN_SCOPE
Default: True
By default, Artemis will check whether the reverse DNS lookup for an IP matches the original domain. For example, if we encounter the IP 1.1.1.1 which resolves to new.example.com, Artemis will check whether it is a subdomain of the original task domain. This is to prevent Artemis from randomly walking through the internet after encountering a misconfigured reverse DNS record (e.g. one pointing to a completely different domain). The downside is that when you don’t provide an original domain (e.g. you provide an IP to be scanned), the domain from the reverse DNS lookup won’t be scanned. Therefore this behavior is configurable and may be turned off.
Modules
Bruter
- BRUTER_FALSE_POSITIVE_THRESHOLD
Default: 0.1
A threshold in case bruter finds too many files on a server and we want to skip this as a false positive. 0.1 means 10%.
- BRUTER_FOLLOW_REDIRECTS
Default: True
If set to True, bruter will follow redirects. If set to False, a redirect will be interpreted as meaning the URL doesn’t exist, thus decreasing the number of false positives at the cost of losing some true positives.
- BRUTER_OVERRIDE_PATHS_FILE
Default: None
A custom file that will override the list of paths used by bruter.
Crtsh
- CRTSH_NUM_RETRIES
Default: 10
How many times to try to obtain the subdomain list.
- CRTSH_SLEEP_ON_RETRY_SECONDS
Default: 30
How long to sleep between tries.
DNSScanner
- ZONE_TRANSFER_SIZE_REPORTING_THRESHOLD
Default: 2
The number of domains below which zone transfer won’t be reported.
DomainExpirationScanner
- DOMAIN_EXPIRATION_TIMEFRAME_DAYS
Default: 30
The scanner warns if the domain’s expiration date falls within this time frame from now.
Gau
- GAU_ADDITIONAL_OPTIONS
Default:
Additional command-line options that will be passed to gau (https://github.com/lc/gau).
Humble
- HUMBLE_HEADERS_TO_REPORT
Default: Content-Security-Policy,Strict-Transport-Security,X-Content-Type-Options
The list of headers that are considered more important and will be mentioned in the generated text reports (all of the missing headers will be visible in the UI).
Nuclei
- NUCLEI_ADDITIONAL_TEMPLATES
Default: http/exposures/configs/dompdf-config.yaml,http/exposures/configs/ftp-credentials-exposure.yaml,http/exposures/configs/prometheus-metrics.yaml,http/exposures/files/core-dump.yaml,http/exposures/files/ds-store-file.yaml,http/exposures/logs/roundcube-log-disclosure.yaml,http/miscellaneous/defaced-website-detect.yaml,http/misconfiguration/django-debug-detect.yaml,http/misconfiguration/mixed-active-content.yaml,http/misconfiguration/mysql-history.yaml,http/misconfiguration/elasticsearch.yaml,http/misconfiguration/proxy/open-proxy-external.yaml,http/misconfiguration/server-status-localhost.yaml,http/misconfiguration/server-status.yaml,http/misconfiguration/shell-history.yaml,http/misconfiguration/springboot/springboot-auditevents.yaml,http/misconfiguration/springboot/springboot-dump.yaml,http/misconfiguration/springboot/springboot-env.yaml,http/misconfiguration/springboot/springboot-httptrace.yaml,http/misconfiguration/springboot/springboot-logfile.yaml,http/misconfiguration/springboot/springboot-threaddump.yaml,http/misconfiguration/springboot/springboot-trace.yaml,http/vulnerabilities/generic/basic-xss-prober.yaml,http/vulnerabilities/generic/xss-fuzz.yaml
A comma-separated list of Nuclei templates to be used besides the standard list. vulnerabilities/generic/crlf-injection.yaml was present here but is not anymore due to a significant number of false positives.
- NUCLEI_CHECK_TEMPLATE_LIST
Default: True
Whether to check that the downloaded Nuclei template list is not empty (may fail e.g. on Github CI when the Github API rate limits are spent).
- NUCLEI_MAX_BATCH_SIZE
Default: 10
How many sites to scan at once. This is the maximum batch size: we will try to obtain NUCLEI_MAX_BATCH_SIZE sites to scan from the queue, but if per-IP locking is enabled, we will filter out those that are already being scanned by other modules.
- NUCLEI_MAX_NUM_LINKS_TO_PROCESS
Default: 100
Maximum number of links to be checked with the templates provided in NUCLEI_TEMPLATES_TO_RUN_ON_HOMEPAGE_LINKS (if more are seen, a random sample of NUCLEI_MAX_NUM_LINKS_TO_PROCESS of them is chosen).
- NUCLEI_SUSPICIOUS_TEMPLATES
Default: custom:xss-inside-tag-top-params,http/miscellaneous/defaced-website-detect.yaml,http/misconfiguration/google/insecure-firebase-database.yaml,http/cnvd/2020/CNVD-2020-23735.yaml,http/vulnerabilities/other/ecshop-sqli.yaml,group:sql-injection
A comma-separated list of Nuclei templates to be reviewed manually if found as they are known to return false positives.
- NUCLEI_TEMPLATES_TO_RUN_ON_HOMEPAGE_LINKS
Default: http/vulnerabilities/generic/top-xss-params.yaml,http/vulnerabilities/generic/basic-xss-prober.yaml,/opt/artemis/modules/data/nuclei_templates_custom/xss-inside-tag-top-params.yaml,http/vulnerabilities/generic/error-based-sql-injection.yaml,/opt/artemis/modules/data/nuclei_templates_custom/error-based-sql-injection.yaml
Normally, Nuclei templates are run only on the root URL. These templates will also run on all URLs linked from the root URL to detect vulnerabilities on non-root pages.
- NUCLEI_TEMPLATES_TO_SKIP
Default: dns/azure-takeover-detection.yaml,dns/elasticbeantalk-takeover.yaml,http/cves/2021/CVE-2021-43798.yaml,http/exposed-panels/pagespeed-global-admin.yaml,http/cves/2021/CVE-2021-24917.yaml,http/exposures/files/travis-ci-disclosure.yaml,http/vulnerabilities/other/rockmongo-xss.yaml,http/exposed-panels/adobe/aem-sling-login.yaml,http/exposed-panels/alfresco-detect.yaml,http/exposed-panels/backpack/backpack-admin-panel.yaml,http/exposed-panels/bolt-cms-panel.yaml,http/exposed-panels/concrete5/concrete5-panel.yaml,http/exposed-panels/contao-login-panel.yaml,http/exposed-panels/craftcms-admin-panel.yaml,http/exposed-panels/django-admin-panel.yaml,http/exposed-panels/dokuwiki-panel.yaml,http/exposed-panels/drupal-login.yaml,http/exposed-panels/ez-publish-panel.yaml,http/exposed-panels/joomla-panel.yaml,http/exposed-panels/kentico-login.yaml,http/exposed-panels/liferay-portal.yaml,http/exposed-panels/magnolia-panel.yaml,http/exposed-panels/neos-panel.yaml,http/exposed-panels/netlify-cms.yaml,http/exposed-panels/strapi-panel.yaml,http/exposed-panels/tikiwiki-cms.yaml,http/exposed-panels/typo3-login.yaml,http/exposed-panels/umbraco-login.yaml,http/exposed-panels/wordpress-login.yaml,http/exposed-panels/axigen-webmail.yaml,http/exposed-panels/squirrelmail-login.yaml,http/exposed-panels/horde-webmail-login.yaml,http/exposed-panels/horde-login-panel.yaml,http/exposed-panels/zimbra-web-login.yaml,http/exposed-panels/zimbra-web-client.yaml,http/exposed-panels/icewarp-panel-detect.yaml,http/exposed-panels/tomcat/tomcat-exposed-docs.yaml,http/exposed-panels/arcgis/arcgis-rest-api.yaml,http/exposed-panels/fortinet/fortinet-fortigate-panel.yaml,http/exposed-panels/checkpoint/ssl-network-extender.yaml,http/exposed-panels/pulse-secure-panel.yaml,http/exposed-panels/pulse-secure-version.yaml,http/exposed-panels/cisco/cisco-anyconnect-vpn.yaml,http/exposed-panels/cas-login.yaml,http/exposed-panels/casdoor-login.yaml,http/exposed-panels/openam-panel.yaml,http/exposed-panels/sonicwall-sslvpn-panel.yaml,http/exposed-panels/webeditors-check-detect.yaml,http/exposed-panels/dynamicweb-panel.yaml,http/exposed-panels/jira-detect.yaml,http/exposed-panels/kanboard-login.yaml,http/exposed-panels/magento-admin-panel.yaml,http/exposed-panels/mantisbt-panel.yaml,http/exposed-panels/mautic-crm-panel.yaml,http/exposed-panels/opencart-panel.yaml,http/exposed-panels/osticket-panel.yaml,http/exposed-panels/redmine-panel.yaml,http/exposed-panels/bigbluebutton-login.yaml,http/exposed-panels/ilias-panel.yaml,http/exposed-panels/office-webapps-panel.yaml,http/exposed-panels/onlyoffice-login-panel.yaml,http/exposed-panels/opensis-panel.yaml,http/exposed-panels/projectsend-login.yaml,http/exposed-panels/rocketchat-panel.yaml,custom:CVE-2019-1579,custom:xss-inside-tag-top-params.yaml
Comma-separated list of Nuclei templates not to be executed. See artemis/config.py for the rationale behind skipping particular templates.
- NUCLEI_TEMPLATE_GROUPS_FILE
Default: /opt/artemis/modules/data/nuclei_template_groups.json
A path (inside the Docker container) of a file with a JSON dictionary of template group assignments: {"template1": "group1", "template2": "group2", …}. If a template is assigned to a group, the whole group, instead of the template, will be reported as the detected template name. Therefore, due to findings deduplication, only one instance of such a vulnerability will be reported. This is useful to handle situations where multiple .env detectors detect a single file or multiple XSS templates are triggered on a single page.
PortScanner
- CUSTOM_PORT_SCANNER_PORTS
Default:
Custom port list to scan in CSV form (replaces default list).
- PORT_SCANNER_MAX_NUM_PORTS
Default: 100
The number of open ports we consider to be too many and therefore a false positive: if we observe more open ports, we trim the result by intersecting it with the list of the 100 most popular ports.
- PORT_SCANNER_TIMEOUT_MILLISECONDS
Default: 5000
Port scanner: milliseconds to wait before timing out.
Postman
- POSTMAN_MAIL_FROM
Default: from@example.com
Sender e-mail address that will be used to test whether a server is an open relay or allows sending e-mails to any address.
- POSTMAN_MAIL_TO
Default: to@example.com
Recipient e-mail address, e.g. for open relay testing.
SSHBruter
- ADDITIONAL_BRUTE_FORCE_SLEEP_SECONDS
Default: 20
Some SSH servers drop connections after a large number of tries in a short time period. This is to combat this behavior.
Shodan
- SHODAN_API_KEY
Default:
Shodan API key so that Shodan vulnerabilities will be displayed in Artemis.
VCS
- VCS_MAX_DB_SIZE_BYTES
Default: 5242880
Maximum size of the VCS (e.g. SVN) db file.
WordPressBruter
- WORDPRESS_BRUTER_STRIPPED_PREFIXES
Default: www
Wordpress_bruter extracts the site name to brute-force passwords. For example, if it observes projectname.example.com, it will try passwords such as projectname123, projectname2023, … This list describes which domain prefixes to strip (e.g. www) so that we brute-force projectname123, not www123, when testing www.projectname.example.com.
WordPressPlugins
- WORDPRESS_SKIP_VERSION_CHECK_ON_LESS_POPULAR_PLUGINS
Default: False
Some plugins have wrong versions in the README. For the 1500 most popular plugins, the Artemis team monitors such cases and excludes the plugins that have wrong versions in the README from scanning. For less popular plugins (e.g. one that can be identified by a /wp-content/plugins/xyz/ URL in the website source), such cases can be a source of false positives. If this option is set to True, the version check for such plugins will not be performed.
WordPressScanner
- WORDPRESS_VERSION_AGE_DAYS
Default: 90
After what number of days we consider the WordPress version to be obsolete. This is a long threshold because WordPress maintains a separate list of insecure versions, so “old” doesn’t mean “insecure” here.
PublicSuffixes
- ADDITIONAL_PUBLIC_SUFFIXES
Default:
Additional domains that will be treated as public suffixes (even though they’re not on the default Public Suffix List).
- ALLOW_SCANNING_PUBLIC_SUFFIXES
Default: False
Whether to scan a public suffix (e.g. .pl) if it appears on the target list. This may cause a very large number of domains to be scanned.
Reporting
- ADDITIONAL_SEVERITY_FILE
Default: None
A path (inside the Docker container) of a file with a JSON dictionary containing severities of additional report types: {"report_type1": "high", "report_type2": "medium", …}.
- MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_HIGH
Default: 60
If a high-severity report has already been seen earlier, how many days need to pass before a second report is generated.
- MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_LOW
Default: 240
If a low-severity report has already been seen earlier, how many days need to pass before a second report is generated.
- MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_MEDIUM
Default: 120
If a medium-severity report has already been seen earlier, how many days need to pass before a second report is generated.
- REPORTING_DEDUPLICATION_COMMON_HTTP_PORTS
Default: 80,443
Ports that we will treat as “standard HTTP/HTTPS ports” when deduplicating vulnerabilities, that is, if we observe an identical vulnerability on two standard ports (e.g. on 80 and on 443), we will treat it as the same vulnerability. This is configurable because e.g. we observed some hosting providers serving mirrors of the port 80 content on ports 81-84.
- REPORTING_MAX_VULN_AGE_DAYS
Default: 60
When creating e-mail reports, the maximum age of a vulnerability (in days) for it to be reported.
- REPORTING_SEPARATE_INSTITUTIONS
Default:
Sometimes even if we scan example.com, we want to report subdomain.example.com to a separate contact, because it is a separate institution. This variable should contain a comma-separated list of such subdomains.
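To make the two deduplication rules concrete (template groups from NUCLEI_TEMPLATE_GROUPS_FILE, and identical findings on the standard HTTP ports), here is an added Python example that is not Artemis's own code: it merges findings whose templates map to one group and findings that differ only by a port listed in REPORTING_DEDUPLICATION_COMMON_HTTP_PORTS. The two XSS templates come from the default lists above; the group name "xss", the host and the findings are constructed.

```python
# Added example, not Artemis code: collapse findings the way NUCLEI_TEMPLATE_GROUPS_FILE and
# REPORTING_DEDUPLICATION_COMMON_HTTP_PORTS describe. Group name and findings are constructed.
TEMPLATE_GROUPS = {  # the shape of the JSON dictionary in NUCLEI_TEMPLATE_GROUPS_FILE
    "http/vulnerabilities/generic/basic-xss-prober.yaml": "xss",
    "http/vulnerabilities/generic/xss-fuzz.yaml": "xss",
}
COMMON_HTTP_PORTS = {80, 443}  # the documented default

def reported_template(template: str, groups: dict) -> str:
    """A template assigned to a group is reported under the group name instead of its own."""
    return groups.get(template, template)

def dedup_key(finding: dict, groups: dict, common_ports: set) -> tuple:
    """Findings that differ only by a 'standard' HTTP port or by a grouped template share a key."""
    port = "common-http" if finding["port"] in common_ports else finding["port"]
    return (finding["host"], port, reported_template(finding["template"], groups))

def deduplicate(findings: list, groups: dict, common_ports: set) -> list:
    """Keep the first finding per key, annotated with the name it will be reported under."""
    kept = {}
    for f in findings:
        key = dedup_key(f, groups, common_ports)
        kept.setdefault(key, dict(f, reported_as=key[2]))
    return list(kept.values())

FINDINGS = [  # constructed sample findings
    {"host": "www.example.com", "port": 80, "template": "http/vulnerabilities/generic/basic-xss-prober.yaml"},
    {"host": "www.example.com", "port": 443, "template": "http/vulnerabilities/generic/xss-fuzz.yaml"},
    {"host": "www.example.com", "port": 81, "template": "http/vulnerabilities/generic/basic-xss-prober.yaml"},
    {"host": "www.example.com", "port": 443, "template": "http/exposures/configs/dompdf-config.yaml"},
]

if __name__ == "__main__":
    # With the default ports, the port 81 XSS finding stays separate; add 81 to the set to merge it.
    for f in deduplicate(FINDINGS, TEMPLATE_GROUPS, COMMON_HTTP_PORTS):
        print(f["host"], f["port"], f["reported_as"])
```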
Blocklist
You may exclude some systems from being scanned or included in the reports. To do that, set the BLOCKLIST_FILE environment variable to a path to a blocklist file (it needs to be placed in the ./shared directory, which is mounted to all scanning containers as /shared).
The blocklist file is a yaml file with the following syntax:
- mode: 'block_scanning_and_reporting' (to block both scanning and reporting) or
    'block_reporting_only' (if you want the scanning to be performed but want the
    issues to be skipped from automatic e-mail reports)
  domain_and_subdomains: null or the domain to be filtered (this will also filter its
    subdomains)
  subdomains: null or a domain - this setting will filter out only subdomains of this domain,
    but not the domain itself
  ip_range: null or the IP range to be filtered (to filter a single IP address,
    use the xxx.xxx.xxx.xxx/32 syntax)
  until: null or a date (YYYY-MM-DD) until which the filter will be active
  karton_name: null or the name of a scanning module
  report_target_should_contain: null or the string that must occur in the target for
    the report to be blocklisted - this parameter can be used only when 'mode' is set
    to 'block_reporting_only'.
  report_type: null (which will block all reports) or a string containing
    the type of reports that will be blocked (e.g. "misconfigured_email") - this
    parameter can be used only when 'mode' is 'block_reporting_only'.
There may be multiple entries in a blocklist file, each with syntax described above.
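As an added illustration (not Artemis's own code), the following Python evaluates entries of the shape above against a scan target or a report: it enforces the mode-specific constraints, distinguishes domain_and_subdomains from subdomains, expires entries past their until date and scopes entries by karton_name. The entries, module names and targets are constructed samples given as a YAML loader would return them; the rule that an entry with no host filter applies to every target is an assumption.

```python
import ipaddress
from datetime import date

MODES = ("block_scanning_and_reporting", "block_reporting_only")

# Constructed sample entries, as a YAML loader would return them; keys set to null are omitted.
BLOCKLIST = [
    {"mode": "block_scanning_and_reporting", "domain_and_subdomains": "legacy.example.com"},
    {"mode": "block_reporting_only", "subdomains": "example.com", "report_type": "misconfigured_email"},
    {"mode": "block_scanning_and_reporting", "ip_range": "192.0.2.10/32",
     "until": "2020-01-01", "karton_name": "port_scanner"},
]

def validate_entry(entry: dict) -> None:
    """Reject entries that violate the constraints stated in the syntax description above."""
    if entry.get("mode") not in MODES:
        raise ValueError(f"unknown mode: {entry.get('mode')!r}")
    if entry["mode"] != "block_reporting_only" and (
            entry.get("report_target_should_contain") or entry.get("report_type")):
        raise ValueError("report_* keys are allowed only with mode 'block_reporting_only'")
    if entry.get("until"):
        date.fromisoformat(entry["until"])  # must be YYYY-MM-DD, raises otherwise

def _target_matches(entry: dict, target: str) -> bool:
    """Every non-null host filter must match; an entry with none set matches all targets (assumption)."""
    d = entry.get("domain_and_subdomains")
    if d and target != d and not target.endswith("." + d):
        return False
    s = entry.get("subdomains")
    if s and not target.endswith("." + s):  # the domain itself is deliberately not matched
        return False
    r = entry.get("ip_range")
    if r:
        try:
            return ipaddress.ip_address(target) in ipaddress.ip_network(r, strict=False)
        except ValueError:  # target is a hostname, not an IP address
            return False
    return True

def _applies(entry: dict, target: str, karton_name: str, today: str) -> bool:
    """Entry is still active (ISO dates compare correctly as strings) and scoped to this module/target."""
    until = entry.get("until")
    return ((until is None or until >= today) and entry.get("karton_name") in (None, karton_name)
            and _target_matches(entry, target))

def is_scanning_blocked(blocklist, target: str, karton_name: str, today: str) -> bool:
    return any(e["mode"] == "block_scanning_and_reporting" and _applies(e, target, karton_name, today)
               for e in blocklist)

def is_report_blocked(blocklist, target: str, report_type: str, karton_name: str, today: str) -> bool:
    return any(_applies(e, target, karton_name, today)  # both modes suppress reports
               and e.get("report_type") in (None, report_type)
               and (e.get("report_target_should_contain") or "") in target
               for e in blocklist)
```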
Advanced: Karton configuration
Artemis is based on the Karton framework (https://github.com/CERT-Polska/karton). Please refer to the Karton documentation for more information.