Configuration options

Artemis can be configured by setting the following variables in the .env file (in the form of VARIABLE_NAME=VARIABLE_VALUE directives, e.g. SCANNING_PACKETS_PER_SECOND=5):

Data

Autoarchiver

AUTOARCHIVER_INTERVAL_SECONDS

Default: 3600

How frequently the archive process is triggered (in seconds)

AUTOARCHIVER_MIN_AGE_SECONDS

Default: 6912000

How old the task results need to be to be archived (in seconds)

AUTOARCHIVER_OUTPUT_PATH

Default: /opt/archived-task-results/

Where the archived task results will be saved (remember that this is a path inside the container).

AUTOARCHIVER_PACK_SIZE

Default: 20000

How many task results will go into single .json.gz archive. If there are not that many old task results, archiving will not be performed.

LEGACY_MONGODB_CONN_STR

Connection string to the MongoDB database. MongoDB is not used anymore - it is present here to seamlessly migrate data from older Artemis versions to PostgreSQL.

POSTGRES_CONN_STR

Connection string to the PostgreSQL database.

REDIS_CONN_STR

Connection string to Redis.

Limits

REQUESTS_PER_SECOND

Default: 0

E.g. when set to 2, Artemis will make sure no more than 2 HTTP/MySQL connect/… requests take place per second, sleeping if needed.

REQUEST_TIMEOUT_SECONDS

Default: 10

Default request timeout (for all protocols).

SCANNING_PACKETS_PER_SECOND

Default: 100

E.g. when set to 100, Artemis will send no more than 100 port scanning packets per seconds per port scanner instance.

TASK_TIMEOUT_SECONDS

Default: 21600

What is the maximum task run time (after which it will get killed).

Locking

LOCK_SCANNED_TARGETS

Default: False

Whether Artemis should strive to make at most one module scan a target at a given time. Therefore when locking is enabled, setting e.g. SCANNING_PACKETS_PER_SECOND to 100 and SECONDS_PER_REQUEST to 2 will cause that no IP receives 100 port scanning packets per second and 1 HTTP/MySQL/… request per 2 seconds. Due to the way this behavior is implemented, we cannot guarantee that a host will never be scanned by more than one module.

LOCK_SLEEP_MAX_SECONDS

Default: 0.5

see LOCK_SLEEP_MIN_SECONDS.

LOCK_SLEEP_MIN_SECONDS

Default: 0.1

Requires LOCK_SCANNED_TARGETS to be enabled. When a resource is locked using artemis.resource_lock.ResourceLock, a retry will be performed in the next LOCK_SLEEP_MIN_SECONDS..LOCK_SLEEP_MAX_SECONDS seconds.

SCAN_DESTINATION_LOCK_MAX_TRIES

Default: 2

Requires LOCK_SCANNED_TARGETS to be enabled. Amount of times module will try to get a lock on scanned destination (with sleeps inbetween) before rescheduling task for later.

Miscellaneous

API_TOKEN

Default: None

The token to authenticate to the API. Provide one to use the API.

BLOCKLIST_FILE

Default: None

A file that determines what should not be scanned or reported

CONTENT_PREFIX_SIZE

Default: 102400

In order not to overload the DB and bandwidth, this determines how long the downloaded content would be (in bytes).

CUSTOM_USER_AGENT

Default:

Custom User-Agent string used by Artemis (if not set, the library defaults will be used, different for requests, Nuclei etc.)

LOGGING_FORMAT_STRING

Default: [%(levelname)s] - [%(asctime)s] %(filename)s - in %(funcName)s() (line %(lineno)d): %(message)s

Logging format string (according to the syntax in https://docs.python.org/3/library/logging.html#logrecord-attributes)

LOG_LEVEL

Default: INFO

Log level (e.g. INFO or DEBUG) - for available levels browse to https://docs.python.org/3/library/logging.html#logging-levels

MAX_NUM_TASKS_TO_PROCESS

Default: 200

After this number of tasks processed, each scanning module will get restarted. This is to prevent situations such as slow memory leaks.

MODULES_DISABLED_BY_DEFAULT

Default: example,humble

Artemis modules that are disabled by default (but may easily be enabled in the UI)

NUM_DNS_RESOLVER_RETRIES

Default: 3

Number of times a DNS query will be retried if failed. This helps reduce the number of e.g. mail-related false positives, where a failed DNS query may result with a “no DMARC” message.

REMOVE_LOGS_AFTER_DAYS

Default: 30

After what number of days the logs in karton-logs are removed.

SUBDOMAIN_ENUMERATION_TTL_DAYS

Default: 10

If we request a domain for subdomain enumeration, we will save that it has already been enumerated, so that e.g. if we requested crtsh enumeration on example.com and received www.example.com, crtsh enumeration on www.example.com won’t happen in SUBDOMAIN_ENUMERATION_TTL_DAYS days. This is the TTL of such markers.

VERIFY_REVDNS_IN_SCOPE

Default: True

By default, Artemis will check whether the reverse DNS lookup for an IP matches the original domain. For example, if we encounter the 1.1.1.1 ip which resolves to new.example.com, Artemis will check whether it is a subdomain of the original task domain. This is to prevent Artemis from randomly walking through the internet after encountering a misconfigured Reverse DNS record (e.g. pointing to a completely different domain). The downside of that is that when you don’t provide original domain (e.g. provide an IP to be scanned), the domain from the reverse DNS lookup won’t be scanned. Therefore this behavior is configurable and may be turned off.

Modules

Bruter

BRUTER_FALSE_POSITIVE_THRESHOLD

Default: 0.1

A threshold in case bruter finds too many files on a server and we want to skip this as a false positive. 0.1 means 10%.

BRUTER_FILE_LIST

Default: short

Possible values: ‘full’ or ‘short’. Whether a short or full file list will be used to brute- force paths.

BRUTER_FOLLOW_REDIRECTS

Default: True

If set to True, bruter will follow redirects. If to False, a redirect will be interpreted that a URL doesn’t exist, thus decreasing the number of false positives at the cost of losing some true positives.

Crtsh

CRTSH_NUM_RETRIES

Default: 10

How many times should we try to obtain subdomains list.

CRTSH_SLEEP_ON_RETRY_SECONDS

Default: 30

How long to sleep between tries.

DNSScanner

ZONE_TRANSFER_SIZE_REPORTING_THRESHOLD

Default: 2

The number of domains below which zone transfer won’t be reported.

DomainExpirationScanner

DOMAIN_EXPIRATION_TIMEFRAME_DAYS

Default: 30

The scanner warns if the domain’s expiration date falls within this time frame from now.

FTPBruter

FTP_BRUTER_TEST_FILE_NAME_PREFIX

Default: test-

The prefix that will be added to the name of the file the module will attempt to create (to check whether writing is possible).

Gau

GAU_ADDITIONAL_OPTIONS

Default:

Additional command-line options that will be passed to gau (https://github.com/lc/gau).

Humble

HUMBLE_HEADERS_TO_REPORT

Default: Content-Security-Policy,Strict-Transport-Security,X-Content-Type-Options

The list of headers that are considered more important and will be mentioned in the generated text reports (all of the missing headers will be visible in the UI).

Nuclei

NUCLEI_ADDITIONAL_TEMPLATES

Default: http/exposures/configs/dompdf-config.yaml,http/exposures/configs/ftp-credentials-exposure.yaml,http/exposures/configs/prometheus-metrics.yaml,http/exposures/files/core-dump.yaml,http/exposures/files/ds-store-file.yaml,http/exposures/logs/roundcube-log-disclosure.yaml,http/miscellaneous/defaced-website-detect.yaml,http/misconfiguration/django-debug-detect.yaml,http/misconfiguration/mixed-active-content.yaml,http/misconfiguration/mysql-history.yaml,http/misconfiguration/elasticsearch.yaml,http/misconfiguration/proxy/open-proxy-external.yaml,http/misconfiguration/server-status-localhost.yaml,http/misconfiguration/server-status.yaml,http/misconfiguration/shell-history.yaml,http/misconfiguration/springboot/springboot-auditevents.yaml,http/misconfiguration/springboot/springboot-dump.yaml,http/misconfiguration/springboot/springboot-env.yaml,http/misconfiguration/springboot/springboot-httptrace.yaml,http/misconfiguration/springboot/springboot-logfile.yaml,http/misconfiguration/springboot/springboot-threaddump.yaml,http/misconfiguration/springboot/springboot-trace.yaml,http/vulnerabilities/generic/basic-xss-prober.yaml,http/vulnerabilities/generic/xss-fuzz.yaml

A comma-separated list of Nuclei templates to be used besides the standard list. vulnerabilities/generic/crlf-injection.yaml was present here but is not anymore due to a significant number of false positives.

NUCLEI_CHECK_TEMPLATE_LIST

Default: True

Whether to check that the downloaded Nuclei template list is not empty (may fail e.g. on Github CI when the Github API rate limits are spent).

NUCLEI_MAX_BATCH_SIZE

Default: 10

How many sites to scan at once. This is the maximum batch size - we will try to obtain NUCLEI_MAX_BATCH_SIZE sites to scan from the queue, but if per-IP locking is enabled, then we will filter ones that are already scanned by other modules.

NUCLEI_MAX_NUM_LINKS_TO_PROCESS

Default: 100

Maximum number of links to be checked with the templates provided in NUCLEI_TEMPLATES_TO_RUN_ON_HOMEPAGE_LINKS (if more are seen, random NUCLEI_MAX_NUM_LINKS_TO_PROCESS are chosen).

NUCLEI_SUSPICIOUS_TEMPLATES

Default: custom:xss-inside-tag-top-params,http/miscellaneous/defaced-website-detect.yaml,http/misconfiguration/google/insecure-firebase-database.yaml,http/cnvd/2020/CNVD-2020-23735.yaml,http/vulnerabilities/other/ecshop-sqli.yaml,group:sql-injection

A comma-separated list of Nuclei templates to be reviewed manually if found as they are known to return false positives.

NUCLEI_TEMPLATES_TO_RUN_ON_HOMEPAGE_LINKS

Default: http/vulnerabilities/generic/top-xss-params.yaml,http/vulnerabilities/generic/xss-fuzz.yaml,http/vulnerabilities/generic/basic-xss-prober.yaml,http/vulnerabilities/generic/error-based-sql-injection.yaml,/opt/artemis/modules/data/nuclei_templates_custom/error-based-sql-injection.yaml

Normally, Nuclei templates are ran only on the root url. These templates will also run on all URLs linked from the root URL to detect vulnerabilities on non-root pages.

NUCLEI_TEMPLATES_TO_SKIP

Default: dns/azure-takeover-detection.yaml,dns/elasticbeantalk-takeover.yaml,http/cves/2021/CVE-2021-43798.yaml,http/exposed-panels/pagespeed-global-admin.yaml,http/cves/2021/CVE-2021-24917.yaml,http/exposures/files/travis-ci-disclosure.yaml,http/vulnerabilities/other/rockmongo-xss.yaml,http/exposed-panels/adobe/aem-sling-login.yaml,http/exposed-panels/alfresco-detect.yaml,http/exposed-panels/backpack/backpack-admin-panel.yaml,http/exposed-panels/bolt-cms-panel.yaml,http/exposed-panels/concrete5/concrete5-panel.yaml,http/exposed-panels/contao-login-panel.yaml,http/exposed-panels/craftcms-admin-panel.yaml,http/exposed-panels/django-admin-panel.yaml,http/exposed-panels/dokuwiki-panel.yaml,http/exposed-panels/drupal-login.yaml,http/exposed-panels/ez-publish-panel.yaml,http/exposed-panels/joomla-panel.yaml,http/exposed-panels/kentico-login.yaml,http/exposed-panels/liferay-portal.yaml,http/exposed-panels/magnolia-panel.yaml,http/exposed-panels/neos-panel.yaml,http/exposed-panels/netlify-cms.yaml,http/exposed-panels/strapi-panel.yaml,http/exposed-panels/tikiwiki-cms.yaml,http/exposed-panels/typo3-login.yaml,http/exposed-panels/umbraco-login.yaml,http/exposed-panels/wordpress-login.yaml,http/exposed-panels/axigen-webmail.yaml,http/exposed-panels/squirrelmail-login.yaml,http/exposed-panels/horde-webmail-login.yaml,http/exposed-panels/horde-login-panel.yaml,http/exposed-panels/zimbra-web-login.yaml,http/exposed-panels/zimbra-web-client.yaml,http/exposed-panels/icewarp-panel-detect.yaml,http/exposed-panels/tomcat/tomcat-exposed-docs.yaml,http/exposed-panels/arcgis/arcgis-rest-api.yaml,http/exposed-panels/fortinet/fortios-panel.yaml,http/exposed-panels/fortinet/fortinet-fortigate-panel.yaml,http/exposed-panels/checkpoint/ssl-network-extender.yaml,http/exposed-panels/pulse-secure-panel.yaml,http/exposed-panels/pulse-secure-version.yaml,http/exposed-panels/cisco/cisco-anyconnect-vpn.yaml,http/exposed-panels/cas-login.yaml,http/exposed-panels/casdoor-login.yaml,http/exposed-panels/openam-panel.yaml,http/exposed-panels/sonicwall-sslvpn-panel.yaml,http/exposed-panels/webeditors-check-detect.yaml,http/exposed-panels/dynamicweb-panel.yaml,http/exposed-panels/jira-detect.yaml,http/exposed-panels/kanboard-login.yaml,http/exposed-panels/linshare-panel.yaml,http/exposed-panels/magento-admin-panel.yaml,http/exposed-panels/mantisbt-panel.yaml,http/exposed-panels/mautic-crm-panel.yaml,http/exposed-panels/opencart-panel.yaml,http/exposed-panels/osticket-panel.yaml,http/exposed-panels/redmine-panel.yaml,http/exposed-panels/bigbluebutton-login.yaml,http/exposed-panels/ilias-panel.yaml,http/exposed-panels/office-webapps-panel.yaml,http/exposed-panels/onlyoffice-login-panel.yaml,http/exposed-panels/opensis-panel.yaml,http/exposed-panels/projectsend-login.yaml,http/exposed-panels/rocketchat-panel.yaml,custom:CVE-2019-1579,custom:xss-inside-tag-top-params.yaml

Comma-separated list of Nuclei templates not to be executed. See artemis/config.py for the rationale behind skipping particular templates.

NUCLEI_TEMPLATE_GROUPS_FILE

Default: /opt/artemis/modules/data/nuclei_template_groups.json

A path (inside Docker container) of a file with JSON dictionary of template group assignments: {“template1”: “group1”, “template2”: “group2”, …}. If a template is assigned to a group, instead of the template, the whole group will be reported as the detected template name. Therefore, due to findings deduplication, only one instance of such vulnerability will be reported. This is useful to detect situations when multiple .env detectors detect a single file or multiple XSS templates are triggered on a single page.

PortScanner

CUSTOM_PORT_SCANNER_PORTS

Default:

Custom port list to scan in CSV form (replaces default list).

PORT_SCANNER_MAX_NUM_PORTS

Default: 100

The number of open ports we consider to be too much and a false positive - if we observe more open ports, we trim by performing an intersection of the result with the list of 100 most popular ones.

PORT_SCANNER_PORT_LIST

Default: short

Chosen list of ports to scan (can be ‘short’ or ‘long’)

PORT_SCANNER_TIMEOUT_MILLISECONDS

Default: 5000

Port scanner: milliseconds to wait before timing out

Postman

POSTMAN_MAIL_FROM

Default: from@example.com

Sender e-mail address that will be used to test whether a server is an open relay or allows sending e-mails to any address.

POSTMAN_MAIL_TO

Default: to@example.com

Recipient e-mail address, e.g. for open relay testing.

SSHBruter

ADDITIONAL_BRUTE_FORCE_SLEEP_SECONDS

Default: 20

Some SSH servers drop connections after a large number of tries in a short time period. This is to combat this behavior.

Shodan

SHODAN_API_KEY

Default:

Shodan API key so that Shodan vulnerabilities will be displayed in Artemis.

VCS

VCS_MAX_DB_SIZE_BYTES

Default: 5242880

Maximum size of the VCS (e.g. SVN) db file.

WordPressBruter

WORDPRESS_BRUTER_STRIPPED_PREFIXES

Default: www

Wordpress_bruter extracts the site name to brute-force passwords. For example, if it observes projectname.example.com it will bruteforce projectname123, projectname2023, … This list describes what domain prefixes to strip (e.g. www) so that we bruteforce projectname123, not www123, when testing www.projectname.example.com.

WordPressPlugins

WORDPRESS_SKIP_VERSION_CHECK_ON_LESS_POPULAR_PLUGINS

Default: False

Some plugins have wrong versions in the README. For the most popular 1500 plugins, Artemis team monitors such cases and excludes the plugins that have wrong versions in the README from scanning. For the less popular plugins (e.g. if one can be identified by /wp- content/plugins/xyz/ URL in the website source), such cases can be a source of false positives. If this option is set to True, version check for such plugins will not be performed.

WordPressScanner

WORDPRESS_VERSION_AGE_DAYS

Default: 90

After what number of days we consider the WordPress version to be obsolete. This is a long threshold because WordPress maintains a separate list of insecure versions, so “old” doesn’t mean “insecure” here.

PublicSuffixes

ADDITIONAL_PUBLIC_SUFFIXES

Default:

Additional domains that will be treated as public suffixes (even though they’re not on the default Public Suffix List).

ALLOW_SCANNING_PUBLIC_SUFFIXES

Default: False

Whether we will scan a public suffix (e.g. .pl) if it appears on the target list. This may cause very large number of domains to be scanned.

Reporting

ADDITIONAL_SEVERITY_FILE

Default: None

A path (inside Docker container) of a file with JSON dictionary containing severities of additional report types: ‘{“report_type1”: “high”, “report_type2”: “medium”, …}’.

MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_HIGH

Default: 60

If a high-severity report has already been seen earlier - how much time needs to pass for a second report to be generated.

MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_LOW

Default: 240

If a low-severity report has already been seen earlier - how much time needs to pass for a second report to be generated.

MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_MEDIUM

Default: 120

If a medium-severity report has already been seen earlier - how much time needs to pass for a second report to be generated.

REPORTING_DEDUPLICATION_COMMON_HTTP_PORTS

Default: 80,443

Ports that we will treat as “standard http/https ports” when deduplicating vulnerabilities - that is, if we observe identical vulnerability of two standard ports (e.g. on 80 and on 443), we will treat such case as the same vulnerability. This is configurable because e.g. we observed some hostings serving mirrors of content from port 80 on ports 81-84.

REPORTING_MAX_VULN_AGE_DAYS

Default: 60

When creating e-mail reports, what is the vulnerability maximum age (in days) for it to be reported.

REPORTING_SEPARATE_INSTITUTIONS

Default:

Sometimes even if we scan example.com, we want to report subdomain.example.com to a separate contact, because it is a separate institution. This variable should contain a comma-separated list of such subdomains.

Blocklist

You may exclude some systems from being scanned or included in the reports. To do that, set the BLOCKLIST_FILE environment variable to a path to a blocklist file (it needs to be placed in the ./shared directory which is mounted to all scanning containers as /shared).

The blocklist file is a yaml file with the following syntax:

- mode: 'block_scanning_and_reporting' (to block both scanning and reporting) or
    'block_reporting_only' (if you want the scanning to be performed but want the
    issues to be skipped from automatic e-mail reports)
  domain_and_subdomains: null or the domain to be filtered (this will also filter its
     subdomains)
  subdomains: null or a domain - this setting will filter out only subdomains of this domain,
     but not the domain itself
  ip_range: null or the ip range to be filtered (to filter a single ip address,
    use the xxx.xxx.xxx.xxx/32 syntax)
  until: null or a date (YYYY-MM-DD) until which the filter will be active
  karton_name: null or the name of a scanning module

  report_target_should_contain: null or the string that must occur in the target for
    the report to be blocklisted - this parameter can be used only when 'mode' is set
    to 'block_reporting_only'.
  report_type: null (which will block all reports) or a string containing
     the type of reports that will be blocked (e.g. "misconfigured_email") - this
     parameter can be used only when 'mode' is 'block_reporting_only'.

There may be multiple entries in a blocklist file, each with syntax described above.

Advanced: Karton configuration

Artemis is based on the Karton framework (https://github.com/CERT-Polska/karton). Please refer to the Karton documentation for more information.