Commit 08c1873e authored by Zitnik, Anze

Merge branch 'resource-id-mapping' into 'master'

Resource ID mapping

See merge request medina/security-monitoring!8
parents ba070252 e69e6f5f
...@@ -34,7 +34,15 @@ In addition to Wazuh, ClamAV is also installed on agent machines. ...@@ -34,7 +34,15 @@ In addition to Wazuh, ClamAV is also installed on agent machines.
> Note: Docker registry credentials used for pulling Evidence Collector are located in `/ansible/docker/credentials/credentials.yml`. They don't need to be changed unless you explicitly want to use other registry. > Note: Docker registry credentials used for pulling Evidence Collector are located in `/ansible/docker/credentials/credentials.yml`. They don't need to be changed unless you explicitly want to use other registry.
3. Create and provision VMs: 3. If you're using `full-setup` environment, you can set custom environment variable (that will be passed to `evidence-collector`) in `/environments/full-setup/.env`.
If you wish to set or remove custom resource ID mapping scheme used by `evidence-collector`, you can change mapped values inside `/environments/full-setup/resource-id-map.json`.
See [Evidence collector's documentation](https://git.code.tecnalia.com/medina/wp3/task_3.2/evidence-collector) for more information.
> Note: neither of these two files has to be changed for `security-monitoring` to work. You can (and should; in case of `.env`) leave them unchanged.
4. Create and provision VMs:
``` ```
$ make create provision $ make create provision
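Review bot: step 3 and the note under it pull in opposite directions: the step invites the reader to set custom environment variables in `/environments/full-setup/.env`, while the note says the file should be left unchanged. Settle on one wording, e.g. "The `.env` shipped with `full-setup` works as is; only edit it if you need to pass extra variables to `evidence-collector`". Two smaller points in the same lines: "custom environment variable" should be plural, and the sentence on `resource-id-map.json` should say in one line what the file maps (the keys `manager`, `agent1`, `agent2` of the default file and what their values are used for) instead of leaving that entirely to the external documentation link.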
...@@ -173,7 +181,11 @@ Wazuh manager and Evidence collector should be installed on the same, clean mach ...@@ -173,7 +181,11 @@ Wazuh manager and Evidence collector should be installed on the same, clean mach
| `elasticsearch_host_ip` | IP of the machine running Elasticsearch (same as Wazuh manager). | | `elasticsearch_host_ip` | IP of the machine running Elasticsearch (same as Wazuh manager). |
| `wazuh_manager_ip` | IP of the machine running Wazuh manager. | | `wazuh_manager_ip` | IP of the machine running Wazuh manager. |
6. Provision: 6. Set custom resource ID mapping scheme used by `evidence-collector`. Change it in `/custom-provision/resource-id-map.json`.
> Note: this doesn't need to be changed or set for it to work.
7. Provision:
``` ```
$ make -B custom-provision $ make -B custom-provision
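Review bot: the note under step 6 says the mapping "doesn't need to be changed or set", but the new `Copy resource-id-map.json file` task in the provisioning playbook copies `{{ environment_dir }}/resource-id-map.json` unconditionally, so the file must exist or the play fails. Say "doesn't need to be changed (a default is provided)" and drop "or set", so nobody removes the file on the assumption it is optional.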
...@@ -187,7 +199,7 @@ To troubleshoot in more details, check the logs in `/var/ossec/logs/ossec.log` a ...@@ -187,7 +199,7 @@ To troubleshoot in more details, check the logs in `/var/ossec/logs/ossec.log` a
Two of the most common problems (often times in tandem) are [missing open ports](https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html#testing-communication-with-wazuh-manager) and [invalid agent names](https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html#invalid-agent-name-for-enrollment) (if agent machine's hostname matches hostname of any already existing Wazuh machine). Two of the most common problems (often times in tandem) are [missing open ports](https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html#testing-communication-with-wazuh-manager) and [invalid agent names](https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html#invalid-agent-name-for-enrollment) (if agent machine's hostname matches hostname of any already existing Wazuh machine).
To enable required ports, run the following commands on Wazuh manager machine: Current version of `security-monitoring` automatically opens required ports on the manager (using Ansible, see `ansible/provision-managers.yml`). However, if that fails, run the following commands on Wazuh manager machine to enable required ports:
``` ```
$ sudo firewall-cmd --zone=public --add-port=1514/tcp --permanent $ sudo firewall-cmd --zone=public --add-port=1514/tcp --permanent
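Review bot: the new sentence says the manager's ports are opened automatically by `ansible/provision-managers.yml` but does not list them; that playbook opens 1514, 1515, 55000 and 5601 on the `public` zone, so the README should name the four ports and flag that 55000 (the Wazuh API default) and 5601 (the Kibana default) become reachable from any source, so an operator knows to restrict them to a trusted network. Minor: "often times" reads better as "often", and since the manual `firewall-cmd` steps are now only a fallback, a short "if the playbook failed" lead-in or subheading would make that clearer.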
...@@ -20,14 +20,20 @@ ...@@ -20,14 +20,20 @@
ansible_python_interpreter: /usr/bin/python3.6 ansible_python_interpreter: /usr/bin/python3.6
- name: Create 'evidence-collector' directory - name: Create 'evidence-collector' directory
file: file:
path: /home/security-monitoring path: /home/evidence-collector
state: directory state: directory
owner: "{{ ansible_ssh_user }}" owner: "{{ ansible_ssh_user }}"
group: "{{ ansible_ssh_user }}" group: "{{ ansible_ssh_user }}"
- name: Copy .env file - name: Copy .env file
copy: copy:
src: "{{ environment_dir }}/.env" src: "{{ environment_dir }}/.env"
dest: /home/security-monitoring/.env dest: /home/evidence-collector/.env
owner: "{{ ansible_ssh_user }}"
group: "{{ ansible_ssh_user }}"
- name: Copy resource-id-map.json file
copy:
src: "{{ environment_dir }}/resource-id-map.json"
dest: /home/evidence-collector/resource-id-map.json
owner: "{{ ansible_ssh_user }}" owner: "{{ ansible_ssh_user }}"
group: "{{ ansible_ssh_user }}" group: "{{ ansible_ssh_user }}"
- name: Log in to Docker image registry - name: Log in to Docker image registry
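Review bot: the `Copy .env file` and new `Copy resource-id-map.json file` tasks set `owner`/`group` but no `mode`, so the files land with whatever the remote umask gives; `.env` holds the variables handed to `evidence-collector`, so set `mode: "0600"` on that copy (and an explicit `mode` on the JSON copy and on the `Create 'evidence-collector' directory` task, e.g. `"0750"`). Also, the rename from `/home/security-monitoring` to `/home/evidence-collector` leaves the old directory and its `.env` behind on hosts provisioned with the previous version; a `file: state: absent` task for the old path, or a note in the README, would avoid a stale copy of the environment lingering there.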
...@@ -44,6 +50,7 @@ ...@@ -44,6 +50,7 @@
state: started state: started
pull: yes pull: yes
restart_policy: always restart_policy: always
env_file: /home/security-monitoring/.env env_file: /home/evidence-collector/.env
volumes: /home/evidence-collector/resource-id-map.json:/evidence-collector/resource_id_map.json
vars: vars:
ansible_python_interpreter: /usr/bin/python3.6 ansible_python_interpreter: /usr/bin/python3.6
\ No newline at end of file
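Review bot: `volumes:` on the container task is written as a scalar string; the module expects a list, and although Ansible coerces a lone string, the list form is what readers expect and what lets a second mount be added without rewriting the line. Mount the mapping read-only as well, since the container only reads it: `volumes:` / `- /home/evidence-collector/resource-id-map.json:/evidence-collector/resource_id_map.json:ro`. Note too that the host file is `resource-id-map.json` while the container path is `resource_id_map.json`; either unify the spelling or document the difference, otherwise a future rename on one side silently bind-mounts a path the other side never reads.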
...@@ -31,3 +31,24 @@ ...@@ -31,3 +31,24 @@
node1: node1:
name: node-1 # Important: must be equal to elasticsearch_node_name. name: node-1 # Important: must be equal to elasticsearch_node_name.
ip: "{{ elasticsearch_host_ip }}" ip: "{{ elasticsearch_host_ip }}"
tasks:
- name: Install firewalld
action: yum name=firewalld state=installed
- name: Enable firewalld on system reboot
service: name=firewalld enabled=yes
- name: Start service firewalld, if not started
service:
name: firewalld
state: started
- name: Enable required ports
firewalld:
permanent: yes
immediate: yes
port: "{{item.port}}/{{item.proto}}"
state: "{{item.state}}"
zone: "{{item.zone}}"
with_items:
- {port: "1514", proto: "tcp", state: "enabled", zone: "public"}
- {port: "1515", proto: "tcp", state: "enabled", zone: "public"}
- {port: "55000", proto: "tcp", state: "enabled", zone: "public"}
- {port: "5601", proto: "tcp", state: "enabled", zone: "public"}
\ No newline at end of file
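Review bot: the new `Enable required ports` task opens 1514, 1515, 55000 and 5601 on zone `public` with no source restriction, i.e. to every address that can reach the manager. 1514/1515 must be open to the agents, but 55000 and 5601 are the management API and dashboard ports; consider a `rich_rule` limited to the operator network for those two (or a dedicated zone bound to that source), or at least document the exposure in the README. Smaller points: `action: yum name=firewalld state=installed` mixes the legacy `action` form and the `installed` alias with the YAML style used elsewhere in the play, so `yum:` with `name: firewalld` and `state: present` would be consistent; `state` and `zone` are identical for every item and can be fixed in the task instead of repeated per item; and the file ends without a trailing newline.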
{
"manager": "wazuh_manager",
"agent1": "wazuh_agent_1",
"agent2": "wazuh_agent_2"
}
\ No newline at end of file
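Review bot: this default mapping is what the unconditional copy task ships to every `full-setup` host, yet nothing on the page says what the keys `manager`, `agent1`, `agent2` correspond to or how the values are used as resource IDs; JSON allows no comments, so put that one sentence in the README step that references the file. Also add the missing trailing newline.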
{
"manager": "test_wazuh_manager",
"agent1": "test_wazuh_agent_1",
"agent2": "test_wazuh_agent_2"
}
\ No newline at end of file
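Review bot: the `custom-provision` default carries `test_` prefixes while the `full-setup` one does not, and the README note for step 6 says the file does not need to be changed; taken together, a `custom-provision` deployment will report resource IDs such as `test_wazuh_manager` unless the operator edits them. Either drop the `test_` prefix here or change the README note to say the values must be set to the deployment's real resource IDs. Also add the missing trailing newline.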