Threats count

README.md

@@ -16,14 +16,17 @@ In addition to Wazuh, ClamAV is also installed on agent machines.
 
 ## Requirements
 
- * Vagrant 2.2.14
- * Ansible 2.9.16
+ * Vagrant `2.2.19`
+ * VirtualBox `6.1.32`
+ * Ansible `>=2.9.6`
  * (optional / integrations) `npm` / `npx` in order to run the simple HTTP server for the integrations
 
 ---
 
 ## Setting up the demo
 
+> Important: make sure you have installed the right versions of Vagrant and VirtualBox!
+
 1. Checkout Wazuh's tag `v4.1.5` into the current directory:
 
     ```
@@ -48,6 +51,8 @@ In addition to Wazuh, ClamAV is also installed on agent machines.
     $ make create provision
     ```
 
+    > Note: `create` command also adds `/etc/vbox/networks.conf` config required by Vagrant/VirtualBox.
+
 ---
 
 ## Using demo components
@@ -69,14 +74,15 @@ Clouditor starts automatically when Clouditor VM is provisioned.
 To see Clouditor's output, `ssh` to its machine and examine the log file:  
 
 ```
-$ make ssh-clouditor
-$ tail /var/log/clouditor.log
+$ make logs-clouditor
 ```
 
 To manually (re)start Clouditor (normally not needed), you can use the following command on the Clouditor VM (inside `/home/vagrant/clouditor`):
 
 ```
-$ make run
+$ make ssh-clouditor    # on host machine
+
+$ make run              # on VM
 ```
 
 ### Evidence Collector
@@ -84,8 +90,7 @@ $ make run
 To see Evidence Collector's output, `ssh` to its machine and open Docker logs:
 
 ```
-$ make ssh-evidence-collector
-$ docker logs -ft evidence-collector
+$ make logs-evidence-collector
 ```
 
 ### Wazuh

ansible/globals/globals.yml

@@ -4,3 +4,4 @@ custom_integration_alert_level: 10
 custom_integration_alert_format: 'json'
 elasticsearch_host_ip: '192.168.33.10'
 wazuh_manager_ip: '192.168.33.10'
+wazuh_check_interval: 300
\ No newline at end of file

ansible/provision-managers.yml

@@ -13,9 +13,7 @@
       - role: custom-integration
     vars:
       single_node: true
-      ## Set-up integrations
       wazuh_manager_integrations:
-        # custom-integration
         - name: custom-integration
           hook_url: "{{ custom_integration_hook }}"
           alert_level: "{{ custom_integration_alert_level }}"
@@ -27,6 +25,35 @@
       elasticsearch_network_host: "0.0.0.0"
       filebeat_node_name: node-1
       filebeat_output_elasticsearch_hosts: "{{ elasticsearch_host_ip }}"
+      wazuh_manager_vulnerability_detector:
+        enabled: 'yes'
+        interval: "{{ wazuh_check_interval }}"
+        ignore_time: "{{ wazuh_check_interval }}"
+        run_on_start: 'yes'
+        providers:
+          - enabled: 'yes'
+            os:
+              - 'trusty'
+              - 'xenial'
+              - 'bionic'
+            update_interval: "{{ wazuh_check_interval }}"
+            name: '"canonical"'
+          - enabled: 'yes'
+            os:
+              - 'wheezy'
+              - 'stretch'
+              - 'jessie'
+              - 'buster'
+            update_interval: "{{ wazuh_check_interval }}"
+            name: '"debian"'
+          - enabled: 'yes'
+            update_from_year: '2010'
+            update_interval: "{{ wazuh_check_interval }}"
+            name: '"redhat"'
+          - enabled: 'yes'
+            update_from_year: '2010'
+            update_interval: "{{ wazuh_check_interval }}"
+            name: '"nvd"'
       instances:
         node1:
           name: node-1       # Important: must be equal to elasticsearch_node_name.
@@ -52,3 +79,4 @@
           - {port: "1515", proto: "tcp", state: "enabled", zone: "public"}
           - {port: "55000", proto: "tcp", state: "enabled", zone: "public"}
           - {port: "5601", proto: "tcp", state: "enabled", zone: "public"}
+          - {port: "9200", proto: "tcp", state: "enabled", zone: "public"}
\ No newline at end of file

custom-provision/.env

@@ -15,3 +15,4 @@ clouditor_port=9090
 clouditor_oauth2_port=8080
 clouditor_client_id=clouditor
 clouditor_client_secret=clouditor
+wazuh_check_interval=300
\ No newline at end of file

environments/full-setup/.env

@@ -15,3 +15,4 @@ clouditor_port=9090
 clouditor_oauth2_port=8080
 clouditor_client_id=clouditor
 clouditor_client_secret=clouditor
+wazuh_check_interval=300
\ No newline at end of file

environments/full-setup/Vagrantfile

@@ -6,7 +6,6 @@ servers=[
     :hostname => "manager",
     :ip => "192.168.33.10",
     :box => "centos/stream8",
-    :forward_ports => [{:guest => 55000, :host => 55000}, {:guest => 9200, :host => 9200}],
     :ram => 2048,
     :cpu => 2
   },  
@@ -35,7 +34,6 @@ servers=[
     :hostname => "clouditor",
     :ip => "192.168.33.14",
     :box => "centos/stream8",
-    :forward_ports => [{:guest => 9090, :host => 9090}],
     :ram => 1024,
     :cpu => 1
   }
@@ -44,9 +42,6 @@ servers=[
 Vagrant.configure(2) do |config|
   servers.each do |machine|
       config.vm.define machine[:hostname] do |node|
-          # node.vm.provision "ansible" do |ansible|
-          #   ansible.playbook = "../../ansible/provision.yml"
-          # end
           node.vm.box = machine[:box]
           node.vm.hostname = machine[:hostname]
           node.vm.network "private_network", ip: machine[:ip]

environments/full-setup/full-setup.mk

@@ -3,6 +3,9 @@ SSH_PRIVATE_KEY = $(HOME)/.vagrant.d/insecure_private_key
 SSH_USER = vagrant
 
 create:
+	sudo mkdir -p /etc/vbox
+	sudo touch /etc/vbox/networks.conf
+	grep -Fxq "* 192.168.33.0/24" /etc/vbox/networks.conf || sudo sh -c 'echo "* 192.168.33.0/24\n" >> /etc/vbox/networks.conf' 
 	@$(VAGRANT_RUN) up
 
 delete:

environments/no-collector/no-collector.mk

@@ -3,6 +3,9 @@ SSH_PRIVATE_KEY = $(HOME)/.vagrant.d/insecure_private_key
 SSH_USER = vagrant
 
 create:
+	sudo mkdir -p /etc/vbox
+	sudo touch /etc/vbox/networks.conf
+	grep -Fxq "* 192.168.33.0/24" /etc/vbox/networks.conf || sudo sh -c 'echo "* 192.168.33.0/24\n" >> /etc/vbox/networks.conf' 
 	@$(VAGRANT_RUN) up
 
 delete: