Clouditor integration

6f2a990f · Matevz Erzen · Zitnik, Anze · e478923e · 6f2a990f · 6f2a990f
Commit 6f2a990f authored 3 years ago by Matevz Erzen Committed by Zitnik, Anze 3 years ago
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ wazuh-ansible/
 *.swp
 *.retry
 ansible/opendistro/
+*.log
\ No newline at end of file
--- a/Makefile
+++ b/Makefile
@@ -12,17 +12,11 @@ clone-wazuh:
 	-git clone https://github.com/wazuh/wazuh-ansible.git > /dev/null 2>&1
 	cd wazuh-ansible && git checkout tags/v4.1.5

-reprovision:
-	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS)  $(ANSIBLE_DIR)/provision-reset.yml
-
 provision-managers:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-managers.yml

 provision-agents:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-agents.yml

-provision-evidence-collector:
-	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml
-
 provision:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision.yml
\ No newline at end of file
--- a/README.md
+++ b/README.md
-# Security Monitoring
+# Security Monitoring Demo

-This project is meant for quickly setting up Wazuh instance using Ansible scripts
-on top infrastructure provisioned using Vagrant.
+This project is meant for quickly setting up a demo of evidence collection with Wazuh.

-In addition to Wazuh, ClamAV is also installed to agent machines (for testing purposes).
+Project is deployed using Ansible scripts on top of infrastructure provisioned with Vagrant.
+
+It creates 4 VMs: a Wazuh server (manager), two machines acting as Wazuh agents, the Evidence Collector, and Clouditor.
+
+In addition to Wazuh, ClamAV is also installed on agent machines (for testing purposes).

 ## Requirements

@@ -26,6 +29,11 @@ $ git checkout tags/v4.1.5

 Then select your `ENVIRONMENT` in `Makefile`. Set it to `full-setup` or `no-collector`.

+If the case of `full-setup`, installation of additional Ansible roles is required:
+```
+$ ansible-galaxy install --roles-path ansible/ gantsign.golang
+```
+
 1. Provision Wazuh server and Wazuh agents:

 ```
@@ -46,13 +54,29 @@ $ PORT=8088 npx http-echo-server

 ## Using Evidence Collector

-To see Evidence Collector's output, `ssh` to it's machine and open Docker logs:
+To see Evidence Collector's output, `ssh` to its machine and open Docker logs:

 ```
 $ make ssh-evidence-collector
 $ docker logs -ft evidence-collector
 ```

+## Testing with Clouditor
+
+Clouditor starts automatically when clouditor VM is provisioned.
+
+To see Clouditor's output, `ssh` to its machine and examine the log file:  
+
+```
+$ make ssh-clouditor
+$ tail /var/log/clouditor.log
+```
+
+To manually start clouditor (normally not needed), you can use the following command on the clouditor VM (in `/home/vagrant/`):
+```
+$ make run
+```
+
 ## Potential issues
 
 ### ClamAV (re)start failed/timed out
@@ -109,3 +133,22 @@ ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.11"
 ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.12"
 ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.13"
 ```
+
+### Virtual networking problem
+
+If your Vagrant / hypervisor for whatever reason doesn't make the `192.168.33.0` virtual network
+directly accessible from the host, you need to manually specify the IP address and port for SSH 
+connections to each of the VMs.
+
+After the VMs have been created, the SSH connection parameters can be seen with the `vagrant ssh-config` command:
+```
+$ cd environments/full-setup/
+$ vagrant ssh-config
+```
+
+Edit `environments/full-setup/inventory.txt` and add `ansible_host` and `ansible_port` parameters 
+to each of the VMs. Example:
+```
+[wazuh_managers]
+192.168.33.10 ansible_host=127.0.0.1 ansible_port=2222 public_ip=192.168.33.10 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/manager/virtualbox/private_key
+```
--- a/ansible/clouditor/Makefile
+++ b/ansible/clouditor/Makefile
+run:
+	cd clouditor && go run cmd/engine/engine.go --db-in-memory
\ No newline at end of file
--- a/ansible/provision-agents.yml
+++ b/ansible/provision-agents.yml
--- a/ansible/provision-clouditor.yml
+++ b/ansible/provision-clouditor.yml
+---
+# Clouditor
+  - hosts: clouditor
+    tasks:
+      - name: Install yum packages
+        yum:
+          name:
+            - git
+            - gcc
+            - wget
+            - make
+          state: present
+        become: yes
+      - name: Download Golang installer
+        get_url:
+          url: https://storage.googleapis.com/golang/getgo/installer_linux
+          dest: ~/installer_linux
+          mode: '0555'
+      - name: Run Golang installer
+        raw: ./installer_linux && source ~/.bashrc
+      - name: Create dir
+        file:
+          path: /home/vagrant/clouditor
+          state: directory
+      - name: Clone Clouditor repo
+        git:
+          repo: https://github.com/clouditor/clouditor.git
+          dest: /home/vagrant/clouditor
+      - name: Copy Makefile
+        copy:
+          src: ./clouditor/Makefile
+          dest: ~/Makefile
+      - name: Create Clouditor log file
+        file:
+          path: /var/log/clouditor.log
+          mode: 0666
+          state: touch
+          owner: vagrant
+        become: yes
+      - name: Run Clouditor in background
+        shell:
+          chdir: ~/clouditor
+          executable: /bin/bash
+          cmd: "(nohup ~/.go/bin/go run cmd/engine/engine.go --db-in-memory </dev/null >/var/log/clouditor.log 2>&1 & sleep 1)"
+          # see https://ansibledaily.com/execute-detached-process-with-ansible/
\ No newline at end of file
--- a/ansible/provision-evidence-collector.yml
+++ b/ansible/provision-evidence-collector.yml
--- a/ansible/provision-managers.yml
+++ b/ansible/provision-managers.yml
--- a/ansible/provision.yml
+++ b/ansible/provision.yml
@@ -5,5 +5,8 @@
 - name: Start provision of the Wazuh Agents
  import_playbook: provision-agents.yml

- name: Start provision of Evidence Collector
+- name: Start provision of the Evidence Collector
  import_playbook: provision-evidence-collector.yml
+
+- name: Start provision of the Clouditor
+  import_playbook: provision-clouditor.yml
\ No newline at end of file
--- a/environments/full-setup/Vagrantfile
+++ b/environments/full-setup/Vagrantfile
@@ -13,14 +13,14 @@ servers=[
    :hostname => "agent1",
    :ip => "192.168.33.11",
    :box => "centos/8",
-    :ram => 1024,
+    :ram => 512,
    :cpu => 1
  },
  {
    :hostname => "agent2",
    :ip => "192.168.33.12",
    :box => "centos/8",
-    :ram => 1024,
+    :ram => 512,
    :cpu => 1
  },
  {
@@ -29,6 +29,13 @@ servers=[
    :box => "centos/8",
    :ram => 1024,
    :cpu => 2
+  },
+  {
+    :hostname => "clouditor",
+    :ip => "192.168.33.14",
+    :box => "centos/8",
+    :ram => 512,
+    :cpu => 1
  }
 ]


--- a/environments/full-setup/full-setup.mk
+++ b/environments/full-setup/full-setup.mk
@@ -19,3 +19,12 @@ ssh-agent2:

 ssh-evidence-collector:
 	@$(VAGRANT_RUN) ssh evidence-collector
+
+ssh-clouditor:
+	@$(VAGRANT_RUN) ssh clouditor
+
+provision-evidence-collector:
+	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml
+
+provision-clouditor:
+	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-clouditor.yml
\ No newline at end of file
--- a/environments/full-setup/inventory.txt
+++ b/environments/full-setup/inventory.txt
@@ -16,3 +16,9 @@ ansible_ssh_common_args='-o StrictHostKeyChecking=no'

 [evidence_collector:vars]
 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+
+[clouditor]
+192.168.33.14 public_ip=192.168.33.14 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/clouditor/virtualbox/private_key
+
+[clouditor:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
\ No newline at end of file