Commit 6f2a990f authored by Matevz Erzen's avatar Matevz Erzen Committed by Zitnik, Anze

Clouditor integration

parent e478923e
......@@ -3,3 +3,4 @@ wazuh-ansible/
*.swp
*.retry
ansible/opendistro/
*.log
\ No newline at end of file
......@@ -12,17 +12,11 @@ clone-wazuh:
-git clone https://github.com/wazuh/wazuh-ansible.git > /dev/null 2>&1
cd wazuh-ansible && git checkout tags/v4.1.5
reprovision:
@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-reset.yml
provision-managers:
@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-managers.yml
provision-agents:
@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-agents.yml
provision-evidence-collector:
@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml
provision:
@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision.yml
\ No newline at end of file
# Security Monitoring
# Security Monitoring Demo
This project is meant for quickly setting up Wazuh instance using Ansible scripts
on top infrastructure provisioned using Vagrant.
This project is meant for quickly setting up a demo of evidence collection with Wazuh.
In addition to Wazuh, ClamAV is also installed to agent machines (for testing purposes).
Project is deployed using Ansible scripts on top of infrastructure provisioned with Vagrant.
It creates 4 VMs: a Wazuh server (manager), two machines acting as Wazuh agents, the Evidence Collector, and Clouditor.
In addition to Wazuh, ClamAV is also installed on agent machines (for testing purposes).
## Requirements
......@@ -26,6 +29,11 @@ $ git checkout tags/v4.1.5
Then select your `ENVIRONMENT` in `Makefile`. Set it to `full-setup` or `no-collector`.
If the case of `full-setup`, installation of additional Ansible roles is required:
```
$ ansible-galaxy install --roles-path ansible/ gantsign.golang
```
1. Provision Wazuh server and Wazuh agents:
```
......@@ -46,13 +54,29 @@ $ PORT=8088 npx http-echo-server
## Using Evidence Collector
To see Evidence Collector's output, `ssh` to it's machine and open Docker logs:
To see Evidence Collector's output, `ssh` to its machine and open Docker logs:
```
$ make ssh-evidence-collector
$ docker logs -ft evidence-collector
```
## Testing with Clouditor
Clouditor starts automatically when clouditor VM is provisioned.
To see Clouditor's output, `ssh` to its machine and examine the log file:
```
$ make ssh-clouditor
$ tail /var/log/clouditor.log
```
To manually start clouditor (normally not needed), you can use the following command on the clouditor VM (in `/home/vagrant/`):
```
$ make run
```
## Potential issues
### ClamAV (re)start failed/timed out
......@@ -109,3 +133,22 @@ ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.11"
ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.12"
ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.13"
```
### Virtual networking problem
If your Vagrant / hypervisor for whatever reason doesn't make the `192.168.33.0` virtual network
directly accessible from the host, you need to manually specify the IP address and port for SSH
connections to each of the VMs.
After the VMs have been created, the SSH connection parameters can be seen with the `vagrant ssh-config` command:
```
$ cd environments/full-setup/
$ vagrant ssh-config
```
Edit `environments/full-setup/inventory.txt` and add `ansible_host` and `ansible_port` parameters
to each of the VMs. Example:
```
[wazuh_managers]
192.168.33.10 ansible_host=127.0.0.1 ansible_port=2222 public_ip=192.168.33.10 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/manager/virtualbox/private_key
```
run:
cd clouditor && go run cmd/engine/engine.go --db-in-memory
\ No newline at end of file
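Review bot: `run` is a command, not a file, yet it is not declared phony, so a file named `run` in `/home/vagrant` (where the playbook copies this Makefile) would make `make run` report the target as up to date and never start the engine; add `.PHONY: run` above the rule. The file also ends without a trailing newline, which some tools warn about.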
---
# Clouditor
- hosts: clouditor
tasks:
- name: Install yum packages
yum:
name:
- git
- gcc
- wget
- make
state: present
become: yes
- name: Download Golang installer
get_url:
url: https://storage.googleapis.com/golang/getgo/installer_linux
dest: ~/installer_linux
mode: '0555'
- name: Run Golang installer
raw: ./installer_linux && source ~/.bashrc
- name: Create dir
file:
path: /home/vagrant/clouditor
state: directory
- name: Clone Clouditor repo
git:
repo: https://github.com/clouditor/clouditor.git
dest: /home/vagrant/clouditor
- name: Copy Makefile
copy:
src: ./clouditor/Makefile
dest: ~/Makefile
- name: Create Clouditor log file
file:
path: /var/log/clouditor.log
mode: 0666
state: touch
owner: vagrant
become: yes
- name: Run Clouditor in background
shell:
chdir: ~/clouditor
executable: /bin/bash
cmd: "(nohup ~/.go/bin/go run cmd/engine/engine.go --db-in-memory </dev/null >/var/log/clouditor.log 2>&1 & sleep 1)"
# see https://ansibledaily.com/execute-detached-process-with-ansible/
\ No newline at end of file
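Review bot: The Golang installer fetched by `get_url` is executed by the following `raw` task without any integrity check, and the Clouditor clone in the `git` task has no `version:`, so each provisioning run builds whatever the upstream default branch holds at that moment; add `checksum: sha256:<PLACEHOLDER hash of the published installer>` to the `get_url` task and `version: <PLACEHOLDER release tag or commit>` to the `git` task, matching the tag pinning the README already applies to wazuh-ansible. The `&& source ~/.bashrc` in the `raw` task has no effect on later tasks, since each task runs in a fresh shell, and the final task already invokes `~/.go/bin/go` by explicit path, so that part can be dropped. The log file is created with `mode: 0666` (world-writable), but the engine task runs without `become` and the file is already `owner: vagrant`, so `mode: 0644` is sufficient.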
......@@ -5,5 +5,8 @@
- name: Start provision of the Wazuh Agents
import_playbook: provision-agents.yml
- name: Start provision of Evidence Collector
- name: Start provision of the Evidence Collector
import_playbook: provision-evidence-collector.yml
- name: Start provision of the Clouditor
import_playbook: provision-clouditor.yml
\ No newline at end of file
......@@ -13,14 +13,14 @@ servers=[
:hostname => "agent1",
:ip => "192.168.33.11",
:box => "centos/8",
:ram => 1024,
:ram => 512,
:cpu => 1
},
{
:hostname => "agent2",
:ip => "192.168.33.12",
:box => "centos/8",
:ram => 1024,
:ram => 512,
:cpu => 1
},
{
......@@ -29,6 +29,13 @@ servers=[
:box => "centos/8",
:ram => 1024,
:cpu => 2
},
{
:hostname => "clouditor",
:ip => "192.168.33.14",
:box => "centos/8",
:ram => 512,
:cpu => 1
}
]
......
......@@ -19,3 +19,12 @@ ssh-agent2:
ssh-evidence-collector:
@$(VAGRANT_RUN) ssh evidence-collector
ssh-clouditor:
@$(VAGRANT_RUN) ssh clouditor
provision-evidence-collector:
@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml
provision-clouditor:
@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-clouditor.yml
\ No newline at end of file
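Review bot: `provision-evidence-collector` and `provision-clouditor` repeat the same recipe verbatim, differing only in the playbook name, and none of the three new targets is marked phony within the hunk (whether a `.PHONY` line earlier in the file lists them is not visible here); a single pattern rule `provision-%: ; @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/$@.yml` replaces both, and `.PHONY: ssh-clouditor provision-evidence-collector provision-clouditor` keeps them from being shadowed by files of the same name. Note that `ANSIBLE_HOST_KEY_CHECKING=False` disables SSH host-key verification for the whole playbook run while the inventory already sets `-o StrictHostKeyChecking=no` per host group; the two overlap, and keeping the setting in one documented place makes it easier to tighten later.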
......@@ -16,3 +16,9 @@ ansible_ssh_common_args='-o StrictHostKeyChecking=no'
[evidence_collector:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
[clouditor]
192.168.33.14 public_ip=192.168.33.14 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/clouditor/virtualbox/private_key
[clouditor:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
\ No newline at end of file
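Review bot: The new `[clouditor]` host line carries both `ansible_ssh_pass=vagrant` and `ansible_ssh_private_key_file=...`; since the Vagrant-generated key is supplied, the password entry is unnecessary and removing it keeps a credential out of the committed inventory (the same applies to the existing host lines, which this entry copies). `ansible_ssh_user` and `ansible_ssh_pass` are the pre-2.0 spellings of `ansible_user` and `ansible_password`; new entries could use the current names.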