diff --git a/.gitignore b/.gitignore
index 75db421843374a62cd204cb430694a79c296781c..9874ca41083b20e78b7ce149b9d68f36cae72ca3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ wazuh-ansible/
 *.swp
 *.retry
 ansible/opendistro/
+*.log
\ No newline at end of file
diff --git a/Makefile b/Makefile
index b1d23320ab5c8f612acc3f5861f043c3a5ac0dbf..365b18fe066c2c11b33f1af72be94ca094fd3885 100644
--- a/Makefile
+++ b/Makefile
@@ -12,17 +12,11 @@ clone-wazuh:
 -git clone https://github.com/wazuh/wazuh-ansible.git > /dev/null 2>&1
 cd wazuh-ansible && git checkout tags/v4.1.5
-reprovision:
- @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-reset.yml
-
 provision-managers:
 @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-managers.yml
 provision-agents:
 @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-agents.yml
-provision-evidence-collector:
- @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml
-
 provision:
 @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision.yml
\ No newline at end of file
diff --git a/README.md b/README.md
index a588564179e0e01e4675e2094d3006f2f867bb92..a92aa791da6153a5b3a4c6d87023eb2b1b69d6c0 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,12 @@
-# Security Monitoring
+# Security Monitoring Demo
-This project is meant for quickly setting up Wazuh instance using Ansible scripts
-on top infrastructure provisioned using Vagrant.
+This project is meant for quickly setting up a demo of evidence collection with Wazuh.
-In addition to Wazuh, ClamAV is also installed to agent machines (for testing purposes).
+Project is deployed using Ansible scripts on top of infrastructure provisioned with Vagrant.
+
+It creates 4 VMs: a Wazuh server (manager), two machines acting as Wazuh agents, the Evidence Collector, and Clouditor.
+
+In addition to Wazuh, ClamAV is also installed on agent machines (for testing purposes).
 ## Requirements
@@ -26,6 +29,11 @@ $ git checkout tags/v4.1.5
 Then select your `ENVIRONMENT` in `Makefile`. Set it to `full-setup` or `no-collector`.
+If the case of `full-setup`, installation of additional Ansible roles is required:
+```
+$ ansible-galaxy install --roles-path ansible/ gantsign.golang
+```
+
 1. Provision Wazuh server and Wazuh agents:
 ```
@@ -46,13 +54,29 @@ $ PORT=8088 npx http-echo-server
 ## Using Evidence Collector
-To see Evidence Collector's output, `ssh` to it's machine and open Docker logs:
+To see Evidence Collector's output, `ssh` to its machine and open Docker logs:
 ```
 $ make ssh-evidence-collector
 $ docker logs -ft evidence-collector
 ```
+## Testing with Clouditor
+
+Clouditor starts automatically when clouditor VM is provisioned.
+
+To see Clouditor's output, `ssh` to its machine and examine the log file:
+
+```
+$ make ssh-clouditor
+$ tail /var/log/clouditor.log
+```
+
+To manually start clouditor (normally not needed), you can use the following command on the clouditor VM (in `/home/vagrant/`):
+```
+$ make run
+```
+
 ## Potential issues
 ### ClamAV (re)start failed/timed out
@@ -108,4 +132,23 @@ ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.10"
 ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.11"
 ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.12"
 ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.13"
-```
\ No newline at end of file
+```
+
+### Virtual networking problem
+
+If your Vagrant / hypervisor for whatever reason doesn't make the `192.168.33.0` virtual network
+directly accessible from the host, you need to manually specify the IP address and port for SSH
+connections to each of the VMs.
+
+After the VMs have been created, the SSH connection parameters can be seen with the `vagrant ssh-config` command:
+```
+$ cd environments/full-setup/
+$ vagrant ssh-config
+```
+
+Edit `environments/full-setup/inventory.txt` and add `ansible_host` and `ansible_port` parameters
+to each of the VMs. Example:
+```
+[wazuh_managers]
+192.168.33.10 ansible_host=127.0.0.1 ansible_port=2222 public_ip=192.168.33.10 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/manager/virtualbox/private_key
+```
diff --git a/ansible/clouditor/Makefile b/ansible/clouditor/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..64ed440e2a6dccfa59d9f08a54ed9ff23eecf2ea
--- /dev/null
+++ b/ansible/clouditor/Makefile
@@ -0,0 +1,2 @@
+run:
+ cd clouditor && go run cmd/engine/engine.go --db-in-memory
\ No newline at end of file
diff --git a/ansible/provision-agents.yml b/ansible/provision-agents.yml
index b5f7fc61f052dfcb81506f8dac3e67cd226b3350..be2d4da10a60571c5107f98dae462bdc1b9292b2 100644
--- a/ansible/provision-agents.yml
+++ b/ansible/provision-agents.yml
@@ -3,7 +3,7 @@
 - hosts: wazuh_agents
 become: yes
 pre_tasks:
- - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
+ - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
 roles:
 - ../wazuh-ansible/roles/wazuh/ansible-wazuh-agent
 - docker
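Review bot: `run` in ansible/clouditor/Makefile is a command, not a file, but is not declared phony; if a file or directory named `run` ever appears in /home/vagrant (where the README says `make run` is invoked), Make reports it up to date and does nothing. Add `.PHONY: run` above the rule. The recipe also relies on a bare `go` being on PATH, whereas the playbook that installs this Makefile starts the engine through `~/.go/bin/go`; if the installer's PATH change in `~/.bashrc` is not sourced in the invoking shell, `make run` fails with command-not-found where the playbook succeeds, so either use the same explicit path, `cd clouditor && ~/.go/bin/go run cmd/engine/engine.go --db-in-memory`, or document the assumption in a comment.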
diff --git a/ansible/provision-clouditor.yml b/ansible/provision-clouditor.yml
new file mode 100644
index 0000000000000000000000000000000000000000..be610251203edc0b2816ce26c0e35fdf9fb9876a
--- /dev/null
+++ b/ansible/provision-clouditor.yml
@@ -0,0 +1,45 @@
+---
+# Clouditor
+ - hosts: clouditor
+ tasks:
+ - name: Install yum packages
+ yum:
+ name:
+ - git
+ - gcc
+ - wget
+ - make
+ state: present
+ become: yes
+ - name: Download Golang installer
+ get_url:
+ url: https://storage.googleapis.com/golang/getgo/installer_linux
+ dest: ~/installer_linux
+ mode: '0555'
+ - name: Run Golang installer
+ raw: ./installer_linux && source ~/.bashrc
+ - name: Create dir
+ file:
+ path: /home/vagrant/clouditor
+ state: directory
+ - name: Clone Clouditor repo
+ git:
+ repo: https://github.com/clouditor/clouditor.git
+ dest: /home/vagrant/clouditor
+ - name: Copy Makefile
+ copy:
+ src: ./clouditor/Makefile
+ dest: ~/Makefile
+ - name: Create Clouditor log file
+ file:
+ path: /var/log/clouditor.log
+ mode: 0666
+ state: touch
+ owner: vagrant
+ become: yes
+ - name: Run Clouditor in background
+ shell:
+ chdir: ~/clouditor
+ executable: /bin/bash
+ cmd: "(nohup ~/.go/bin/go run cmd/engine/engine.go --db-in-memory </dev/null >/var/log/clouditor.log 2>&1 & sleep 1)"
+ # see https://ansibledaily.com/execute-detached-process-with-ansible/
\ No newline at end of file
diff --git a/ansible/provision-evidence-collector.yml b/ansible/provision-evidence-collector.yml
index 627cbbe5eecc3654e96a378a4ac7f4fb489c468e..fa13074a6eae484b0943811654fad3a33047d8f5 100644
--- a/ansible/provision-evidence-collector.yml
+++ b/ansible/provision-evidence-collector.yml
@@ -3,7 +3,7 @@
 - hosts: evidence_collector
 become: yes
 pre_tasks:
- - import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
+ - import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
 roles:
 - docker
 tasks:
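Review bot: The `Download Golang installer` task in the new ansible/provision-clouditor.yml fetches an executable that the very next task runs, but `get_url` is given no `checksum:`, so a substituted or truncated installer is executed unnoticed; add `checksum: sha256:<EXPECTED_SHA256>` (placeholder, take the value from the upstream publication) to that task. The same applies to `Clone Clouditor repo`: `git:` without `version:` builds whatever the upstream default branch points at when provisioning runs, so two runs are not reproducible; pin it with `version: <TAG_OR_COMMIT>`. In `Run Golang installer`, `source ~/.bashrc` only affects that one `raw` shell and is gone before the next task; since the later `shell` task already calls `~/.go/bin/go` explicitly, the `&& source ~/.bashrc` part can be dropped. Finally, `mode: 0666` on /var/log/clouditor.log lets every local account write or truncate the log although the writer runs as `vagrant`, who already owns the file; `mode: '0644'` suffices, and quoting it matches the `'0555'` style used earlier in the file.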
diff --git a/ansible/provision-managers.yml b/ansible/provision-managers.yml
index 31edada492d9d5af1c5f592114084eb7bf56687f..1d8947259847cd8a4e430231565cc0b0c987892f 100644
--- a/ansible/provision-managers.yml
+++ b/ansible/provision-managers.yml
@@ -4,7 +4,7 @@
 become: yes
 become_user: root
 pre_tasks:
- - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
+ - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
 roles:
 - role: ../wazuh-ansible/roles/opendistro/opendistro-elasticsearch
 - role: ../wazuh-ansible/roles/wazuh/ansible-wazuh-manager
diff --git a/ansible/provision.yml b/ansible/provision.yml
index 6901c339d3bad30efd718058f10e2e26e5369f31..a06d9089e2055386bac9b22d53f64ad4a72b2e32 100644
--- a/ansible/provision.yml
+++ b/ansible/provision.yml
@@ -5,5 +5,8 @@
 - name: Start provision of the Wazuh Agents
 import_playbook: provision-agents.yml
-- name: Start provision of Evidence Collector
- import_playbook: provision-evidence-collector.yml
\ No newline at end of file
+- name: Start provision of the Evidence Collector
+ import_playbook: provision-evidence-collector.yml
+
+- name: Start provision of the Clouditor
+ import_playbook: provision-clouditor.yml
\ No newline at end of file
diff --git a/environments/full-setup/Vagrantfile b/environments/full-setup/Vagrantfile
index 2b311d4158b39a74ff057a0b6c99714bd93d5e31..de5e3ef3fb53f7d29abd64218fecd344856073a9 100644
--- a/environments/full-setup/Vagrantfile
+++ b/environments/full-setup/Vagrantfile
@@ -13,14 +13,14 @@ servers=[
 :hostname => "agent1",
 :ip => "192.168.33.11",
 :box => "centos/8",
- :ram => 1024,
+ :ram => 512,
 :cpu => 1
 },
 {
 :hostname => "agent2",
 :ip => "192.168.33.12",
 :box => "centos/8",
- :ram => 1024,
+ :ram => 512,
 :cpu => 1
 },
 {
@@ -29,6 +29,13 @@ servers=[
 :box => "centos/8",
 :ram => 1024,
 :cpu => 2
+ },
+ {
+ :hostname => "clouditor",
+ :ip => "192.168.33.14",
+ :box => "centos/8",
+ :ram => 512,
+ :cpu => 1
 }
 ]
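Review bot: The new `Start provision of the Clouditor` import in ansible/provision.yml runs unconditionally, while the same commit moves `provision-evidence-collector` and `provision-clouditor` out of the root Makefile into environments/full-setup/full-setup.mk and the README describes a `no-collector` environment, so `make provision` under `no-collector` still reaches both collector playbooks. Whether that fails or only yields a "could not match supplied host pattern" warning depends on that environment's inventory and ansible.cfg, which are outside this diff. Add a comment stating the assumption above the two imports, e.g. `# Assumes the full-setup inventory (evidence_collector and clouditor groups); no-collector uses the per-playbook make targets`, or provide a separate top-level playbook per environment.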
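Review bot: Lowering `agent1` and `agent2` to `:ram => 512` in environments/full-setup/Vagrantfile may be below what those guests need: the README in this commit says ClamAV is installed on the agent machines and already carries a "ClamAV (re)start failed/timed out" section, and clamd loading its signature database is memory-hungry, so I would expect 512 MB to make that failure more frequent, though I cannot confirm this without the role's configuration. The new `clouditor` entry at 512 MB is also the guest on which provision-clouditor.yml compiles and runs the engine via `go run`, so a Go build of the whole project may be short of memory there as well. If the lower figures were chosen to fit the host, put that rationale in a comment next to each `:ram => 512,` line; otherwise keep `1024` for the agents.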
diff --git a/environments/full-setup/full-setup.mk b/environments/full-setup/full-setup.mk
index cf5009bb77e1e293c46321646e8509af8d9f0c12..4932cf8400d7ac752438fb79cea2cc05c87d90e7 100644
--- a/environments/full-setup/full-setup.mk
+++ b/environments/full-setup/full-setup.mk
@@ -18,4 +18,13 @@ ssh-agent2:
 @$(VAGRANT_RUN) ssh agent2
 ssh-evidence-collector:
- @$(VAGRANT_RUN) ssh evidence-collector
\ No newline at end of file
+ @$(VAGRANT_RUN) ssh evidence-collector
+
+ssh-clouditor:
+ @$(VAGRANT_RUN) ssh clouditor
+
+provision-evidence-collector:
+ @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml
+
+provision-clouditor:
+ @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-clouditor.yml
\ No newline at end of file
diff --git a/environments/full-setup/inventory.txt b/environments/full-setup/inventory.txt
index cea1c6b98ce6f4712d9641a31cfc2ecd3e68ddcc..58aa44970fba348721c0b9ac7ff7441443c3c447 100644
--- a/environments/full-setup/inventory.txt
+++ b/environments/full-setup/inventory.txt
@@ -15,4 +15,10 @@ ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 192.168.33.13 public_ip=192.168.33.13 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/evidence-collector/virtualbox/private_key
 [evidence_collector:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+
+[clouditor]
+192.168.33.14 public_ip=192.168.33.14 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/clouditor/virtualbox/private_key
+
+[clouditor:vars]
 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
\ No newline at end of file
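Review bot: The three targets added to environments/full-setup/full-setup.mk (`ssh-clouditor`, `provision-evidence-collector`, `provision-clouditor`) are commands rather than files and are not declared phony within this hunk; unless the part of the file above line 18 already lists them, a stray file with one of those names in the working tree makes Make skip the recipe silently. Add `.PHONY: ssh-clouditor provision-evidence-collector provision-clouditor` next to the rules or extend an existing `.PHONY` line. The `ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) …` recipe is now duplicated between this file and the root Makefile's `provision-*` targets; a single `ANSIBLE_PLAYBOOK := ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS)` definition would keep them in step and leaves one visible place where host-key checking is switched off for the demo.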
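Review bot: The new `[clouditor]` host line in environments/full-setup/inventory.txt carries both `ansible_ssh_pass=vagrant` and `ansible_ssh_private_key_file=…`; the key already authenticates, so the password entry is redundant and only keeps the well-known default Vagrant credential in a committed file. It mirrors the existing entries (for example the 192.168.33.13 line in the same hunk), so if it is removed it should be removed for every host in one change. The per-group `ansible_ssh_common_args='-o StrictHostKeyChecking=no'` is likewise repeated for each group and could live once in an `[all:vars]` section, which also makes the one place where host-key checking is disabled easy to find and to revisit.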