From 6f2a990fd4625178e0fd0f9a98441c22f5ee4f2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matev=C5=BE=20Er=C5=BEen?= <matevz.erzen@xlab.si>
Date: Mon, 22 Nov 2021 09:59:52 +0000
Subject: [PATCH] Clouditor integration

---
 .gitignore                               |  1 +
 Makefile                                 |  6 ---
 README.md                                | 55 +++++++++++++++++++++---
 ansible/clouditor/Makefile               |  2 +
 ansible/provision-agents.yml             |  2 +-
 ansible/provision-clouditor.yml          | 45 +++++++++++++++++++
 ansible/provision-evidence-collector.yml |  2 +-
 ansible/provision-managers.yml           |  2 +-
 ansible/provision.yml                    |  7 ++-
 environments/full-setup/Vagrantfile      | 11 ++++-
 environments/full-setup/full-setup.mk    | 11 ++++-
 environments/full-setup/inventory.txt    |  6 +++
 12 files changed, 130 insertions(+), 20 deletions(-)
 create mode 100644 ansible/clouditor/Makefile
 create mode 100644 ansible/provision-clouditor.yml

diff --git a/.gitignore b/.gitignore
index 75db421..9874ca4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ wazuh-ansible/
 *.swp
 *.retry
 ansible/opendistro/
+*.log
\ No newline at end of file
diff --git a/Makefile b/Makefile
index b1d2332..365b18f 100644
--- a/Makefile
+++ b/Makefile
@@ -12,17 +12,11 @@ clone-wazuh:
 	-git clone https://github.com/wazuh/wazuh-ansible.git > /dev/null 2>&1
 	cd wazuh-ansible && git checkout tags/v4.1.5
 
-reprovision:
-	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS)  $(ANSIBLE_DIR)/provision-reset.yml
-
 provision-managers:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-managers.yml
 
 provision-agents:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-agents.yml
 
-provision-evidence-collector:
-	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml
-
 provision:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision.yml
\ No newline at end of file
diff --git a/README.md b/README.md
index a588564..a92aa79 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,12 @@
-# Security Monitoring
+# Security Monitoring Demo
 
-This project is meant for quickly setting up Wazuh instance using Ansible scripts
-on top infrastructure provisioned using Vagrant.
+This project is meant for quickly setting up a demo of evidence collection with Wazuh.
 
-In addition to Wazuh, ClamAV is also installed to agent machines (for testing purposes).
+Project is deployed using Ansible scripts on top of infrastructure provisioned with Vagrant.
+
+It creates 4 VMs: a Wazuh server (manager), two machines acting as Wazuh agents, the Evidence Collector, and Clouditor.
+
+In addition to Wazuh, ClamAV is also installed on agent machines (for testing purposes).
 
 ## Requirements
 
@@ -26,6 +29,11 @@ $ git checkout tags/v4.1.5
 
 Then select your `ENVIRONMENT` in `Makefile`. Set it to `full-setup` or `no-collector`.
 
+If the case of `full-setup`, installation of additional Ansible roles is required:
+```
+$ ansible-galaxy install --roles-path ansible/ gantsign.golang
+```
+
 1. Provision Wazuh server and Wazuh agents:
 
 ```
@@ -46,13 +54,29 @@ $ PORT=8088 npx http-echo-server
 
 ## Using Evidence Collector
 
-To see Evidence Collector's output, `ssh` to it's machine and open Docker logs:
+To see Evidence Collector's output, `ssh` to its machine and open Docker logs:
 
 ```
 $ make ssh-evidence-collector
 $ docker logs -ft evidence-collector
 ```
 
+## Testing with Clouditor
+
+Clouditor starts automatically when clouditor VM is provisioned.
+
+To see Clouditor's output, `ssh` to its machine and examine the log file:  
+
+```
+$ make ssh-clouditor
+$ tail /var/log/clouditor.log
+```
+
+To manually start clouditor (normally not needed), you can use the following command on the clouditor VM (in `/home/vagrant/`):
+```
+$ make run
+```
+
 ## Potential issues
  
 ### ClamAV (re)start failed/timed out
@@ -108,4 +132,23 @@ ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.10"
 ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.11"
 ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.12"
 ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.13"
-```
\ No newline at end of file
+```
+
+### Virtual networking problem
+
+If your Vagrant / hypervisor for whatever reason doesn't make the `192.168.33.0` virtual network
+directly accessible from the host, you need to manually specify the IP address and port for SSH 
+connections to each of the VMs.
+
+After the VMs have been created, the SSH connection parameters can be seen with the `vagrant ssh-config` command:
+```
+$ cd environments/full-setup/
+$ vagrant ssh-config
+```
+
+Edit `environments/full-setup/inventory.txt` and add `ansible_host` and `ansible_port` parameters 
+to each of the VMs. Example:
+```
+[wazuh_managers]
+192.168.33.10 ansible_host=127.0.0.1 ansible_port=2222 public_ip=192.168.33.10 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/manager/virtualbox/private_key
+```
diff --git a/ansible/clouditor/Makefile b/ansible/clouditor/Makefile
new file mode 100644
index 0000000..64ed440
--- /dev/null
+++ b/ansible/clouditor/Makefile
@@ -0,0 +1,2 @@
+run:
+	cd clouditor && go run cmd/engine/engine.go --db-in-memory
\ No newline at end of file
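Review bot: `run` is a command target, not a file, so a file named `run` appearing in `/home/vagrant` would make `make run` report "up to date" and do nothing; declare it with `.PHONY: run` above the rule. The recipe also relies on `go` being on PATH, while the provisioning playbook invokes `~/.go/bin/go` explicitly; using the same absolute path here, `cd clouditor && ~/.go/bin/go run cmd/engine/engine.go --db-in-memory`, keeps the manual start working in a shell that has not picked up the installer's PATH change. A one-line `## Start Clouditor in the foreground with an in-memory database (manual testing only)` comment on the target would document its intent for the `make run` step the README describes.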
diff --git a/ansible/provision-agents.yml b/ansible/provision-agents.yml
index b5f7fc6..be2d4da 100644
--- a/ansible/provision-agents.yml
+++ b/ansible/provision-agents.yml
@@ -3,7 +3,7 @@
   - hosts: wazuh_agents
     become: yes
     pre_tasks:
-    - import_tasks: "{{ ansible_dir }}/globals/vars.yml" 
+      - import_tasks: "{{ ansible_dir }}/globals/vars.yml" 
     roles:    
       - ../wazuh-ansible/roles/wazuh/ansible-wazuh-agent
       - docker
diff --git a/ansible/provision-clouditor.yml b/ansible/provision-clouditor.yml
new file mode 100644
index 0000000..be61025
--- /dev/null
+++ b/ansible/provision-clouditor.yml
@@ -0,0 +1,45 @@
+---
+# Clouditor
+  - hosts: clouditor
+    tasks:
+      - name: Install yum packages
+        yum:
+          name:
+            - git
+            - gcc
+            - wget
+            - make
+          state: present
+        become: yes
+      - name: Download Golang installer
+        get_url:
+          url: https://storage.googleapis.com/golang/getgo/installer_linux
+          dest: ~/installer_linux
+          mode: '0555'
+      - name: Run Golang installer
+        raw: ./installer_linux && source ~/.bashrc
+      - name: Create dir
+        file:
+          path: /home/vagrant/clouditor
+          state: directory
+      - name: Clone Clouditor repo
+        git:
+          repo: https://github.com/clouditor/clouditor.git
+          dest: /home/vagrant/clouditor
+      - name: Copy Makefile
+        copy:
+          src: ./clouditor/Makefile
+          dest: ~/Makefile
+      - name: Create Clouditor log file
+        file:
+          path: /var/log/clouditor.log
+          mode: 0666
+          state: touch
+          owner: vagrant
+        become: yes
+      - name: Run Clouditor in background
+        shell:
+          chdir: ~/clouditor
+          executable: /bin/bash
+          cmd: "(nohup ~/.go/bin/go run cmd/engine/engine.go --db-in-memory </dev/null >/var/log/clouditor.log 2>&1 & sleep 1)"
+          # see https://ansibledaily.com/execute-detached-process-with-ansible/
\ No newline at end of file
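Review bot: Neither download in this playbook is pinned: the `get_url` task fetches the Go installer without a `checksum:`, and the `git` task clones Clouditor's default branch with no `version:`, so each provisioning run executes whatever those remote locations currently serve. Add `checksum: sha256:<EXPECTED_INSTALLER_SHA256>` to the `get_url` task and `version: <pinned tag or commit>` to the `git` task so the demo is reproducible and a changed upstream artefact fails loudly instead of running. The log file is created with `mode: 0666`, which lets any local user on the VM truncate or rewrite the engine's output; the process runs as vagrant and the file is owned by vagrant, so `mode: '0644'` suffices (quoted, so YAML does not reinterpret the octal). The `raw` installer step re-runs the installer on every play and its `source ~/.bashrc` affects only that one shell, so a `shell` task with `creates: ~/.go/bin/go` would be the idempotent form. Likewise the final `nohup … &` task launches a second engine each time the playbook is re-applied; a systemd unit, or at minimum a guard that the engine is not already running, would avoid duplicate instances writing to the same log.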
diff --git a/ansible/provision-evidence-collector.yml b/ansible/provision-evidence-collector.yml
index 627cbbe..fa13074 100644
--- a/ansible/provision-evidence-collector.yml
+++ b/ansible/provision-evidence-collector.yml
@@ -3,7 +3,7 @@
   - hosts: evidence_collector
     become: yes
     pre_tasks:
-    - import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
+      - import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
     roles:   
       - docker
     tasks:
diff --git a/ansible/provision-managers.yml b/ansible/provision-managers.yml
index 31edada..1d89472 100644
--- a/ansible/provision-managers.yml
+++ b/ansible/provision-managers.yml
@@ -4,7 +4,7 @@
     become: yes    
     become_user: root
     pre_tasks:
-    - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
+      - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
     roles:
       - role: ../wazuh-ansible/roles/opendistro/opendistro-elasticsearch
       - role: ../wazuh-ansible/roles/wazuh/ansible-wazuh-manager
diff --git a/ansible/provision.yml b/ansible/provision.yml
index 6901c33..a06d908 100644
--- a/ansible/provision.yml
+++ b/ansible/provision.yml
@@ -5,5 +5,8 @@
 - name: Start provision of the Wazuh Agents
   import_playbook: provision-agents.yml
 
-- name: Start provision of Evidence Collector
-  import_playbook: provision-evidence-collector.yml
\ No newline at end of file
+- name: Start provision of the Evidence Collector
+  import_playbook: provision-evidence-collector.yml
+
+- name: Start provision of the Clouditor
+  import_playbook: provision-clouditor.yml
\ No newline at end of file
diff --git a/environments/full-setup/Vagrantfile b/environments/full-setup/Vagrantfile
index 2b311d4..de5e3ef 100644
--- a/environments/full-setup/Vagrantfile
+++ b/environments/full-setup/Vagrantfile
@@ -13,14 +13,14 @@ servers=[
     :hostname => "agent1",
     :ip => "192.168.33.11",
     :box => "centos/8",
-    :ram => 1024,
+    :ram => 512,
     :cpu => 1
   },
   {
     :hostname => "agent2",
     :ip => "192.168.33.12",
     :box => "centos/8",
-    :ram => 1024,
+    :ram => 512,
     :cpu => 1
   },
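Review bot: Halving the agents' `:ram` to 512 deserves a comment, because these machines run the Wazuh agent plus ClamAV and the README already carries a "ClamAV (re)start failed/timed out" troubleshooting section; clamd loads its signature database into memory, which on many setups needs more than 512 MB, so the reduction may turn that documented failure into the default. If the lower value was chosen to fit a fourth VM on the host, record it on the line, e.g. `:ram => 512, # lowered from 1024 to fit four VMs; raise if clamd fails to start`, or keep 1024 for the agents and trim elsewhere. The `servers` array begins before this hunk.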
   {
@@ -29,6 +29,13 @@ servers=[
     :box => "centos/8",
     :ram => 1024,
     :cpu => 2
+  },
+  {
+    :hostname => "clouditor",
+    :ip => "192.168.33.14",
+    :box => "centos/8",
+    :ram => 512,
+    :cpu => 1
   }
 ]
 
diff --git a/environments/full-setup/full-setup.mk b/environments/full-setup/full-setup.mk
index cf5009b..4932cf8 100644
--- a/environments/full-setup/full-setup.mk
+++ b/environments/full-setup/full-setup.mk
@@ -18,4 +18,13 @@ ssh-agent2:
 	@$(VAGRANT_RUN) ssh agent2
 
 ssh-evidence-collector:
-	@$(VAGRANT_RUN) ssh evidence-collector
\ No newline at end of file
+	@$(VAGRANT_RUN) ssh evidence-collector
+
+ssh-clouditor:
+	@$(VAGRANT_RUN) ssh clouditor
+
+provision-evidence-collector:
+	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml
+
+provision-clouditor:
+	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-clouditor.yml
\ No newline at end of file
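Review bot: The three new targets are commands, not files, and no `.PHONY` declaration for them is visible in this hunk (it may exist elsewhere in the file); a stray `ssh-clouditor` or `provision-clouditor` file in the working tree would otherwise silently turn them into no-ops, so add `.PHONY: ssh-clouditor provision-evidence-collector provision-clouditor`. The two `provision-*` recipes repeat the `ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS)` prefix that the root Makefile also uses; a shared variable such as `ANSIBLE_PLAYBOOK = ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS)` (recursive, since `ANSIBLE_ARGS` appears to be defined outside this file) would keep them in step. Since the inventory already sets `StrictHostKeyChecking=no` per group, the environment variable is redundant here; a comment such as `# host key checking is off because the VMs' host keys change whenever they are recreated (see README, known_hosts)` records why it is acceptable on this throwaway network.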
diff --git a/environments/full-setup/inventory.txt b/environments/full-setup/inventory.txt
index cea1c6b..58aa449 100644
--- a/environments/full-setup/inventory.txt
+++ b/environments/full-setup/inventory.txt
@@ -15,4 +15,10 @@ ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 192.168.33.13 public_ip=192.168.33.13 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/evidence-collector/virtualbox/private_key
 
 [evidence_collector:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+
+[clouditor]
+192.168.33.14 public_ip=192.168.33.14 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/clouditor/virtualbox/private_key
+
+[clouditor:vars]
 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
\ No newline at end of file
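Review bot: The new `192.168.33.14` host is not reflected in the README's known_hosts cleanup list, which still ends at `192.168.33.13`; add `ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.14"` there so the documented recovery step covers the clouditor VM as well. The new entry also copies both `ansible_ssh_pass=vagrant` and `ansible_ssh_private_key_file=…` from the existing groups; if key-based login works (as it should with the per-machine Vagrant key), `ansible_ssh_pass` can be dropped, keeping a plaintext credential out of the inventory. The same applies to the existing hosts, but that is outside this change.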
-- 
GitLab