diff --git a/.gitignore b/.gitignore index 2e0067e1eb51afd8e04198192ec3b61f73253171..75db421843374a62cd204cb430694a79c296781c 100644 --- a/.gitignore +++ b/.gitignore @@ -2,4 +2,4 @@ wazuh-ansible/ *.swp *.retry -security-monitoring-ansible/ansible/opendistro/ +ansible/opendistro/ diff --git a/LICENSE.txt b/LICENSE.txt new file mode 100644 index 0000000000000000000000000000000000000000..455e2a7c4e7f2aed15fd5b118cd7991cc2d5e72f --- /dev/null +++ b/LICENSE.txt @@ -0,0 +1,4 @@ +Copyright (C) 2021 XLAB d.o.o. +Use of this software allowed only to MEDINA partners for the purpose of research in the scope of MEDINA project, as specified in the MEDINA Consortium Agreement. +No commercial use allowed. +This program is distributed without any warranty. \ No newline at end of file diff --git a/security-monitoring-ansible/Makefile b/Makefile similarity index 70% rename from security-monitoring-ansible/Makefile rename to Makefile index 394e7ffbda06c325f1a897eccee47db497c26d4c..b1d23320ab5c8f612acc3f5861f043c3a5ac0dbf 100644 --- a/security-monitoring-ansible/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -ENVIRONMENT ?= vagrant-1manager-2agents +ENVIRONMENT ?= full-setup DEPLOY_DIR = $(PWD) ENV_DIR = $(DEPLOY_DIR)/environments/$(ENVIRONMENT) ANSIBLE_DIR = $(DEPLOY_DIR)/ansible @@ -7,7 +7,11 @@ include $(ENV_DIR)/$(ENVIRONMENT).mk ANSIBLE_ARGS = -i $(ENV_DIR)/inventory.txt \ -e ansible_dir=$(ANSIBLE_DIR) \ -e environment_dir=$(ENV_DIR) - + +clone-wazuh: + -git clone https://github.com/wazuh/wazuh-ansible.git > /dev/null 2>&1 + cd wazuh-ansible && git checkout tags/v4.1.5 + reprovision: @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-reset.yml 
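Review bot: In the new `clone-wazuh` target, the `-` prefix together with `> /dev/null 2>&1` makes a failed clone invisible, and the following `cd wazuh-ansible && git checkout tags/v4.1.5` then runs against whatever directory happens to exist; a tag is also a mutable reference, so the checkout alone does not guarantee that the reviewed version of the Wazuh roles is what gets deployed. Consider cloning the tag directly and failing loudly, e.g. `test -d wazuh-ansible || git clone --branch v4.1.5 https://github.com/wazuh/wazuh-ansible.git`, and verifying the result against a recorded commit id, e.g. `cd wazuh-ansible && test "$$(git rev-parse HEAD)" = "<pinned-commit-sha>"`. The README in this commit already documents the manual clone, so the pinned id can live in the Makefile as a variable next to `ENVIRONMENT`.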
@@ -17,5 +21,8 @@ provision-managers: provision-agents: @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-agents.yml +provision-evidence-collector: + @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml + provision: @ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision.yml \ No newline at end of file diff --git a/README.md b/README.md index 51a3540bf8800bfb8a5632a94370c927cd39d824..a588564179e0e01e4675e2094d3006f2f867bb92 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,8 @@ This project is meant for quickly setting up Wazuh instance using Ansible scripts on top infrastructure provisioned using Vagrant. +In addition to Wazuh, ClamAV is also installed to agent machines (for testing purposes). + ## Requirements * Vagrant 2.2.14 @@ -13,15 +15,20 @@ on top infrastructure provisioned using Vagrant. First, checkout Wazuh's tag `v4.1.5` into the current directory: +``` +$ make clone-wazuh +``` +or ``` $ git clone https://github.com/wazuh/wazuh-ansible.git $ git checkout tags/v4.1.5 ``` +Then select your `ENVIRONMENT` in `Makefile`. Set it to `full-setup` or `no-collector`. + 1. Provision Wazuh server and Wazuh agents: ``` -$ cd security-monitoring-ansible $ make create provision ``` 
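Review bot: The new `provision-evidence-collector` target disables SSH host-key verification with `ANSIBLE_HOST_KEY_CHECKING=False`, as the sibling targets do, and the new inventories in this commit (`environments/full-setup/inventory.txt`, `environments/no-collector/inventory.txt`) add `-o StrictHostKeyChecking=no` on top, so Ansible never checks the identity of the hosts it pushes the registry token and Wazuh configuration to. For a local Vagrant lab that is a known trade-off, but it should be a deliberate one: a comment on the targets such as `# host-key checking is disabled because Vagrant regenerates VM host keys on every 'make create'` makes the intent explicit, and a `known_hosts` file generated from `vagrant ssh-config` passed via `-o UserKnownHostsFile=...` would let both settings go. As it stands, one of the two settings is redundant.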
@@ -36,8 +43,22 @@ You should see 2 agents registered and running with Wazuh. ``` $ PORT=8088 npx http-echo-server ``` + +## Using Evidence Collector + +To see Evidence Collector's output, `ssh` to it's machine and open Docker logs: + +``` +$ make ssh-evidence-collector +$ docker logs -ft evidence-collector +``` + ## Potential issues +### ClamAV (re)start failed/timed out + +ClamAV restart can time-out due to slow disk read/write speeds (if using HDD) and lack of memory. To resolve this, provide the machine with more RAM. Current implementation has it set to `1024` MB (which should suffice for the majoirty of host machine configurations). If you're using SSD, you can lower it to `512` MB. + ### Vagrant issue: ``` @@ -83,10 +104,8 @@ Host key verification failed. Solution: ``` -ssh-keygen -f "/home/ales/.ssh/known_hosts" -R "192.168.33.10" -ssh-keygen -f "/home/ales/.ssh/known_hosts" -R "192.168.33.11" -ssh-keygen -f "/home/ales/.ssh/known_hosts" -R "192.168.33.12" -ssh-keyscan -H 192.168.33.10 >> /home/ales/.ssh/known_hosts -ssh-keyscan -H 192.168.33.11 >> /home/ales/.ssh/known_hosts -ssh-keyscan -H 192.168.33.12 >> /home/ales/.ssh/known_hosts +ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.10" +ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.11" +ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.12" +ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.13" ``` \ No newline at end of file diff --git a/Security monitoring FISHY.png b/Security monitoring FISHY.png deleted file mode 100644 index ad46f970bbf2b11b4eaa67fad5bcfaf61586f696..0000000000000000000000000000000000000000 Binary files a/Security monitoring FISHY.png and /dev/null differ diff --git a/Security monitoring FISHY.puml b/Security monitoring FISHY.puml deleted file mode 100644 index 8cd83d8748ca7b00731de8ecf2bf0abc8c686028..0000000000000000000000000000000000000000 --- a/Security monitoring FISHY.puml +++ /dev/null 
@@ -1,28 +0,0 @@ -@startuml -participant "FISHY agent" as FISHY_agent -participant "Security monitoring Tool (appliance runtime)" as SecurityMonitoring #99FF99 - -group Configure FISHY security monitoring via FISHY Agent - FISHY_agent->SecurityMonitoring: Configure security monitroing - SecurityMonitoring -> SecurityMonitoring: Configure server (rules) - SecurityMonitoring -> SecurityMonitoring: Configure agents (register agents, define rules) - SecurityMonitoring -> FISHY_agent: Security monitoring configured - note over SecurityMonitoring:The server and agents should be deployed beforehand via FISHY Agent -end - -group Start security monitoring - FISHY_agent->SecurityMonitoring: Start security monitoring - SecurityMonitoring -> SecurityMonitoring : Start security monitoring - FISHY_agent<-SecurityMonitoring: Security monitoring started -end - -group Security monitoring runtime - FISHY_agent<-SecurityMonitoring: Send monitoring alert -end - -group Stop monitoring - FISHY_agent ->SecurityMonitoring: Stop security monitoring - SecurityMonitoring ->FISHY_agent: Security monitoring stopped -end - -@enduml \ No newline at end of file diff --git a/Security monitoring PIACERE.puml b/Security monitoring PIACERE.puml deleted file mode 100644 index 23cf363944bd25b79df4db9e870e53b4cc0ecb2b..0000000000000000000000000000000000000000 --- a/Security monitoring PIACERE.puml +++ /dev/null 
@@ -1,32 +0,0 @@ -@startuml -participant RuntimeController -participant RuntimeMonitoring -participant SecurityMonitoring #99FF99 -participant DOML -participant Selflearning - -group Configure security monitoring - RuntimeController->SecurityMonitoring: Start security monitoring configuration - SecurityMonitoring -> DOML: Acquire information about the NFRs to configure security monitoring - SecurityMonitoring -> SecurityMonitoring: Configure server (rules) - SecurityMonitoring -> SecurityMonitoring: Configure agents (register agents, define rules) - SecurityMonitoring -> RuntimeController: Security monitoring configured - note over SecurityMonitoring,RuntimeController:The server and agents should be deployed beforehand (included in the IaC already? Described within DOML/IaC implicitly?) -end - -group Start security monitoring - RuntimeController->SecurityMonitoring: Start security monitoring - SecurityMonitoring -> SecurityMonitoring : Start security monitoring - RuntimeController<-SecurityMonitoring: Security monitoring started -end - -group Security monitoring runtime - Selflearning<-SecurityMonitoring: Send notification/alarm -end - -group Stop security monitoring - RuntimeController ->SecurityMonitoring: Stop security monitoring - SecurityMonitoring ->RuntimeController: Security monitoring stopped -end - -@enduml \ No newline at end of file diff --git a/security-monitoring-ansible/ansible/clamav/tasks/install-clamav.yml b/ansible/clamav/tasks/install-clamav.yml similarity index 100% rename from security-monitoring-ansible/ansible/clamav/tasks/install-clamav.yml rename to ansible/clamav/tasks/install-clamav.yml diff --git a/security-monitoring-ansible/ansible/custom-integration/files/custom-integration b/ansible/custom-integration/files/custom-integration similarity index 100% rename from security-monitoring-ansible/ansible/custom-integration/files/custom-integration rename to ansible/custom-integration/files/custom-integration 
diff --git a/security-monitoring-ansible/ansible/custom-integration/files/custom-integration.py b/ansible/custom-integration/files/custom-integration.py
similarity index 100%
rename from security-monitoring-ansible/ansible/custom-integration/files/custom-integration.py
rename to ansible/custom-integration/files/custom-integration.py
diff --git a/security-monitoring-ansible/ansible/custom-integration/tasks/main.yml b/ansible/custom-integration/tasks/main.yml
similarity index 100%
rename from security-monitoring-ansible/ansible/custom-integration/tasks/main.yml
rename to ansible/custom-integration/tasks/main.yml
diff --git a/ansible/docker/credentials/credentials.yml b/ansible/docker/credentials/credentials.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d3e73186b46ceba31145217394d228d46c65955a
--- /dev/null
+++ b/ansible/docker/credentials/credentials.yml
@@ -0,0 +1,4 @@
+---
+docker_registry: 'registry-gitlab.xlab.si'
+docker_username: 'gitlab+deploy-token-53'
+docker_token: '_yRiffnzyub8XmuJ4ugr'
\ No newline at end of file
diff --git a/ansible/docker/credentials/vars.yml b/ansible/docker/credentials/vars.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e209b5f66949fa798c1eb9450c41ce0b63578bf0
--- /dev/null
+++ b/ansible/docker/credentials/vars.yml
@@ -0,0 +1,3 @@
+---
+- name: include credentials
+ include_vars: credentials.yml
\ No newline at end of file
diff --git a/security-monitoring-ansible/ansible/docker/tasks/main.yml b/ansible/docker/tasks/main.yml
similarity index 91%
rename from security-monitoring-ansible/ansible/docker/tasks/main.yml
rename to ansible/docker/tasks/main.yml
index 4e0685438aa28b955dcde22a22ded8d7863eff94..42c7d248f955f73f869acaf790d1d2788eab8b43 100644
--- a/security-monitoring-ansible/ansible/docker/tasks/main.yml
+++ b/ansible/docker/tasks/main.yml
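Review bot: `ansible/docker/credentials/credentials.yml` commits a live registry deploy token (`docker_token`) in plaintext, and once it is in git history the value stays recoverable after any later removal, so the token should be treated as exposed and rotated on the GitLab side. Keep the file out of the repository (add `ansible/docker/credentials/credentials.yml` to `.gitignore` and commit a `credentials.yml.example` with placeholder values), encrypt it with `ansible-vault`, or source the values from the environment, e.g. `docker_token: "{{ lookup('env', 'DOCKER_TOKEN') }}"`. The `.gitignore` hunk in this commit only updates the `opendistro/` path, so nothing currently prevents the next edit from landing the same way.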
@@ -4,7 +4,7 @@
 name: docker-ce-stable
 file: docker
 description: Docker CE Stable - $basearch
- baseurl: https://download.docker.com/linux/centos/7/$basearch/stable
+ baseurl: https://download.docker.com/linux/centos/8/$basearch/stable
 enabled: yes
 gpgcheck: yes
 gpgkey: https://download.docker.com/linux/centos/gpg
diff --git a/security-monitoring-ansible/ansible/globals/globals.yml b/ansible/globals/globals.yml
similarity index 100%
rename from security-monitoring-ansible/ansible/globals/globals.yml
rename to ansible/globals/globals.yml
diff --git a/security-monitoring-ansible/ansible/globals/vars.yml b/ansible/globals/vars.yml
similarity index 100%
rename from security-monitoring-ansible/ansible/globals/vars.yml
rename to ansible/globals/vars.yml
diff --git a/security-monitoring-ansible/ansible/provision-agents.yml b/ansible/provision-agents.yml
similarity index 89%
rename from security-monitoring-ansible/ansible/provision-agents.yml
rename to ansible/provision-agents.yml
index 7823533d9f4927b8baa619da0a40f682d5d12d38..b5f7fc61f052dfcb81506f8dac3e67cd226b3350 100644
--- a/security-monitoring-ansible/ansible/provision-agents.yml
+++ b/ansible/provision-agents.yml
@@ -5,7 +5,7 @@
 pre_tasks:
 - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
 roles:
- - ../../../wazuh-ansible/roles/wazuh/ansible-wazuh-agent
+ - ../wazuh-ansible/roles/wazuh/ansible-wazuh-agent
 - docker
 vars:
 wazuh_managers:
diff --git a/ansible/provision-evidence-collector.yml b/ansible/provision-evidence-collector.yml
new file mode 100644
index 0000000000000000000000000000000000000000..627cbbe5eecc3654e96a378a4ac7f4fb489c468e
--- /dev/null
+++ b/ansible/provision-evidence-collector.yml
@@ -0,0 +1,29 @@
+---
+# Evidence Collector
+ - hosts: evidence_collector
+ become: yes
+ pre_tasks:
+ - import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
+ roles:
+ - docker
+ tasks:
+ # Required by Ansible Docker module
+ - name: Install python3.6
+ package:
+ name: python36
+ state: present
+ - name: Install docker-py
+ pip:
+ name: docker-py
+ - name: Log in to Docker image registry
+ docker_login:
+ registry: "{{ docker_registry }}"
+ username: "{{ docker_username }}"
+ password: "{{ docker_token }}"
+ - name: Run Docker container
+ docker_container:
+ name: evidence-collector
+ image: "{{ docker_registry }}/medina/evidence-collector:latest"
+ state: started
+ pull: yes
+ restart_policy: always
\ No newline at end of file
diff --git a/security-monitoring-ansible/ansible/provision-managers.yml b/ansible/provision-managers.yml
similarity index 76%
rename from security-monitoring-ansible/ansible/provision-managers.yml
rename to ansible/provision-managers.yml
index 8c03802882477a27809635eb1e8f724643480d43..31edada492d9d5af1c5f592114084eb7bf56687f 100644
--- a/security-monitoring-ansible/ansible/provision-managers.yml
+++ b/ansible/provision-managers.yml
@@ -6,10 +6,10 @@
 pre_tasks:
 - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
 roles:
- - role: ../../../wazuh-ansible/roles/opendistro/opendistro-elasticsearch
- - role: ../../../wazuh-ansible/roles/wazuh/ansible-wazuh-manager
- - role: ../../../wazuh-ansible/roles/wazuh/ansible-filebeat-oss
- - role: ../../../wazuh-ansible/roles/opendistro/opendistro-kibana
+ - role: ../wazuh-ansible/roles/opendistro/opendistro-elasticsearch
+ - role: ../wazuh-ansible/roles/wazuh/ansible-wazuh-manager
+ - role: ../wazuh-ansible/roles/wazuh/ansible-filebeat-oss
+ - role: ../wazuh-ansible/roles/opendistro/opendistro-kibana
 - role: custom-integration
 vars:
 single_node: true
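Review bot: The `Run Docker container` task in `ansible/provision-evidence-collector.yml` pulls `evidence-collector:latest` with `pull: yes` and `restart_policy: always`, so every provisioning run deploys whatever the registry currently serves under that tag, which makes the lab non-reproducible and lets a broken or tampered push land without any review step. Pin the image to a version or digest supplied as a variable, e.g. `image: "{{ docker_registry }}/medina/evidence-collector:{{ evidence_collector_version }}"`. Two smaller points: `pip: name: docker-py` installs the superseded package name while Ansible 2.9's `docker_*` modules expect the `docker` SDK, so `name: docker` is the safer choice; and `docker_login` leaves the deploy token in `~/.docker/config.json` on the collector VM, so a follow-up `docker_login` task with `state: absent` after the container is started would limit how long the token sits on disk.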
diff --git a/ansible/provision.yml b/ansible/provision.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6901c339d3bad30efd718058f10e2e26e5369f31
--- /dev/null
+++ b/ansible/provision.yml
@@ -0,0 +1,9 @@
+---
+- name: Start provision of the Wazuh Managers
+ import_playbook: provision-managers.yml
+
+- name: Start provision of the Wazuh Agents
+ import_playbook: provision-agents.yml
+
+- name: Start provision of Evidence Collector
+ import_playbook: provision-evidence-collector.yml
\ No newline at end of file
diff --git a/environments/full-setup/Vagrantfile b/environments/full-setup/Vagrantfile
new file mode 100644
index 0000000000000000000000000000000000000000..2b311d4158b39a74ff057a0b6c99714bd93d5e31
--- /dev/null
+++ b/environments/full-setup/Vagrantfile
@@ -0,0 +1,46 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+servers=[
+ {
+ :hostname => "manager",
+ :ip => "192.168.33.10",
+ :box => "centos/8",
+ :ram => 2048,
+ :cpu => 2
+ },
+ {
+ :hostname => "agent1",
+ :ip => "192.168.33.11",
+ :box => "centos/8",
+ :ram => 1024,
+ :cpu => 1
+ },
+ {
+ :hostname => "agent2",
+ :ip => "192.168.33.12",
+ :box => "centos/8",
+ :ram => 1024,
+ :cpu => 1
+ },
+ {
+ :hostname => "evidence-collector",
+ :ip => "192.168.33.13",
+ :box => "centos/8",
+ :ram => 1024,
+ :cpu => 2
+ }
+]
+
+Vagrant.configure(2) do |config|
+ servers.each do |machine|
+ config.vm.define machine[:hostname] do |node|
+ node.vm.box = machine[:box]
+ node.vm.hostname = machine[:hostname]
+ node.vm.network "private_network", ip: machine[:ip]
+ node.vm.provider "virtualbox" do |vb|
+ vb.customize ["modifyvm", :id, "--memory", machine[:ram]]
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/environments/full-setup/full-setup.mk b/environments/full-setup/full-setup.mk
new file mode 100644
index 0000000000000000000000000000000000000000..cf5009bb77e1e293c46321646e8509af8d9f0c12
--- /dev/null
+++ b/environments/full-setup/full-setup.mk
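Review bot: In the new `environments/full-setup/Vagrantfile` every entry in `servers` carries a `:cpu` value, but the `virtualbox` provider block only applies `--memory`, so the `:cpu => 2` on `manager` and `evidence-collector` has no effect and each VM gets the provider's default CPU count. If the CPU setting is intended, apply it alongside memory, e.g. `vb.customize ["modifyvm", :id, "--memory", machine[:ram], "--cpus", machine[:cpu]]`; if not, drop the key so the table does not document a setting that is never enforced. The same pattern appears in `environments/no-collector/Vagrantfile` further down in this commit.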
@@ -0,0 +1,21 @@
+VAGRANT_RUN = cd $(ENV_DIR) && vagrant
+SSH_PRIVATE_KEY = $(HOME)/.vagrant.d/insecure_private_key
+SSH_USER = vagrant
+
+create:
+ @$(VAGRANT_RUN) up
+
+delete:
+ @$(VAGRANT_RUN) destroy -f
+
+ssh-manager:
+ @$(VAGRANT_RUN) ssh manager
+
+ssh-agent1:
+ @$(VAGRANT_RUN) ssh agent1
+
+ssh-agent2:
+ @$(VAGRANT_RUN) ssh agent2
+
+ssh-evidence-collector:
+ @$(VAGRANT_RUN) ssh evidence-collector
\ No newline at end of file
diff --git a/environments/full-setup/inventory.txt b/environments/full-setup/inventory.txt
new file mode 100644
index 0000000000000000000000000000000000000000..cea1c6b98ce6f4712d9641a31cfc2ecd3e68ddcc
--- /dev/null
+++ b/environments/full-setup/inventory.txt
@@ -0,0 +1,18 @@
+[wazuh_managers]
+192.168.33.10 public_ip=192.168.33.10 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/manager/virtualbox/private_key
+
+[wazuh_managers:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+
+[wazuh_agents]
+192.168.33.11 public_ip=192.168.33.11 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/agent1/virtualbox/private_key
+192.168.33.12 public_ip=192.168.33.12 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/agent2/virtualbox/private_key
+
+[wazuh_agents:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+
+[evidence_collector]
+192.168.33.13 public_ip=192.168.33.13 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/full-setup/.vagrant/machines/evidence-collector/virtualbox/private_key
+
+[evidence_collector:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
\ No newline at end of file
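Review bot: Each host line in the new `environments/full-setup/inventory.txt` sets both `ansible_ssh_pass=vagrant` and `ansible_ssh_private_key_file=...`; the per-machine key is what Vagrant provisions and what the connection will actually use, so the plaintext password is a redundant credential checked into the repository and can be dropped, leaving key-based authentication only. `ansible_ssh_user` and `ansible_ssh_pass` are also the legacy spellings; with Ansible 2.9, the version the README requires, `ansible_user` and `ansible_password` are the documented names. The `environments/no-collector/inventory.txt` hunk in this commit has the same layout and should be changed together with this one.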
diff --git a/environments/no-collector/Vagrantfile b/environments/no-collector/Vagrantfile
new file mode 100644
index 0000000000000000000000000000000000000000..33cc1da1d2bdd13f193f816be337471107f60b19
--- /dev/null
+++ b/environments/no-collector/Vagrantfile
@@ -0,0 +1,39 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+servers=[
+ {
+ :hostname => "manager",
+ :ip => "192.168.33.10",
+ :box => "centos/8",
+ :ram => 2048,
+ :cpu => 2
+ },
+ {
+ :hostname => "agent1",
+ :ip => "192.168.33.11",
+ :box => "centos/8",
+ :ram => 1024,
+ :cpu => 1
+ },
+ {
+ :hostname => "agent2",
+ :ip => "192.168.33.12",
+ :box => "centos/8",
+ :ram => 1024,
+ :cpu => 1
+ }
+]
+
+Vagrant.configure(2) do |config|
+ servers.each do |machine|
+ config.vm.define machine[:hostname] do |node|
+ node.vm.box = machine[:box]
+ node.vm.hostname = machine[:hostname]
+ node.vm.network "private_network", ip: machine[:ip]
+ node.vm.provider "virtualbox" do |vb|
+ vb.customize ["modifyvm", :id, "--memory", machine[:ram]]
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/security-monitoring-ansible/environments/vagrant-1manager-2agents/inventory.txt b/environments/no-collector/inventory.txt
similarity index 71%
rename from security-monitoring-ansible/environments/vagrant-1manager-2agents/inventory.txt
rename to environments/no-collector/inventory.txt
index 2626412b402112508c979649780ceb14f1ba723c..30cfc80f8dfec844020bda2a89810f36c8a81a9a 100644
--- a/security-monitoring-ansible/environments/vagrant-1manager-2agents/inventory.txt
+++ b/environments/no-collector/inventory.txt
@@ -1,12 +1,12 @@ [wazuh_managers] -192.168.33.10 public_ip=192.168.33.10 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/vagrant-1manager-2agents/.vagrant/machines/manager/virtualbox/private_key +192.168.33.10 public_ip=192.168.33.10 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/no-collector/.vagrant/machines/manager/virtualbox/private_key [wazuh_managers:vars] ansible_ssh_common_args='-o StrictHostKeyChecking=no' [wazuh_agents] -192.168.33.11 public_ip=192.168.33.11 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/vagrant-1manager-2agents/.vagrant/machines/agent1/virtualbox/private_key -192.168.33.12 public_ip=192.168.33.12 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/vagrant-1manager-2agents/.vagrant/machines/agent2/virtualbox/private_key +192.168.33.11 public_ip=192.168.33.11 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/no-collector/.vagrant/machines/agent1/virtualbox/private_key +192.168.33.12 public_ip=192.168.33.12 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/no-collector/.vagrant/machines/agent2/virtualbox/private_key [wazuh_agents:vars] ansible_ssh_common_args='-o StrictHostKeyChecking=no' \ No newline at end of file diff --git a/security-monitoring-ansible/environments/vagrant-1manager-2agents/vagrant-1manager-2agents.mk b/environments/no-collector/no-collector.mk similarity index 100% rename from security-monitoring-ansible/environments/vagrant-1manager-2agents/vagrant-1manager-2agents.mk rename to environments/no-collector/no-collector.mk 
diff --git a/out/Security monitoring PIACERE/Security monitoring PIACERE.png b/out/Security monitoring PIACERE/Security monitoring PIACERE.png deleted file mode 100644 index 752145666405ce2e408e6b3af7dcbc71d0052e40..0000000000000000000000000000000000000000 Binary files a/out/Security monitoring PIACERE/Security monitoring PIACERE.png and /dev/null differ diff --git a/security-monitoring-ansible/README.md b/security-monitoring-ansible/README.md deleted file mode 100644 index fd4ffe8bd96f1f502358b76e997557b40737df62..0000000000000000000000000000000000000000 --- a/security-monitoring-ansible/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Security Monitoring - -This project is meant for quickly setting up Wazuh instance using Ansible scripts -on top infrastructure provisioned using Vagrant. - -In addition to Wazuh, ClamAV is also installed to agent machines (for testing purposes). - -## Requirements - - * Vagrant 2.2.14 - * Ansible 2.9.16 - -## Setting up the demo - -First, checkout Wazuh's tag `v4.1.5` into the directory above the current one: - -``` -$ cd .. -$ git clone https://github.com/wazuh/wazuh-ansible.git -$ git checkout tags/v4.1.5 -``` - -1. Provision Wazuh server and Wazuh agents: - -``` -[sre maj 12][10:31:32][ales@~/workspace/PIACERE/security-monitoring/security-monitoring-ansible] -$ make create provision - -``` - -2. Check the running instances: - -Navigate browser to: `https://192.168.33.10:5601`, login with default credentials `admin:changeme`. Navigate to `wazuh` section on the left hand-side. - -You should see 2 agents registered and running with Wazuh. \ No newline at end of file diff --git a/security-monitoring-ansible/ansible/provision.yml b/security-monitoring-ansible/ansible/provision.yml deleted file mode 100644 index a4ff61d0e660002b2d7130a081fafeac02332740..0000000000000000000000000000000000000000 --- a/security-monitoring-ansible/ansible/provision.yml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -- name: Start provision of the Wazuh Managers - import_playbook: provision-managers.yml - -- name: Start provision of the Wazuh Agents - import_playbook: provision-agents.yml \ No newline at end of file diff --git a/security-monitoring-ansible/environments/vagrant-1manager-2agents/Vagrantfile b/security-monitoring-ansible/environments/vagrant-1manager-2agents/Vagrantfile deleted file mode 100644 index 157229a6ea4fb84c503fc64207d59efa679ae6be..0000000000000000000000000000000000000000 --- a/security-monitoring-ansible/environments/vagrant-1manager-2agents/Vagrantfile +++ /dev/null 
@@ -1,51 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -servers=[ - { - :hostname => "manager", - :ip => "192.168.33.10", - :box => "centos/7", - :ram => 4096, - :cpu => 2 - }, - { - :hostname => "agent1", - :ip => "192.168.33.11", - :box => "centos/7", - :ram => 512, - :cpu => 1 - }, - { - :hostname => "agent2", - :ip => "192.168.33.12", - :box => "centos/7", - :ram => 512, - :cpu => 1 - } -] - -Vagrant.configure(2) do |config| - servers.each do |machine| - config.vm.define machine[:hostname] do |node| - # Can cause error: - # "You are trying to forward a host IP that does not exist. Please set `host_ip` - # to the address of an existing IPv4 network interface, or remove the option - # from your port forward configuration." - if machine[:hostname] == "manager" - node.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "192.168.33.10" - node.vm.network "forwarded_port", guest: 443, host: 8443 , host_ip: "192.168.33.10" - node.vm.network "forwarded_port", guest: 55000, host: 55000 , host_ip: "192.168.33.10" - node.vm.network "forwarded_port", guest: 1514, host: 1514 , host_ip: "192.168.33.10" - node.vm.network "forwarded_port", guest: 1515, host: 1515 , host_ip: "192.168.33.10" - node.vm.network "forwarded_port", guest: 1516, host: 1516 , host_ip: "192.168.33.10" - end - node.vm.box = machine[:box] - node.vm.hostname = machine[:hostname] - node.vm.network "private_network", ip: machine[:ip] - node.vm.provider "virtualbox" do |vb| - vb.customize ["modifyvm", :id, "--memory", machine[:ram]] - end - end - end -end \ No newline at end of file diff --git a/security-monitoring-architecture.puml b/security-monitoring-architecture.puml deleted file mode 100644 index c400e8a907f0316650f0f363c84f710a3f5c980a..0000000000000000000000000000000000000000 --- a/security-monitoring-architecture.puml +++ /dev/null 
@@ -1,31 +0,0 @@ -@startuml -skinparam nodesep 5 - -package "Wazuh Server" { - [Kibana server] - [Kibana server] --> [ElasticSearch]: KQL - [Wazuh cluster] --> [ElasticSearch]: Filebeat -} -interface "Log collector" as LC -interface "File integrity monitoring" as FIM -interface "Command execution" as CE -interface "Security configuration assessment" as SCA -interface "Malware detection" as MD -interface "System inventory" as SI -interface "Cloud security monitoring" as SCM -interface "Container security monitoring" as CSM - -LC -down- [Wazuh agent] -CE -down- [Wazuh agent] -FIM -down- [Wazuh agent] -SCA -down- [Wazuh agent] - -MD -down- [Wazuh agent] -SI -down- [Wazuh agent] -SCM -down- [Wazuh agent] -CSM -down- [Wazuh agent] - - -[Wazuh agent] --> [Wazuh cluster]: TCP or UDP (encrypted) - -@enduml \ No newline at end of file