Merge branch 'develop' into 'master'

Develop

See merge request medina/security-monitoring!2

.gitignore

@@ -2,4 +2,4 @@
 wazuh-ansible/
 *.swp
 *.retry
-security-monitoring-ansible/ansible/opendistro/
+ansible/opendistro/

LICENSE.txt

+Copyright (C) 2021 XLAB d.o.o.
+Use of this software allowed only to MEDINA partners for the purpose of research in the scope of MEDINA project, as specified in the MEDINA Consortium Agreement.
+No commercial use allowed.
+This program is distributed without any warranty.
\ No newline at end of file

security-monitoring-ansible/Makefile → Makefile

-ENVIRONMENT ?= vagrant-1manager-2agents
+ENVIRONMENT ?= full-setup
 DEPLOY_DIR = $(PWD)
 ENV_DIR = $(DEPLOY_DIR)/environments/$(ENVIRONMENT)
 ANSIBLE_DIR = $(DEPLOY_DIR)/ansible
@@ -8,6 +8,10 @@ ANSIBLE_ARGS = -i $(ENV_DIR)/inventory.txt \
 							 -e ansible_dir=$(ANSIBLE_DIR) \
 							 -e environment_dir=$(ENV_DIR)
 
+clone-wazuh:
+	-git clone https://github.com/wazuh/wazuh-ansible.git > /dev/null 2>&1
+	cd wazuh-ansible && git checkout tags/v4.1.5
+
 reprovision:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS)  $(ANSIBLE_DIR)/provision-reset.yml
 
@@ -17,5 +21,8 @@ provision-managers:
 provision-agents:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-agents.yml
 
+provision-evidence-collector:
+	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml
+
 provision:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision.yml
\ No newline at end of file

README.md

@@ -3,6 +3,8 @@
 This project is meant for quickly setting up Wazuh instance using Ansible scripts
 on top infrastructure provisioned using Vagrant.
 
+In addition to Wazuh, ClamAV is also installed to agent machines (for testing purposes).
+
 ## Requirements
 
  * Vagrant 2.2.14
@@ -13,15 +15,20 @@ on top infrastructure provisioned using Vagrant.
 
 First, checkout Wazuh's tag `v4.1.5` into the current directory:
 
+```
+$ make clone-wazuh
+```
+or
 ```
 $ git clone https://github.com/wazuh/wazuh-ansible.git
 $ git checkout tags/v4.1.5
 ```
 
+Then select your `ENVIRONMENT` in `Makefile`. Set it to `full-setup` or `no-collector`.
+
 1. Provision Wazuh server and Wazuh agents:
 
 ```
-$ cd security-monitoring-ansible
 $ make create provision
 ```
 
@@ -36,8 +43,22 @@ You should see 2 agents registered and running with Wazuh.
 ```
 $ PORT=8088 npx http-echo-server
 ```
+
+## Using Evidence Collector
+
+To see Evidence Collector's output, `ssh` to it's machine and open Docker logs:
+
+```
+$ make ssh-evidence-collector
+$ docker logs -ft evidence-collector
+```
+
 ## Potential issues
  
+### ClamAV (re)start failed/timed out
+
+ClamAV restart can time-out due to slow disk read/write speeds (if using HDD) and lack of memory. To resolve this, provide the machine with more RAM. Current implementation has it set to `1024` MB (which should suffice for the majoirty of host machine configurations). If you're using SSD, you can lower it to `512` MB.
+
 ### Vagrant issue:
 
 ```
@@ -83,10 +104,8 @@ Host key verification failed.
 
 Solution:
 ```
-ssh-keygen -f "/home/ales/.ssh/known_hosts" -R "192.168.33.10"
-ssh-keygen -f "/home/ales/.ssh/known_hosts" -R "192.168.33.11"
-ssh-keygen -f "/home/ales/.ssh/known_hosts" -R "192.168.33.12"
-ssh-keyscan -H 192.168.33.10 >> /home/ales/.ssh/known_hosts
-ssh-keyscan -H 192.168.33.11 >> /home/ales/.ssh/known_hosts
-ssh-keyscan -H 192.168.33.12 >> /home/ales/.ssh/known_hosts
+ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.10"
+ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.11"
+ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.12"
+ssh-keygen -f ".ssh/known_hosts" -R "192.168.33.13"
 ```
\ No newline at end of file

Security monitoring FISHY.puml

-@startuml
-participant "FISHY agent" as FISHY_agent
-participant "Security monitoring Tool (appliance runtime)" as SecurityMonitoring #99FF99 
-
-group Configure FISHY security monitoring via FISHY Agent
-    FISHY_agent->SecurityMonitoring: Configure security monitroing
-    SecurityMonitoring -> SecurityMonitoring: Configure server (rules)
-    SecurityMonitoring -> SecurityMonitoring: Configure agents (register agents, define rules)
-    SecurityMonitoring -> FISHY_agent: Security monitoring configured 
-    note over SecurityMonitoring:The server and agents should be deployed beforehand via FISHY Agent
-end
-
-group Start security monitoring
-    FISHY_agent->SecurityMonitoring: Start security monitoring 
-    SecurityMonitoring -> SecurityMonitoring : Start security monitoring
-    FISHY_agent<-SecurityMonitoring: Security monitoring started
-end
-
-group Security monitoring runtime
-    FISHY_agent<-SecurityMonitoring: Send monitoring alert
-end
-
-group Stop monitoring
-    FISHY_agent ->SecurityMonitoring: Stop security monitoring
-    SecurityMonitoring ->FISHY_agent: Security monitoring stopped
-end
-
-@enduml
\ No newline at end of file

Security monitoring PIACERE.puml

-@startuml
-participant RuntimeController
-participant RuntimeMonitoring
-participant SecurityMonitoring #99FF99
-participant DOML
-participant Selflearning
-
-group Configure security monitoring
-    RuntimeController->SecurityMonitoring: Start security monitoring configuration
-    SecurityMonitoring -> DOML: Acquire information about the NFRs to configure security monitoring
-    SecurityMonitoring -> SecurityMonitoring: Configure server (rules)
-    SecurityMonitoring -> SecurityMonitoring: Configure agents (register agents, define rules)
-    SecurityMonitoring -> RuntimeController: Security monitoring configured
-    note over SecurityMonitoring,RuntimeController:The server and agents should be deployed beforehand (included in the IaC already? Described within DOML/IaC implicitly?)
-end
-
-group Start security monitoring
-    RuntimeController->SecurityMonitoring: Start security monitoring 
-    SecurityMonitoring -> SecurityMonitoring : Start security monitoring
-    RuntimeController<-SecurityMonitoring: Security monitoring started
-end
-
-group Security monitoring runtime
-    Selflearning<-SecurityMonitoring: Send notification/alarm
-end
-
-group Stop security monitoring
-    RuntimeController ->SecurityMonitoring: Stop security monitoring
-    SecurityMonitoring ->RuntimeController: Security monitoring stopped
-end
-
-@enduml
\ No newline at end of file

ansible/docker/credentials/credentials.yml

+---
+docker_registry: 'registry-gitlab.xlab.si'
+docker_username: 'gitlab+deploy-token-53'
+docker_token: '_yRiffnzyub8XmuJ4ugr'
\ No newline at end of file

ansible/docker/credentials/vars.yml

+---
+- name: include credentials
+  include_vars: credentials.yml
\ No newline at end of file

security-monitoring-ansible/ansible/docker/tasks/main.yml → ansible/docker/tasks/main.yml

@@ -4,7 +4,7 @@
     name: docker-ce-stable
     file: docker
     description: Docker CE Stable - $basearch
-    baseurl: https://download.docker.com/linux/centos/7/$basearch/stable
+    baseurl: https://download.docker.com/linux/centos/8/$basearch/stable
     enabled: yes
     gpgcheck: yes
     gpgkey: https://download.docker.com/linux/centos/gpg

security-monitoring-ansible/ansible/provision-agents.yml → ansible/provision-agents.yml

@@ -5,7 +5,7 @@
     pre_tasks:
     - import_tasks: "{{ ansible_dir }}/globals/vars.yml" 
     roles:    
-      - ../../../wazuh-ansible/roles/wazuh/ansible-wazuh-agent
+      - ../wazuh-ansible/roles/wazuh/ansible-wazuh-agent
       - docker
     vars:
       wazuh_managers:

ansible/provision-evidence-collector.yml

+---
+# Evidence Collector
+  - hosts: evidence_collector
+    become: yes
+    pre_tasks:
+    - import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
+    roles:   
+      - docker
+    tasks:
+      # Required by Ansible Docker module
+      - name: Install python3.6
+        package:
+          name: python36
+          state: present
+      - name: Install docker-py
+        pip:
+          name: docker-py
+      - name: Log in to Docker image registry
+        docker_login:
+          registry: "{{ docker_registry }}"
+          username: "{{ docker_username }}"
+          password: "{{ docker_token }}"
+      - name: Run Docker container
+        docker_container:
+          name: evidence-collector
+          image: "{{ docker_registry }}/medina/evidence-collector:latest"
+          state: started
+          pull: yes
+          restart_policy: always
\ No newline at end of file

security-monitoring-ansible/ansible/provision-managers.yml → ansible/provision-managers.yml

@@ -6,10 +6,10 @@
     pre_tasks:
     - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
     roles:
-      - role: ../../../wazuh-ansible/roles/opendistro/opendistro-elasticsearch
-      - role: ../../../wazuh-ansible/roles/wazuh/ansible-wazuh-manager
-      - role: ../../../wazuh-ansible/roles/wazuh/ansible-filebeat-oss
-      - role: ../../../wazuh-ansible/roles/opendistro/opendistro-kibana
+      - role: ../wazuh-ansible/roles/opendistro/opendistro-elasticsearch
+      - role: ../wazuh-ansible/roles/wazuh/ansible-wazuh-manager
+      - role: ../wazuh-ansible/roles/wazuh/ansible-filebeat-oss
+      - role: ../wazuh-ansible/roles/opendistro/opendistro-kibana
       - role: custom-integration
     vars:
       single_node: true

security-monitoring-ansible/ansible/provision.yml → ansible/provision.yml

@@ -4,3 +4,6 @@
 
 - name: Start provision of the Wazuh Agents
   import_playbook: provision-agents.yml
+
+- name: Start provision of Evidence Collector
+  import_playbook: provision-evidence-collector.yml
\ No newline at end of file