Commit e69e6f5f authored by Matevz Erzen's avatar Matevz Erzen Committed by Zitnik, Anze

Resource ID mapping

parent ba070252
...@@ -34,7 +34,15 @@ In addition to Wazuh, ClamAV is also installed on agent machines. ...@@ -34,7 +34,15 @@ In addition to Wazuh, ClamAV is also installed on agent machines.
> Note: Docker registry credentials used for pulling Evidence Collector are located in `/ansible/docker/credentials/credentials.yml`. They don't need to be changed unless you explicitly want to use other registry. > Note: Docker registry credentials used for pulling Evidence Collector are located in `/ansible/docker/credentials/credentials.yml`. They don't need to be changed unless you explicitly want to use other registry.
3. Create and provision VMs: 3. If you're using `full-setup` environment, you can set custom environment variable (that will be passed to `evidence-collector`) in `/environments/full-setup/.env`.
If you wish to set or remove custom resource ID mapping scheme used by `evidence-collector`, you can change mapped values inside `/environments/full-setup/resource-id-map.json`.
See [Evidence collector's documentation](https://git.code.tecnalia.com/medina/wp3/task_3.2/evidence-collector) for more information.
> Note: neither of these two files has to be changed for `security-monitoring` to work. You can (and should; in case of `.env`) leave them unchanged.
4. Create and provision VMs:
``` ```
$ make create provision $ make create provision
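Review bot: the new step 3 contradicts itself about `.env`: it first tells the reader they "can set custom environment variable" in `/environments/full-setup/.env`, then the note says they "can (and should; in case of `.env`) leave them unchanged". State which variables are safe to override and which must stay at their defaults for `security-monitoring` to work. The same step should also say what the keys of `resource-id-map.json` are matched against (hostname, Wazuh agent name, or something else), since "change mapped values" alone does not tell a user how to write a correct entry; a one-line example entry would do. Minor: both paths are written with a leading `/`, which reads as an absolute path; if they are relative to the repository root, drop the slash or write `./environments/...`.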
...@@ -173,7 +181,11 @@ Wazuh manager and Evidence collector should be installed on the same, clean mach ...@@ -173,7 +181,11 @@ Wazuh manager and Evidence collector should be installed on the same, clean mach
| `elasticsearch_host_ip` | IP of the machine running Elasticsearch (same as Wazuh manager). | | `elasticsearch_host_ip` | IP of the machine running Elasticsearch (same as Wazuh manager). |
| `wazuh_manager_ip` | IP of the machine running Wazuh manager. | | `wazuh_manager_ip` | IP of the machine running Wazuh manager. |
6. Provision: 6. Set custom resource ID mapping scheme used by `evidence-collector`. Change it in `/custom-provision/resource-id-map.json`.
> Note: this doesn't need to be changed or set for it to work.
7. Provision:
``` ```
$ make -B custom-provision $ make -B custom-provision
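Review bot: the note "this doesn't need to be changed or set for it to work" is only true if `/custom-provision/resource-id-map.json` already exists, because the provisioning task copies `{{ environment_dir }}/resource-id-map.json` unconditionally and `copy` fails when its `src` is missing. Either state that a default file is shipped in `custom-provision/` (and that it may be left as is), or make the copy task conditional. Also, "Set custom resource ID mapping scheme" reads as a mandatory step while the note says it is optional; wording like "Optionally, adjust the resource ID mapping ..." would match the note.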
...@@ -187,7 +199,7 @@ To troubleshoot in more details, check the logs in `/var/ossec/logs/ossec.log` a ...@@ -187,7 +199,7 @@ To troubleshoot in more details, check the logs in `/var/ossec/logs/ossec.log` a
Two of the most common problems (often times in tandem) are [missing open ports](https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html#testing-communication-with-wazuh-manager) and [invalid agent names](https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html#invalid-agent-name-for-enrollment) (if agent machine's hostname matches hostname of any already existing Wazuh machine). Two of the most common problems (often times in tandem) are [missing open ports](https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html#testing-communication-with-wazuh-manager) and [invalid agent names](https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html#invalid-agent-name-for-enrollment) (if agent machine's hostname matches hostname of any already existing Wazuh machine).
To enable required ports, run the following commands on Wazuh manager machine: Current version of `security-monitoring` automatically opens required ports on the manager (using Ansible, see `ansible/provision-managers.yml`). However, if that fails, run the following commands on Wazuh manager machine to enable required ports:
``` ```
$ sudo firewall-cmd --zone=public --add-port=1514/tcp --permanent $ sudo firewall-cmd --zone=public --add-port=1514/tcp --permanent
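Review bot: the new sentence should say that the automatic port opening in `ansible/provision-managers.yml` is firewalld-based, so the manual `firewall-cmd` fallback only applies to hosts that use firewalld (the playbook installs it with `yum`, i.e. RHEL/CentOS-style systems); a reader on a Debian/ufw or nftables host needs a different fallback. It is also worth reminding here that the manual commands open the ports in the `public` zone for any source; the Wazuh API and Kibana ports should be limited to the addresses that actually need them rather than left world-reachable.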
...@@ -20,14 +20,20 @@ ...@@ -20,14 +20,20 @@
ansible_python_interpreter: /usr/bin/python3.6 ansible_python_interpreter: /usr/bin/python3.6
- name: Create 'evidence-collector' directory - name: Create 'evidence-collector' directory
file: file:
path: /home/security-monitoring path: /home/evidence-collector
state: directory state: directory
owner: "{{ ansible_ssh_user }}" owner: "{{ ansible_ssh_user }}"
group: "{{ ansible_ssh_user }}" group: "{{ ansible_ssh_user }}"
- name: Copy .env file - name: Copy .env file
copy: copy:
src: "{{ environment_dir }}/.env" src: "{{ environment_dir }}/.env"
dest: /home/security-monitoring/.env dest: /home/evidence-collector/.env
owner: "{{ ansible_ssh_user }}"
group: "{{ ansible_ssh_user }}"
- name: Copy resource-id-map.json file
copy:
src: "{{ environment_dir }}/resource-id-map.json"
dest: /home/evidence-collector/resource-id-map.json
owner: "{{ ansible_ssh_user }}" owner: "{{ ansible_ssh_user }}"
group: "{{ ansible_ssh_user }}" group: "{{ ansible_ssh_user }}"
- name: Log in to Docker image registry - name: Log in to Docker image registry
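Review bot: neither the "Copy .env file" task nor the new "Copy resource-id-map.json file" task sets `mode`, so the files land with the default mode derived from the remote umask (typically world-readable). Since `.env` carries the environment passed to `evidence-collector` and may contain credentials, add `mode: "0600"` to that copy task (and `mode: "0644"` or stricter to the mapping file) so ownership and permissions are explicit rather than host-dependent. Also note that renaming the directory from `/home/security-monitoring` to `/home/evidence-collector` leaves the old directory and its `.env` in place on hosts provisioned with the previous version; a cleanup task (`file: path=/home/security-monitoring state=absent`) would avoid a stale copy of the environment file lingering on the manager.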
...@@ -44,6 +50,7 @@ ...@@ -44,6 +50,7 @@
state: started state: started
pull: yes pull: yes
restart_policy: always restart_policy: always
env_file: /home/security-monitoring/.env env_file: /home/evidence-collector/.env
volumes: /home/evidence-collector/resource-id-map.json:/evidence-collector/resource_id_map.json
vars: vars:
ansible_python_interpreter: /usr/bin/python3.6 ansible_python_interpreter: /usr/bin/python3.6
\ No newline at end of file
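Review bot: the bind mount should be read-only, because the container only needs to read the mapping: write it as `/home/evidence-collector/resource-id-map.json:/evidence-collector/resource_id_map.json:ro`. `volumes` is also documented as a list for the Docker container module; the scalar works only because Ansible coerces a comma-free string into a one-element list, so use list syntax (`volumes:` followed by `- ...`) for clarity. Finally, a single-file bind mount tracks the inode, so if an operator later edits the host file with an editor that writes a new file and renames it, the running container keeps seeing the old content until it is recreated; a comment or a README line saying to re-run the provision (or restart the container) after changing the mapping would prevent confusion. The missing trailing newline on the last line is also worth fixing while touching the file.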
...@@ -31,3 +31,24 @@ ...@@ -31,3 +31,24 @@
node1: node1:
name: node-1 # Important: must be equal to elasticsearch_node_name. name: node-1 # Important: must be equal to elasticsearch_node_name.
ip: "{{ elasticsearch_host_ip }}" ip: "{{ elasticsearch_host_ip }}"
tasks:
- name: Install firewalld
action: yum name=firewalld state=installed
- name: Enable firewalld on system reboot
service: name=firewalld enabled=yes
- name: Start service firewalld, if not started
service:
name: firewalld
state: started
- name: Enable required ports
firewalld:
permanent: yes
immediate: yes
port: "{{item.port}}/{{item.proto}}"
state: "{{item.state}}"
zone: "{{item.zone}}"
with_items:
- {port: "1514", proto: "tcp", state: "enabled", zone: "public"}
- {port: "1515", proto: "tcp", state: "enabled", zone: "public"}
- {port: "55000", proto: "tcp", state: "enabled", zone: "public"}
- {port: "5601", proto: "tcp", state: "enabled", zone: "public"}
\ No newline at end of file
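Review bot: opening `55000` (Wazuh API) and `5601` (Kibana) in the `public` zone exposes management interfaces to any source address; restrict them with the `source` parameter of the `firewalld` module (or a dedicated zone whose sources are the admin network), and keep only the agent ports `1514`/`1515` in `public`. Smaller points: `state=installed` is a deprecated alias of `present` in the `yum` module, and the `action: yum name=... state=...` form should be written as `yum:` with YAML keys like the other tasks; `with_items` should be `loop`; and the "Enable firewalld on system reboot" and "Start service firewalld" tasks can be one `service` task with both `enabled: yes` and `state: started`. The file also ends without a trailing newline.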
{
"manager": "wazuh_manager",
"agent1": "wazuh_agent_1",
"agent2": "wazuh_agent_2"
}
\ No newline at end of file
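Review bot: nothing on this page says what `manager`, `agent1` and `agent2` are matched against at runtime (the Wazuh agent name, the VM hostname from Vagrant, or an inventory alias), so a user who adds a fourth machine cannot tell which key to use. Put a short comment in the README next to the file path, or name the keys after the inventory hostnames used in `ansible/`, so the mapping is self-explanatory. The file should also end with a newline.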
{
"manager": "test_wazuh_manager",
"agent1": "test_wazuh_agent_1",
"agent2": "test_wazuh_agent_2"
}
\ No newline at end of file
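Review bot: the copy task reads `{{ environment_dir }}/resource-id-map.json`, so every environment directory must carry its own mapping file, but the README change only mentions the `full-setup` path. Document that requirement (and the `test` variant added here) so that adding a new environment directory does not break provisioning with a missing-`src` error. As with the other new file, add a trailing newline.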