Resource ID mapping

e69e6f5f · Matevz Erzen · Zitnik, Anze · ba070252 · e69e6f5f · e69e6f5f
Commit e69e6f5f authored 3 years ago by Matevz Erzen Committed by Zitnik, Anze 3 years ago
--- a/README.md
+++ b/README.md
@@ -34,7 +34,15 @@ In addition to Wazuh, ClamAV is also installed on agent machines.
    > Note: Docker registry credentials used for pulling Evidence Collector are located in `/ansible/docker/credentials/credentials.yml`. They don't need to be changed unless you explicitly want to use other registry.
-3. Create and provision VMs:
+3. If you're using `full-setup` environment, you can set custom environment variable (that will be passed to `evidence-collector`) in `/environments/full-setup/.env`.
+    If you wish to set or remove custom resource ID mapping scheme used by `evidence-collector`, you can change mapped values inside `/environments/full-setup/resource-id-map.json`.
+    See [Evidence collector's documentation](https://git.code.tecnalia.com/medina/wp3/task_3.2/evidence-collector) for more information.
+    > Note: neither of these two files has to be changed for `security-monitoring` to work. You can (and should; in case of `.env`) leave them unchanged. 
+4. Create and provision VMs:
    ```
    $ make create provision
@@ -173,7 +181,11 @@ Wazuh manager and Evidence collector should be installed on the same, clean mach
    | `elasticsearch_host_ip` | IP of the machine running Elasticsearch (same as Wazuh manager). |
    | `wazuh_manager_ip` | IP of the machine running Wazuh manager. |
-6. Provision:
+6. Set custom resource ID mapping scheme used by `evidence-collector`. Change it in `/custom-provision/resource-id-map.json`.
+    > Note: this doesn't need to be changed or set for it to work.
+7. Provision:
    ```
    $ make -B custom-provision
@@ -187,7 +199,7 @@ To troubleshoot in more details, check the logs in `/var/ossec/logs/ossec.log` a
 Two of the most common problems (often times in tandem) are [missing open ports](https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html#testing-communication-with-wazuh-manager) and [invalid agent names](https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html#invalid-agent-name-for-enrollment) (if agent machine's hostname matches hostname of any already existing Wazuh machine).
-To enable required ports, run the following commands on Wazuh manager machine:
+Current version of `security-monitoring` automatically opens required ports on the manager (using Ansible, see `ansible/provision-managers.yml`). However, if that fails, run the following commands on Wazuh manager machine to enable required ports:
 ```
 $ sudo firewall-cmd --zone=public --add-port=1514/tcp --permanent

--- a/ansible/provision-evidence-collector.yml
+++ b/ansible/provision-evidence-collector.yml
@@ -20,14 +20,20 @@
          ansible_python_interpreter: /usr/bin/python3.6
      - name: Create 'evidence-collector' directory
        file: 
-          path: /home/security-monitoring
+          path: /home/evidence-collector
          state: directory
          owner: "{{ ansible_ssh_user }}"
          group: "{{ ansible_ssh_user }}"
      - name: Copy .env file
        copy:
          src: "{{ environment_dir }}/.env"
-          dest: /home/security-monitoring/.env
+          dest: /home/evidence-collector/.env
+          owner: "{{ ansible_ssh_user }}"
+          group: "{{ ansible_ssh_user }}"
+      - name: Copy resource-id-map.json file
+        copy:
+          src: "{{ environment_dir }}/resource-id-map.json"
+          dest: /home/evidence-collector/resource-id-map.json
          owner: "{{ ansible_ssh_user }}"
          group: "{{ ansible_ssh_user }}"
      - name: Log in to Docker image registry
@@ -44,6 +50,7 @@
          state: started
          pull: yes
          restart_policy: always
-          env_file: /home/security-monitoring/.env
+          env_file: /home/evidence-collector/.env
+          volumes: /home/evidence-collector/resource-id-map.json:/evidence-collector/resource_id_map.json
        vars:
          ansible_python_interpreter: /usr/bin/python3.6
\ No newline at end of file
--- a/ansible/provision-managers.yml
+++ b/ansible/provision-managers.yml
@@ -31,3 +31,24 @@
        node1:
          name: node-1       # Important: must be equal to elasticsearch_node_name.
          ip: "{{ elasticsearch_host_ip }}"
+    tasks:
+      - name: Install firewalld
+        action: yum name=firewalld state=installed
+      - name: Enable firewalld on system reboot
+        service: name=firewalld enabled=yes
+      - name: Start service firewalld, if not started
+        service:
+          name: firewalld
+          state: started
+      - name: Enable required ports
+        firewalld:
+          permanent: yes
+          immediate: yes
+          port: "{{item.port}}/{{item.proto}}"
+          state: "{{item.state}}"
+          zone: "{{item.zone}}"
+        with_items:
+          - {port: "1514", proto: "tcp", state: "enabled", zone: "public"}
+          - {port: "1515", proto: "tcp", state: "enabled", zone: "public"}
+          - {port: "55000", proto: "tcp", state: "enabled", zone: "public"}
+          - {port: "5601", proto: "tcp", state: "enabled", zone: "public"}
\ No newline at end of file
--- a/custom-provision/resource-id-map.json
+++ b/custom-provision/resource-id-map.json
+{
+    "manager": "wazuh_manager",
+    "agent1": "wazuh_agent_1",
+    "agent2": "wazuh_agent_2"
+}
\ No newline at end of file
--- a/environments/full-setup/resource-id-map.json
+++ b/environments/full-setup/resource-id-map.json
+{
+    "manager": "test_wazuh_manager",
+    "agent1": "test_wazuh_agent_1",
+    "agent2": "test_wazuh_agent_2"
+}
\ No newline at end of file