From e8ae554901d701210346706b44e8c090b35477ea Mon Sep 17 00:00:00 2001
From: Matevz Erzen <matevz.erzen@xlab.si>
Date: Tue, 12 Oct 2021 09:31:45 +0200
Subject: [PATCH] Added Evidence Collector machine

---
 README.md                                     | 10 ++++++++
 security-monitoring-ansible/Makefile          |  5 +++-
 .../docker/credentials/credentials.yml        |  4 ++++
 .../ansible/docker/credentials/vars.yml       |  3 +++
 .../ansible/provision-evidence-collector.yml  | 13 +++++++++++
 .../ansible/provision.yml                     |  5 +++-
 .../Vagrantfile                               | 23 ++++++++++++-------
 .../inventory.txt                             | 12 +++++++---
 .../vagrant-full-setup.mk}                    |  5 +++-
 9 files changed, 66 insertions(+), 14 deletions(-)
 create mode 100644 security-monitoring-ansible/ansible/docker/credentials/credentials.yml
 create mode 100644 security-monitoring-ansible/ansible/docker/credentials/vars.yml
 create mode 100644 security-monitoring-ansible/ansible/provision-evidence-collector.yml
 rename security-monitoring-ansible/environments/{vagrant-1manager-2agents => vagrant-full-setup}/Vagrantfile (58%)
 rename security-monitoring-ansible/environments/{vagrant-1manager-2agents => vagrant-full-setup}/inventory.txt (52%)
 rename security-monitoring-ansible/environments/{vagrant-1manager-2agents/vagrant-1manager-2agents.mk => vagrant-full-setup/vagrant-full-setup.mk} (75%)

diff --git a/README.md b/README.md
index 51a3540..d4be5ba 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,16 @@ You should see 2 agents registered and running with Wazuh.
 ```
 $ PORT=8088 npx http-echo-server
 ```
+
+## Using Evidence Collector
+
+To see Evidence Collector's output, `ssh` to it's machine and open Docker logs:
+
+```
+$ make ssh-evidence-collector
+$ docker logs -ft evidence-collector
+```
+
 ## Potential issues
  
 ### Vagrant issue:
diff --git a/security-monitoring-ansible/Makefile b/security-monitoring-ansible/Makefile
index 394e7ff..84021dc 100644
--- a/security-monitoring-ansible/Makefile
+++ b/security-monitoring-ansible/Makefile
@@ -1,4 +1,4 @@
-ENVIRONMENT ?= vagrant-1manager-2agents
+ENVIRONMENT ?= vagrant-full-setup
 DEPLOY_DIR = $(PWD)
 ENV_DIR = $(DEPLOY_DIR)/environments/$(ENVIRONMENT)
 ANSIBLE_DIR = $(DEPLOY_DIR)/ansible
@@ -17,5 +17,8 @@ provision-managers:
 provision-agents:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-agents.yml
 
+provision-evidence-collector:
+	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision-evidence-collector.yml
+
 provision:
 	@ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(ANSIBLE_ARGS) $(ANSIBLE_DIR)/provision.yml
\ No newline at end of file
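Review bot: `provision-evidence-collector` is a command target rather than a file, and nothing in this hunk declares it `.PHONY`; should a file of that name ever appear in `security-monitoring-ansible/`, the recipe silently stops running. Unless a `.PHONY` list already exists in the part of the Makefile outside this hunk, add `.PHONY: provision-evidence-collector` beside the rule; the same applies to the new `ssh-evidence-collector` target in vagrant-full-setup.mk. The file is also still written without a trailing newline, as the marker after the `provision` recipe shows.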
diff --git a/security-monitoring-ansible/ansible/docker/credentials/credentials.yml b/security-monitoring-ansible/ansible/docker/credentials/credentials.yml
new file mode 100644
index 0000000..d3e7318
--- /dev/null
+++ b/security-monitoring-ansible/ansible/docker/credentials/credentials.yml
@@ -0,0 +1,4 @@
+---
+docker_registry: 'registry-gitlab.xlab.si'
+docker_username: 'gitlab+deploy-token-53'
+docker_token: '_yRiffnzyub8XmuJ4ugr'
\ No newline at end of file
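Review bot: `docker_token` commits a registry deploy token in plaintext, and credentials.yml is read on every provisioning run via vars.yml; once pushed, the value remains in git history even after the file is changed, so it should be treated as exposed and reissued on the registry side. Keep the file out of the repository (ignore `security-monitoring-ansible/ansible/docker/credentials/credentials.yml` and commit a `credentials.yml.example` with placeholder values), or version only the ciphertext with `ansible-vault encrypt credentials.yml`. If the values must stay in a plain file, resolve them at run time instead, e.g. `docker_token: "{{ lookup('env', 'DOCKER_TOKEN') }}"`.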
diff --git a/security-monitoring-ansible/ansible/docker/credentials/vars.yml b/security-monitoring-ansible/ansible/docker/credentials/vars.yml
new file mode 100644
index 0000000..e209b5f
--- /dev/null
+++ b/security-monitoring-ansible/ansible/docker/credentials/vars.yml
@@ -0,0 +1,3 @@
+---
+- name: include credentials
+  include_vars: credentials.yml
\ No newline at end of file
diff --git a/security-monitoring-ansible/ansible/provision-evidence-collector.yml b/security-monitoring-ansible/ansible/provision-evidence-collector.yml
new file mode 100644
index 0000000..655791c
--- /dev/null
+++ b/security-monitoring-ansible/ansible/provision-evidence-collector.yml
@@ -0,0 +1,13 @@
+---
+# Evidence Collector
+  - hosts: evidence_collector
+    become: yes
+    pre_tasks:
+    - import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
+    roles:    
+      - docker
+    tasks:
+      - name: Login to Docker registry
+        shell: "docker login -u {{ docker_username }} -p {{ docker_token }} {{ docker_registry }}"
+      - name: Run Docker container
+        shell: "docker run --name evidence-collector -d {{ docker_registry }}/medina/evidence-collector:latest" 
\ No newline at end of file
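Review bot: The `Login to Docker registry` task passes the token as `-p {{ docker_token }}` on the command line, so it is visible in the guest's process list while the command runs and is echoed in Ansible's task output, since neither task sets `no_log`. The `Run Docker container` task is also not idempotent: a second provisioning run fails because a container named evidence-collector already exists, and `:latest` means the image that ends up deployed is whatever the registry serves that day. Both are better expressed with the Docker modules — `docker_login` (which reads the password without a shell) under `no_log: true`, and `docker_container` with `state: started`, which creates the container only when it is absent; the legacy module names exist in Ansible 2.9 and the `community.docker.` prefixed ones in the collection, so use whichever the role already installs.
```yaml
    tasks:
      # … unchanged: hosts / become / pre_tasks / roles …
      - name: Login to Docker registry
        docker_login:
          registry_url: "{{ docker_registry }}"
          username: "{{ docker_username }}"
          password: "{{ docker_token }}"
        no_log: true
      - name: Run Docker container
        docker_container:
          name: evidence-collector
          image: "{{ docker_registry }}/medina/evidence-collector:latest"
          state: started
```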
diff --git a/security-monitoring-ansible/ansible/provision.yml b/security-monitoring-ansible/ansible/provision.yml
index a4ff61d..6901c33 100644
--- a/security-monitoring-ansible/ansible/provision.yml
+++ b/security-monitoring-ansible/ansible/provision.yml
@@ -3,4 +3,7 @@
   import_playbook: provision-managers.yml
 
 - name: Start provision of the Wazuh Agents
-  import_playbook: provision-agents.yml
\ No newline at end of file
+  import_playbook: provision-agents.yml
+
+- name: Start provision of Evidence Collector
+  import_playbook: provision-evidence-collector.yml
\ No newline at end of file
diff --git a/security-monitoring-ansible/environments/vagrant-1manager-2agents/Vagrantfile b/security-monitoring-ansible/environments/vagrant-full-setup/Vagrantfile
similarity index 58%
rename from security-monitoring-ansible/environments/vagrant-1manager-2agents/Vagrantfile
rename to security-monitoring-ansible/environments/vagrant-full-setup/Vagrantfile
index 157229a..e2ecdd6 100644
--- a/security-monitoring-ansible/environments/vagrant-1manager-2agents/Vagrantfile
+++ b/security-monitoring-ansible/environments/vagrant-full-setup/Vagrantfile
@@ -22,6 +22,13 @@ servers=[
     :box => "centos/7",
     :ram => 512,
     :cpu => 1
+  },
+  {
+    :hostname => "evidence-collector",
+    :ip => "192.168.33.13",
+    :box => "centos/7",
+    :ram => 2048,
+    :cpu => 2
   }
 ]
 
@@ -32,14 +39,14 @@ Vagrant.configure(2) do |config|
           #   "You are trying to forward a host IP that does not exist. Please set `host_ip`
           #   to the address of an existing IPv4 network interface, or remove the option
           #   from your port forward configuration."
-          if machine[:hostname] == "manager"
-            node.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "192.168.33.10"
-            node.vm.network "forwarded_port", guest: 443, host: 8443 , host_ip: "192.168.33.10"
-            node.vm.network "forwarded_port", guest: 55000, host: 55000 , host_ip: "192.168.33.10"
-            node.vm.network "forwarded_port", guest: 1514, host: 1514 , host_ip: "192.168.33.10"
-            node.vm.network "forwarded_port", guest: 1515, host: 1515 , host_ip: "192.168.33.10"
-            node.vm.network "forwarded_port", guest: 1516, host: 1516 , host_ip: "192.168.33.10"
-          end
+          #if machine[:hostname] == "manager"
+          #  node.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "192.168.33.10"
+          #  node.vm.network "forwarded_port", guest: 443, host: 8443 , host_ip: "192.168.33.10"
+          #  node.vm.network "forwarded_port", guest: 55000, host: 55000 , host_ip: "192.168.33.10"
+          #  node.vm.network "forwarded_port", guest: 1514, host: 1514 , host_ip: "192.168.33.10"
+          #  node.vm.network "forwarded_port", guest: 1515, host: 1515 , host_ip: "192.168.33.10"
+          #  node.vm.network "forwarded_port", guest: 1516, host: 1516 , host_ip: "192.168.33.10"
+          #end
           node.vm.box = machine[:box]
           node.vm.hostname = machine[:hostname]
           node.vm.network "private_network", ip: machine[:ip]
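Review bot: The manager's `forwarded_port` block is commented out rather than removed, and neither the hunk nor the commit message says why, while the comment lines just above it still describe the host_ip error that block was written to avoid; a later reader cannot tell whether the forwards were dropped deliberately or disabled as a temporary workaround. If they are no longer needed, delete the seven commented lines; if they were switched off to work around the forwarding error, replace them with a single comment stating that, e.g. `# manager port forwards disabled: reach the manager through its private_network IP (192.168.33.10)`. The README section added in this commit only mentions the Wazuh agents and `make ssh-evidence-collector`, so documenting the change here is the only place it would be recorded. The enclosing `Vagrant.configure` block begins before and ends after this hunk.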
diff --git a/security-monitoring-ansible/environments/vagrant-1manager-2agents/inventory.txt b/security-monitoring-ansible/environments/vagrant-full-setup/inventory.txt
similarity index 52%
rename from security-monitoring-ansible/environments/vagrant-1manager-2agents/inventory.txt
rename to security-monitoring-ansible/environments/vagrant-full-setup/inventory.txt
index 2626412..05e28e4 100644
--- a/security-monitoring-ansible/environments/vagrant-1manager-2agents/inventory.txt
+++ b/security-monitoring-ansible/environments/vagrant-full-setup/inventory.txt
@@ -1,12 +1,18 @@
 [wazuh_managers]
-192.168.33.10 public_ip=192.168.33.10 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/vagrant-1manager-2agents/.vagrant/machines/manager/virtualbox/private_key
+192.168.33.10 public_ip=192.168.33.10 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/vagrant-full-setup/.vagrant/machines/manager/virtualbox/private_key
 
 [wazuh_managers:vars]
 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 
 [wazuh_agents]
-192.168.33.11 public_ip=192.168.33.11 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/vagrant-1manager-2agents/.vagrant/machines/agent1/virtualbox/private_key
-192.168.33.12 public_ip=192.168.33.12 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/vagrant-1manager-2agents/.vagrant/machines/agent2/virtualbox/private_key
+192.168.33.11 public_ip=192.168.33.11 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/vagrant-full-setup/.vagrant/machines/agent1/virtualbox/private_key
+192.168.33.12 public_ip=192.168.33.12 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/vagrant-full-setup/.vagrant/machines/agent2/virtualbox/private_key
 
 [wazuh_agents:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+
+[evidence_collector]
+192.168.33.13 public_ip=192.168.33.13 ansible_ssh_pass=vagrant ansible_ssh_user=vagrant ansible_ssh_private_key_file=environments/vagrant-full-setup/.vagrant/machines/evidence-collector/virtualbox/private_key
+
+[evidence_collector:vars]
 ansible_ssh_common_args='-o StrictHostKeyChecking=no'
\ No newline at end of file
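Review bot: `ansible_ssh_common_args='-o StrictHostKeyChecking=no'` is now repeated in three `:vars` sections, and the new `[evidence_collector]` host line repeats the `ansible_ssh_pass=vagrant ansible_ssh_user=vagrant` pair already present on every other host; a single `[all:vars]` section holding `ansible_ssh_user=vagrant`, `ansible_ssh_pass=vagrant` and the common args would leave each host line with only its address, `public_ip` and the machine-specific `ansible_ssh_private_key_file`. The Makefile in this same patch also exports `ANSIBLE_HOST_KEY_CHECKING=False` on every playbook invocation, so for `make` users the per-group ssh argument is redundant and can be dropped once consolidated.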
diff --git a/security-monitoring-ansible/environments/vagrant-1manager-2agents/vagrant-1manager-2agents.mk b/security-monitoring-ansible/environments/vagrant-full-setup/vagrant-full-setup.mk
similarity index 75%
rename from security-monitoring-ansible/environments/vagrant-1manager-2agents/vagrant-1manager-2agents.mk
rename to security-monitoring-ansible/environments/vagrant-full-setup/vagrant-full-setup.mk
index 244fcdd..cf5009b 100644
--- a/security-monitoring-ansible/environments/vagrant-1manager-2agents/vagrant-1manager-2agents.mk
+++ b/security-monitoring-ansible/environments/vagrant-full-setup/vagrant-full-setup.mk
@@ -15,4 +15,7 @@ ssh-agent1:
 	@$(VAGRANT_RUN) ssh agent1
 
 ssh-agent2:
-	@$(VAGRANT_RUN) ssh agent2
\ No newline at end of file
+	@$(VAGRANT_RUN) ssh agent2
+
+ssh-evidence-collector:
+	@$(VAGRANT_RUN) ssh evidence-collector
\ No newline at end of file
-- 
GitLab