diff --git a/README.md b/README.md
index adcf420..993cda0 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,6 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
 * Powershell transcript logging is enabled. All logs are saved to `\\wef\pslogs`
 * osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration)
 * Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
-* Mitre's [Caldera](https://github.com/mitre/caldera) server is built on the logger host and the Caldera agent gets pre-installed on all Windows hosts
 * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 * SMBv1 Auditing is enabled
 
@@ -93,7 +92,7 @@ $ packer build --only=[vmware|virtualbox]-iso windows_2016.json
 
 4. cd into the Vagrant directory: `cd ../Vagrant`
 5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload`
-6. Ensure you are in the Vagrant folrder and run `vagrant up`. This command will do the following:
+6. Ensure you are in the Vagrant folder and run `vagrant up`. This command will do the following:
 * Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance.
 * Provision the DC host and configure it as a Domain Controller
 * Provision the WEF host and configure it as a Windows Event Collector in the Servers OU
@@ -101,7 +100,6 @@ $ packer build --only=[vmware|virtualbox]-iso windows_2016.json 7. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen) 8. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration). -9. Navigate to https://192.168.38.105:8888 in a browser to access the Caldera server on logger. Default credentials are admin:caldera. ## Basic Vagrant Usage Vagrant commands must be run from the "Vagrant" folder. @@ -122,9 +120,8 @@ Vagrant commands must be run from the "Vagrant" folder. ## Lab Information * Domain Name: windomain.local * Admininstrator login: vagrant:vagrant -* Fleet login: https://192.168.38.105:8412 - admin@:admin123# +* Fleet login: https://192.168.38.105:8412 - admin:admin123# * Splunk login: https://192.168.38.105:8000 - admin:changeme -* Caldera login: https://192.168.38.105:8888 - admin:admin * MS ATA login: https://192.168.38.103 - wef\vagrant:vagrant ## Lab Hosts @@ -155,7 +152,6 @@ Vagrant commands must be run from the "Vagrant" folder. * Logger - Ubuntu 16.04 * Splunk Enterprise * Fleet osquery Manager - * Mitre's Caldera Server * Bro * Suricata @@ -174,7 +170,6 @@ suricata | Suricata IDS logs * Sysmon * osquery * AutorunsToWinEventLog - * Caldera Agent * Process Monitor * Process Explorer * PsExec @@ -184,6 +179,7 @@ suricata | Suricata IDS logs * WinRar * Mimikatz * Wireshark + * Powersploit ## Applied GPOs * [Custom Event Channel Permissions](https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Custom%20Event%20Channel%20Permissions.htm) 
@@ -255,7 +251,6 @@ A sizable percentage of this code was borrowed and adapted from [Stefan Scherer]
 * [Splunk](https://www.splunk.com)
 * [osquery](https://osquery.io)
 * [Fleet](https://kolide.co/fleet)
-* [Caldera](https://github.com/mitre/caldera)
 * [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f)
 * [palantir/windows-event-forwarding](http://github.com/palantir/windows-event-forwarding)
 * [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55)
diff --git a/Terraform/main.tf b/Terraform/main.tf
index f976f4b..a955455 100644
--- a/Terraform/main.tf
+++ b/Terraform/main.tf
@@ -71,14 +71,6 @@ resource "aws_security_group" "logger" {
 cidr_blocks = "${var.ip_whitelist}"
 }
 
- # Caldera access
- ingress {
- from_port = 8888
- to_port = 8888
- protocol = "tcp"
- cidr_blocks = "${var.ip_whitelist}"
- }
-
 # Allow all traffic from the private subnet
 ingress {
 from_port = 0
@@ -166,7 +158,6 @@ resource "aws_instance" "logger" {
 "sudo mkdir /home/vagrant/.ssh && sudo cp /home/ubuntu/.ssh/authorized_keys /home/vagrant/.ssh/authorized_keys && sudo chown -R vagrant:vagrant /home/vagrant/.ssh",
 "echo 'vagrant ALL=(ALL:ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers",
 "sudo git clone https://github.com/clong/DetectionLab.git /opt/DetectionLab",
- "sudo sed -i \"s#sed -i 's/archive.ubuntu.com/us.archive.ubuntu.com/g' /etc/apt/sources.list##g\" /opt/DetectionLab/Vagrant/bootstrap.sh",
 "sudo sed -i 's/eth1/eth0/g' /opt/DetectionLab/Vagrant/bootstrap.sh",
 "sudo sed -i 's/ETH1/ETH0/g' /opt/DetectionLab/Vagrant/bootstrap.sh",
 "sudo sed -i 's#/usr/local/go/bin/go get -u#GOPATH=/root/go /usr/local/go/bin/go get -u#g' /opt/DetectionLab/Vagrant/bootstrap.sh",
@@ -174,8 +165,6 @@ resource "aws_instance" "logger" {
 "sudo chmod +x /opt/DetectionLab/Vagrant/bootstrap.sh",
 "sudo apt-get update",
 "sudo /opt/DetectionLab/Vagrant/bootstrap.sh",
- "sudo pip3.6 install --upgrade --force-reinstall pip==9.0.3 && sudo pip3.6 install -r /home/vagrant/caldera/caldera/requirements.txt && sudo pip3.6 install --upgrade pip",
- "sudo service caldera stop && sudo service caldera start",
 ]
 connection {
 type = "ssh"
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 6969716..e8329f5 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -48,7 +48,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
@@ -104,7 +103,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
@@ -154,7 +152,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
diff --git a/Vagrant/Vagrantfile_Minimum b/Vagrant/Vagrantfile_Minimum
index 62f3557..96ca99a 100644
--- a/Vagrant/Vagrantfile_Minimum
+++ b/Vagrant/Vagrantfile_Minimum
@@ -46,7 +46,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
@@ -100,7 +99,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
@@ -147,7 +145,6 @@ Vagrant.configure("2") do |config|
 cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-caldera-agent.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
 cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index 348429a..7085c08 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -5,26 +5,17 @@ echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections;
 echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections;
 sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt xenial main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt xenial-security main restricted universe multiverse" /etc/apt/sources.list
 
-install_python_apt_source() {
- # Install apt source for Python3.6
- add-apt-repository -y ppa:jonathonf/python-3.6
- add-apt-repository -y ppa:apt-fast/stable
-}
-
 apt_install_prerequisites() {
 # Install prerequisites and useful tools
 echo "Running apt-get update..."
 apt-get -qq update
 apt-get -qq install -y apt-fast
 echo "Running apt-fast install..."
- apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip python3.6 python3.6-dev
- # Install pip for Python 3.6
- echo "Installing Pip3.6..."
- curl -s https://bootstrap.pypa.io/get-pip.py | sudo -H python3.6
+ apt-fast -qq install -y jq whois build-essential git docker docker-compose unzip
 }
 
 test_prerequisites() {
- for package in jq whois build-essential git docker docker-compose unzip python3.6 python3.6-dev
+ for package in jq whois build-essential git docker docker-compose unzip
 do
 echo "[TEST] Validating that $package is correctly installed..."
 # Loop through each package using dpkg
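Review bot: Deleting install_python_apt_source also deletes `add-apt-repository -y ppa:apt-fast/stable`, yet apt_install_prerequisites still runs `apt-get -qq install -y apt-fast` and then `apt-fast -qq install -y ...`; unless apt-fast is available from the default xenial sources, the first call fails and the second is a missing command, and with -qq there is little output to show why. If main(), outside this hunk, still calls install_python_apt_source, the script now fails there with "command not found" before reaching this point. I would keep a trimmed source function, `install_apt_source() { add-apt-repository -y ppa:apt-fast/stable; }`, and have main() call it ahead of apt_install_prerequisites. Separately, the package list is now written twice, in the `apt-fast ... install -y` line and in the `for package in` line of test_prerequisites (whose body continues past the hunk); holding it in one variable, e.g. `PACKAGES="jq whois build-essential git docker docker-compose unzip"`, keeps the install and the dpkg check from drifting apart.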
@@ -219,33 +210,6 @@ import_osquery_config_into_fleet() {
 /opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme'
 }
 
-install_caldera() {
- if [ -f "/lib/systemd/system/caldera.service" ]; then
- echo "Caldera is already installed... Skipping"
- else
- # Install Mitre's Caldera
- echo "Installing Caldera..."
- cd /home/vagrant || exit
- git clone https://github.com/mitre/caldera.git
- cd /home/vagrant/caldera/plugins || exit
- git clone https://github.com/mitre/adversary.git adversary
- git clone https://github.com/mitre/chain.git chain
- git clone https://github.com/mitre/gui.git gui
- git clone https://github.com/mitre/sandcat.git sandcat
- git clone https://github.com/mitre/stockpile.git stockpile
- cd /home/vagrant/caldera || exit
- pip3.6 install -r requirements.txt
- # Make Caldera accessible on all ports
- sed -i 's/127.0.0.1/0.0.0.0/g' conf/local.yml
- # Create Systemd service for Caldera
- cp /vagrant/resources/caldera/caldera.service /lib/systemd/system/caldera.service
- cd /home/vagrant/caldera || exit
- cp /vagrant/resources/caldera/cert.pem /vagrant/resources/caldera/key.pem /home/vagrant/caldera/conf
- service caldera start
- systemctl enable caldera.service
- fi
-}
-
 install_bro() {
 # Environment variables
 NODECFG=/opt/bro/etc/node.cfg
@@ -436,7 +400,6 @@ main() {
 install_fleet
 download_palantir_osquery_config
 import_osquery_config_into_fleet
- install_caldera
 install_suricata
 install_bro
 }
diff --git a/Vagrant/resources/caldera/caldera.service b/Vagrant/resources/caldera/caldera.service
deleted file mode 100644
index fade6b1..0000000
--- a/Vagrant/resources/caldera/caldera.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Caldera
-After=multi-user.target
-
-[Service]
-Type=idle
-WorkingDirectory=/home/vagrant/caldera
-ExecStart=/usr/bin/python3.6 server.py -E local
-
-[Install]
-WantedBy=multi-user.target
diff --git a/Vagrant/resources/caldera/cert.pem b/Vagrant/resources/caldera/cert.pem
deleted file mode 100644
index ff54454..0000000
--- a/Vagrant/resources/caldera/cert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDVTCCAj2gAwIBAgIJAKUxnMnJz4CPMA0GCSqGSIb3DQEBCwUAMEExDzANBgNV
-BAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2VyMQsw
-CQYDVQQGEwJVUzAeFw0xOTAzMjcwMzU3NThaFw0yOTAzMjYwMzU3NThaMEExDzAN
-BgNVBAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2Vy
-MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKL/
-7cDUXrSac8oILHLN3iKtuhoLttPrVi+GuYsdfKer7D9M9DrkGAvQ+qHLpHgg+omY
-ZIK4kDjS26eDKP2SGTHjeYwlmcJPnII6YU8vYdzyvi4eLJjI+lMO8BYd2yL2PVJX
-W8ScY/2MoC8LX31A8maGDW+4E6bu3ItAEchh4EWRj8V4PqCDJH1XnY18A0N0QEDV
-Osleb2dFWvXtyFmSu0OsqiMxBzlPbf/yl71Q1VjrRUT+alDJNfF3ewctshvx4hV8
-qDwpATR9GPfPKV6w1lj0a+81Qpwy6vOLve3yCV02lWe1TaCjL2otGbTspujbulkR
-DGy6MC9/9i1CRkEIBj0CAwEAAaNQME4wHQYDVR0OBBYEFKGWfBB6O2ktq/a4frXy
-LKxZNjngMB8GA1UdIwQYMBaAFKGWfBB6O2ktq/a4frXyLKxZNjngMAwGA1UdEwQF
-MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIgLaPeFJS/bHzITf62RgDbBEU3zaeOg
-72xiFHWd6uIA9SCHGHuKhbpzLOqBtoSGZlejI75/QDwAiwpu/cd9BWx9h9S/f0Zf
-fZnA/ngPojhnaHYFIn8165z/XSJwNvDhVh1oYqMcfTPgeSlbRdPTwAjxdYsJ4nik
-4xriKHV6WQ9ixFwOk9ROYg1M/OJ2lmOi23NFODKVP0LFPAqZEX7evKJatWQiJ2tF
-iUAm+4xvkGVJfPd6hShYEsXDjTJC+fVFgsPTWhaHGnLjiLORJLgvd/E6wIGGzvx7
-fIw1x7LxMmhlWa74yyGZKAMUOlMh4uBAYR3JhsVYl2LNSK9HwZYnfXc=
------END CERTIFICATE-----
diff --git a/Vagrant/resources/caldera/conf.yml b/Vagrant/resources/caldera/conf.yml
deleted file mode 100644
index 3e00c40..0000000
--- a/Vagrant/resources/caldera/conf.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-url_root: https://logger:8888
-verify_hostname: false
-cert: |
- -----BEGIN CERTIFICATE-----
- MIIDVTCCAj2gAwIBAgIJAKUxnMnJz4CPMA0GCSqGSIb3DQEBCwUAMEExDzANBgNV
- BAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2VyMQsw
- CQYDVQQGEwJVUzAeFw0xOTAzMjcwMzU3NThaFw0yOTAzMjYwMzU3NThaMEExDzAN
- BgNVBAMMBmxvZ2dlcjEQMA4GA1UECwwHU2VydmVyczEPMA0GA1UECgwGbG9nZ2Vy
- MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKL/
- 7cDUXrSac8oILHLN3iKtuhoLttPrVi+GuYsdfKer7D9M9DrkGAvQ+qHLpHgg+omY
- ZIK4kDjS26eDKP2SGTHjeYwlmcJPnII6YU8vYdzyvi4eLJjI+lMO8BYd2yL2PVJX
- W8ScY/2MoC8LX31A8maGDW+4E6bu3ItAEchh4EWRj8V4PqCDJH1XnY18A0N0QEDV
- Osleb2dFWvXtyFmSu0OsqiMxBzlPbf/yl71Q1VjrRUT+alDJNfF3ewctshvx4hV8
- qDwpATR9GPfPKV6w1lj0a+81Qpwy6vOLve3yCV02lWe1TaCjL2otGbTspujbulkR
- DGy6MC9/9i1CRkEIBj0CAwEAAaNQME4wHQYDVR0OBBYEFKGWfBB6O2ktq/a4frXy
- LKxZNjngMB8GA1UdIwQYMBaAFKGWfBB6O2ktq/a4frXyLKxZNjngMAwGA1UdEwQF
- MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIgLaPeFJS/bHzITf62RgDbBEU3zaeOg
- 72xiFHWd6uIA9SCHGHuKhbpzLOqBtoSGZlejI75/QDwAiwpu/cd9BWx9h9S/f0Zf
- fZnA/ngPojhnaHYFIn8165z/XSJwNvDhVh1oYqMcfTPgeSlbRdPTwAjxdYsJ4nik
- 4xriKHV6WQ9ixFwOk9ROYg1M/OJ2lmOi23NFODKVP0LFPAqZEX7evKJatWQiJ2tF
- iUAm+4xvkGVJfPd6hShYEsXDjTJC+fVFgsPTWhaHGnLjiLORJLgvd/E6wIGGzvx7
- fIw1x7LxMmhlWa74yyGZKAMUOlMh4uBAYR3JhsVYl2LNSK9HwZYnfXc=
- -----END CERTIFICATE-----
-logging_level: debug
diff --git a/Vagrant/resources/caldera/key.pem b/Vagrant/resources/caldera/key.pem
deleted file mode 100644
index 826058a..0000000
--- a/Vagrant/resources/caldera/key.pem
+++ /dev/null
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCi/+3A1F60mnPK -CCxyzd4irboaC7bT61YvhrmLHXynq+w/TPQ65BgL0Pqhy6R4IPqJmGSCuJA40tun -gyj9khkx43mMJZnCT5yCOmFPL2Hc8r4uHiyYyPpTDvAWHdsi9j1SV1vEnGP9jKAv -C199QPJmhg1vuBOm7tyLQBHIYeBFkY/FeD6ggyR9V52NfANDdEBA1TrJXm9nRVr1 -7chZkrtDrKojMQc5T23/8pe9UNVY60VE/mpQyTXxd3sHLbIb8eIVfKg8KQE0fRj3 -zylesNZY9GvvNUKcMurzi73t8gldNpVntU2goy9qLRm07Kbo27pZEQxsujAvf/Yt -QkZBCAY9AgMBAAECggEAchAQKyExyMZQgq9nk0r2yGOz2GgcH34OyKFJk80lnxvS -7ZUHT3KwVQx/Zttfk2TYjZLjuwo2el0rsrQ46gDjuqKJOwZQ68XUKtl5oPTyUbBY -X2NkJ+J0Mc1BOujXoUaZMNbK8/HQkuxmZ6VYxAi/1/i0zFoO/oEmOheymfvL+kG9 -Yi9o7DR8o8yHT2XAJM3sdRLb19/BdquB8vcXYvHY/X2+2uLU4vDycHZ9bFiRWfMK -bpgzH0XRsfz5/9nV42gUhPZWbKJYZnauYI4k603i5uT165chkkv4HJld5mgUMZel -U58zFE9LwGOKuQJbYkvKDj4G+vF4i9ONRMg5jNhO4QKBgQDPRALjFSFoTd5wOjef -Z2n5P307DPyix+GxbE1VRvsKpWNW/DYmVHrLX9cyZPpVPwcAla11gSoSOQ4AW3F4 -8uVrL86FTPI3h4nCZje6NvLlzNvI7zmNgCVHLrtp16sub7qxRTuLJuO8V0Penka8 -dpRI1npaetvwuVjNjw98NdioWQKBgQDJU2hKEbCmX+h9IfuKdOCT5gMYjii1ndC4 -uUwrUf+Fy9Z0aZIIDa/TKjmVnUEd+2C4AGdWIc0p/ApzKId9o9f0RUTFv0x2fKGt -wQUE4BuvHBTQY++N6lYSEVBHOicoITbKfTQyiHimzgg19JjRaxPEoI7zla7euOtz -wD8RZisQhQKBgQCoqP14cG95AzSpOpacvnh7/PAZJ15F0EWWLT1Y0aPja+ZEmIQv -+Lrb2CezuHwE9n7qOOKoJe1oWslL/R1/gJiz+nkh/BV2nnK5oJhkjeZmnaeUASdi -QA8Vt6+GV5vS89SGAIKNn53eW1y9QSrqncvY4b869ZMYdpsO2wWM2/xsMQKBgQCU -cgaszrxlAMTJN3xky+cnxmqz+WY0/AeBnUd3jb+OJQ2cypbdj1H8rt7E3a288LSR -F+MaFFRVx7zgypqU3nGGcGjUMkir+RuxpWgQ/zoKdPc37OgeyRHrwo5h5pQmt87R -oV4SgKQNwk81kYP4ri5mRkkBfHXzTYB22eLm7mGEjQKBgB+WaIOMpgQwrewRkU17 -S63jjHso3J4S21OHm748vpx3ize4JpnAkRpfpwZ9Rj+TmyOjgitJNWdV77zdiQkN -5Dv5ZjsIurrnDXMslBww37mnV7LXyDAAsyaKqSGQuikKusz45FSej82KIfr/zGv+ -WbNZ+sK8mdVZoUSam+6BO9JH ------END PRIVATE KEY----- diff --git a/Vagrant/resources/caldera/mongod.service b/Vagrant/resources/caldera/mongod.service deleted file mode 100644 index 5a726a1..0000000 --- a/Vagrant/resources/caldera/mongod.service +++ /dev/null 
@@ -1,12 +0,0 @@ -[Unit] -Description=High-performance, schema-free document-oriented database -After=network.target -Documentation=https://docs.mongodb.org/manual - -[Service] -User=mongodb -Group=mongodb -ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf - -[Install] -WantedBy=multi-user.target diff --git a/Vagrant/resources/caldera/settings.yml b/Vagrant/resources/caldera/settings.yml deleted file mode 100644 index 8e5a294..0000000 --- a/Vagrant/resources/caldera/settings.yml +++ /dev/null @@ -1,27 +0,0 @@ -auth: - key: !!binary | - QfVQNdpJt0br69u4yGYgjJYr8mlKRb8nhkzxd+XkuBt7D/JKeCUmSafJuBFY3w7oXatwSqFYKdWn - ZhVklJsZAmoPy3BEr1maTwFFfJtfav6e6JUMfPKP2SXHFW0fsyF3mdxpXtMbRrMTwnQ4TrndAtCs - E0jWC9qM/ktTga5UweS3YkDlQpWQHktgPPRC8nLk2dtGkWLuam7lfFCW93mxrNyYAAlbNQPq8/ld - DvYD+eWB8tviOh5ZcntmST4tCXXZqk6pGByWV8m7EnBRK4ffIoNmgNV5K7UrWBPEI5ZbNbHx9rSl - GNqAiA9T020MJ5qyrCl9mgZTnbmKXiUOcgpr6g== -crypto: - cert: conf/cert.pem - key: conf/key.pem -database: - host: localhost - key: !!binary | - UXFoNGMzdU1kYWJzU195ZDEybUItWnBJbEg5UnNqYndmQWJpcC1xNjFNaz0= - port: 27017 -proxy: - default: - cert: '' - http: '' - https: '' -server: - host: 0.0.0.0 - https: true - port: 8888 -users: -- name: admin - password: caldera diff --git a/Vagrant/scripts/install-caldera-agent.ps1 b/Vagrant/scripts/install-caldera-agent.ps1 deleted file mode 100644 index bb9c202..0000000 --- a/Vagrant/scripts/install-caldera-agent.ps1 +++ /dev/null 
@@ -1,36 +0,0 @@
-# Purpose: Installs the Caldera agent on the host
-Write-Host "Installing the Caldera agent..."
-$url="https://192.168.38.105:8888/file/render"; $ps_table = $PSVersionTable.PSVersion;If([double]$ps_table.Major -ge 6){iex (irm -Method Post -Uri $url -Headers @{"file"="54ndc47.ps1"} -SkipCertificateCheck);}else{[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$True};$web=New-Object System.Net.WebClient;$web.Headers.Add("file","54ndc47.ps1");$resp=$web.UploadString("$url",'');iex($resp);}
-
-If (-not (Test-Path 'C:\Program Files\cagent\cagent.exe')) {
- # Add /etc/hosts entry
- Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.105 logger"
-
- # Make the directory
- New-Item "c:\Program Files\cagent" -type directory
-
- # Install Visual Studio 2015 C++ Redistributable
- choco install -y vcredist2015
-
- # Download cagent and start the service
- Write-Host "Downloading Caldera Agent (cagent.exe)"
- $cagentPath = "C:\Program Files\cagent\cagent.exe"
- $cagentConfPath = "C:\Program Files\cagent\conf.yml"
- # GitHub requires TLS 1.2 as of 2/1/2018
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
- (New-Object System.Net.WebClient).DownloadFile('https://github.com/mitre/caldera-agent/releases/download/v0.1.0/cagent.exe', $cagentPath)
- # Copy hardocded Caldera config from the Vagrant resources folder
- Copy-Item "C:\vagrant\resources\caldera\conf.yml" $cagentConfPath -Force
- If (-not (Test-Path "$cagentConfPath" )) {
- Write-Host "Caldera Agent configuration failed. Unable to retrieve config from resources folder."
- }
- Start-Process -FilePath $cagentPath -ArgumentList '--startup', 'auto', 'install' -Wait
- Start-Process -FilePath $cagentPath -ArgumentList 'start' -Wait
-} Else {
- Write-Host "Caldera Agent is already installed. Moving on."
-}
-Start-Sleep 5
-If ((Get-Service -name cagent).Status -ne "Running") {
- throw "Caldera Agent service not running"
-}
-Write-Host "Cagent installation complete!"
diff --git a/build.ps1 b/build.ps1
index 1e164a5..f518eb9 100644
--- a/build.ps1
+++ b/build.ps1
@@ -338,10 +338,6 @@ function download {
 function post_build_checks {
- Write-Host '[post_build_checks] Running Caldera Check.'
- $CALDERA_CHECK = download -URL 'https://192.168.38.105:8888' -PatternToMatch '