Adding Guacamole for multi-machine management

2019-11-19 21:01:19 -08:00
parent 3db4b4e3c5
commit 905eaca9fa
5 changed files with 134 additions and 0 deletions
--- a/Terraform/main.tf
+++ b/Terraform/main.tf
@@ -72,6 +72,20 @@ resource "aws_security_group" "logger" {
    cidr_blocks = var.ip_whitelist
  }

+  # Guacamole access
+  ingress {
+    from_port   = 8080
+    to_port     = 8080
+    protocol    = "tcp"
+    cidr_blocks = var.ip_whitelist
+  }
+  ingress {
+    from_port   = 8443
+    to_port     = 8443
+    protocol    = "tcp"
+    cidr_blocks = var.ip_whitelist
+  }
+
  # Allow all traffic from the private subnet
  ingress {
    from_port   = 0
@@ -167,6 +181,8 @@ resource "aws_instance" "logger" {
      "sudo sed -i 's/ETH1/ETH0/g' /opt/DetectionLab/Vagrant/bootstrap.sh",
      "sudo sed -i 's#/usr/local/go/bin/go get -u#GOPATH=/root/go /usr/local/go/bin/go get -u#g' /opt/DetectionLab/Vagrant/bootstrap.sh",
      "sudo sed -i 's#/vagrant/resources#/opt/DetectionLab/Vagrant/resources#g' /opt/DetectionLab/Vagrant/bootstrap.sh",
+      "sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config",
+      "sudo service ssh restart",
      "sudo chmod +x /opt/DetectionLab/Vagrant/bootstrap.sh",
      "sudo apt-get -qq update",
      "sudo /opt/DetectionLab/Vagrant/bootstrap.sh",
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -423,6 +423,29 @@ test_suricata_prerequisites() {
  done
 }

+install_guacamole() {
+  echo "[$(date +%H:%M:%S)]: Installing Guacamole..."
+  cd /home/vagrant
+  apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng12-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user
+  wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz
+  tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
+  ./configure &> /dev/null && make --quiet &> /dev/null && make --quiet install &> /dev/null || echo "[-] An error occurred while installing Guacamole."
+  ldconfig
+  cd /var/lib/tomcat8/webapps
+  wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-1.0.0.war" -O guacamole.war
+  mkdir /etc/guacamole
+  mkdir /usr/share/tomcat8/.guacamole
+  cp /vagrant/resources/guacamole/user-mapping.xml /etc/guacamole/
+  cp /vagrant/resources/guacamole/guacamole.properties /etc/guacamole/
+  cp /vagrant/resources/guacamole/guacd.service /lib/systemd/system
+  sudo ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat8/.guacamole/
+  sudo ln -s /etc/guacamole/user-mapping.xml /usr/share/tomcat8/.guacamole/
+  systemctl enable guacd
+  systemctl enable tomcat8
+  systemctl start guacd
+  systemctl start tomcat8
+}
+
 postinstall_tasks() {
  # Include Splunk and Bro in the PATH
  echo export PATH="$PATH:/opt/splunk/bin:/opt/bro/bin" >> ~/.bashrc
@@ -438,6 +461,7 @@ main() {
  import_osquery_config_into_fleet
  install_suricata
  install_bro
+  install_guacamole
  postinstall_tasks
 }

--- a/Vagrant/resources/guacamole/guacamole.properties
+++ b/Vagrant/resources/guacamole/guacamole.properties
@@ -0,0 +1,24 @@
+#    Guacamole - Clientless Remote Desktop
+#    Copyright (C) 2010  Michael Jumper
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU Affero General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+# Hostname and port of guacamole proxy
+guacd-hostname: localhost
+guacd-port:     4822
+
+# Auth provider class (authenticates user/pass combination, needed if using the provided login screen)
+auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
+basic-user-mapping: /etc/guacamole/user-mapping.xml
--- a/Vagrant/resources/guacamole/guacd.service
+++ b/Vagrant/resources/guacamole/guacd.service
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[Unit]
+Description=Guacamole Server
+Documentation=man:guacd(8)
+After=network.target
+
+[Service]
+User=daemon
+ExecStart=/usr/local/sbin/guacd -f
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target
--- a/Vagrant/resources/guacamole/user-mapping.xml
+++ b/Vagrant/resources/guacamole/user-mapping.xml
@@ -0,0 +1,41 @@
+<user-mapping>
+    <authorize username="vagrant" password="vagrant">
+        <connection name="logger">
+            <protocol>ssh</protocol>
+            <param name="hostname">192.168.38.105</param>
+            <param name="port">22</param>
+            <param name="username">vagrant</param>
+            <param name="password">vagrant</param>
+        </connection>
+
+        <connection name="wef">
+            <protocol>rdp</protocol>
+            <param name="hostname">192.168.38.103</param>
+            <param name="port">3389</param>
+            <param name="username">vagrant</param>
+            <param name="password">vagrant</param>
+            <param name="security">nla</param>
+            <param name="ignore-cert">true</param>
+        </connection>
+
+        <connection name="win10">
+            <protocol>rdp</protocol>
+            <param name="hostname">192.168.38.104</param>
+            <param name="port">3389</param>
+            <param name="username">vagrant</param>
+            <param name="password">vagrant</param>
+            <param name="security">nla</param>
+            <param name="ignore-cert">true</param>
+        </connection>
+
+        <connection name="dc">
+            <protocol>rdp</protocol>
+            <param name="hostname">192.168.38.102</param>
+            <param name="port">3389</param>
+            <param name="username">vagrant</param>
+            <param name="password">vagrant</param>
+            <param name="security">nla</param>
+            <param name="ignore-cert">true</param>
+        </connection>
+    </authorize>
+</user-mapping>