From bb12246e747ba2b7490bebaeb38134b53b72ebea Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 20 Jun 2020 18:32:28 -0700 Subject: [PATCH 1/9] Refactor osquery and add retry-loop for OU --- Vagrant/Vagrantfile | 3 - Vagrant/scripts/configure-ou.ps1 | 69 ++++++++++--------- Vagrant/scripts/download_palantir_osquery.ps1 | 17 ----- Vagrant/scripts/install-osquery.ps1 | 24 +++---- 4 files changed, 48 insertions(+), 65 deletions(-) delete mode 100644 Vagrant/scripts/download_palantir_osquery.ps1 diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index 70cc0dc..28295dc 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -63,7 +63,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "reload" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false - cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false @@ -130,7 +129,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "reload" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false - cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false 
@@ -194,7 +192,6 @@ Vagrant.configure("2") do |config| cfg.vm.provision "reload" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false - cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false diff --git a/Vagrant/scripts/configure-ou.ps1 b/Vagrant/scripts/configure-ou.ps1 index d32694c..e36c07d 100644 --- a/Vagrant/scripts/configure-ou.ps1 +++ b/Vagrant/scripts/configure-ou.ps1 
@@ -13,43 +13,46 @@ ping /n 1 windomain.local Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server and Workstation OUs..." # Create the Servers OU if it doesn't exist -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU" -try { - Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null - Write-Host "Servers OU already exists. Moving On." -} -catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { - New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local" - Write-Host "Created Servers OU." -} -catch [Microsoft.ActiveDirectory.Management.ADServerDownException] { - Write-Host "Unable to reach Active Directory. Sleeping for 10 and attmepting one more time..." - Start-Sleep 10 - New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local" - Write-Host "Created Servers OU after a retry." -} -catch { - Write-Host "Something went wrong attempting to reach AD or create the OU." +$servers_ou_created = 0 +while ($servers_ou_created != 1) { + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU" + try { + Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null + Write-Host "Servers OU already exists. Moving On." + } + catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { + New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local" + Write-Host "Created Servers OU." + $servers_ou_created = 1 + } + catch [Microsoft.ActiveDirectory.Management.ADServerDownException] { + Write-Host "Unable to reach Active Directory. Sleeping for 5 and trying again..." + Start-Sleep 5 + } + catch { + Write-Host "Something went wrong attempting to reach AD or create the OU." 
+ } } # Create the Workstations OU if it doesn't exist +$workstations_ou_created = 0 +while ($workstations_ou_created != 1) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU" -try { - Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null - Write-Host "Workstations OU already exists. Moving On." -} -catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { - New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local" - Write-Host "Created Workstations OU." -} -catch [Microsoft.ActiveDirectory.Management.ADServerDownException] { - Write-Host "Unable to reach Active Directory. Sleeping for 10 and attmepting one more time..." - Start-Sleep 10 - New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local" - Write-Host "Created Workstations OU after a retry." -} -catch { - Write-Host "Something went wrong attempting to reach AD or create the OU." + try { + Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null + Write-Host "Workstations OU already exists. Moving On." + } + catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { + New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local" + Write-Host "Created Workstations OU." + } + catch [Microsoft.ActiveDirectory.Management.ADServerDownException] { + Write-Host "Unable to reach Active Directory. Sleeping for 5 and trying again..." + Start-Sleep 5 + } + catch { + Write-Host "Something went wrong attempting to reach AD or create the OU." + } } # Sysprep breaks auto-login. Let's restore it here: diff --git a/Vagrant/scripts/download_palantir_osquery.ps1 b/Vagrant/scripts/download_palantir_osquery.ps1 deleted file mode 100644 index d20c7dd..0000000 --- a/Vagrant/scripts/download_palantir_osquery.ps1 +++ /dev/null 
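Review bot: The generic `catch {` at the end of each new retry loop neither sets the done-flag nor sleeps, so any exception other than the two named ones (for example an access-denied error from `New-ADOrganizationalUnit`) makes the `while` spin forever, logging continuously and never finishing provisioning; the "already exists" path has the same gap until the PATCH 8/9 hunks set the flag, and even then the generic branch still loops unbounded. A bounded loop would fail visibly instead of hanging: count attempts, `Start-Sleep 5` in the generic catch as well, and stop after a cap, e.g. `if (++$attempts -ge $max_attempts) { throw "Unable to create Servers OU after $max_attempts attempts" }`. The Workstations loop further down the hunk has the same shape.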
@@ -1,17 +0,0 @@ -# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh. -# The items from this config file are used later in install-osquery.ps1 -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading and unzipping the Palantir osquery Repo from Github..." - -$osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip' -if (-not (Test-Path $osqueryRepoPath)) -{ - # GitHub requires TLS 1.2 as of 2/1/2018 - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath - Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force -} -else -{ - Write-Host "$osqueryRepoPath already exists. Moving On." -} -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Palantir osquery config download complete!" diff --git a/Vagrant/scripts/install-osquery.ps1 b/Vagrant/scripts/install-osquery.ps1 index 0cd42a7..6900410 100755 --- a/Vagrant/scripts/install-osquery.ps1 +++ b/Vagrant/scripts/install-osquery.ps1 
@@ -1,18 +1,18 @@ # Purpose: Installs osquery on the host # Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS. -# If you would like to have osquery run without TLS & Fleet, uncomment line 15 and comment lines 21-30. Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing osquery..." -$packsDir = "c:\Program Files\osquery\packs" +$flagfile = "c:\Program Files\osquery\osquery.flags" choco install -y --limit-output --no-progress osquery | Out-String # Apparently Out-String makes the process wait $service = Get-WmiObject -Class Win32_Service -Filter "Name='osqueryd'" If (-not ($service)) { Write-Host "Setting osquery to run as a service" New-Service -Name "osqueryd" -BinaryPathName "C:\Program Files\osquery\osqueryd\osqueryd.exe --flagfile=`"C:\Program Files\osquery\osquery.flags`"" - # Copy over the config and packs from the Palantir repo - Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Classic\Endpoints\Windows\*" "c:\Program Files\osquery" - Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Classic\Endpoints\packs" -Path "c:\Program Files\osquery" + # Download the flags file from the Palantir osquery-configuration Github + # GitHub requires TLS 1.2 as of 2/1/2018 + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + Invoke-WebRequest -Uri "https://raw.githubusercontent.com/palantir/osquery-configuration/master/Classic/Endpoints/Windows/osquery.flags" -OutFile $flagfile ## Use the TLS config ## Add entry to hosts file for Kolide for SSL validation 
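Review bot: The `Invoke-WebRequest` that now fetches `osquery.flags` has no failure handling and pulls from the moving `master` branch of a third-party repository, so a transient download error leaves `$flagfile` absent (the `Get-Content $flagfile` edits in the next hunk then fail) and any upstream change to that file is deployed unreviewed into every host's osquery configuration. Pin the URL to a specific commit and check the result, e.g. `Invoke-WebRequest -Uri "<pinned-raw-url>" -OutFile $flagfile -ErrorAction Stop` followed by a `Get-FileHash $flagfile` comparison against a known `<expected-sha256>`; vendoring the file under `c:\vagrant\resources`, as is already done for `server.crt`, would remove the network dependency altogether. The enclosing `If (-not ($service))` block continues past the hunk.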
@@ -20,14 +20,14 @@ If (-not ($service)) { ## Add kolide secret and avoid BOM $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False [System.IO.File]::WriteAllLines("c:\Program Files\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding) - ## Change TLS server hostname - (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'tls.endpoint.server.com', 'kolide:8412' | Set-Content "c:\Program Files\osquery\osquery.flags" - ## Change path to secrets - (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'path\\to\\file\\containing\\secret.txt', 'Program Files\osquery\kolide_secret.txt' | Set-Content "c:\Program Files\osquery\osquery.flags" - ## Change path to certfile - (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'c:\\ProgramData\\osquery\\certfile.crt', 'c:\Program Files\osquery\certfile.crt' | Set-Content "c:\Program Files\osquery\osquery.flags" + ## Change TLS server hostname in the flags file + (Get-Content $flagfile) -replace 'tls.endpoint.server.com', 'kolide:8412' | Set-Content $flagfile + ## Change path to secrets in the flags file + (Get-Content $flagfile) -replace 'path\\to\\file\\containing\\secret.txt', 'Program Files\osquery\kolide_secret.txt' | Set-Content $flagfile + ## Change path to certfile in the flags file + (Get-Content $flagfile) -replace 'c:\\ProgramData\\osquery\\certfile.crt', 'c:\Program Files\osquery\certfile.crt' | Set-Content $flagfile ## Remove the verbose flag and replace it with the logger_min_status=1 option (See https://github.com/osquery/osquery/issues/5212) - (Get-Content "c:\Program Files\osquery\osquery.flags") -replace '--verbose=true', '--logger_min_status=1' | Set-Content "c:\Program Files\osquery\osquery.flags" + (Get-Content $flagfile) -replace '--verbose=true', '--logger_min_status=1' | Set-Content $flagfile ## Add certfile.crt Copy-Item "c:\vagrant\resources\fleet\server.crt" "c:\Program Files\osquery\certfile.crt" ## Start the service 
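Review bot: Style: the four `(Get-Content $flagfile) -replace ... | Set-Content $flagfile` passes each re-read and rewrite the whole file; chaining the operators in one pipeline, `(Get-Content $flagfile) -replace 'tls.endpoint.server.com', 'kolide:8412' -replace 'path\\to\\file\\containing\\secret.txt', 'Program Files\osquery\kolide_secret.txt' -replace '--verbose=true', '--logger_min_status=1' | Set-Content $flagfile`, does the same in one pass. `-replace` is regex-based, so the unescaped dots in `tls.endpoint.server.com` match any character; and since the script deliberately writes `kolide_secret.txt` without a BOM, giving `Set-Content` an explicit `-Encoding` would stop the flags file's encoding depending on the PowerShell host's default. The `If` block this sits in begins outside the hunk.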
From fbc6c0a7677502dd5434c88c26f3e5afc19a65e5 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 20 Jun 2020 18:55:26 -0700 Subject: [PATCH 2/9] Add linter and update issue_template --- .github/issue_template.md | 7 ++---- .github/workflows/linter.yml | 45 ++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/linter.yml diff --git a/.github/issue_template.md b/.github/issue_template.md index bc25876..4da35af 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md @@ -1,9 +1,6 @@ * Operating System Version: -* Provider (VirtualBox/VMWare): -* Vagrant Version: -* Packer Version: -* Are you using stock boxes (downloaded) or were they built from scratch using Packer? -* Is the issue reproducible or intermittent? +* Deploying via (VirtualBox/VMWare/AWS/Azure/ESXi): +* Vagrant Version (if applicable): Please verify that you are building from an updated Master branch before filing an issue. diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml new file mode 100644 index 0000000..f9bc506 --- /dev/null +++ b/.github/workflows/linter.yml 
@@ -0,0 +1,45 @@
+---
+###########################
+###########################
+## Linter GitHub Actions ##
+###########################
+###########################
+name: Lint Code Base
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+######################################
+# Start the job on all pull requests #
+######################################
+on: pull-request
+
+###############
+# Set the Job #
+###############
+jobs:
+ build:
+ # Name the Job
+ name: Lint Code Base
+ # Set the agent to run on
+ runs-on: ubuntu-latest
+
+ ##################
+ # Load all steps #
+ ##################
+ steps:
+ ##########################
+ # Checkout the code base #
+ ##########################
+ - name: Checkout Code
+ uses: actions/checkout@v2
+
+ ################################
+ # Run Linter against code base #
+ ################################
+ - name: Lint Code Base
+ uses: docker://github/super-linter:v2.1.1
+ env:
+ VALIDATE_ALL_CODEBASE: true
From aa7f76d6cc940efbf54eb5b536f879c6730355ea Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Sat, 20 Jun 2020 18:57:13 -0700
Subject: [PATCH 3/9] typo
---
 .github/workflows/linter.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index f9bc506..a04dc51 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -14,7 +14,7 @@ name: Lint Code Base
 ######################################
 # Start the job on all pull requests #
 ######################################
-on: pull-request
+on: pull_request
 
 ###############
 # Set the Job #
From d466f343c48e4ada56ea3b06ee15ed968da4fb46 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Sat, 20 Jun 2020 19:14:09 -0700
Subject: [PATCH 4/9] Fixing shellcheck lint output
---
 Vagrant/bootstrap.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
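Review bot: Both actions in the new workflow are pinned to mutable tags, `actions/checkout@v2` and `docker://github/super-linter:v2.1.1`, so the code that runs against every pull request can change without any change in this repository. Pin them to immutable references, `uses: actions/checkout@<commit-sha>` and `uses: docker://github/super-linter@sha256:<image-digest>`, and bump them deliberately. Since the job only needs to read the checkout, a `permissions:` block limiting the workflow's `GITHUB_TOKEN` to read access would also be worth adding.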
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index c67330c..36a10be 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -10,7 +10,7 @@ sed -i 's/nameserver 127.0.0.53/nameserver 8.8.8.8/g' /etc/resolv.conf && chattr # Get a free Maxmind license here: https://www.maxmind.com/en/geolite2/signup # Required for the ASNgen app to work: https://splunkbase.splunk.com/app/3531/ export MAXMIND_LICENSE= -if [ -z $MAXMIND_LICENSE ]; then +if [ -z "$MAXMIND_LICENSE" ]; then echo "Note: You have not entered a MaxMind license key on line 5 of bootstrap.sh, so the ASNgen Splunk app may not work correctly." echo "However, it is not required and everything else should function correctly." fi @@ -72,7 +72,7 @@ test_prerequisites() { fix_eth1_static_ip() { USING_KVM=$(sudo lsmod | grep kvm) - if [ ! -z "$USING_KVM" ]; then + if [ -n "$USING_KVM" ]; then echo "[*] Using KVM, no need to fix DHCP for eth1 iface" return 0 fi @@ -127,7 +127,7 @@ install_splunk() { echo "[$(date +%H:%M:%S)]: Attempting to autoresolve the latest version of Splunk..." LATEST_SPLUNK=$(curl https://www.splunk.com/en_us/download/splunk-enterprise.html | grep -i deb | grep -Eo "data-link=\"................................................................................................................................" | cut -d '"' -f 2) # Sanity check what was returned from the auto-parse attempt - if [[ "$(echo $LATEST_SPLUNK | grep -c "^https:")" -eq 1 ]] && [[ "$(echo $LATEST_SPLUNK | grep -c "\.deb$")" -eq 1 ]]; then + if [[ "$(echo \"$LATEST_SPLUNK\" | grep -c "^https:")" -eq 1 ]] && [[ "$(echo \"$LATEST_SPLUNK\" | grep -c "\.deb$")" -eq 1 ]]; then echo "[$(date +%H:%M:%S)]: The URL to the latest Splunk version was automatically resolved as: $LATEST_SPLUNK" echo "[$(date +%H:%M:%S)]: Attempting to download..." wget --progress=bar:force -P /opt "$LATEST_SPLUNK" 
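Review bot: The sanity check on the scraped Splunk URL only verifies that `$LATEST_SPLUNK` starts with `https:` and ends with `.deb`, so any URL on any host harvested from the download page passes and is handed to `wget` with no integrity check on the package; the quoting of this line is reworked again in PATCH 5/9 but the check itself stays the same. Tightening the prefix to the expected download host, `grep -c "^https://<expected-splunk-host>/"`, and comparing the downloaded package against a known checksum before installation would make the auto-resolve path far less trusting of scraped HTML. The `curl` that produces the value also runs without `--fail`, so an HTTP error page is parsed like a success. `install_splunk()` continues outside the hunk.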
@@ -166,7 +166,7 @@ install_splunk() { /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme' # Install the Maxmind license key for the ASNgen App - if [ ! -z $MAXMIND_LICENSE ]; then + if [ ! -z "$MAXMIND_LICENSE" ]; then mkdir /opt/splunk/etc/apps/TA-asngen/local cp /opt/splunk/etc/apps/TA-asngen/default/asngen.conf /opt/splunk/etc/apps/TA-asngen/local/asngen.conf sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf @@ -249,7 +249,7 @@ download_palantir_osquery_config() { } import_osquery_config_into_fleet() { - cd /opt + cd /opt || exit 1 wget --progress=bar:force https://github.com/kolide/fleet/releases/download/2.4.0/fleet.zip unzip fleet.zip -d fleet cp fleet/linux/fleetctl /usr/local/bin/fleetctl && chmod +x /usr/local/bin/fleetctl 
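Review bot: Style: the retained `if [ ! -z "$MAXMIND_LICENSE" ]; then` in the Maxmind hunk still uses the `! -z` form that the `fix_eth1_static_ip` hunk of this same commit replaced with `-n`; `if [ -n "$MAXMIND_LICENSE" ]; then` keeps the two consistent and is what shellcheck's SC2236 asks for. The `sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g"` context line below it interpolates the key unescaped into the sed expression, so a value containing `/` or `&` would break the substitution — presumably not the case for a Maxmind key, but worth a comment. `install_splunk()` continues outside the hunk.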
@@ -428,13 +428,13 @@ test_suricata_prerequisites() { install_guacamole() { echo "[$(date +%H:%M:%S)]: Installing Guacamole..." - cd /opt + cd /opt || exit 1 apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz - tar -xf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0 + tar -xf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0 || echo "[-] Unable to find the Guacamole folder. Exiting."; exit 1 ./configure &>/dev/null && make --quiet &>/dev/null && make --quiet install &>/dev/null || echo "[-] An error occurred while installing Guacamole." ldconfig - cd /var/lib/tomcat8/webapps + cd /var/lib/tomcat8/webapps || echo "[-] Unable to find the tomcat8/webapps folder. Exiting."; exit 1 wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-1.0.0.war" -O guacamole.war mkdir /etc/guacamole mkdir /usr/share/tomcat8/.guacamole From 565ca261f1a0435b97df2292446f3a8114c6caac Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sat, 20 Jun 2020 23:51:10 -0700 Subject: [PATCH 5/9] Fix quote escaping --- Vagrant/bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 36a10be..bf444b8 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh 
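Review bot: `tar -xf ... && cd guacamole-server-1.0.0 || echo "..."; exit 1` exits unconditionally: the `;` ends the `&&`/`||` chain, so `exit 1` runs whether or not the `cd` succeeded and `install_guacamole` can never complete; the `cd /var/lib/tomcat8/webapps` line has the same shape. PATCH 6/9 reacts by deleting both `exit 1`s, which leaves a failed `cd` silently followed by `./configure`, `make install` and `wget -O guacamole.war` in whatever the current directory happens to be. Grouping the failure branch gives the intended behaviour: `cd guacamole-server-1.0.0 || { echo "[-] Unable to find the Guacamole folder. Exiting."; return 1; }` (or `exit 1` if a hard stop is wanted), and likewise for the webapps `cd`. `install_guacamole()` continues past the hunk.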
@@ -127,7 +127,7 @@ install_splunk() { echo "[$(date +%H:%M:%S)]: Attempting to autoresolve the latest version of Splunk..." LATEST_SPLUNK=$(curl https://www.splunk.com/en_us/download/splunk-enterprise.html | grep -i deb | grep -Eo "data-link=\"................................................................................................................................" | cut -d '"' -f 2) # Sanity check what was returned from the auto-parse attempt - if [[ "$(echo \"$LATEST_SPLUNK\" | grep -c "^https:")" -eq 1 ]] && [[ "$(echo \"$LATEST_SPLUNK\" | grep -c "\.deb$")" -eq 1 ]]; then + if [[ "$(echo "$LATEST_SPLUNK" | grep -c "^https:")" -eq 1 ]] && [[ "$(echo "$LATEST_SPLUNK" | grep -c "\.deb$")" -eq 1 ]]; then echo "[$(date +%H:%M:%S)]: The URL to the latest Splunk version was automatically resolved as: $LATEST_SPLUNK" echo "[$(date +%H:%M:%S)]: Attempting to download..." wget --progress=bar:force -P /opt "$LATEST_SPLUNK" From 7858530c1762159621c44c343d5329754fa9bdba Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sun, 21 Jun 2020 00:28:38 -0700 Subject: [PATCH 6/9] Remove from Ansible too --- Azure/Ansible/roles/common/tasks/main.yml | 9 ------ ESXi/ansible/roles/common/tasks/main.yml | 9 ------ Vagrant/bootstrap.sh | 38 +++++++++++------------ 3 files changed, 18 insertions(+), 38 deletions(-) diff --git a/Azure/Ansible/roles/common/tasks/main.yml b/Azure/Ansible/roles/common/tasks/main.yml index ff91103..0ddd5a6 100644 --- a/Azure/Ansible/roles/common/tasks/main.yml +++ b/Azure/Ansible/roles/common/tasks/main.yml @@ -9,15 +9,6 @@ - debug: msg="{{ palantir_wef.stdout_lines }}" -- name: Downloading the Palantir osquery Configuration - win_shell: ".\\download_palantir_osquery.ps1" - args: - chdir: 'c:\vagrant\scripts' - register: palantir_osquery - failed_when: "'Exception' in palantir_osquery.stdout" - -- debug: msg="{{ palantir_osquery.stdout_lines }}" - - name: Installing osquery win_shell: ".\\install-osquery.ps1" args: 
diff --git a/ESXi/ansible/roles/common/tasks/main.yml b/ESXi/ansible/roles/common/tasks/main.yml index 4ddc117..f8e694e 100644 --- a/ESXi/ansible/roles/common/tasks/main.yml +++ b/ESXi/ansible/roles/common/tasks/main.yml @@ -9,15 +9,6 @@ - debug: msg="{{ palantir_wef.stdout_lines }}" -- name: Downloading the Palantir osquery Configuration - win_shell: ".\\download_palantir_osquery.ps1" - args: - chdir: 'c:\vagrant\scripts' - register: palantir_osquery - failed_when: "'Exception' in palantir_osquery.stdout" - -- debug: msg="{{ palantir_osquery.stdout_lines }}" - - name: Installing osquery win_shell: ".\\install-osquery.ps1" args: diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index bf444b8..7e35dbf 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -289,10 +289,6 @@ install_zeek() { echo "[$(date +%H:%M:%S)]: Installing Zeek..." # Environment variables NODECFG=/opt/zeek/etc/node.cfg - SPLUNK_ZEEK_JSON=/opt/splunk/etc/apps/Splunk_TA_bro - SPLUNK_ZEEK_MONITOR='monitor:///opt/zeek/spool/manager' - SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata' - SPLUNK_SURICATA_SOURCETYPE='json_suricata' sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list" wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key apt-key add - /dev/null 
@@ -346,22 +342,16 @@ install_zeek() { systemctl enable zeek systemctl start zeek - mkdir -p $SPLUNK_ZEEK_JSON/local - cp $SPLUNK_ZEEK_JSON/default/inputs.conf $SPLUNK_ZEEK_JSON/local/inputs.conf - - crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index zeek - crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype bro:json - crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist '.*\.log$' - crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist '.*(communication|stderr)\.log$' - crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled 0 - crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata - crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype suricata:json - crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json' - crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0 - crudini --set $SPLUNK_ZEEK_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0 + # Configure the Splunk inputs + mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local && touch /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf + crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager index zeek + crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype bro:json + crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager whitelist '.*\.log$' + crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager blacklist '.*(communication|stderr)\.log$' + crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0 # Ensure permissions are correct and restart splunk - chown -R splunk $SPLUNK_ZEEK_JSON + 
chown -R splunk /opt/splunk/etc/apps/Splunk_TA_bro /opt/splunk/bin/splunk restart # Verify that Zeek is running @@ -394,6 +384,14 @@ install_suricata() { suricata-update enable-source et/open suricata-update enable-source ptresearch/attackdetection + # Configure the Splunk inputs + mkdir -p /opt/splunk/etc/apps/SplunkLightForwarder/local && touch /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf + crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata index suricata + crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json + crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json' + crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata disabled 0 + crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/props.conf json_suricata TRUNCATE 0 + # Update suricata and restart suricata-update service suricata stop 
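Review bot: Style: the five `crudini --set` lines in the Zeek hunk repeat the literal `/opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf` and `monitor:///opt/zeek/spool/manager`, which is exactly the duplication the removed `SPLUNK_ZEEK_*` variables avoided; the Suricata hunk below repeats `/opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf` the same way. Function-local variables, e.g. `local inputs_conf=/opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf` and `local zeek_monitor=monitor:///opt/zeek/spool/manager`, keep each path in one place without the cross-function coupling the old globals had. Also, `touch .../local/inputs.conf` now creates an empty file where the removed code copied `default/inputs.conf` first — presumably fine because Splunk layers `local/` over `default/`, but worth confirming nothing relied on the copied default stanzas. Both `install_zeek()` and `install_suricata()` extend beyond their hunks.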
@@ -431,10 +429,10 @@ install_guacamole() { cd /opt || exit 1 apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz - tar -xf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0 || echo "[-] Unable to find the Guacamole folder. Exiting."; exit 1 + tar -xf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0 || echo "[-] Unable to find the Guacamole folder." ./configure &>/dev/null && make --quiet &>/dev/null && make --quiet install &>/dev/null || echo "[-] An error occurred while installing Guacamole." ldconfig - cd /var/lib/tomcat8/webapps || echo "[-] Unable to find the tomcat8/webapps folder. Exiting."; exit 1 + cd /var/lib/tomcat8/webapps || echo "[-] Unable to find the tomcat8/webapps folder." wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-1.0.0.war" -O guacamole.war mkdir /etc/guacamole mkdir /usr/share/tomcat8/.guacamole From ded6656cb7bc2fd8c67261caeec1b8fd3cde8f97 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sun, 21 Jun 2020 09:16:50 -0700 Subject: [PATCH 7/9] Update operator --- Vagrant/scripts/configure-ou.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Vagrant/scripts/configure-ou.ps1 b/Vagrant/scripts/configure-ou.ps1 index e36c07d..f75d8b2 100644 --- a/Vagrant/scripts/configure-ou.ps1 +++ b/Vagrant/scripts/configure-ou.ps1 
@@ -14,7 +14,7 @@ ping /n 1 windomain.local Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server and Workstation OUs..." # Create the Servers OU if it doesn't exist $servers_ou_created = 0 -while ($servers_ou_created != 1) { +while ($servers_ou_created -ne 1) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU" try { Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null @@ -36,7 +36,7 @@ while ($servers_ou_created != 1) { # Create the Workstations OU if it doesn't exist $workstations_ou_created = 0 -while ($workstations_ou_created != 1) { +while ($workstations_ou_created -ne 1) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU" try { Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null From c735f529347195b7370a90982b73f97cabd1902a Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sun, 21 Jun 2020 11:49:18 -0700 Subject: [PATCH 8/9] Fixing the loop logic --- Vagrant/scripts/configure-ou.ps1 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Vagrant/scripts/configure-ou.ps1 b/Vagrant/scripts/configure-ou.ps1 index f75d8b2..7abb08d 100644 --- a/Vagrant/scripts/configure-ou.ps1 +++ b/Vagrant/scripts/configure-ou.ps1 @@ -19,6 +19,7 @@ while ($servers_ou_created -ne 1) { try { Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null Write-Host "Servers OU already exists. Moving On." + $servers_ou_created = 1 } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local" 
@@ -41,10 +42,12 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU" try { Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null Write-Host "Workstations OU already exists. Moving On." + $workstations_ou_created = 1 } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local" Write-Host "Created Workstations OU." + $workstations_ou_created = 1 } catch [Microsoft.ActiveDirectory.Management.ADServerDownException] { Write-Host "Unable to reach Active Directory. Sleeping for 5 and trying again..." From ab5c0b2452e3bbd4b28ae778b7ad10bf79c54f40 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Sun, 21 Jun 2020 12:28:44 -0700 Subject: [PATCH 9/9] Standardize logging --- Vagrant/scripts/configure-ou.ps1 | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/Vagrant/scripts/configure-ou.ps1 b/Vagrant/scripts/configure-ou.ps1 index 7abb08d..6d6f869 100644 --- a/Vagrant/scripts/configure-ou.ps1 +++ b/Vagrant/scripts/configure-ou.ps1 
@@ -1,21 +1,13 @@ # Purpose: Sets up the Server and Workstations OUs -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Checking AD services status..." -$svcs = "adws","dns","kdc","netlogon" -Get-Service -name $svcs -ComputerName localhost | Select Machinename,Name,Status - -# Hardcoding DC hostname in hosts file +# Hardcoding DC hostname in hosts file to sidestep any DNS issues Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.102 dc.windomain.local" -# Force DNS resolution of the domain -ping /n 1 dc.windomain.local -ping /n 1 windomain.local - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server and Workstation OUs..." # Create the Servers OU if it doesn't exist $servers_ou_created = 0 while ($servers_ou_created -ne 1) { - Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU" + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU..." try { Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null Write-Host "Servers OU already exists. Moving On." @@ -23,7 +15,7 @@ while ($servers_ou_created -ne 1) { } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local" - Write-Host "Created Servers OU." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Created Servers OU." $servers_ou_created = 1 } catch [Microsoft.ActiveDirectory.Management.ADServerDownException] { @@ -38,7 +30,7 @@ while ($servers_ou_created -ne 1) { # Create the Workstations OU if it doesn't exist $workstations_ou_created = 0 while ($workstations_ou_created -ne 1) { -Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU" +Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU..." try { Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null Write-Host "Workstations OU already exists. Moving On." 
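Review bot: Style: the rewritten `Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU..."` line sits at column 0 inside the `while ($workstations_ou_created -ne 1) {` loop, while its counterpart in the Servers loop is indented with the rest of the body; indent it to match. The first hunk also drops the `Get-Service -name $svcs` status line for `adws`, `dns`, `kdc` and `netlogon` together with the two `ping`s — the retry loop now covers the reachability case, but that status line was the only output showing which AD service was down when the loop stalls, so a one-line `Get-Service` call in the `ADServerDownException` branch would keep that diagnostic.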
@@ -46,7 +38,7 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU" } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local" - Write-Host "Created Workstations OU." + Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Created Workstations OU." $workstations_ou_created = 1 } catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {