trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
3ac2b21ccc4ab3434d4362b9bff7e59ce644eeed
DetectionLab/ESXi/ansible/roles/logger/tasks/main.yml
Chris Long 3ac2b21ccc Update ThreatHunting, Add Exchange install script
2021-03-08 09:49:10 -08:00

626 lines
28 KiB
YAML
Raw Blame History

---
- name: Set hostname to logger
hostname:
name: logger
become: yes
- name: Create a directory if it does not exist
file:
path: /vagrant
state: directory
mode: '0755'
become: yes
- name: Copy vagrant resources
synchronize:
src: ../../Vagrant/resources
dest: /vagrant/
become: yes
- name: Copy bootstrap file
copy:
src: ../../Vagrant/logger_bootstrap.sh
dest: /home/vagrant
owner: vagrant
group: vagrant
mode: u+x,g+x
- name: Copy netplan file
copy:
src: ../resources/01-netcfg.yaml
dest: /tmp
owner: vagrant
group: vagrant
- name: Copy the netplan file over as root
shell: "mv /tmp/01-netcfg.yaml /etc/netplan/01-netcfg.yaml"
become: yes
- name: Apply the new netplan
shell: netplan apply
become: yes
- name: Add APT Repositories
apt_repository:
repo: "{{ item }}"
with_items:
- "ppa:apt-fast/stable"
- "ppa:rmescandon/yq"
- "ppa:oisf/suricata-stable"
become: yes
- name: Install apt-fast
become: yes
apt:
name: apt-fast
update_cache: yes
- name: Install tools via apt-fast
args:
executable: /bin/bash
become: yes
shell: |
echo "[$(date +%H:%M:%S)]: Running apt-fast install..."
apt-fast -qq install -y jq whois build-essential git mysql-server redis-server python-pip unzip htop yq
register: apt_install_prerequisites
failed_when: "'error' in apt_install_prerequisites.stderr"
- name: Update the MOTD
args:
executable: /bin/bash
become: yes
shell: |
echo "[$(date +%H:%M:%S)]: Updating the MOTD..."
# Force color terminal
sed -i 's/#force_color_prompt=yes/force_color_prompt=yes/g' /root/.bashrc
sed -i 's/#force_color_prompt=yes/force_color_prompt=yes/g' /home/vagrant/.bashrc
# Remove some stock Ubuntu MOTD content
chmod -x /etc/update-motd.d/10-help-text
# Copy the DetectionLab MOTD
cp /vagrant/resources/logger/20-detectionlab /etc/update-motd.d/
chmod +x /etc/update-motd.d/20-detectionlab
register: modify_motd
failed_when: "'error' in modify_motd.stderr"
- name: Test Prerequisites
args:
executable: /bin/bash
become: yes
shell: |
for package in jq whois build-essential git unzip yq mysql-server redis-server python-pip; do
echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
# Loop through each package using dpkg
if ! dpkg -S $package >/dev/null; then
# If which returns a non-zero return code, try to re-install the package
echo "[-] $package was not found. Attempting to reinstall."
apt-get -qq update && apt-get install -y $package
if ! which $package >/dev/null; then
# If the reinstall fails, give up
echo "[X] Unable to install $package even after a retry. Exiting."
exit 1
fi
else
echo "[+] $package was successfully installed!"
fi
done
register: test_prerequisites
failed_when: "'error' in test_prerequisites.stderr"
- name: Fix Static IPs
args:
executable: /bin/bash
become: yes
shell: |
USING_KVM=$(sudo lsmod | grep kvm)
if [ ! -z "$USING_KVM" ]; then
echo "[*] Using KVM, no need to fix DHCP for eth1 iface"
exit 0
fi
if [ -f /sys/class/net/eth2/address ]; then
if [ "$(cat /sys/class/net/eth2/address)" == "00:50:56:a3:b1:c4" ]; then
echo "[*] Using ESXi, no need to change anything"
exit 0
fi
fi
# There's a fun issue where dhclient keeps messing with eth1 despite the fact
# that eth1 has a static IP set. We workaround this by setting a static DHCP lease.
echo -e 'interface "eth1" {
send host-name = gethostname();
send dhcp-requested-address 192.168.38.105;
}' >>/etc/dhcp/dhclient.conf
netplan apply
# Fix eth1 if the IP isn't set correctly
ETH1_IP=$(ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
if [ "$ETH1_IP" != "192.168.38.105" ]; then
echo "Incorrect IP Address settings detected. Attempting to fix."
ifdown eth1
ip addr flush dev eth1
ifup eth1
ETH1_IP=$(ifconfig eth1 | grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1)
if [ "$ETH1_IP" == "192.168.38.105" ]; then
echo "[$(date +%H:%M:%S)]: The static IP has been fixed and set to 192.168.38.105"
else
echo "[$(date +%H:%M:%S)]: Failed to fix the broken static IP for eth1. Exiting because this will cause problems with other VMs."
exit 1
fi
fi
# Make sure we do have a DNS resolution
while true; do
if [ "$(dig +short @8.8.8.8 github.com)" ]; then break; fi
sleep 1
done
register: fix_eth1_static_ip
failed_when: "'error' in fix_eth1_static_ip.stderr"
changed_when: "'Using ESXi' in fix_eth1_static_ip.stdout"
- name: Install Splunk
args:
executable: /bin/bash
become: yes
environment:
MAXMIND_LICENSE: ""
BASE64_ENCODED_SPLUNK_LICENSE: ""
shell: |
# Get a free Maxmind license here: https://www.maxmind.com/en/geolite2/signup
# Required for the ASNgen app to work: https://splunkbase.splunk.com/app/3531/
export MAXMIND_LICENSE=
if [ -z $MAXMIND_LICENSE ]; then
echo "Note: You have not entered a MaxMind license key in the 'Install Splunk' Ansible task, so the ASNgen Splunk app may not work correctly."
echo "However, it is not required and everything else should function correctly."
fi
# Check if Splunk is already installed
if [ -f "/opt/splunk/bin/splunk" ]; then
echo "[$(date +%H:%M:%S)]: Splunk is already installed"
else
echo "[$(date +%H:%M:%S)]: Installing Splunk..."
# Get download.splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
dig @8.8.8.8 download.splunk.com >/dev/null
dig @8.8.8.8 splunk.com >/dev/null
dig @8.8.8.8 www.splunk.com >/dev/null
# Try to resolve the latest version of Splunk by parsing the HTML on the downloads page
echo "[$(date +%H:%M:%S)]: Attempting to autoresolve the latest version of Splunk..."
LATEST_SPLUNK=$(curl https://www.splunk.com/en_us/download/splunk-enterprise.html | grep -i deb | grep -Eo "data-link=\"................................................................................................................................" | cut -d '"' -f 2)
# Sanity check what was returned from the auto-parse attempt
if [[ "$(echo $LATEST_SPLUNK | grep -c "^https:")" -eq 1 ]] && [[ "$(echo $LATEST_SPLUNK | grep -c "\.deb$")" -eq 1 ]]; then
echo "[$(date +%H:%M:%S)]: The URL to the latest Splunk version was automatically resolved as: $LATEST_SPLUNK"
echo "[$(date +%H:%M:%S)]: Attempting to download..."
wget --progress=bar:force -P /opt "$LATEST_SPLUNK"
else
echo "[$(date +%H:%M:%S)]: Unable to auto-resolve the latest Splunk version. Falling back to hardcoded URL..."
# Download Hardcoded Splunk
wget --progress=bar:force -O /opt/splunk-8.0.2-a7f645ddaf91-linux-2.6-amd64.deb 'https://download.splunk.com/products/splunk/releases/8.0.2/linux/splunk-8.0.2-a7f645ddaf91-linux-2.6-amd64.deb&wget=true'
fi
if ! ls /opt/splunk*.deb 1> /dev/null 2>&1; then
echo "Something went wrong while trying to download Splunk. This script cannot continue. Exiting."
exit 1
fi
if ! dpkg -i /opt/splunk*.deb > /dev/null; then
echo "Something went wrong while trying to install Splunk. This script cannot continue. Exiting."
exit 1
fi
/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
/opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
/opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
/opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme'
/opt/splunk/bin/splunk add index sysmon -auth 'admin:changeme'
/opt/splunk/bin/splunk add index powershell -auth 'admin:changeme'
/opt/splunk/bin/splunk add index zeek -auth 'admin:changeme'
/opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
/opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
/opt/splunk/bin/splunk add index evtx_attack_samples -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_700.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-sysmon_1062.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_110.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
/opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_1492.tgz -auth 'admin:changeme'
# Fix ASNGen App - https://github.com/doksu/TA-asngen/issues/18#issuecomment-685691630
echo 'python.version = python2' >> /opt/splunk/etc/apps/TA-asngen/default/commands.conf
# Install the Maxmind license key for the ASNgen App
if [ ! -z $MAXMIND_LICENSE ]; then
mkdir /opt/splunk/etc/apps/TA-asngen/local
cp /opt/splunk/etc/apps/TA-asngen/default/asngen.conf /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf
fi
# Install a Splunk license if it was provided
if [ -n $BASE64_ENCODED_SPLUNK_LICENSE ]; then
echo "$BASE64_ENCODED_SPLUNK_LICENSE" | base64 -d > /tmp/Splunk.License
/opt/splunk/bin/splunk add licenses /tmp/Splunk.License
rm /tmp/Splunk.License
fi
# Replace the props.conf for Sysmon TA and Windows TA
# Removed all the 'rename = xmlwineventlog' directives
# I know youre not supposed to modify files in "default",
# but for some reason adding them to "local" wasnt working
cp /vagrant/resources/splunk_server/windows_ta_props.conf /opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf
cp /vagrant/resources/splunk_server/sysmon_ta_props.conf /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf
# Add custom Macro definitions for ThreatHunting App
cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf
# Fix props.conf in ThreatHunting App
sed -i 's/EVAL-host_fqdn = Computer/EVAL-host_fqdn = ComputerName/g' /opt/splunk/etc/apps/ThreatHunting/default/props.conf
# Fix Windows TA macros
mkdir /opt/splunk/etc/apps/Splunk_TA_windows/local
cp /opt/splunk/etc/apps/Splunk_TA_windows/default/macros.conf /opt/splunk/etc/apps/Splunk_TA_windows/local
sed -i 's/wineventlog_windows/wineventlog/g' /opt/splunk/etc/apps/Splunk_TA_windows/local/macros.conf
# Fix Force Directed App until 2.0.1 is released (https://answers.splunk.com/answers/668959/invalid-key-in-stanza-default-value-light.html#answer-669418)
rm /opt/splunk/etc/apps/force_directed_viz/default/savedsearches.conf
# Add a Splunk TCP input on port 9997
echo -e "[splunktcp://9997]\nconnection_host = ip" >/opt/splunk/etc/apps/search/local/inputs.conf
# Add props.conf and transforms.conf
cp /vagrant/resources/splunk_server/props.conf /opt/splunk/etc/apps/search/local/
cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/
cp /opt/splunk/etc/system/default/limits.conf /opt/splunk/etc/system/local/limits.conf
# Bump the memtable limits to allow for the ASN lookup table
sed -i.bak 's/max_memtable_bytes = 10000000/max_memtable_bytes = 30000000/g' /opt/splunk/etc/system/local/limits.conf
# Skip Splunk Tour and Change Password Dialog
echo "[$(date +%H:%M:%S)]: Disabling the Splunk tour prompt..."
touch /opt/splunk/etc/.ui_login
mkdir -p /opt/splunk/etc/users/admin/search/local
echo -e "[search-tour]\nviewed = 1" >/opt/splunk/etc/system/local/ui-tour.conf
# Source: https://answers.splunk.com/answers/660728/how-to-disable-the-modal-pop-up-help-us-to-improve.html
if [ ! -d "/opt/splunk/etc/users/admin/user-prefs/local" ]; then
mkdir -p "/opt/splunk/etc/users/admin/user-prefs/local"
fi
echo '[general]
render_version_messages = 1
dismissedInstrumentationOptInVersion = 4
notification_python_3_impact = false
display.page.home.dashboardId = /servicesNS/nobody/search/data/ui/views/logger_dashboard' > /opt/splunk/etc/users/admin/user-prefs/local/user-prefs.conf
# Enable SSL Login for Splunk
echo -e "[settings]\nenableSplunkWebSSL = true" >/opt/splunk/etc/system/local/web.conf
# Copy over the Logger Dashboard
if [ ! -d "/opt/splunk/etc/apps/search/local/data/ui/views" ]; then
mkdir -p "/opt/splunk/etc/apps/search/local/data/ui/views"
fi
cp /vagrant/resources/splunk_server/logger_dashboard.xml /opt/splunk/etc/apps/search/local/data/ui/views || echo "Unable to find dashboard"
# Reboot Splunk to make changes take effect
/opt/splunk/bin/splunk restart
/opt/splunk/bin/splunk enable boot-start
fi
register: install_splunk
changed_when: "'The Splunk web interface is at https://logger:8000' in install_splunk.stdout"
- name: Install Fleet
args:
executable: /bin/bash
become: yes
shell: |
if [ -d "/opt/fleet" ]; then
echo "[$(date +%H:%M:%S)]: Fleet is already installed"
else
cd /opt || exit 1
echo "[$(date +%H:%M:%S)]: Installing Fleet..."
echo -e "\n127.0.0.1 fleet" >>/etc/hosts
echo -e "\n127.0.0.1 logger" >>/etc/hosts
# Set MySQL username and password, create kolide database
mysql -uroot -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'kolide';"
mysql -uroot -pkolide -e "create database kolide;"
# Always download the latest release of Fleet
curl -s https://api.github.com/repos/fleetdm/fleet/releases | grep 'https://github.com' | grep "/fleet.zip" | cut -d ':' -f 2,3 | tr -d '"' | tr -d ' ' | head -1 | wget --progress=bar:force -i -
unzip fleet.zip -d fleet
cp fleet/linux/fleetctl /usr/local/bin/fleetctl && chmod +x /usr/local/bin/fleetctl
cp fleet/linux/fleet /usr/local/bin/fleet && chmod +x /usr/local/bin/fleet
# Prepare the DB
fleet prepare db --mysql_address=127.0.0.1:3306 --mysql_database=kolide --mysql_username=root --mysql_password=kolide
# Copy over the certs and service file
cp /vagrant/resources/fleet/server.* /opt/fleet/
cp /vagrant/resources/fleet/fleet.service /etc/systemd/system/fleet.service
mkdir /var/log/fleet
/bin/systemctl enable fleet.service
/bin/systemctl start fleet.service
echo "[$(date +%H:%M:%S)]: Waiting for fleet service to start..."
while true; do
result=$(curl --silent -k https://127.0.0.1:8412)
if echo "$result" | grep -q setup; then break; fi
sleep 1
done
fleetctl config set --address https://0.0.0.0:8412
fleetctl config set --tls-skip-verify true
fleetctl setup --email admin@detectionlab.network --username admin --password 'admin123#' --org-name DetectionLab
fleetctl login --email admin@detectionlab.network --password 'admin123#'
# Set the enrollment secret to match what we deploy to Windows hosts
mysql -uroot --password=kolide -e 'use kolide; update enroll_secrets set secret = "enrollmentsecret" where active=1;'
echo "Updated enrollment secret"
fi
register: install_fleet
changed_when: "'Updated enrollment secret' in install_fleet.stdout"
failed_when: "'error' in install_splunk.stderr"
- name: Download Palantir Osquery Config
args:
executable: /bin/bash
become: yes
shell: |
if [ -f /opt/osquery-configuration ]; then
echo "[$(date +%H:%M:%S)]: osquery configs have already been downloaded"
else
# Import Palantir osquery configs into Fleet
echo "[$(date +%H:%M:%S)]: Downloading Palantir osquery configs..."
cd /opt && git clone https://github.com/palantir/osquery-configuration.git
fi
register: download_palantir_osquery
failed_when: "'error' in download_palantir_osquery.stderr"
- name: Import osquery Config into Fleet
args:
executable: /bin/bash
become: yes
shell: |
cd /opt
# Change the query invervals to reflect a lab environment
# Every hour -> Every 3 minutes
# Every 24 hours -> Every 15 minutes
sed -i 's/interval: 3600/interval: 180/g' osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
sed -i 's/interval: 3600/interval: 180/g' osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
sed -i 's/interval: 28800/interval: 900/g' osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
sed -i 's/interval: 28800/interval: 900/g' osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
# Dont log osquery INFO messages
# Fix snapshot event formatting
fleetctl get options > /tmp/options.yaml
/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.enroll_secret' 'enrollmentsecret'
/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_snapshot_event_type' 'true'
fleetctl apply -f /tmp/options.yaml
# Use fleetctl to import YAML files
fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml; do
fleetctl apply -f "$pack"
done
# Add Splunk monitors for Fleet
# Files must exist before splunk will add a monitor
touch /var/log/fleet/osquery_result
touch /var/log/fleet/osquery_status
/opt/splunk/bin/splunk add monitor "/var/log/fleet/osquery_result" -index osquery -sourcetype 'osquery:json' -auth 'admin:changeme' --accept-license --answer-yes --no-prompt
/opt/splunk/bin/splunk add monitor "/var/log/fleet/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme' --accept-license --answer-yes --no-prompt
register: fleet_osquery_config
failed_when: "'error' in fleet_osquery_config.stderr"
changed_when: "'Fleet login successful and context configured!' in fleet_osquery_config.stdout"
- name: Install Velociraptor
args:
executable: /bin/bash
become: yes
shell: |
echo "[$(date +%H:%M:%S)]: Installing Velociraptor..."
mkdir /opt/velociraptor
echo "[$(date +%H:%M:%S)]: Attempting to determine the URL for the latest release of Velociraptor"
LATEST_VELOCIRAPTOR_LINUX_URL=$(curl -sL https://github.com/Velocidex/velociraptor/releases/latest | grep linux-amd64 | grep href | head -1 | cut -d '"' -f 2 | sed 's#^#https://github.com#g')
echo "[$(date +%H:%M:%S)]: The URL for the latest release was extracted as $LATEST_VELOCIRAPTOR_LINUX_URL"
echo "[$(date +%H:%M:%S)]: Attempting to download..."
wget -P /opt/velociraptor --progress=bar:force "$LATEST_VELOCIRAPTOR_LINUX_URL"
if [ "$(file /opt/velociraptor/velociraptor*linux-amd64 | grep -c 'ELF 64-bit LSB executable')" -eq 1 ]; then
echo "[$(date +%H:%M:%S)]: Velociraptor successfully downloaded!"
else
echo "[$(date +%H:%M:%S)]: Failed to download the latest version of Velociraptor. Please open a DetectionLab issue on Github."
fi
cd /opt/velociraptor || exit 1
mv velociraptor-*-linux-amd64 velociraptor
chmod +x velociraptor
cp /vagrant/resources/velociraptor/server.config.yaml /opt/velociraptor
echo "[$(date +%H:%M:%S)]: Creating Velociraptor dpkg..."
./velociraptor --config /opt/velociraptor/server.config.yaml debian server
echo "[$(date +%H:%M:%S)]: Installing the dpkg..."
if dpkg -i velociraptor_*_server.deb >/dev/null; then
echo "[$(date +%H:%M:%S)]: Installation complete!"
else
echo "[$(date +%H:%M:%S)]: Failed to install the dpkg"
fi
cd /opt/velociraptor || exit 1
mv velociraptor-*-linux-amd64 velociraptor
chmod +x velociraptor
cp /vagrant/resources/velociraptor/server.config.yaml /opt/velociraptor
echo "[$(date +%H:%M:%S)]: Creating Velociraptor dpkg..."
./velociraptor --config /opt/velociraptor/server.config.yaml debian server
echo "[$(date +%H:%M:%S)]: Installing the dpkg..."
if dpkg -i velociraptor_*_server.deb >/dev/null; then
echo "[$(date +%H:%M:%S)]: Installation complete!"
else
echo "[$(date +%H:%M:%S)]: Failed to install the dpkg"
fi
- name: Install Suricata
args:
executable: /bin/bash
become: yes
shell: |
# Run iwr -Uri testmyids.com -UserAgent "BlackSun" in Powershell to generate test alerts from Windows
echo "[$(date +%H:%M:%S)]: Installing Suricata..."
# Install suricata
apt-get -qq -y install suricata crudini
# Install suricata-update
cd /opt || exit 1
git clone https://github.com/OISF/suricata-update.git
cd /opt/suricata-update || exit 1
pip install pyyaml
python setup.py install
cp /vagrant/resources/suricata/suricata.yaml /etc/suricata/suricata.yaml
crudini --set --format=sh /etc/default/suricata '' iface eth1
# update suricata signature sources
suricata-update update-sources
# disable protocol decode as it is duplicative of Zeek
echo re:protocol-command-decode >>/etc/suricata/disable.conf
# enable et-open and attackdetection sources
suricata-update enable-source et/open
suricata-update enable-source ptresearch/attackdetection
# Configure the Splunk inputs
mkdir -p /opt/splunk/etc/apps/SplunkLightForwarder/local && touch /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf
crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata index suricata
crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata sourcetype suricata:json
crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata whitelist 'eve.json'
crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf monitor:///var/log/suricata disabled 0
crudini --set /opt/splunk/etc/apps/SplunkLightForwarder/local/props.conf json_suricata TRUNCATE 0
# Update suricata and restart
suricata-update
service suricata stop
service suricata start
sleep 3
# Verify that Suricata is running
if ! pgrep -f suricata >/dev/null; then
echo "Suricata attempted to start but is not running. Exiting"
exit 1
fi
register: install_suricata
failed_when: "'error' in install_suricata.stderr"
- name: Install Zeek
args:
executable: /bin/bash
become: yes
shell: |
echo "[$(date +%H:%M:%S)]: Installing Zeek..."
sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key
apt-key add - </tmp/Release.key &>/dev/null
- name: Install Zeek Packages
become: yes
apt:
name: ['zeek', 'crudini', 'python-pip']
update_cache: yes
- name: Install Zeek Continued
args:
executable: /bin/bash
become: yes
shell: |
# Environment variables
NODECFG=/opt/zeek/etc/node.cfg
export PATH=$PATH:/opt/zeek/bin
pip install zkg==2.1.1
zkg refresh
zkg autoconfig
zkg install --force salesforce/ja3
# Load Zeek scripts
echo '
@load protocols/ftp/software
@load protocols/smtp/software
@load protocols/ssh/software
@load protocols/http/software
@load tuning/json-logs
@load policy/integration/collective-intel
@load policy/frameworks/intel/do_notice
@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load frameworks/files/hash-all-files
@load base/protocols/smb
@load policy/protocols/conn/vlan-logging
@load policy/protocols/conn/mac-logging
@load ja3
redef Intel::read_files += {
"/opt/zeek/etc/intel.dat"
};
' >>/opt/zeek/share/zeek/site/local.zeek
# Configure Zeek
crudini --del $NODECFG zeek
crudini --set $NODECFG manager type manager
crudini --set $NODECFG manager host localhost
crudini --set $NODECFG proxy type proxy
crudini --set $NODECFG proxy host localhost
# Setup $CPUS numbers of Zeek workers
crudini --set $NODECFG worker-eth1 type worker
crudini --set $NODECFG worker-eth1 host localhost
crudini --set $NODECFG worker-eth1 interface eth1
crudini --set $NODECFG worker-eth1 lb_method pf_ring
crudini --set $NODECFG worker-eth1 lb_procs "$(nproc)"
# Setup Zeek to run at boot
cp /vagrant/resources/zeek/zeek.service /lib/systemd/system/zeek.service
systemctl enable zeek
systemctl start zeek
# Configure the Splunk inputs
mkdir -p /opt/splunk/etc/apps/Splunk_TA_bro/local && touch /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager index zeek
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager sourcetype bro:json
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager whitelist '.*\.log$'
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager blacklist '.*(communication|stderr)\.log$'
crudini --set /opt/splunk/etc/apps/Splunk_TA_bro/local/inputs.conf monitor:///opt/zeek/spool/manager disabled 0
# Ensure permissions are correct and restart splunk
chown -R splunk:splunk /opt/splunk/etc/apps/Splunk_TA_bro
/opt/splunk/bin/splunk restart
# Verify that Zeek is running
if ! pgrep -f zeek >/dev/null; then
echo "Zeek attempted to start but is not running. Exiting"
exit 1
fi
register: install_zeek
- name: Install Guacamole
args:
executable: /bin/bash
become: yes
shell: |
echo "[$(date +%H:%M:%S)]: Installing Guacamole..."
cd /opt
apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz
tar -xf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
./configure &>/dev/null && make --quiet &>/dev/null && make --quiet install &>/dev/null || echo "[-] An error occurred while installing Guacamole."
ldconfig
cd /var/lib/tomcat8/webapps
wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-1.0.0.war" -O guacamole.war
mkdir /etc/guacamole
mkdir /usr/share/tomcat8/.guacamole
cp /vagrant/resources/guacamole/user-mapping.xml /etc/guacamole/
cp /vagrant/resources/guacamole/guacamole.properties /etc/guacamole/
cp /vagrant/resources/guacamole/guacd.service /lib/systemd/system
sudo ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat8/.guacamole/
sudo ln -s /etc/guacamole/user-mapping.xml /usr/share/tomcat8/.guacamole/
systemctl enable guacd
systemctl enable tomcat8
systemctl start guacd
systemctl start tomcat8
register: install_guacamole
failed_when: "'error' in install_guacamole.stderr"
- name: Postinstall Tasks
args:
executable: /bin/bash
become: yes
shell: |
# Include Splunk and Zeek in the PATH
echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
# Ping DetectionLab server for usage statistics
curl -s -A "DetectionLab-logger" "https:/ping.detectionlab.network/logger" || echo "Unable to connect to ping.detectionlab.network"
Reference in New Issue View Git Blame Copy Permalink