web01 - Cyber-JL/SEC-350-01 GitHub Wiki

Lab 1.1 Routing and DMZ

  1. First is to make sure that web01 is set to the right network adapter in this case it should be SEC350-01-DMZ-jude.lindale
  2. like the other machines web01 will need it IP address and hostname changed which can be done via nmtui, as well as a new sudo user and to change the passwords for champuser and root:

2023-01-16 14_44_26-VMware Horizon

2023-01-16 14_44_50-VMware Horizon

Configuring httpd on web01 & Configuring firewall on web01

  1. First is to install httpd using the following command:

    sudo yum install httpd -y

  2. Once installed enable and start httpd:

     sudo systemctl enable httpd
 sudo systemctl start httpd

  3. Then allow port 80/tcp and 443/tcp or services http and https throught the firewall or just do all for good measure:

    firewall-cmd --permanent --add-port 80/tcp
firewall-cmd --permanent --add-port 445/tcp
firewall-cmd --permanent --add-service http
firewall-cmd --permanent --add-service https
firewall-cmd --reload

RSYSLog

  1. On web01 install rsyslog:

    sudo yum install rsyslog -y

  2. Then create the following file: /etc/rsyslog.d/sec350.conf:

    vi /etc/rsyslog.d/sec350.conf

2023-01-16 15_10_37-VMware Horizon

   NOTE:
   the line in sec350.conf means:
   user=syslog facility
   notice=syslog priority
   @=UDP, @@ means TCP, so we are only going to send UDP
   172.16.50.5=Remote Syslog Server

Test rsyslog messaging from web01 to log01

  1. on log01 run the following command:

    tail -f /var/log/messages

  2. From web01, after restarting rsyslog, run the command:

     logger -t test TESTFROMWEB01TOLOG01

rw01->SSH->web01->SSH->log01

  1. lastly on rw01 in a terminal ssh to web01

     ssh [email protected]

  2. one sshed into web01 ssh into log01 from there

     ssh [email protected]

Lab 2.1 Standardizing on Time

To change the time and date we do the following:

  1. check the current time and data formate by running

this will show the time and date formate of syslogs

   logger -t test timel0nweb02
   sudo cat /var/log/messages | grep timel0nweb02

  1. To change the formate of the time and date of the syslog edit and comment out the following:

    vi /etc/rsyslog.conf

2023-01-23 14_22_10-VMware Horizon

  1. Then restart rsyslog

      sudo systemctl restart rsyslog

  2. Test to see if it worked

2023-01-23 14_16_56-Lindale_Lab 2 1 Standardizing on Time - Google Docs

Lab 2.2 - Syslog Organization on log01

  1. test Log01 Organization

    logger -t SEC350 Testing web01->log01 custom rsyslog configuration

  2. Logging Authorization Events

    1. In /etc/rsyslog.d/sec350.conf add the following:

    2023-01-23 15_59_27-Lindale_ Lab 2 2 - Syslog Organization on log01 - Google Docs

  3. restart rsyslog

  4. SSH into web01 from mgmt01

3.1 Segmentation 1

Update client logging configurations

   cd /etc/rsyslog.d
   sudo rm sys350.conf

Lab 3.2 - Wazuh

Agent install

  • Find the groups screen in Wazuh, create a new group called linux
  • Find the agents screen in Wazuh, Deploy a new agent with the following configuration.

    • Redhat/CentoS

    • CentOS 6 or higher

    • x86_64

    • 172.16.200.10

    • linux

    • Run this command on your web01 server

       sudo WAZUH_MANAGER='localhost' WAZUH_AGENT_GROUP='linux' yum install https://packages.wazuh.com/4.x/yum5/x86_64/wazuh-agent-4.3.10-1.el5.x86_64.rpm

    • Start the Wazuh agent on web01

      sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Agent Directory Structure

agent