480 Milestone 8 ‐ Putting the Sec in DevSecOps ‐ JM - Jacob-Mayotte/SYS480 GitHub Wiki

💡In the demonstrations shown below, the instructor is using Splunk Enterprise as the Server and Splunk Forwarder + TA for Linux and Unix as the agent. I decided to use Wazuh. I collaborated with Dave Thomsen, Miles C, Miles C, Benji and Max Berry.

CentOS Install:

  1. Download the CentOS ISO from the following link: http://mirrors.greenmountainaccess.net/centos/7.9.2009/isos/x86_64/


  2. Create a new centos.base VM via ESXi:


  • Make sure this is thin provisioned!
  • Set the CD/DVD to the CentOS ISO!
  • hostname: centos.base
  • Named user: jacob
  • used nmtui to edit the network adapter; everything was kept as default except for the DNS server, where I used Cloudflare's: 1.1.1.1
  • updated the VM: sudo yum update
  • This is just going to be a CentOS base VM; create a linked CentOS clone from here.
  • Ensure this is on the blue network adapter.
  3. Create the new centos.wazuh linked clone from the centos.base VM. This new centos.server will be the Wazuh Manager!


  • Make sure you have a snapshot of this VM to revert to after MANY inevitable ansible fails.

Ansible Time for CentOS server

  1. Using the xubuntu-mgmt VM, create the following files: wazuh-agent-playbook.yml & wazuh-server-playbook.yml


  2. Edit linux.yaml (your inventory file) to include the wazuh-manager host. Note that YAML comments start with #; a // comment after a value becomes part of that value:
    centos:
      hosts:
        10.0.5.85:                 # IP of the centos (wazuh-mgr) server
          hostname: wazuhserver
          lan_ip: 10.0.5.85
      vars:
        ansible_user: jacob
        device: ens192             # ethernet interface
  3. Edit wazuh-server-playbook.yml:
- name: Wazuh Server Config
  hosts: centos
  tasks:
    - name: Allow port 443, 1514, 1515, 55000 through firewalld # 1514, 1515, 55000 are for Wazuh Manager and 443 is for the Kibana interface
      become: yes
      shell: firewall-cmd --permanent --add-port=443/tcp && firewall-cmd --permanent --add-port=1514/tcp && firewall-cmd --permanent --add-port=1515/tcp && firewall-cmd --permanent --add-port=55000/tcp && firewall-cmd --reload

    - name: Get the Wazuh install script
      shell: "curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh"
      become: yes

    - name: Run the install script (-a = all-in-one, -i = ignore the hardware requirement checks)
      shell: "bash ./wazuh-install.sh -a -i"
      become: yes

    - name: Retrieve the users' passwords (printed into the playbook output)
      shell: "tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt"
#      register: shell_result
      become: yes

    - name: Enable and start the indexer performance analyzer
      shell: "systemctl enable wazuh-indexer-performance-analyzer.service && systemctl start wazuh-indexer-performance-analyzer.service"
      become: yes

    - name: reboot the box
      shell: "sleep 5 && reboot"
      become: yes
      async: 1
      poll: 0

    - name: Wait for the box to come back before touching the services again
      wait_for_connection:
        delay: 15      # give the "sleep 5 && reboot" time to actually drop the connection
        timeout: 300

    - name: Start the services
      shell: "systemctl start wazuh-indexer-performance-analyzer.service && systemctl start wazuh-manager"   # become: yes already gives root, no sudo needed
      become: yes

# - name: bounce the box
#   hosts: centos
#   tasks:
#     - name: bounce the box
#       shell: "sleep 5 && shutdown -r"
#       become: yes
#       async: 1
#       poll: 0
  • I worked with my peers on this script; we all collaborated to construct the above. I did face an issue where I could navigate to the CentOS VM from xubuntu-mgmt via web browser, but I would receive the following error: error described. Basically the required services were on the machine but they were not starting? This was resolved with the following (this is after the reboot task in the playbook above):
    - name: Start the services
      shell: "systemctl start wazuh-indexer-performance-analyzer.service && systemctl start wazuh-manager"
      become: yes
  • After adding this I could access the login portal for Wazuh from xubuntu-mgmt via Google with: https://10.0.5.85

  • For the password, make sure to scour through the output after running the playbook. Not only is there a task for retrieving the password, but running the playbook with -vv (very verbose) output will print the password too, so it also ends up in any saved terminal log.

  • To execute the wazuh-server-playbook (FROM A BASH SHELL!): ansible-playbook -i inventories/linux.yaml --ask-pass wazuh-server-playbook.yml -K -vvvv
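The playbook above prints the generated passwords straight into the Ansible output, and a -vvvv run is often kept in a terminal log. As an added example (this is not the wiki's or the course's playbook), here is a variant of the server play that reads the passwords with no_log so they never appear in the run output, saves them to a 0600 file on the xubuntu-mgmt controller, uses the built-in reboot module so the service start is guaranteed to run after the box is back, and opens the firewall ports with the firewalld module so reruns report "ok" instead of "changed". It assumes the ansible.posix collection (shipped with the full ansible package) is installed on the controller, that the install script was run from /home/{{ ansible_user }} as on this page, and that the controller's $HOME is writable; the destination filename is an assumption of mine.

```yaml
# Added example: hardened version of the Wazuh server play (not the original wiki playbook).
- name: Wazuh Server Config (no_log password handling, real reboot wait)
  hosts: centos
  become: yes
  tasks:
    - name: Open the manager and dashboard ports (idempotent, permanent and immediate)
      ansible.posix.firewalld:          # assumes the ansible.posix collection is installed
        port: "{{ item }}/tcp"
        permanent: yes
        immediate: yes
        state: enabled
      loop: [443, 1514, 1515, 55000]

    - name: Read the generated passwords without echoing them into the playbook output
      shell: tar -O -xf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
      args:
        chdir: "/home/{{ ansible_user }}"   # where the install script was run on this page
      register: wazuh_passwords
      changed_when: false                   # a read, not a change
      no_log: true                          # keeps the secret out of -vvvv output and logs

    - name: Save the passwords on the controller, readable only by the operator
      copy:
        content: "{{ wazuh_passwords.stdout }}"
        dest: "{{ lookup('env', 'HOME') }}/wazuh-passwords-{{ inventory_hostname }}.txt"  # filename is my choice
        mode: "0600"
      delegate_to: localhost
      become: no
      no_log: true                          # copy would otherwise diff the file contents

    - name: Reboot and block until the host answers again
      reboot:
        reboot_timeout: 600

    - name: Ensure the Wazuh services are enabled and running after the reboot
      systemd:
        name: "{{ item }}"
        enabled: yes
        state: started
      loop:
        - wazuh-indexer-performance-analyzer
        - wazuh-manager
```

With this in place the password file is the only copy of the credentials produced by the run; once the admin password has been rotated in the dashboard the file can be deleted from the controller.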

Ansible Time for Wazuh Agents

  1. Designate VMs to have the Wazuh agent installed
  • I leveraged the 3 Rocky VMs that we created in Milestone 7.


  • There was one issue: these VMs cannot communicate via hostname, only IP, so like we did on the centos machine, I added Cloudflare's DNS (1.1.1.1) via nmtui on all three machines. DNS services are not on these machines due to the lack of a DNS server on the blue network.
  • Create a before-ansible snapshot on each of these VMs.
  2. Edit linux.yaml to include the "new" VMs:
linux:
  hosts:
  children:
      # rocky:
      # hosts:   # this is for milestone 6 or 7 requirements
      #   10.0.5.77:
      #     hostname: rocky-1
      #     lan_ip: 10.0.5.10
      #   10.0.5.75:
      #     hostname: rocky-2
      #     lan_ip: 10.0.5.11
      #   10.0.5.76:
      #     hostname: rocky-3
      #     lan_ip: 10.0.5.12
      # vars:
      #   device: "{{ ansible_default_ipv4.interface }}"
    rocky:
      hosts:
        10.0.5.10:
          hostname: rocky-1
          lan_ip: 10.0.5.10
        10.0.5.11:
          hostname: rocky-2
          lan_ip: 10.0.5.11
        10.0.5.12:
          hostname: rocky-3
          lan_ip: 10.0.5.12
      vars:
        device: "{{ ansible_default_ipv4.interface }}"


    ubuntu:
      hosts:
        10.0.5.79:
          hostname: ubuntu-1
          lan_ip: 10.0.5.30
        10.0.5.80:
          hostname: ubuntu-2
          lan_ip: 10.0.5.31

    centos:
      hosts:
        10.0.5.85:
          hostname: wazuhserver
          lan_ip: 10.0.5.85
      vars:
        ansible_user: jacob
        device: ens192

  vars:
    public_key: "ssh-rsa <public key omitted> jacob@xubuntu-mgmt"
    ansible_user: jacob   # THIS WAS EDITED FOR THIS STEP: username on the Rocky VMs (a // comment here would become part of the value)
    prefix: 24
    gateway: 10.0.5.2
    name_server: 10.0.5.5
    domain: blue1.local
  3. Add the following to wazuh-agent-playbook.yml (templated from Max Berry's script with small adjustments; Max and I did this milestone in a very similar format, hence the similarities! We also worked on the last two milestones together):
- name: agent configuration
  hosts: rocky
  become: yes
  tasks:
    - name: Import Wazuh GPG Key
      rpm_key: 
        key: "https://packages.wazuh.com/key/GPG-KEY-WAZUH"
        state: present
    - name: Install the Wazuh agent package
      yum:
        name: "https://packages.wazuh.com/4.x/yum/wazuh-agent-4.3.11-1.x86_64.rpm"
        state: present
      environment:
        WAZUH_MANAGER: "10.0.5.85"
        WAZUH_AGENT_GROUP: "default"
    - name: Allow port 1514, 1515, 55000 through firewalld
      shell: firewall-cmd --permanent --add-port=1514/tcp && firewall-cmd --permanent --add-port=1515/tcp && firewall-cmd --permanent --add-port=55000/tcp && firewall-cmd --reload
      become: yes
    - name: Enable and Start Wazuh Agent
      systemd:                 # the original shell task only started the agent and never enabled it
        name: wazuh-agent
        enabled: yes
        state: started
      become: yes
    - name: Bounce The Box
      shell: "sleep 5 && reboot"   # "restart -r" is not a command; reboot is what the server play uses
      become: yes
      async: 1
      poll: 0
  • To execute the wazuh-agent-playbook (FROM A BASH SHELL!): ansible-playbook -i inventories/linux.yaml --ask-pass wazuh-agent-playbook.yml -K -vvvv
  • Reload the wazuh dashboard and you should see the total number of agents change after running the playbook.
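The agent play above works, but the firewall-cmd and systemctl shell tasks report "changed" on every run and nothing in it confirms that enrollment actually succeeded before you go looking at the dashboard. As an added example, not part of this wiki page or of Max Berry's script, here is a variant that installs the agent the same way, checks that the agent can reach the manager's enrollment (1515) and event (1514) ports, and then waits until the agent has obtained a key (the manager writes it into /var/ossec/etc/client.keys when enrollment succeeds; the file exists but is empty before that). It reuses the manager IP and package URL from the page; wazuh_manager_ip and wazuh_agent_rpm are variable names I introduced. The agent only makes outbound connections to 1514/1515 and listens on nothing, so the inbound firewalld openings from the original play are not needed for enrollment and are left out here, which keeps the agents' exposed surface smaller.

```yaml
# Added example: idempotent agent install with an enrollment check (not the original wiki playbook).
- name: agent configuration (idempotent variant with enrollment check)
  hosts: rocky
  become: yes
  vars:
    wazuh_manager_ip: 10.0.5.85          # manager IP from this page's inventory
    wazuh_agent_rpm: "https://packages.wazuh.com/4.x/yum/wazuh-agent-4.3.11-1.x86_64.rpm"
  tasks:
    - name: Import Wazuh GPG key
      rpm_key:
        key: https://packages.wazuh.com/key/GPG-KEY-WAZUH
        state: present

    - name: Install the agent, pointing it at the manager at install time
      yum:
        name: "{{ wazuh_agent_rpm }}"
        state: present
      environment:
        WAZUH_MANAGER: "{{ wazuh_manager_ip }}"
        WAZUH_AGENT_GROUP: default

    - name: Enable and start the agent (starting is what triggers enrollment)
      systemd:
        name: wazuh-agent
        enabled: yes
        state: started
        daemon_reload: yes

    - name: Confirm the agent can reach the manager's event and enrollment ports
      wait_for:
        host: "{{ wazuh_manager_ip }}"
        port: "{{ item }}"
        timeout: 30
      loop: [1514, 1515]

    - name: Wait until the agent has received a key from the manager
      stat:
        path: /var/ossec/etc/client.keys
      register: client_keys
      until: client_keys.stat.exists and client_keys.stat.size > 0
      retries: 6
      delay: 10
```

If the wait_for task fails, the problem is between the agent and the manager (routing or the manager's firewall, which the server play opens); if wait_for passes but the client.keys check times out, the agent reached the manager but enrollment was refused, and /var/ossec/logs/ossec.log on the agent is the place to look.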

Sources:

Random but potentially helpful
  • Output of history 100 on centos.server (just taking note for troubleshooting):
[jacob@centos ~]$ history 100
    1  ip a
    2  nmtui
    3  hostname
    4  cd /etc/wazuh-indexer/
    5  sudo cd /etc/wazuh-indexer/
    6  sudo systemctl enable wazuh-indexer-performance-analyzer.service
    7  sudo systemctl start wazuh-indexer-performance-analyzer.service
    8  sudo systemctl status wazuh-indexer-performance-analyzer.service
    9  systemctl status wazuh-d
   10  firewallcmd --list-all
   11  sudo firewallcmd --list-all
   12  sudo firewall-cmd --list-all
   13  sudo systemctl status wazuh-indexer-performance-analyzer.service
   14  reboot

To test ping via ansible:

  • ansible rocky -m ping -i inventories/linux.yaml --user jacob --ask-pass
  • ansible centos -m ping -i inventories/linux.yaml --user jacob --ask-pass