# 480 Milestone 8 ‐ Putting the Sec in DevSecOps ‐ JM - Jacob-Mayotte/SYS480 GitHub Wiki
💡 In the demonstrations shown below, the instructor is using Splunk Enterprise as the server and Splunk Forwarder + TA for Linux and Unix as the agent. I decided to use Wazuh. I collaborated with Dave Thomsen, Miles C, Miles C, Benji and Max Berry.

## CentOS Install
- Download the CentOS ISO from the following link: http://mirrors.greenmountainaccess.net/centos/7.9.2009/isos/x86_64/
- Create a new `centos.base` VM via ESXi:
  - Make sure this is thin provisioned!
  - Set the CD/DVD drive to the CentOS ISO!
  - hostname: `centos.base`
  - named user: `jacob`
- Used `nmtui` to edit the network adapter; everything was kept as default except for the DNS server, for which I used Cloudflare's `1.1.1.1`.
- Updated the VM: `sudo yum update`
- This is just going to be a CentOS base VM; create a linked CentOS clone from here.
- Ensure this is on the blue network adapter.
- Create the new `centos.wazuh` linked clone from the `centos.base` VM. This new `centos.server` will be the Wazuh Manager!
- Make sure you have a snapshot of this VM to revert to after the MANY inevitable Ansible fails.
## Ansible Time for CentOS server
- Using the `xubuntu-mgmt` VM, create the following files: `wazuh-agent-playbook.yml` and `wazuh-server-playbook.yml`.
- Edit `linux.yaml` (your inventory file) to include the wazuh-manager host:

```yaml
centos:
  hosts:
    10.0.5.85:              # IP of the centos (wazuh-mgr) server
      hostname: wazuhserver
      lan_ip: 10.0.5.85
  vars:
    ansible_user: jacob
    device: ens192          # ethernet interface
```
- Edit `wazuh-server-playbook.yml`:

```yaml
- name: Wazuh Server Config
  hosts: centos
  tasks:
    - name: Allow ports 443, 1514, 1515, 55000 through firewalld   # 1514, 1515, 55000 are for the Wazuh Manager and 443 is for the Kibana interface
      become: yes
      shell: firewall-cmd --permanent --add-port=443/tcp && firewall-cmd --permanent --add-port=1514/tcp && firewall-cmd --permanent --add-port=1515/tcp && firewall-cmd --permanent --add-port=55000/tcp && firewall-cmd --reload

    - name: Get the Wazuh install script
      shell: "curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh"
      become: yes

    - name: Run the install script   # -a = all-in-one install, -i = ignore the minimum hardware check
      shell: "bash ./wazuh-install.sh -a -i && cd /home/{{ ansible_user }}/"
      become: yes

    - name: Retrieve the users' passwords   # the installer packs them into wazuh-install-files.tar; with -vv the output shows up in the playbook run
      shell: "tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt"
      # register: shell_result
      become: yes

    - name: Enable and start the indexer performance analyzer
      shell: "systemctl enable wazuh-indexer-performance-analyzer.service && systemctl start wazuh-indexer-performance-analyzer.service"
      become: yes

    - name: Reboot the box
      shell: "sleep 5 && reboot"
      become: yes
      async: 1
      poll: 0

    - name: Start the services
      shell: "systemctl start wazuh-indexer-performance-analyzer.service && systemctl start wazuh-manager"
      become: yes

    # - name: bounce the box
    #   hosts: centos
    #   tasks:
    #     - name: bounce the box
    #       shell: "sleep 5 && shutdown -r"
    #       become: yes
    #       async: 1
    #       poll: 0
```
- I worked with my peers on this script; we all collaborated to construct the above. I did face an issue where I could navigate to the CentOS VM from `xubuntu-mgmt` via web browser but I would receive the following error: error described. Basically the required services were on the machine but they were not starting? This was resolved with the following (this is after the reboot task in the playbook above):

```yaml
    - name: Start the services
      shell: "systemctl start wazuh-indexer-performance-analyzer.service && systemctl start wazuh-manager"
      become: yes
```

- After adding this I could access the login portal for Wazuh from `xubuntu-mgmt` via Google with: https://10.0.5.85
- For the password, make sure to scour through the output after running the playbook. There is not only a task for retrieving the password; running the playbook with `-vv` (very verbose) output will print the password too.
- To execute the wazuh-server-playbook (FROM A BASH SHELL!!!!):

```bash
ansible-playbook -i inventories/linux.yaml --ask-pass wazuh-server-playbook.yml -K -vvvv
```
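As an added example (my own, not part of the original wiki page or of any collaborator's script), here is an idempotent rewrite of the server tasks above using Ansible modules instead of shell pipelines. Two things it changes on purpose: the original reboot task is fired asynchronously, so the "Start the services" task that follows actually races the reboot, whereas the `reboot` module waits for the host to come back and the `wait_for` tasks make the play fail loudly if the manager is not listening; and the password extraction is marked `no_log` so the credentials never land in `-vv` output or in the log. It assumes the `ansible.posix` collection is installed on `xubuntu-mgmt` and that the target has the python3-firewall bindings the `firewalld` module needs; the `centos` group and `ansible_user` come from the inventory above, while the `creates:` marker path (`/var/ossec/etc/ossec.conf`, the manager's config file) and the `~/wazuh-passwords.txt` destination on the control node are choices made here.

```yaml
# Added example: idempotent Wazuh manager deployment (not the wiki's own playbook).
# Assumes: ansible.posix collection on the control node, python3-firewall on the
# target, the `centos` group / `ansible_user` from the inventory on this page.
- name: Wazuh manager (idempotent variant)
  hosts: centos
  become: true
  vars:
    wazuh_ports: [443, 1514, 1515, 55000]   # 443 dashboard, 1514/1515/55000 manager
  tasks:
    - name: Open manager and dashboard ports (permanent + immediate, so no reload step)
      ansible.posix.firewalld:
        port: "{{ item }}/tcp"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ wazuh_ports }}"

    - name: Fetch the install script (get_url skips the download if the file is unchanged)
      ansible.builtin.get_url:
        url: https://packages.wazuh.com/4.3/wazuh-install.sh
        dest: "/home/{{ ansible_user }}/wazuh-install.sh"
        mode: "0755"

    - name: Run the all-in-one installer once; `creates` makes re-runs a no-op
      ansible.builtin.command:
        cmd: bash ./wazuh-install.sh -a -i
        chdir: "/home/{{ ansible_user }}"
        creates: /var/ossec/etc/ossec.conf   # assumed marker: present after a manager install

    - name: Reboot and block until the host answers again (no async race with later tasks)
      ansible.builtin.reboot:
        reboot_timeout: 600

    - name: Make sure every Wazuh service is enabled and running after the reboot
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: true
        state: started
      loop:
        - wazuh-indexer
        - wazuh-indexer-performance-analyzer
        - wazuh-manager
        - wazuh-dashboard

    - name: Fail the play if the agent-facing ports are not actually listening
      ansible.builtin.wait_for:
        port: "{{ item }}"
        timeout: 120
      loop: [1514, 1515, 55000]

    - name: Read the generated passwords without echoing them into -vv output
      ansible.builtin.command:
        cmd: tar -xOf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt
        chdir: "/home/{{ ansible_user }}"
      register: wazuh_passwords
      changed_when: false
      no_log: true

    - name: Store the passwords on the control node, owner-readable only
      ansible.builtin.copy:
        content: "{{ wazuh_passwords.stdout }}"
        dest: "{{ lookup('env', 'HOME') }}/wazuh-passwords.txt"   # arbitrary local path
        mode: "0600"
      delegate_to: localhost
      become: false
      no_log: true
```

Run it exactly like the original (`ansible-playbook -i inventories/linux.yaml --ask-pass <file> -K`); because each task is idempotent, re-running after one of the "inevitable Ansible fails" only redoes the steps that did not complete, and the credentials end up in `~/wazuh-passwords.txt` on `xubuntu-mgmt` instead of having to be fished out of the verbose output.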
## Ansible Time for Wazuh Agents
- Designate VMs to have the Wazuh agent installed.
  - I leveraged the 3 Rocky VMs that we created in Milestone 7.
  - There was one issue: these VMs cannot communicate via hostname, only IP, so like we did on the CentOS machine, I added Cloudflare's DNS `1.1.1.1` via `nmtui` on all three machines. DNS services are not on these machines due to the lack of a DNS server on the blue network.
- Create a `before-ansible` snapshot on each of these VMs.
- Edit the `linux.yaml` to include the "new" VMs:

```yaml
linux:
  hosts:
  children:
    # rocky:
    #   hosts:             # this is for the milestone 6 or 7 requirements
    #     10.0.5.77:
    #       hostname: rocky-1
    #       lan_ip: 10.0.5.10
    #     10.0.5.75:
    #       hostname: rocky-2
    #       lan_ip: 10.0.5.11
    #     10.0.5.76:
    #       hostname: rocky-3
    #       lan_ip: 10.0.5.12
    #   vars:
    #     device: "{{ ansible_default_ipv4.interface }}"
    rocky:
      hosts:
        10.0.5.10:
          hostname: rocky-1
          lan_ip: 10.0.5.10
        10.0.5.11:
          hostname: rocky-2
          lan_ip: 10.0.5.11
        10.0.5.12:
          hostname: rocky-3
          lan_ip: 10.0.5.12
      vars:
        device: "{{ ansible_default_ipv4.interface }}"
    ubuntu:
      hosts:
        10.0.5.79:
          hostname: ubuntu-1
          lan_ip: 10.0.5.30
        10.0.5.80:
          hostname: ubuntu-2
          lan_ip: 10.0.5.31
    centos:
      hosts:
        10.0.5.85:
          hostname: wazuhserver
          lan_ip: 10.0.5.85
      vars:
        ansible_user: jacob
        device: ens192
  vars:
    public_key: "ssh-rsa <PUBLIC_KEY_REDACTED> jacob@xubuntu-mgmt"
    ansible_user: jacob      # THIS WAS EDITED FOR THIS STEP: username on the Rocky VMs
    prefix: 24
    gateway: 10.0.5.2
    name_server: 10.0.5.5
    domain: blue1.local
```
- Add the following to `wazuh-agent-playbook.yml` (templated from Max Berry's script with small adjustments; Max and I did this milestone in a very similar format, hence the similarities! We also worked on the last two milestones together):

```yaml
- name: agent configuration
  hosts: rocky
  become: yes
  tasks:
    - name: Import Wazuh GPG Key
      rpm_key:
        key: "https://packages.wazuh.com/key/GPG-KEY-WAZUH"
        state: present

    - name: Install the Wazuh agent package
      yum:
        name: "https://packages.wazuh.com/4.x/yum/wazuh-agent-4.3.11-1.x86_64.rpm"
        state: present
      environment:                      # read by the package's post-install script to point the agent at the manager
        WAZUH_MANAGER: "10.0.5.85"
        WAZUH_AGENT_GROUP: "default"

    - name: Allow ports 1514, 1515, 55000 through firewalld
      shell: firewall-cmd --permanent --add-port=1514/tcp && firewall-cmd --permanent --add-port=1515/tcp && firewall-cmd --permanent --add-port=55000/tcp && firewall-cmd --reload
      become: yes

    - name: Enable and Start Wazuh Agent   # enable as well as start, so the agent comes back after the reboot below
      shell: systemctl daemon-reload && systemctl enable wazuh-agent && systemctl start wazuh-agent
      become: yes

    - name: Bounce The Box
      shell: "sleep 5 && shutdown -r now"
      become: yes
      async: 1
      poll: 0
```
- To execute the wazuh-agent-playbook (FROM A BASH SHELL!!!!):

```bash
ansible-playbook -i inventories/linux.yaml --ask-pass wazuh-agent-playbook.yml -K -vvvv
```

- Reload the Wazuh dashboard and you should see the total number of agents change after running the playbook.
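The dashboard count only tells you how many agents enrolled, not which ones or whether each is still running. As an added example (mine, not from the wiki page or from Max Berry's script), this verification playbook checks from both sides after the agent playbook has run. It assumes the `rocky` and `centos` inventory groups above, that each Rocky VM's system hostname matches its `hostname` inventory variable (the agent enrolls under the machine's hostname by default), and the standard `/var/ossec` install paths; `wazuh_manager_ip` is a variable introduced here.

```yaml
# Added example: post-deployment verification of the Wazuh agents (not the wiki's own code).
# Assumes: inventory groups `rocky` / `centos` as on this page, agent names equal to the
# `hostname` host var, default /var/ossec paths; `wazuh_manager_ip` is defined here only.
- name: Check each agent is enrolled and running
  hosts: rocky
  become: yes
  vars:
    wazuh_manager_ip: "10.0.5.85"   # the manager from the inventory above
  tasks:
    - name: Ask systemd whether wazuh-agent is active
      ansible.builtin.command: systemctl is-active wazuh-agent
      register: agent_state
      changed_when: false
      failed_when: false            # non-zero just means "not active"; the assert below reports it

    - name: Read the manager address the package post-install wrote into ossec.conf
      ansible.builtin.command: grep -o '<address>[^<]*</address>' /var/ossec/etc/ossec.conf
      register: agent_manager
      changed_when: false

    - name: Fail early if the agent is down or pointed at the wrong manager
      ansible.builtin.assert:
        that:
          - agent_state.stdout == "active"
          - wazuh_manager_ip in agent_manager.stdout
        fail_msg: "wazuh-agent is '{{ agent_state.stdout }}', configured manager: {{ agent_manager.stdout }}"

- name: Cross-check from the manager side
  hosts: centos
  become: yes
  tasks:
    - name: List the agents the manager knows about (ID, name, IP, status)
      ansible.builtin.command: /var/ossec/bin/agent_control -l
      register: agent_list
      changed_when: false

    - name: Every Rocky host in the inventory should appear as an enrolled agent
      ansible.builtin.assert:
        that: "hostvars[item].hostname in agent_list.stdout"
        fail_msg: "{{ hostvars[item].hostname }} is not enrolled on the manager"
      loop: "{{ groups['rocky'] }}"

    - name: Print the list so it can be compared with the dashboard's agent count
      ansible.builtin.debug:
        var: agent_list.stdout_lines
```

Run it with the same inventory and flags as the other playbooks. `agent_control -l` lists every registered agent regardless of state; swapping in `agent_control -lc` turns the manager-side check into "is currently connected", which is the stricter question to ask right after the Rocky boxes have rebooted.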
## Sources

- I collaborated with Dave Thomsen, Miles C, Miles C, Benji and Max Berry.
- https://github.com/wazuh/wazuh/issues/16850
- https://documentation.wazuh.com/current/installation-guide/index.html
- https://computingforgeeks.com/deploy-wazuh-on-linux-using-ansible/#google_vignette
- https://docs.rockylinux.org/guides/8_6_installation/ (Rocky Linux docs)
- https://github.com/wazuh/wazuh-ansible
- https://stackoverflow.com/questions/54640658/how-to-fix-could-not-match-supplied-host-pattern-ignoring-bigip-errors-work (ansible playbook issue)
## Random but potentially helpful

- Output of `history 100` on `centos.server` (just taking note for troubleshooting):

```
[jacob@centos ~]$ history 100
    1  ip a
    2  nmtui
    3  hostname
    4  cd /etc/wazuh-indexer/
    5  sudo cd /etc/wazuh-indexer/
    6  sudo systemctl enable wazuh-indexer-performance-analyzer.service
    7  sudo systemctl start wazuh-indexer-performance-analyzer.service
    8  sudo systemctl status wazuh-indexer-performance-analyzer.service
    9  systemctl status wazuh-d
   10  firewallcmd --list-all
   11  sudo firewallcmd --list-all
   12  sudo firewall-cmd --list-all
   13  sudo systemctl status wazuh-indexer-performance-analyzer.service
   14  reboot
```

- To test ping via Ansible:

```bash
ansible rocky -m ping -i inventories/linux.yaml --user jacob --ask-pass
ansible centos -m ping -i inventories/linux.yaml --user jacob --ask-pass
```