sonofagl1tch / awsdetonationlab
This script is used to generate some basic detections of the aws security services
License: Apache License 2.0
Currently you cannot run multiple detonation labs at once because the user being created in the CF template already exists. This breaks the stack.
Request: generate a username like "wazuh-asdfsreasd" with everything after the hyphen being generated in the CF template.
This will allow multiple detlabs to run at once.
add wazuh agent to all other systems in the detonationlab
currently, network visibility is pretty weak. So I want to add bro and suricata/snort to my detlab.
https://github.com/Security-Onion-Solutions/security-onion/wiki/CloudClient
Hello,
The VPCFlow bucket where logs are stored is being configured as custom type but it must be vpcflow:
AWSDetonationLab/additionalInstallationScripts/installWazuh.sh, lines 174 to 179 in f179d8b
This means VPC Flow logs are not parsed/processed by Wazuh.
Best regards,
Marta
Describe the bug
I have deployed the template multiple times today and all the times I did, the AWS secret key wasn't correctly replaced in the Wazuh configuration file.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The insert_secret_key value should be replaced by the actual secret key.
Additional context
# tail /var/ossec/etc/ossec.conf
<access_key>AKIAJ64K653OQV3ZJ6IA</access_key>
<secret_key>insert_secret_key</secret_key>
</bucket>
<bucket type="vpcflow">
<name>detonationlab-s3bucketvpcflow-15sozza5u84l7</name>
<access_key>AKIAJ64K653OQV3ZJ6IA</access_key>
<secret_key>insert_secret_key</secret_key>
</bucket>
</wodle>
</ossec_config>
Currently the det lab creates 1 S3 bucket per service getting logged. This was the easiest way to do it in the beginning due to how we learned to create the logging pipeline. Since then I have had multiple requests to log all services to a single S3 bucket with a subdirectory for each service. This was due to a limitation in S3 of 100 buckets total. To solve this issue I think we should add an option to the config page for the user to select multiple or a single S3 bucket for logs. The directory structure should look something like the below
add nikto web vuln scanner to redteam instance in template
update cloudformation template to prompt for a VT key during the build stage that will configure the wazuh server to use their VT integration.
https://documentation.wazuh.com/3.x/user-manual/capabilities/virustotal-scan/index.html
add at least 1 tag to every resource that is created by the detonationlab for ease of account cleanup after the cloudformation stack is deleted
fix error
- ***** RFIURL is not defined in nikto.conf--no RFI tests will run *****
Hello @sonofagl1tch,
I've noticed the script in /additionalInstallationScripts/installWazuh-Ubuntu.sh is outdated with respect to the installWazuh script used for Amazon Linux.
I think it would be a good idea to make some kind of library with common install functions for both rpm and deb. The only difference between the two should be the way repositories are managed.
Best regards,
Marta
need to remove wazuhagenttraffic securitygroup for all instances except for the wazuh server. Also the wazuhagenttraffic securitygroup needs to have the egress rules deleted so it allows all outbound traffic instead of just specific ports.
Describe the bug
The Boto3 python package is not being installed in the wazuh manager, which makes Wazuh's AWS integration fail:
2019/03/22 19:51:38 wazuh-modulesd:aws-s3: INFO: Executing Bucket Analysis: ********
2019/03/22 19:51:38 wazuh-modulesd:aws-s3: WARNING: Bucket: - Returned exit code 4
2019/03/22 19:51:38 wazuh-modulesd:aws-s3: WARNING: Bucket: - boto3 module is required.
2019/03/22 19:51:38 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.
Hello @sonofagl1tch,
The Wazuh team has added support for AWS Trust Advisor in wazuh/wazuh#1845. I think we should add it to the detonation lab.
Tasks:
ossec.conf file in Wazuh manager.
Best regards,
Marta
setup template or install script to automatically import the kibana Visualizations and dashboards created for the detonation lab
Hi @sonofagl1tch,
After deploying the detonation lab, I had to register the agents manually. I think the registration scripts should be improved to use authd.
Currently defined tasks:
authd in the wazuh manager.
Best regards,
Marta
add default values for all parameters in the cloudformation template
Hello,
The Windows AMI currently used by the Detonation lab is outdated. This makes the template fail when deploying.
From AWS Docs:
The Windows AMIs in each release have new AMI IDs. Therefore, we recommend that you write scripts that locate the latest AWS Windows AMIs by their names, rather than by their IDs.
This problem has already happened (#51) so we should consider looking for AMIs based on instance names instead of having AMIs hardcoded.
Best regards,
Marta
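The report above recommends locating Windows AMIs by name rather than by hardcoded ID. The following is an added example (not part of AWSDetonationLab or its template) of how the build step could do that: it assumes the tab-separated text output of `aws ec2 describe-images` with the filter and query shown in the comments, and exercises the selection logic offline on a constructed listing with fake AMI IDs.

```shell
#!/bin/sh
# Added example, not part of AWSDetonationLab: resolve the newest AMI for a
# given name pattern instead of hardcoding an AMI ID in the template.
# Assumed input format is the tab-separated text output of
#   aws ec2 describe-images --owners amazon \
#     --filters 'Name=name,Values=Windows_Server-2019-English-Full-Base-*' \
#     --query 'Images[].[CreationDate,ImageId,Name]' --output text
# so the selection function can be exercised offline with a constructed listing.

# Reads "CreationDate<TAB>ImageId<TAB>Name" lines on stdin and prints the
# ImageId with the newest CreationDate (ISO-8601 timestamps sort lexically).
latest_ami_from_listing() {
    sort -k1,1 | tail -n 1 | cut -f2
}

# Constructed sample listing; the AMI IDs are fake and deliberately unordered.
sample_listing() {
    printf '%s\t%s\t%s\n' \
        '2019-03-13T21:12:14.000Z' 'ami-0000000000000aaaa' 'Windows_Server-2019-English-Full-Base-2019.03.13' \
        '2019-05-15T03:41:02.000Z' 'ami-0000000000000cccc' 'Windows_Server-2019-English-Full-Base-2019.05.15' \
        '2019-04-10T18:01:55.000Z' 'ami-0000000000000bbbb' 'Windows_Server-2019-English-Full-Base-2019.04.10'
}

# Live lookup the template build could call (hypothetical wrapper; needs AWS
# credentials and the CLI flags assumed above). $1 overrides the name pattern.
latest_windows_ami() {
    aws ec2 describe-images --owners amazon \
        --filters "Name=name,Values=${1:-Windows_Server-2019-English-Full-Base-*}" \
        --query 'Images[].[CreationDate,ImageId,Name]' --output text \
    | latest_ami_from_listing
}

echo "newest AMI in sample listing: $(sample_listing | latest_ami_from_listing)"
```

An alternative that needs no script at all is to declare the AMI as a CloudFormation parameter of type `AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>` with the public SSM parameter `/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base` as its default, which resolves to the current AMI ID in the deployment region at stack creation time.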
Hi @sonofagl1tch,
I think the README is too long. It's difficult to find specific information and it's necessary to do a lot of scrolling to get to the Get Started section.
It would be much better to have all that information organized in a Wiki section. I think the Wiki can have the following sections:
Best regards,
Marta
Hi @sonofagl1tch,
After the deployment of my Wazuh manager in the Detonation lab, the Wazuh app wasn't installed. I ran the script manually and noticed the following error:
Attempting to transfer from https://packages.wazuh.com/wazuhapp/wazuhapp-3.6.1.0_6.4.0.zip
Attempting to transfer from https://artifacts.elastic.co/downloads/kibana-plugins/https://packages.wazuh.com/wazuhapp/wazuhapp-3.6.1.0_6.4.0.zip/https://packages.wazuh.com/wazuhapp/wazuhapp-3.6.1.0_6.4.0.zip-6.4.0.zip
Plugin installation was unsuccessful due to error "No valid url specified."
I think the problem is on this part of the script:
AWSDetonationLab/additionalInstallationScripts/installWazuh.sh, lines 108 to 109 in 419be40
More precisely, the Wazuh version variable is 3.6.1 but a .0 is hardcoded in the URL, resulting in a file wazuhapp-3.6.1.0 which doesn't exist.
Best regards,
Marta
update cloudformation template to collect and write vpcflow logs to an s3 bucket without the usage of a lambda function
Is your feature request related to a problem? Please describe.
The current template deploys very expensive EC2 instances. I think the deployed environment is good for production but it's too much for someone who only wants to do a bit of testing or playing around.
Describe the solution you'd like
Add another template, this way the user would have two options to choose from: prod or testing.
I don't want to do it by copying and pasting, if the code of one template can't be used for the other we can try doing a script that generates the template or something like that.
installwazuh script not appending aws wodle to ossec.conf
setup template or install script to automatically set the default index in kibana
https://stackoverflow.com/questions/36871862/programmatically-set-kibanas-default-index-pattern
add sections to the cloudformation template that automatically turns on the following services
It would help a lot to have each PR automatically tested using a CI service such as Travis or Jenkins.
route53 DNS
currently requires a public domain to be registered to be used so I cut it for cost reasons
Hello @sonofagl1tch,
The Wazuh team has improved the way Inspector findings are fetched from AWS: a bucket is no longer necessary since events are directly read from the AWS API using boto3. More info: wazuh/wazuh#1895
There's no need to send Inspector events to a bucket anymore, enabling the service and updating Wazuh configuration should be enough.
Best regards,
Marta
update the cloudformation template to automatically update the wazuh server with everything it needs to ingest aws logs
<wodle name="aws-s3">
<disabled>no</disabled>
<interval>10m</interval>
<run_on_start>no</run_on_start>
<skip_on_error>no</skip_on_error>
<bucket type="cloudtrail">
<name>wazuh-cloudtrail</name>
<access_key>insert_access_key</access_key>
<secret_key>insert_secret_key</secret_key>
</bucket>
</wodle>
Oracle has changed the URI format and TLD for downloading Java. This will need to be updated in the installWazuh.sh script.
Describe the bug
The AWS wodle configuration in wazuh is not correct, which means the script doesn't execute this part of the template:
AWSDetonationLab/awsDetonationLab.template, lines 2540 to 2587 in e39441a
Boto3 python package wasn't installed either.
To Reproduce
Steps to reproduce the behavior:
ssh wazuh
tail -n20 /var/ossec/etc/ossec.conf
Expected behavior
Template values in configuration should be replaced with bucket names and AWS keys. Boto3 should be installed.
Output
# tail -n20 /var/ossec/etc/ossec.conf
<bucket type="custom">
<name>inspectorlogging</name>
<path>firehose</path>
<access_key>insert_access_key</access_key>
<secret_key>insert_secret_key</secret_key>
</bucket>
<bucket type="custom">
<name>macielogging</name>
<path>firehose</path>
<access_key>insert_access_key</access_key>
<secret_key>insert_secret_key</secret_key>
</bucket>
<bucket type="custom">
<name>vpcflowlogging</name>
<path>flowlogs</path>
<access_key>insert_access_key</access_key>
<secret_key>insert_secret_key</secret_key>
</bucket>
</wodle>
</ossec_config>
# pip install boto3
Collecting boto3
Downloading https://files.pythonhosted.org/packages/6d/5b/67f82c90b73ea21121a7d94c0b56546c1bfbd516ca27ae829220389c547a/boto3-1.9.69-py2.py3-none-any.whl (128kB)
100% |████████████████████████████████| 133kB 5.7MB/s
Collecting s3transfer<0.2.0,>=0.1.10 (from boto3)
Downloading https://files.pythonhosted.org/packages/d7/14/2a0004d487464d120c9fb85313a75cd3d71a7506955be458eebfe19a6b1d/s3transfer-0.1.13-py2.py3-none-any.whl (59kB)
100% |████████████████████████████████| 61kB 8.4MB/s
Collecting botocore<1.13.0,>=1.12.69 (from boto3)
Downloading https://files.pythonhosted.org/packages/72/ba/a188505f67a78a686aa24d8511a18cb5a8bb27705c9d1b1bb81bee97a138/botocore-1.12.69-py2.py3-none-any.whl (5.2MB)
100% |████████████████████████████████| 5.2MB 228kB/s
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /usr/lib/python2.7/dist-packages (from boto3)
Requirement already satisfied: futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" in /usr/lib/python2.7/dist-packages (from s3transfer<0.2.0,>=0.1.10->boto3)
Collecting urllib3<1.25,>=1.20; python_version == "2.7" (from botocore<1.13.0,>=1.12.69->boto3)
Downloading https://files.pythonhosted.org/packages/62/00/ee1d7de624db8ba7090d1226aebefab96a2c71cd5cfa7629d6ad3f61b79e/urllib3-1.24.1-py2.py3-none-any.whl (118kB)
100% |████████████████████████████████| 122kB 8.9MB/s
Requirement already satisfied: python-dateutil<3.0.0,>=2.1; python_version >= "2.7" in /usr/lib/python2.7/dist-packages (from botocore<1.13.0,>=1.12.69->boto3)
Requirement already satisfied: docutils>=0.10 in /usr/lib/python2.7/dist-packages (from botocore<1.13.0,>=1.12.69->boto3)
Requirement already satisfied: six in /usr/lib/python2.7/dist-packages (from python-dateutil<3.0.0,>=2.1; python_version >= "2.7"->botocore<1.13.0,>=1.12.69->boto3)
Installing collected packages: urllib3, botocore, s3transfer, boto3
Found existing installation: urllib3 1.8.2
Uninstalling urllib3-1.8.2:
Successfully uninstalled urllib3-1.8.2
Found existing installation: botocore 1.10.82
Uninstalling botocore-1.10.82:
Successfully uninstalled botocore-1.10.82
Successfully installed boto3-1.9.69 botocore-1.12.69 s3transfer-0.1.13 urllib3-1.24.1
You are using pip version 9.0.3, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
# pip install boto3
Requirement already satisfied: boto3 in /usr/local/lib/python2.7/site-packages
Requirement already satisfied: s3transfer<0.2.0,>=0.1.10 in /usr/local/lib/python2.7/site-packages (from boto3)
Requirement already satisfied: botocore<1.13.0,>=1.12.69 in /usr/local/lib/python2.7/site-packages (from boto3)
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /usr/lib/python2.7/dist-packages (from boto3)
Requirement already satisfied: futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" in /usr/lib/python2.7/dist-packages (from s3transfer<0.2.0,>=0.1.10->boto3)
Requirement already satisfied: urllib3<1.25,>=1.20; python_version == "2.7" in /usr/local/lib/python2.7/site-packages (from botocore<1.13.0,>=1.12.69->boto3)
Requirement already satisfied: python-dateutil<3.0.0,>=2.1; python_version >= "2.7" in /usr/lib/python2.7/dist-packages (from botocore<1.13.0,>=1.12.69->boto3)
Requirement already satisfied: docutils>=0.10 in /usr/lib/python2.7/dist-packages (from botocore<1.13.0,>=1.12.69->boto3)
Requirement already satisfied: six in /usr/lib/python2.7/dist-packages (from python-dateutil<3.0.0,>=2.1; python_version >= "2.7"->botocore<1.13.0,>=1.12.69->boto3)
You are using pip version 9.0.3, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
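Two of the issues above describe the same failure class in the installed ossec.conf: template placeholders (insert_access_key / insert_secret_key) that were never substituted, and the VPC Flow bucket declared as type="custom" instead of type="vpcflow", which silently stops Wazuh from parsing flow logs. The following is an added example, not part of AWSDetonationLab or Wazuh, of a post-install check the install script could run before starting the manager. It assumes the placeholder strings are exactly those used by the lab's template and that the config path is passed as the first argument; the two sample configs are constructed inline and contain no real keys.

```shell
#!/bin/sh
# Added example, not part of AWSDetonationLab: post-install checks for the
# aws-s3 wodle in /var/ossec/etc/ossec.conf, covering the two failure modes
# reported in the issues (template placeholders left in place, and the VPC Flow
# bucket declared as type="custom" instead of type="vpcflow").
# Assumptions: the placeholders are the literal strings insert_access_key and
# insert_secret_key used by the lab's template; the file path is passed as $1.

# 0 if no template placeholders remain in the file, 1 otherwise.
check_no_placeholders() {
    ! grep -Eq 'insert_(access|secret)_key' "$1"
}

# 0 if every <bucket> whose <name> contains "vpcflow" is declared with
# type="vpcflow" (Wazuh only runs its flow-log parser for that type), 1 otherwise.
check_vpcflow_type() {
    awk '
        /<bucket type=/ { btype = $0; sub(/.*type="/, "", btype); sub(/".*/, "", btype) }
        /<name>/ {
            bname = $0; sub(/.*<name>/, "", bname); sub(/<\/name>.*/, "", bname)
            if (bname ~ /vpcflow/ && btype != "vpcflow") bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Runs both file checks, prints one line per result and returns 1 if any failed.
validate_ossec_conf() {
    rc=0
    if check_no_placeholders "$1"; then
        echo "ok:   no insert_* placeholders left in $1"
    else
        echo "FAIL: insert_access_key/insert_secret_key still present in $1"; rc=1
    fi
    if check_vpcflow_type "$1"; then
        echo "ok:   vpcflow bucket(s) declared with type=\"vpcflow\""
    else
        echo "FAIL: a vpcflow bucket is declared with another type (custom?)"; rc=1
    fi
    return $rc
}

# Constructed sample configs (no real keys) mirroring the states in the issues.
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
<ossec_config>
  <wodle name="aws-s3">
    <bucket type="custom">
      <name>vpcflowlogging</name>
      <path>flowlogs</path>
      <access_key>insert_access_key</access_key>
      <secret_key>insert_secret_key</secret_key>
    </bucket>
  </wodle>
</ossec_config>
EOF

GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
<ossec_config>
  <wodle name="aws-s3">
    <bucket type="vpcflow">
      <name>detonationlab-s3bucketvpcflow-placeholder</name>
      <access_key>AKIA_EXAMPLE_NOT_A_REAL_KEY</access_key>
      <secret_key>EXAMPLE_SECRET_NOT_A_REAL_KEY</secret_key>
    </bucket>
  </wodle>
</ossec_config>
EOF

# The first call prints two FAIL lines and returns 1, the second two ok lines.
if validate_ossec_conf "$BAD_CONF"; then echo "unexpected: bad config passed"; fi
validate_ossec_conf "$GOOD_CONF"
```

In the lab, `validate_ossec_conf /var/ossec/etc/ossec.conf` would run right after the sed substitutions in installWazuh.sh, so a failed key substitution aborts the install with a clear message instead of surfacing later as an authentication error in ossec.log. A check that `python -c 'import boto3'` succeeds belongs in the same place, since the wodle exits with code 4 when the module is missing, as the log lines in the earlier boto3 report show.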
Describe the bug
When I try to deploy the template it fails in the middle of the deployment process and rolls back all the deployed resources.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I expect the stack deployment to get CREATE_COMPLETE status instead of ROLLBACK_IN_PROGRESS.
Additional context
It seems Amazon Marketplace has updated their images so the ID is no longer the one specified in the template.
Some Resources are named firehose and some are named firehost
firehostdeliveryRoleGuardDuty
firehostdeliveryRoleIAM
firehostdeliveryRoleInspector
firehostdeliveryRoleMacie
firehostdeliveryRoleVPC
Hello @sonofagl1tch,
The Wazuh team has added support for AWS Config in wazuh/wazuh#1835. I think we should add it to the detonation lab.
Tasks:
ossec.conf file in Wazuh manager.
Best regards,
Marta
Hi @sonofagl1tch and @mgmacias95,
Since the release of Wazuh v3.9.1, Wazuh is compatible with Elastic 7.1.0, and Logstash and Java are no longer necessary, so the installation process in installWazuh.sh needs some changes.
In addition, Elastic 7.1.0 includes some security features out of the box. More info at https://www.elastic.co/es/blog/getting-started-with-elasticsearch-security.
Requested changes:
Some helpful links:
Best regards,
Braulio.
After the cloudformation template is deleted, the s3 buckets are kept if they have objects within them. We need to either add an option to choose that buckets are deleted fully with a lambda function, or some other solution.