├── README.md
├── Vagrantfile
└── provision
    └── ansible
        ├── files
        │   ├── 98_4linux
        │   ├── bkp-banco.sh
        │   ├── client
        │   │   └── syslog-tls.conf
        │   ├── filebeat
        │   │   └── filebeat.yml
        │   ├── logstash
        │   │   ├── filebeat-input.conf
        │   │   ├── output-elasticsearch.conf
        │   │   └── syslog-filter.conf
        │   ├── metricbeat
        │   │   └── metricbeat.yml
        │   ├── nginx
        │   │   └── kibana.4labs.example
        │   ├── rocketchat-deploy
        │   │   └── docker-compose.yaml
        │   ├── server
        │   │   └── syslog-tls.conf
        │   └── wordpress-deploy
        │       └── docker-compose.yaml
        ├── graylog.yaml
        ├── kibana.yaml
        └── webserver.yaml

/README.md:
--------------------------------------------------------------------------------
Lab 4516 - Log Auditing
=======================

Repository holding the lab for the Log Auditing course from [4Linux][1]

Dependencies
------------

To build the lab, the following software must be installed beforehand:

* [Git][2]
* [VirtualBox][3]
* [Vagrant][4]

> On Windows machines we recommend, where possible, installing through the **[Cygwin][5]** package manager.

> On macOS machines we recommend, where possible, installing through the **brew** package manager.

Lab
---

The lab is built with [Vagrant][6], a tool for creating and managing virtualized environments (backed by numerous providers) with a focus on automation.

In this lab, which is centered on the [Vagrantfile][7], 1 machine will be created with the following characteristics:

Name | vCPUs | RAM | IP | OS¹
---------- |:-----:|:-----------:|:-------------:|:---------------:
webserver-audit | 1 | 2048MB | 172.16.0.11 | centos-7.3-x86_64
graylog-audit | 1 | 2560MB | 172.16.0.12 | ubuntu-18.04-amd64
kibana-audit | 1 | 2560MB | 172.16.0.13 | debian-10-amd64

> **¹**: These operating systems are used as Boxes, which is what Vagrant calls the images of the operating system in use.

Building the lab
----------------

To build the lab, `git clone` this repository and, inside the downloaded folder, run `vagrant up`, as shown below:

```bash
git clone https://github.com/4linux/4516
cd 4516/
vagrant up
```

_The lab **can take a while** to be fully ready, depending on your internet connection and computing power._

> If machine creation fails, always check that your connection is good, the error output on screen and, if necessary, the file **/var/log/vagrant_provision.log** inside the machine that failed.

Finally, for easier use, below are some basic Vagrant commands for managing the virtual machines.

Commands | Description
:----------------------:| ---------------------------------------
`vagrant init` | Generates the Vagrantfile
`vagrant box add ` | Downloads a system image
`vagrant box status` | Checks the status of the created boxes
`vagrant up` | Creates/starts the VMs based on the Vagrantfile
`vagrant provision` | Applies logical changes to the VMs
`vagrant status` | Checks whether the VMs are up or not.
`vagrant ssh ` | Accesses the VM
`vagrant ssh -c ` | Runs a command over ssh
`vagrant reload ` | Restarts the VM
`vagrant halt` | Shuts down the VMs

> For more information see the [Vagrant documentation][8]

[1]: https://4linux.com.br
[2]: https://git-scm.com/downloads
[3]: https://www.virtualbox.org/wiki/Downloads
[4]: https://www.vagrantup.com/downloads
[5]: https://cygwin.com/install.html
[6]: https://www.vagrantup.com/
[7]: ./Vagrantfile
[8]: https://www.vagrantup.com/docs
--------------------------------------------------------------------------------

/Vagrantfile:
--------------------------------------------------------------------------------
# -*- mode: ruby -*-
# vi: set ft=ruby :

# A bare `VAGRANT_DISABLE_VBOXSYMLINKCREATE=1` here only defines a Ruby constant;
# Vagrant reads this setting from the environment, so it must be set through ENV.
ENV['VAGRANT_DISABLE_VBOXSYMLINKCREATE'] = '1'

vms = {
  'webserver-audit' => {'memory' => '2048', 'cpus' => 1, 'ip' => '11', 'box' => 'devopsbox/centos-8.5-docker-ansible-2.9', 'provision' => 'provision/ansible/webserver.yaml'},
  'graylog-audit' => {'memory' => '2560', 'cpus' => 1, 'ip' => '12', 'box' => 'devopsbox/ubuntu-20.04', 'provision' => 'provision/ansible/graylog.yaml'},
  'kibana-audit' => {'memory' => '2560', 'cpus' => 1, 'ip' => '13', 'box' => 'devopsbox/debian-10.11', 'provision' => 'provision/ansible/kibana.yaml'}
}

Vagrant.configure('2') do |config|

  config.vm.box_check_update = false

  vms.each do |name, conf|
    config.vm.define "#{name}" do |k|
      k.vm.box = "#{conf['box']}"
      k.vm.hostname = "#{name}"
      k.vm.network 'private_network', ip: "172.16.0.#{conf['ip']}"
      k.vm.provider 'virtualbox' do |vb|
        vb.memory = conf['memory']
        vb.cpus = conf['cpus']
      end
      # Ansible runs inside the guest (ansible_local), so no Ansible is needed on the host
      k.vm.provision 'ansible_local' do |ansible|
        ansible.playbook = "#{conf['provision']}"
        ansible.compatibility_mode = '2.0'
      end
    end
  end
end
--------------------------------------------------------------------------------
/provision/ansible/files/98_4linux:
--------------------------------------------------------------------------------
# Passwordless full sudo for the lab user; acceptable on a throwaway VM, not on anything reachable
suporte ALL=(ALL) NOPASSWD:ALL
--------------------------------------------------------------------------------

/provision/ansible/files/bkp-banco.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Dumps the rsyslog MySQL database to /opt/backup; extra arguments are passed through to mysqldump.
# Note: the password is visible in the process list and 2>/dev/null hides dump errors.
mysqldump --user="rsysloguser" --password="rsyslogpw" "$@" "Syslog" > "/opt/backup/syslog-$(date '+%d-%m-%Y')".sql 2> /dev/null
--------------------------------------------------------------------------------

/provision/ansible/files/client/syslog-tls.conf:
--------------------------------------------------------------------------------
# GnuTLS-encrypted forwarding; auth mode 'anon' checks no certificate on the peer,
# so this gives transport encryption only, not authentication of the receiver.
$DefaultNetStreamDriverCAFile /etc/rsyslog-keys/ca.pem

$DefaultNetStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon

# Forward everything over TCP (@@) with octet-counted framing (o) to graylog:6514
*.* @@(o)graylog:6514
--------------------------------------------------------------------------------

/provision/ansible/files/filebeat/filebeat.yml:
--------------------------------------------------------------------------------
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "172.16.0.13:5601"

output.logstash:
  hosts: ["172.16.0.13:5044"]

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
--------------------------------------------------------------------------------

/provision/ansible/files/logstash/filebeat-input.conf:
--------------------------------------------------------------------------------
input {
  beats {
    port => 5044
    type => syslog
  }
}
--------------------------------------------------------------------------------

/provision/ansible/files/logstash/output-elasticsearch.conf:
--------------------------------------------------------------------------------
output {
  elasticsearch {
    # hosts was set twice in the original (array form and string form); one setting is enough
    hosts => ["172.16.0.13:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
--------------------------------------------------------------------------------

/provision/ansible/files/logstash/syslog-filter.conf:
--------------------------------------------------------------------------------
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # BSD syslog timestamps carry no year; lines that do not match the grok pattern
    # keep @timestamp = arrival time and are tagged _grokparsefailure
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
--------------------------------------------------------------------------------

/provision/ansible/files/metricbeat/metricbeat.yml:
--------------------------------------------------------------------------------
metricbeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression

setup.kibana:
  host: "172.16.0.13:5601"

output.elasticsearch:
  hosts: ["172.16.0.13:9200"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

logging.to_files: true
logging.files:
  path: /var/log/metricbeat
  name: metricbeat
  keepfiles: 7
  permissions: 0644
--------------------------------------------------------------------------------
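As an added example (not code from the 4516 repository), the Python below reproduces what the grok and date filters in syslog-filter.conf do to a BSD-syslog line, so the pattern can be checked against sample input offline; the hostname class is a simplified stand-in for `%{SYSLOGHOST}` and the sample lines are constructed.

```python
import re
from datetime import datetime

# Python equivalent of the grok pattern in syslog-filter.conf:
#   %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA}
# SYSLOGHOST is simplified to a hostname/IP character class.
SYSLOG_RE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.\-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>[1-9]\d*)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Constructed sample lines: one with a pid and a single-digit day, one without a pid,
# and one RFC 3339 line that the grok pattern cannot parse.
SAMPLE_LINES = [
    "Mar  5 10:13:01 webserver sshd[2231]: Accepted publickey for suporte from 172.16.0.1 port 51234 ssh2",
    "Mar 15 10:13:02 kibana systemd: Started Kibana.",
    "2024-03-15T10:13:03Z webserver nginx: not a BSD syslog line",
]


def parse_syslog_line(line, year=None):
    """Return the fields the grok and date filters would add, or None when the
    line would be tagged _grokparsefailure."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # The date filter's "MMM d HH:mm:ss" / "MMM dd HH:mm:ss" patterns carry no year;
    # Logstash assumes the current one, so do the same unless a year is given.
    stamp = datetime.strptime(fields["syslog_timestamp"], "%b %d %H:%M:%S")
    fields["@timestamp"] = stamp.replace(year=year or datetime.now().year).isoformat()
    return fields


def parse_many(lines, year=None):
    """Parse a batch; unparsed lines come back separately so format drift is visible."""
    parsed, failed = [], []
    for line in lines:
        rec = parse_syslog_line(line, year)
        if rec is None:
            failed.append(line)
        else:
            parsed.append(rec)
    return parsed, failed


if __name__ == "__main__":
    ok, bad = parse_many(SAMPLE_LINES, year=2024)
    for rec in ok:
        print(rec["@timestamp"], rec["syslog_hostname"], rec["syslog_program"], rec["syslog_pid"])
    print(f"{len(bad)} line(s) would be tagged _grokparsefailure")
```

A rising count of unparsed lines is worth alerting on: it usually means a host changed its log format and its events are reaching Elasticsearch without the fields the dashboards filter on.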
/provision/ansible/files/nginx/kibana.4labs.example:
--------------------------------------------------------------------------------
# Basic-auth front door for Kibana; this listener is plain HTTP, so the credentials
# cross the lab network unencrypted
server {
    listen 80;

    server_name kibana.4labs.example;

    auth_basic "Acesso Restrito";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://172.16.0.13:5601/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
--------------------------------------------------------------------------------

/provision/ansible/files/rocketchat-deploy/docker-compose.yaml:
--------------------------------------------------------------------------------
version: '3'

services:
  rocketchat:
    image: rocketchat/rocket.chat:3.1.0
    # Retry loop: the app exits until the mongo replica set is initialised
    command: >
      bash -c
        "for i in `seq 1 30`; do
          node main.js &&
          s=$$? && break || s=$$?;
          echo \"Tried $$i times. Waiting 5 secs...\";
          sleep 5;
        done; (exit $$s)"
    volumes:
      - "./uploads:/app/uploads"
    environment:
      - PORT=3000
      - ROOT_URL=http://172.16.0.11:3000
      - MONGO_URL=mongodb://mongo:27017/rocketchat
      - MONGO_OPLOG_URL=mongodb://mongo:27017/local
    ports:
      - 3000:3000
    networks:
      - traefik

  mongo:
    image: mongo:4.0
    volumes:
      - "./data/db:/data/db"
    command: mongod --smallfiles --oplogSize 128 --replSet rs0 --storageEngine=mmapv1
    networks:
      - traefik

  mongo-init-replica:
    image: mongo:4.0
    command: >
      bash -c
        "for i in `seq 1 30`; do
          mongo mongo/rocketchat --eval \"
            rs.initiate({
              _id: 'rs0',
              members: [ { _id: 0, host: 'localhost:27017' } ]})\" &&
          s=$$? && break || s=$$?;
          echo \"Tried $$i times. Waiting 5 secs...\";
          sleep 5;
        done; (exit $$s)"
    networks:
      - traefik

networks:
  traefik:
    external: true
--------------------------------------------------------------------------------

/provision/ansible/files/server/syslog-tls.conf:
--------------------------------------------------------------------------------
$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem

# rsyslog keeps the last value of a legacy directive, so the webserver pair below is
# overridden by the kibana pair; a receiver presents one certificate of its own, so only
# one CertFile/KeyFile pair belongs here.
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/webserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/webserver-key.pem

$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/kibana-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/kibana-key.pem

# TLS-only TCP listener on 6514; auth mode 'anon' accepts any client without a certificate
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 6514

# Route by sending host into its own file, then discard (~) so the message
# does not also land in the local logs
:fromhost, isequal, "webserver" /var/log/webserver/messages
:fromhost, isequal, "webserver" ~
:fromhost, isequal, "kibana" /var/log/kibana/messages
:fromhost, isequal, "kibana" ~
--------------------------------------------------------------------------------

/provision/ansible/files/wordpress-deploy/docker-compose.yaml:
--------------------------------------------------------------------------------
version: "3"

services:
  traefik:
    image: traefik:1.7
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    networks:
      - traefik
    # --web exposes the Traefik 1.x dashboard/API on 8080 without authentication, and the
    # docker.sock mount gives this container control of the host Docker daemon (lab-only)
    command: >
      --web
      --docker
      --docker.domain=4labs.example
      --docker.watch
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  wordpress-mysql:
    image: "mysql:5.6"
    # Container stdout/stderr goes straight to the Graylog GELF UDP input
    logging:
      driver: "gelf"
      options:
        gelf-address: "udp://172.16.0.12:12201"
    environment:
      MYSQL_ROOT_PASSWORD: wordpresspass
    restart: always
    volumes:
      - "wordpress-mysql:/var/lib/mysql"
    networks:
      - traefik

  wordpress:
    image: "wordpress:4.8-apache"
    logging:
      driver: "gelf"
      options:
        gelf-address: "udp://172.16.0.12:12201"
    environment:
      WORDPRESS_DB_HOST: wordpress-mysql
      WORDPRESS_DB_PASSWORD: wordpresspass
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.port=80"
      - "traefik.backend=wordpress"
      - "traefik.docker.network=traefik"
      - "traefik.frontend.rule=Host:wordpress.4labs.example"
    volumes:
      - "wordpress:/var/www/html"
    networks:
      - traefik

volumes:
  wordpress:
  wordpress-mysql:
networks:
  traefik:
    external: true
--------------------------------------------------------------------------------

/provision/ansible/graylog.yaml:
--------------------------------------------------------------------------------
---
- hosts: all
  become: yes
  become_user: root
  become_method: sudo
  tasks:
    - name: Garantindo /etc/hosts
      lineinfile:
        path: /etc/hosts
        line: "{{ item }}"
      with_items:
        - 172.16.0.11 webserver wordpress.4labs.example chat.4labs.example
        - 172.16.0.12 graylog
        - 172.16.0.13 kibana kibana.4labs.example

    - name: Criando diretorio /opt/filebeat
      synchronize:
        src: files/filebeat
        dest: /opt

    # This host is the rsyslog TLS receiver, so it gets the server-side config
    - name: Criando o arquivo syslog-tls.conf
      copy:
        src: files/server/syslog-tls.conf
        dest: /opt
        mode: 0644

    - name: Criando o arquivo bkp-banco.sh
      copy:
        src: files/bkp-banco.sh
        dest: /opt
        mode: 0644
--------------------------------------------------------------------------------

/provision/ansible/kibana.yaml:
--------------------------------------------------------------------------------
---
- hosts: all
  become: yes
  become_user: root
  become_method: sudo
  tasks:
    - name: Garantindo /etc/hosts
      lineinfile:
        path: /etc/hosts
        line: "{{ item }}"
      with_items:
        - 172.16.0.11 webserver wordpress.4labs.example chat.4labs.example
        - 172.16.0.12 graylog
        - 172.16.0.13 kibana kibana.4labs.example

    - name: Criando diretorio /opt/filebeat
      synchronize:
        src: files/filebeat
        dest: /opt

    - name: Criando diretorio /opt/logstash
      synchronize:
        src: files/logstash
        dest: /opt

    - name: Criando diretorio /opt/metricbeat
      synchronize:
        src: files/metricbeat
        dest: /opt

    - name: Criando diretorio /opt/nginx
      synchronize:
        src: files/nginx
        dest: /opt

    - name: Criando o arquivo syslog-tls.conf
      copy:
        src: files/client/syslog-tls.conf
        dest: /opt
        mode: 0644
--------------------------------------------------------------------------------

/provision/ansible/webserver.yaml:
--------------------------------------------------------------------------------
---
- hosts: all
  become: yes
  become_user: root
  become_method: sudo
  tasks:
    - name: Garantindo /etc/hosts
      lineinfile:
        path: /etc/hosts
        line: "{{ item }}"
      with_items:
        - 172.16.0.11 webserver wordpress.4labs.example chat.4labs.example
        - 172.16.0.12 graylog
        - 172.16.0.13 kibana kibana.4labs.example

    - name: Criando diretorio /home/suporte/wordpress-deploy
      synchronize:
        src: files/wordpress-deploy
        dest: /home/suporte

    - name: Criando diretorio /home/suporte/rocketchat-deploy
      synchronize:
        src: files/rocketchat-deploy
        dest: /home/suporte

    - name: Criando diretorio /opt/filebeat
      synchronize:
        src: files/filebeat
        dest: /opt

    - name: Criando o arquivo syslog-tls.conf
      copy:
        src: files/client/syslog-tls.conf
        dest: /opt
        mode: 0644

    # `group:` would replace the user's primary group; `groups:` + `append` adds the
    # supplementary docker group the task name asks for (docker group = root-equivalent)
    - name: Adiciona o usuario vagrant no grupo docker
      user:
        name: vagrant
        groups: docker
        append: yes

    - name: Adiciona o usuario suporte no grupo docker
      user:
        name: suporte
        groups: docker
        append: yes

    # Create only if absent, so a second `vagrant provision` does not fail here
    - name: Cria a rede traefik
      shell: docker network inspect traefik >/dev/null 2>&1 || docker network create traefik

    - name: Download do Docker Compose
      get_url:
        url: https://github.com/docker/compose/releases/download/1.25.5/docker-compose-Linux-x86_64
        dest: /usr/local/bin/docker-compose
        mode: 0755

    - name: Deploy do Wordpress via Docker Compose
      shell: /usr/local/bin/docker-compose up -d
      args:
        chdir: /home/suporte/wordpress-deploy

    - name: Reinicia a VM
      command: reboot
--------------------------------------------------------------------------------
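Both compose files ship container output with the `gelf` logging driver to `udp://172.16.0.12:12201`. As an added example, not code from the repository, the Python below builds a gzip-compressed GELF 1.1 document shaped like the driver's per-line output (the `_container_name`/`_image_name` names follow the Docker driver; the log line is constructed) and validates an incoming datagram the way a receiver should: size-capped inflation, required fields, and the underscore rule for additional fields.

```python
import gzip
import json
import zlib

GELF_GZIP_MAGIC = b"\x1f\x8b"
GELF_ZLIB_MAGIC = b"\x78"
GELF_CHUNK_MAGIC = b"\x1e\x0f"
STANDARD_FIELDS = {"version", "host", "short_message", "full_message", "timestamp", "level"}
MAX_DOC_BYTES = 64 * 1024  # cap on the inflated document; UDP input is untrusted


def build_gelf(container_name, image, line, ts, stream="stdout", host="webserver"):
    """Gzip-compressed GELF 1.1 document shaped like the Docker gelf driver's per-line output."""
    doc = {
        "version": "1.1",
        "host": host,
        "short_message": line,
        "timestamp": ts,  # epoch seconds
        "level": 6 if stream == "stdout" else 3,  # syslog INFO for stdout, ERR for stderr
        "_container_name": container_name,  # '_' fields follow the driver's naming
        "_image_name": image,
    }
    return gzip.compress(json.dumps(doc).encode())


def decode_gelf(datagram):
    """Inflate and validate one GELF datagram the way a receiver such as Graylog must."""
    if datagram.startswith(GELF_CHUNK_MAGIC):
        raise ValueError("chunked GELF: reassemble the chunks before decoding")
    if datagram.startswith((GELF_GZIP_MAGIC, GELF_ZLIB_MAGIC)):
        # Inflate with an output cap so a small datagram cannot become a huge document
        d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)  # 32: accept gzip or zlib header
        raw = d.decompress(datagram, MAX_DOC_BYTES)
        if d.unconsumed_tail:
            raise ValueError("GELF payload inflates past MAX_DOC_BYTES")
    else:
        raw = datagram  # uncompressed JSON
    doc = json.loads(raw)
    missing = [k for k in ("version", "host", "short_message") if k not in doc]
    if missing or doc["version"] != "1.1":
        raise ValueError(f"missing fields {missing} or unsupported version")
    for key in doc:
        # Additional fields must be '_'-prefixed and '_id' is reserved by the spec
        if key == "_id" or (key not in STANDARD_FIELDS and not key.startswith("_")):
            raise ValueError(f"invalid field name {key!r}")
    return doc


def is_valid_gelf(datagram):
    """True when decode_gelf accepts the datagram; lets a receiver drop bad input quietly."""
    try:
        decode_gelf(datagram)
        return True
    except (ValueError, zlib.error):
        return False
```

Because the input is plain UDP, anything on the lab network can inject documents with a forged `host` or `_container_name`; that is what the rsyslog TLS path in this repository avoids for the system logs.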