├── CalderaMitre ├── .gitignore ├── Dockerfile ├── README.md ├── conf │ ├── caldera │ │ ├── caldera.service │ │ └── settings.yaml.default │ ├── mongo │ │ └── mongodb.conf │ └── nginx │ │ ├── nginx.conf │ │ └── nginx_caldera.conf ├── deploy_caldera.yml ├── deploy_windows_agents.yml ├── docker │ └── start.sh ├── group_vars │ ├── all.example │ └── windows.example ├── hosts └── roles │ ├── caldera │ ├── caldera.yml │ ├── firewall.yml │ ├── mongo.yml │ └── nginx.yml │ ├── init.yml │ └── win_agents │ └── deploy_cagent.yml ├── GoogleGrr ├── .gitignore ├── README.md ├── conf │ └── nginx │ │ ├── nginx.conf │ │ └── nginx_grr.conf ├── deploy_grr.yml ├── group_vars │ ├── all.example │ └── grr.example ├── hosts └── roles │ └── server │ ├── firewall.yml │ ├── grr.yml │ ├── init.yml │ ├── mysql.yml │ └── nginx.yml ├── Kolide ├── .gitignore ├── README.md ├── conf │ ├── agents │ │ ├── certificate.example │ │ ├── osquery.flags │ │ └── osquery.key │ ├── filebeat │ │ └── filebeat.yml │ ├── kolide │ │ ├── kolide.service │ │ └── kolide.yml │ └── nginx │ │ ├── nginx.conf │ │ ├── nginx_graylog.conf │ │ └── nginx_kolide.conf ├── deploy_graylog.yml ├── deploy_kolide.yml ├── deploy_linux_osquery_agents.yml ├── deploy_windows_osquery_agents.yml ├── group_vars │ ├── agents.example │ ├── all.example │ ├── graylog.example │ ├── kolide.example │ └── windows.example ├── hosts └── roles │ ├── agents │ ├── deploy_osquery_centos.yml │ ├── deploy_osquery_ubuntu.yml │ └── deploy_osquery_windows.yml │ ├── graylog │ └── deploy_graylog.yml │ ├── init.yml │ └── kolide │ ├── filebeat.yml │ ├── kolide.yml │ ├── mysql.yml │ └── redis.yml ├── LabScrips ├── README.md └── WinRMize │ ├── .gitignore │ ├── hosts.example │ └── psexec_ansiblize_setup.ps1 ├── README.md ├── docker_machine_botnet ├── .gitignore ├── README.md ├── deploy_docker_manager.yml ├── deploy_docker_nodes.yml ├── group_vars │ └── all.example ├── hosts.example └── roles │ ├── setup_manager.yml │ └── setup_nodes.yml └── honeypots ├── Cowrie └── 
docker-compose-cowire.yml ├── README.md └── Responder ├── Dockerfile └── docker-compose-responder.yml /CalderaMitre/.gitignore: -------------------------------------------------------------------------------- 1 | *.retry 2 | group_vars/all 3 | group_vars/windows 4 | -------------------------------------------------------------------------------- /CalderaMitre/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN apt-get update -y 4 | 5 | RUN apt-get install mongodb python3-pip python3-dev git wget -y 6 | COPY conf/mongo/mongodb.conf /etc/mongodb.conf 7 | RUN mkdir -p /data/db/ 8 | 9 | RUN mkdir /opt/caldera 10 | RUN git clone https://github.com/mitre/caldera.git /opt/caldera 11 | 12 | WORKDIR /opt/caldera/caldera 13 | RUN pip3 install --upgrade pip 14 | RUN sed -i 's#aiohttp==2.3.2#aiohttp==2.3.8#g' requirements.txt 15 | RUN pip3 install -r requirements.txt 16 | 17 | RUN mkdir -p ../dep/crater/crater 18 | RUN wget https://github.com/mitre/caldera-crater/releases/download/v0.1.0/CraterMainWin8up.exe -O ../dep/crater/crater/CraterMain.exe 19 | 20 | COPY docker/start.sh start.sh 21 | RUN chmod +x start.sh 22 | 23 | EXPOSE 8888 24 | 25 | CMD ["./start.sh"] 26 | -------------------------------------------------------------------------------- /CalderaMitre/README.md: -------------------------------------------------------------------------------- 1 | # Caldera 2 | ## Ansible setup - prod 3 | 0. vim hosts and set [caldera] 4 | 0. mv group_vars/all.example group_vars/all 5 | 0. vim group_vars/all and set: 6 | 1. base_domain 7 | 1. caldera_pass 8 | 0. Create a DNS entry on your DNS server for {{ caldera_pass }}.{{ base_domain }} 9 | 0. ansible-playbook -i hosts deploy_caldera.yml -u 10 | 11 | ## Docker setup - dev 12 | 0. docker build -t caldera . 13 | 0. docker run -d -p 8888:8888 --hostname= caldera 14 | 1. A DNS entry MUST be made to point at the host running the Docker container. 
By default Caldera uses the hostname of the Docker container which is only accessible within the Docker network. 15 | 16 | ## Deploy Caldera agents to Windows 17 | 0. vim hosts and set [win_agents] 18 | 0. mv group_vars/windows.example group_vars/windows 19 | 0. vim group_vars/windows and set: 20 | 1. ansible_user: 21 | 1. ansible_password: 22 | 0. ansible-playbook -i hosts deploy_windows_agents.yml 23 | 24 | 25 | 26 | ## Supported OSes for Ansible 27 | * Ubuntu Server 16.04 64-bit 28 | 29 | # To do: 30 | 31 | # Resources/Sources 32 | * https://caldera.readthedocs.io/en/latest/installation.html 33 | * https://github.com/mitre/caldera 34 | -------------------------------------------------------------------------------- /CalderaMitre/conf/caldera/caldera.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=MITRE Caldera service 3 | After=network.target 4 | 5 | [Service] 6 | User=caldera 7 | Restart=on-failure 8 | WorkingDirectory={{ caldera_dir }}/caldera 9 | ExecStart=/usr/bin/python3 caldera.py 10 | 11 | [Install] 12 | WantedBy=multi-user.target 13 | -------------------------------------------------------------------------------- /CalderaMitre/conf/caldera/settings.yaml.default: -------------------------------------------------------------------------------- 1 | crypto: 2 | cert: '' 3 | key: '' 4 | server: 5 | host: 127.0.0.1 6 | https: false 7 | port: 8888 8 | users: 9 | - name: {{ caldera_user }} 10 | password: {{ caldera_pass }} 11 | proxy: 12 | default: 13 | cert: '' 14 | http: '' 15 | https: '' 16 | -------------------------------------------------------------------------------- /CalderaMitre/conf/mongo/mongodb.conf: -------------------------------------------------------------------------------- 1 | # mongodb.conf 2 | 3 | # Where to store the data. 
4 | dbpath=/var/lib/mongodb 5 | 6 | #where to log 7 | logpath=/var/log/mongodb/mongodb.log 8 | 9 | logappend=true 10 | 11 | bind_ip = 127.0.0.1 12 | port = 27017 13 | 14 | # Enable journaling, http://www.mongodb.org/display/DOCS/Journaling 15 | journal=true 16 | 17 | ############################################################ 18 | # Caldera replication set 19 | ############################################################ 20 | replSet = caldera 21 | 22 | # Enables periodic logging of CPU utilization and I/O wait 23 | #cpu = true 24 | 25 | # Turn on/off security. Off is currently the default 26 | #noauth = true 27 | #auth = true 28 | 29 | # Verbose logging output. 30 | #verbose = true 31 | 32 | # Inspect all client data for validity on receipt (useful for 33 | # developing drivers) 34 | #objcheck = true 35 | 36 | # Enable db quota management 37 | #quota = true 38 | 39 | # Set oplogging level where n is 40 | # 0=off (default) 41 | # 1=W 42 | # 2=R 43 | # 3=both 44 | # 7=W+some reads 45 | #oplog = 0 46 | 47 | # Diagnostic/debugging option 48 | #nocursors = true 49 | 50 | # Ignore query hints 51 | #nohints = true 52 | 53 | # Disable the HTTP interface (Defaults to localhost:27018). 54 | #nohttpinterface = true 55 | 56 | # Turns off server-side scripting. This will result in greatly limited 57 | # functionality 58 | #noscripting = true 59 | 60 | # Turns off table scans. Any query that would do a table scan fails. 61 | #notablescan = true 62 | 63 | # Disable data file preallocation. 64 | #noprealloc = true 65 | 66 | # Specify .ns file size for new databases. 67 | # nssize = 68 | 69 | # Accout token for Mongo monitoring server. 70 | #mms-token = 71 | 72 | # Server name for Mongo monitoring server. 73 | #mms-name = 74 | 75 | # Ping interval for Mongo monitoring server. 
76 | #mms-interval = 77 | 78 | # Replication Options 79 | 80 | # in replicated mongo databases, specify here whether this is a slave or master 81 | #slave = true 82 | #source = master.example.com 83 | # Slave only: specify a single database to replicate 84 | #only = master.example.com 85 | # or 86 | #master = true 87 | #source = slave.example.com 88 | 89 | # Address of a server to pair with. 90 | #pairwith = 91 | # Address of arbiter server. 92 | #arbiter = 93 | # Automatically resync if slave data is stale 94 | #autoresync 95 | # Custom size for replication operation log. 96 | #oplogSize = 97 | # Size limit for in-memory storage of op ids. 98 | #opIdMem = 99 | 100 | # SSL options 101 | # Enable SSL on normal ports 102 | #sslOnNormalPorts = true 103 | # SSL Key file and password 104 | #sslPEMKeyFile = /etc/ssl/mongodb.pem 105 | #sslPEMKeyPassword = pass 106 | -------------------------------------------------------------------------------- /CalderaMitre/conf/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | user www-data; 2 | worker_processes auto; 3 | pid /run/nginx.pid; 4 | 5 | events { 6 | worker_connections 768; 7 | # multi_accept on; 8 | } 9 | 10 | http { 11 | 12 | ## 13 | # Basic Settings 14 | ## 15 | 16 | sendfile on; 17 | tcp_nopush on; 18 | tcp_nodelay on; 19 | keepalive_timeout 65; 20 | types_hash_max_size 2048; 21 | # server_tokens off; 22 | 23 | # server_names_hash_bucket_size 64; 24 | # server_name_in_redirect off; 25 | 26 | include /etc/nginx/mime.types; 27 | default_type application/octet-stream; 28 | 29 | ## 30 | # SSL Settings 31 | ## 32 | 33 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE 34 | ssl_prefer_server_ciphers on; 35 | 36 | ## 37 | # Logging Settings 38 | ## 39 | 40 | access_log /var/log/nginx/access.log; 41 | error_log /var/log/nginx/error.log; 42 | 43 | ## 44 | # Gzip Settings 45 | ## 46 | 47 | gzip on; 48 | gzip_disable "msie6"; 49 | 50 | # gzip_vary on; 51 | # 
gzip_proxied any; 52 | # gzip_comp_level 6; 53 | # gzip_buffers 16 8k; 54 | # gzip_http_version 1.1; 55 | # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; 56 | 57 | #### 58 | # Config for web sockets 59 | #### 60 | map $http_upgrade $connection_upgrade { 61 | default upgrade; 62 | '' close; 63 | } 64 | 65 | include /etc/nginx/conf.d/*.conf; 66 | } 67 | -------------------------------------------------------------------------------- /CalderaMitre/conf/nginx/nginx_caldera.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80 default_server; 3 | listen [::]:80 default_server; 4 | server_name _; 5 | return 301 https://$host$request_uri; 6 | } 7 | 8 | upstream websocket { 9 | server 127.0.0.1:8888; 10 | } 11 | 12 | server { 13 | listen 443 ssl; 14 | server_name {{ caldera_hostname }}.{{ base_domain }}; 15 | 16 | ssl_certificate /etc/nginx/ssl/{{ cert_name }}.crt; 17 | ssl_certificate_key /etc/nginx/ssl/{{ cert_name }}.key; 18 | 19 | ssl_dhparam /etc/nginx/ssl/dhparam.pem; 20 | ssl_ciphers HIGH:!aNULL:!MD5; 21 | 22 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 23 | ssl_prefer_server_ciphers on; 24 | 25 | location / 26 | { 27 | proxy_http_version 1.1; 28 | proxy_set_header Upgrade $http_upgrade; 29 | proxy_set_header Connection $connection_upgrade; 30 | proxy_pass http://127.0.0.1:8888; 31 | } 32 | 33 | 34 | } 35 | -------------------------------------------------------------------------------- /CalderaMitre/deploy_caldera.yml: -------------------------------------------------------------------------------- 1 | - hosts: caldera 2 | become: yes 3 | become_user: root 4 | tasks: 5 | - import_tasks: roles/init.yml 6 | - import_tasks: roles/caldera/mongo.yml 7 | - import_tasks: roles/caldera/caldera.yml 8 | #- import_tasks: roles/caldera/nginx.yml 9 | - import_tasks: roles/caldera/firewall.yml 10 | 
-------------------------------------------------------------------------------- /CalderaMitre/deploy_windows_agents.yml: -------------------------------------------------------------------------------- 1 | - hosts: win_agents 2 | tasks: 3 | - win_ping: 4 | - import_tasks: roles/win_agents/deploy_cagent.yml 5 | -------------------------------------------------------------------------------- /CalderaMitre/docker/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Start mongo 4 | service mongodb start 5 | 6 | # Start web app 7 | /usr/bin/python3 caldera.py 8 | -------------------------------------------------------------------------------- /CalderaMitre/group_vars/all.example: -------------------------------------------------------------------------------- 1 | base_domain: 2 | caldera_hostname: caldera 3 | timezone: America/New_York 4 | 5 | caldera_dir: /opt/caldera 6 | caldera_user: admin 7 | caldera_pass: 8 | -------------------------------------------------------------------------------- /CalderaMitre/group_vars/windows.example: -------------------------------------------------------------------------------- 1 | ansible_user: 2 | ansible_password: 3 | ansible_port: 5986 4 | ansible_connection: winrm 5 | ansible_winrm_scheme: https 6 | ansible_winrm_server_cert_validation: ignore 7 | -------------------------------------------------------------------------------- /CalderaMitre/hosts: -------------------------------------------------------------------------------- 1 | [caldera] 2 | 172.16.77.130 ansible_python_interpreter=/usr/bin/python3 timeout=30 3 | 4 | [windows] 5 | 1.2.3.4 6 | 7 | [windows:children] 8 | win_agents 9 | 10 | [win_agents] 11 | 10.80.100.141 12 | -------------------------------------------------------------------------------- /CalderaMitre/roles/caldera/caldera.yml: -------------------------------------------------------------------------------- 1 | 
#################################################### 2 | # Install/Setup Caldera 3 | #################################################### 4 | - name: Install software 5 | package: 6 | name: '{{ item }}' 7 | state: latest 8 | with_items: 9 | - python3-dev 10 | - python3-pip 11 | 12 | - name: Create Caldera user 13 | user: 14 | name: caldera 15 | shell: /usr/sbin/nologin 16 | 17 | - name: Download caldera 18 | git: 19 | repo: 'https://github.com/mitre/caldera.git' 20 | dest: '{{ caldera_dir }}'  # NOTE(review): no version: pin, so every run tracks the branch head rather than a known release 21 | - file: 22 | path: '{{ caldera_dir }}' 23 | recurse: yes 24 | state: directory 25 | owner: caldera 26 | group: caldera 27 | 28 | - name: SED aiohttp==2.3.2 to aiohttp==2.3.8 29 | lineinfile: 30 | path: '{{ caldera_dir }}/caldera/requirements.txt' 31 | regexp: '^aiohttp==2.3.2' 32 | line: 'aiohttp==2.3.8' 33 | 34 | - name: Pip requirements.txt 35 | pip: 36 | requirements: '{{ caldera_dir }}/caldera/requirements.txt' 37 | executable: pip3 38 | 39 | - name: Create directory for CraterMain.exe 40 | file: 41 | path: '{{ caldera_dir }}/dep/crater/crater' 42 | state: directory 43 | owner: caldera 44 | group: caldera 45 | mode: 0755 46 | 47 | - name: Download CraterMain.exe for Win8 and up 48 | get_url: 49 | url: https://github.com/mitre/caldera-crater/releases/download/v0.1.0/CraterMainWin8up.exe 50 | dest: '{{ caldera_dir }}/dep/crater/crater/CraterMain.exe' 51 | validate_certs: no  # NOTE(review): turns off TLS verification for a github.com download of a Windows executable; github.com has a publicly trusted certificate, so leave validation on (the default) and pin the file with get_url's checksum option 52 | 53 | #- name: Copy Caldera settings.yaml 54 | # template: 55 | # src: conf/caldera/settings.yaml.default 56 | # dest: '{{ caldera_dir }}/caldera/conf/settings.yaml.default' 57 | 58 | - name: Copy SystemD file 59 | template: 60 | src: conf/caldera/caldera.service 61 | dest: /etc/systemd/system/caldera.service 62 | 63 | - name: Start caldera service 64 | service: 65 | name: caldera 66 | state: restarted 67 | enabled: yes 68 | -------------------------------------------------------------------------------- /CalderaMitre/roles/caldera/firewall.yml: 
-------------------------------------------------------------------------------- 1 | #################################################################### 2 | # Setup Firewall 3 | #################################################################### 4 | - name: Setup Ubuntu UFW firewall 5 | ufw: 6 | rule: allow 7 | name: OpenSSH 8 | - ufw: 9 | rule: allow 10 | port: 80 11 | proto: tcp 12 | - ufw: 13 | rule: allow 14 | port: 443 15 | proto: tcp 16 | - ufw: 17 | rule: allow 18 | proto: tcp 19 | port: 8888 20 | - ufw: 21 | state: enabled 22 | policy: deny 23 | -------------------------------------------------------------------------------- /CalderaMitre/roles/caldera/mongo.yml: -------------------------------------------------------------------------------- 1 | #################################################################### 2 | # Install/Setup MongoDB 3 | #################################################################### 4 | - name: Install MongoDB 5 | package: 6 | name: '{{ item }}' 7 | state: latest 8 | with_items: 9 | - mongodb-server 10 | 11 | - name: Copy Mongo conf 12 | template: 13 | src: conf/mongo/mongodb.conf 14 | dest: /etc/mongodb.conf 15 | 16 | - name: Start Mongo service 17 | service: 18 | name: mongodb 19 | state: restarted 20 | enabled: yes 21 | -------------------------------------------------------------------------------- /CalderaMitre/roles/caldera/nginx.yml: -------------------------------------------------------------------------------- 1 | #################################################################### 2 | # Install/Setup Nginx 3 | #################################################################### 4 | - name: Install/Setup Nginx 5 | package: 6 | name: '{{ item }}' 7 | state: latest 8 | with_items: 9 | - nginx 10 | 11 | - name: Backup nginx conf 12 | shell: cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak 13 | 14 | - file: 15 | path: /etc/nginx/ssl 16 | owner: root 17 | group: root 18 | state: directory 19 | 20 | - file: 21 | path: 
/etc/nginx/ssl 22 | state: directory 23 | mode: 0400 24 | 25 | - name: Copy nginx.conf 26 | template: 27 | src: conf/nginx/nginx.conf 28 | dest: /etc/nginx/nginx.conf 29 | 30 | - name: Copy nginx_caldera.conf 31 | template: 32 | src: conf/nginx/nginx_caldera.conf 33 | dest: /etc/nginx/conf.d/nginx_caldera.conf 34 | 35 | - name: Generate DH key 36 | stat: 37 | path: /etc/nginx/ssl/dhparam.pem 38 | register: stat_dhparam 39 | - shell: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 40 | when: stat_dhparam.stat.exists == False 41 | - shell: openssl req -new -nodes -x509 -days 3650 -subj "/C={{ cert_country }}/ST={{ cert_state }}/L={{ cert_local }}/O={{ cert_org }}/CN={{ caldera_hostname }}.{{ base_domain }}" -keyout /etc/nginx/ssl/{{ cert_name }}.key -out /etc/nginx/ssl/{{ cert_name }}.crt 42 | when: stat_dhparam.stat.exists == False 43 | 44 | - name: Start Nginx service 45 | service: 46 | name: nginx 47 | state: restarted 48 | enabled: yes 49 | -------------------------------------------------------------------------------- /CalderaMitre/roles/init.yml: -------------------------------------------------------------------------------- 1 | #################################################################### 2 | # Apt update 3 | #################################################################### 4 | - name: Run the equivalent of "apt-get update" as a separate step 5 | apt: 6 | update_cache: yes 7 | 8 | #################################################################### 9 | # Setup Timedatectl 10 | #################################################################### 11 | - name: Set time to {{ timezone }} 12 | shell: timedatectl set-ntp on && timedatectl set-timezone {{ timezone }} 13 | 14 | #################################################################### 15 | # Set hostname 16 | #################################################################### 17 | - name: add hostname to /etc/hosts 18 | lineinfile: 19 | dest: /etc/hosts 20 | regexp: '^127\.0\.0\.1[ 
\t]+localhost' 21 | line: '127.0.0.1 localhost {{ caldera_hostname }} {{ caldera_hostname }}.{{ base_domain }}' 22 | state: present 23 | - hostname: 24 | name: "{{ caldera_hostname }}.{{ base_domain }}" 25 | -------------------------------------------------------------------------------- /CalderaMitre/roles/win_agents/deploy_cagent.yml: -------------------------------------------------------------------------------- 1 | #################################################### 2 | # Install/Setup Caldera agent 3 | #################################################### 4 | - name: Create Caldera directory 5 | win_file: 6 | path: C:\Program Files\cagent 7 | state: directory 8 | 9 | - name: Get config 10 | win_get_url: 11 | url: https://{{ caldera_hostname }}.{{ base_domain }}:{{ item }}/conf.yml 12 | dest: C:\Program Files\cagent\conf.yml 13 | validate_certs: no 14 | with_items: 15 | - 8888 16 | # - 443 17 | 18 | - name: Copy binary 19 | win_get_url: 20 | url: https://github.com/mitre/caldera-agent/releases/download/v0.1.0/cagent.exe 21 | dest: C:\Program Files\cagent\cagent.exe 22 | 23 | - name: Install cagent.exe 24 | win_shell: .\cagent.exe --startup auto install 25 | args: 26 | chdir: C:\Program Files\cagent 27 | 28 | - name: Install cagent.exe 29 | win_shell: .\cagent.exe start 30 | args: 31 | chdir: C:\Program Files\cagent 32 | -------------------------------------------------------------------------------- /GoogleGrr/.gitignore: -------------------------------------------------------------------------------- 1 | *.retry 2 | group_vars/all 3 | group_vars/grr 4 | -------------------------------------------------------------------------------- /GoogleGrr/README.md: -------------------------------------------------------------------------------- 1 | # Ansible Google Grr server 2 | 0. mv group_vars/all.example group_vars/all 3 | 0. vim hosts and set [google_grr] 4 | 0. vim group_vars/all and set: 5 | 1. base_domain 6 | 1. grr_hostname 7 | 1. timezone 8 | 1. 
cert info 9 | 0. mv group_vars/grr.example group_vars/grr 10 | 0. vim group_vars/grr and set: 11 | 1. mysql_root_password 12 | 1. mysql_grr_user 13 | 1. mysql_grr_pass 14 | 1. grr_password 15 | 1. email settings(optional) 16 | 0. ansible-playbook -i hosts deploy_grr.yml -u 17 | 18 | # Ansible Google Grr agents 19 | 20 | ## Supported OSes 21 | * Ubuntu Server 16.04 64-bit 22 | -------------------------------------------------------------------------------- /GoogleGrr/conf/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | user www-data; 2 | worker_processes auto; 3 | pid /run/nginx.pid; 4 | 5 | events { 6 | worker_connections 768; 7 | # multi_accept on; 8 | } 9 | 10 | http { 11 | 12 | ## 13 | # Basic Settings 14 | ## 15 | 16 | sendfile on; 17 | tcp_nopush on; 18 | tcp_nodelay on; 19 | keepalive_timeout 65; 20 | types_hash_max_size 2048; 21 | # server_tokens off; 22 | 23 | # server_names_hash_bucket_size 64; 24 | # server_name_in_redirect off; 25 | 26 | include /etc/nginx/mime.types; 27 | default_type application/octet-stream; 28 | 29 | ## 30 | # SSL Settings 31 | ## 32 | 33 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE 34 | ssl_prefer_server_ciphers on; 35 | 36 | ## 37 | # Logging Settings 38 | ## 39 | 40 | access_log /var/log/nginx/access.log; 41 | error_log /var/log/nginx/error.log; 42 | 43 | ## 44 | # Gzip Settings 45 | ## 46 | 47 | gzip on; 48 | gzip_disable "msie6"; 49 | 50 | # gzip_vary on; 51 | # gzip_proxied any; 52 | # gzip_comp_level 6; 53 | # gzip_buffers 16 8k; 54 | # gzip_http_version 1.1; 55 | # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; 56 | 57 | ## 58 | # Virtual Host Configs 59 | ## 60 | 61 | include /etc/nginx/conf.d/*.conf; 62 | } 63 | -------------------------------------------------------------------------------- /GoogleGrr/conf/nginx/nginx_grr.conf: 
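-------------------------------------------------------------------------------- 1 | server { 2 | listen 80 default_server; 3 | listen [::]:80 default_server; 4 | server_name _; 5 | return 301 https://$host$request_uri; 6 | } 7 | 8 | server  {    9 | listen 443 ssl; 10 | server_name {{ grr_hostname }}.{{ base_domain }}; 11 | 12 | ssl_certificate /etc/nginx/ssl/{{ cert_name }}.crt; 13 | ssl_certificate_key /etc/nginx/ssl/{{ cert_name }}.key; # NOTE(review): was "{ cert_name }" (single braces), which Jinja leaves unrendered, so nginx looked for a literal "{ cert_name }.key" that nginx.yml never writes 14 | 15 | ssl_dhparam /etc/nginx/ssl/dhparam.pem; 16 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # NOTE(review): TLSv1 and TLSv1.1 are still enabled here 17 | ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; 18 | ssl_prefer_server_ciphers on; 19 | ssl_session_cache shared:SSL:10m; 20 | 21 | location / { 22 | proxy_set_header Host $http_host; 23 | proxy_set_header X-Forwarded-Host $host; 24 | proxy_set_header X-Forwarded-Server $host; 25 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 26 | proxy_pass http://127.0.0.1:8000; 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /GoogleGrr/deploy_grr.yml: -------------------------------------------------------------------------------- 1 | - hosts: google_grr 2 | become: yes 3 | become_user: root 4 | tasks: 5 | - include_vars: group_vars/grr 6 | - import_tasks: roles/server/init.yml 7 | - import_tasks: roles/server/mysql.yml 8 | - import_tasks: roles/server/grr.yml 9 | - import_tasks: roles/server/nginx.yml 10 | - import_tasks: roles/server/firewall.yml 11 | -------------------------------------------------------------------------------- /GoogleGrr/group_vars/all.example: -------------------------------------------------------------------------------- 1 | base_domain: 2 | grr_hostname: grr 3 | 4 | timezone: America/New_York 5 | 6 | # Cert generation 7 | cert_country: 8 | cert_state: 9 | cert_local: 10 | cert_org: 11 | cert_name: 12 | -------------------------------------------------------------------------------- /GoogleGrr/group_vars/grr.example: 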
-------------------------------------------------------------------------------- 1 | # MySQL setup 2 | mysql_root_user: root 3 | mysql_root_password: 4 | 5 | # MySQL Grr database 6 | mysql_grr_dbname: grr 7 | mysql_grr_user: 8 | mysql_grr_pass: 9 | 10 | # Set to % to let the Grr DB user connect from any host; 127.0.0.1 limits it to local connections 11 | mysql_grr_hosts: 127.0.0.1 12 | 13 | # Google Grr admin stuff 14 | grr_password: 15 | grr_email_domain: '{{ base_domain }}' 16 | grr_email_alert: 'grr-monitoring@{{ base_domain }}' 17 | grr_email_emerg: 'grr-emergency@{{ base_domain }}' 18 | -------------------------------------------------------------------------------- /GoogleGrr/hosts: -------------------------------------------------------------------------------- 1 | [google_grr] 2 | 172.16.77.130 ansible_python_interpreter=/usr/bin/python3 timeout=30 3 | -------------------------------------------------------------------------------- /GoogleGrr/roles/server/firewall.yml: -------------------------------------------------------------------------------- 1 | #################################################################### 2 | # Setup Firewall 3 | #################################################################### 4 | - name: Setup Ubuntu UFW firewall 5 | ufw: 6 | rule: allow 7 | name: OpenSSH 8 | - ufw: 9 | rule: allow 10 | port: 80 11 | proto: tcp 12 | - ufw: 13 | rule: allow 14 | port: 443 15 | proto: tcp 16 | - ufw: 17 | rule: allow 18 | port: 8000 19 | proto: tcp  # NOTE(review): 8000 is the backend that nginx_grr.conf proxies to (proxy_pass http://127.0.0.1:8000); opening it here exposes the plain-HTTP admin UI directly if it listens on a non-loopback address — confirm this rule is needed 20 | - ufw: 21 | state: enabled 22 | policy: deny 23 | -------------------------------------------------------------------------------- /GoogleGrr/roles/server/grr.yml: -------------------------------------------------------------------------------- 1 | #################################################################### 2 | # Install/Setup Google Grr 3 | #################################################################### 4 | - name: Install software 5 | package: 6 | name: '{{ item }}' 7 | state: latest 8 | with_items: 9 | - prelink 10 | - libmysqlclient-dev 11 | 12 | - 
name: Download Google Grr setup script 13 | get_url: 14 | url: https://raw.githubusercontent.com/google/grr/master/scripts/install_script_ubuntu.sh 15 | dest: /tmp 16 | mode: 0400  # NOTE(review): unpinned master-branch script, fetched with no checksum and then run as root by the expect task that follows; pin a tagged commit in the URL and set get_url's checksum 17 | 18 | #################################################################### 19 | # Setup questions 20 | # 1. Datastore [1] - 2 21 | # 2. Are you ready to continue? - Y 22 | # 3. MySQL Host [localhost] - {{ mysql_grr_hosts }} 23 | # 4. MySQL Port (0 for local socket) [0] - 0 24 | # 5. MySQL Database [grr]: '{{ mysql_grr_dbname }}' 25 | # 6. MySQL Username [root]: - '{{ mysql_grr_user }}' 26 | # 7. Please enter password for database user {{ mysql_grr_user }} - '{{ mysql_grr_pass }}' 27 | # 8. Please enter your hostname e.g. grr.example.com [ubuntu] - '{{ grr_hostname }}.{{ base_domain }}' 28 | # 9. Frontend URL [http://{{ grr_hostname }}.{{ base_domain }}:8080/] - ENTER 29 | # 10. AdminUI URL - ENTER 30 | # 11. Email Domain e.g example.com [localhost] - {{ grr_email_domain }} 31 | # 12. Alert Email Address - {{ grr_email_alert }} 32 | # 13. Emergency Access Email Address - {{ grr_email_emerg }} 33 | # 14. Download and upgrade client templates? You can skip this if templates are already installed -y 34 | # 15. 
Google Grr admin password 35 | #################################################################### 36 | - name: Install pexpect (required by the expect task below) 37 | pip: 38 | name: pexpect 39 | 40 | 41 | - name: Run setup script 42 | expect: 43 | command: bash /tmp/install_script_ubuntu.sh 44 | responses: 45 | Question: 46 | - '2' 47 | - 'Y' 48 | - '{{ mysql_grr_hosts }}' 49 | - '0' 50 | - '{{ mysql_grr_dbname }}' 51 | - '{{ mysql_grr_user }}' 52 | - '{{ mysql_grr_pass }}' 53 | - '{{ grr_hostname }}.{{ base_domain }}' 54 | - '' 55 | - '' 56 | - '{{ grr_email_domain }}' 57 | - '{{ grr_email_alert }}' 58 | - '{{ grr_email_emerg }}' 59 | - 'y' 60 | - '{{ grr_password }}' 61 | 62 | - name: Start Google grr service 63 | service: 64 | name: grr-server 65 | state: restarted 66 | enabled: yes 67 | -------------------------------------------------------------------------------- /GoogleGrr/roles/server/init.yml: -------------------------------------------------------------------------------- 1 | #################################################################### 2 | # Apt update 3 | #################################################################### 4 | - name: Run the equivalent of "apt-get update" as a separate step 5 | apt: 6 | update_cache: yes 7 | 8 | #################################################################### 9 | # Setup Timedatectl 10 | #################################################################### 11 | - name: Set time to {{ timezone }} 12 | shell: timedatectl set-ntp on && timedatectl set-timezone {{ timezone }} 13 | -------------------------------------------------------------------------------- /GoogleGrr/roles/server/mysql.yml: -------------------------------------------------------------------------------- 1 | #################################################################### 2 | # Install/Setup MySQL 3 | #################################################################### 4 | - name: Install/Setup MySQL 5 | package: 6 | name: '{{ item }}' 7 | state: latest 8 | 
with_items: 9 | - mysql-server 10 | - python3-mysqldb 11 | - python3-pip 12 | 13 | - name: Start MySQL service 14 | service: 15 | name: mysql.service 16 | state: restarted 17 | enabled: yes 18 | 19 | #################################################################### 20 | # Secure MySQL setup 21 | #################################################################### 22 | - name: Delete anonymous MySQL server user 23 | action: mysql_user user="" host="{{ ansible_hostname }}" state="absent" 24 | ignore_errors: yes 25 | 26 | - name: Delete anonymous MySQL server user for localhost 27 | action: mysql_user user="" state="absent" 28 | ignore_errors: yes 29 | 30 | - name: Remove the MySQL test database 31 | action: mysql_db db=test state=absent 32 | ignore_errors: yes 33 | 34 | - name: Change root user password on first run 35 | mysql_user: login_user=root 36 | login_password='' 37 | name={{ mysql_root_user }} 38 | password={{ mysql_root_password }} 39 | priv=*.*:ALL,GRANT 40 | host={{ item }} 41 | with_items: 42 | - "{{ ansible_hostname }}" 43 | - 127.0.0.1 44 | - ::1 45 | - localhost 46 | ignore_errors: yes 47 | 48 | #################################################################### 49 | # Setup Google Grr database 50 | #################################################################### 51 | - name: Create Grr database 52 | shell: mysql -u {{ mysql_root_user }} --password={{ mysql_root_password }} -e "CREATE DATABASE {{ mysql_grr_dbname }};"  # NOTE(review): the root password is passed on the command line, so it shows up in process listings and in Ansible's logged command; the mysql_db module with login_user/login_password (as the user task below already does) avoids that 53 | ignore_errors: yes 54 | register: mysql_result 55 | failed_when: "'database exists' in mysql_result.stdout"  # NOTE(review): the mysql client prints "database exists" to stderr, so this check never matches, and because failed_when replaces the exit-code check every other error here (e.g. a wrong root password) is masked as well 56 | 57 | - name: Create Grr database user 58 | mysql_user: 59 | name: '{{ mysql_grr_user }}' 60 | password: '{{ mysql_grr_pass }}' 61 | priv: '{{ mysql_grr_dbname }}.*:ALL' 62 | state: present 63 | login_user: '{{ mysql_root_user }}' 64 | login_password: '{{ mysql_root_password }}' 65 | host: '{{ mysql_grr_hosts }}' 66 | ignore_errors: yes 67 | 
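# ---- /GoogleGrr/roles/server/nginx.yml ----
####################################################################
# Install/Setup Nginx
####################################################################
- name: Install/Setup Nginx
  package:
    name: nginx
    state: present

- name: Backup nginx conf
  copy:
    src: /etc/nginx/nginx.conf
    dest: /etc/nginx/nginx.conf.bak
    remote_src: yes

# The directory holds the unencrypted private key. 0700 is what the
# original two file tasks were aiming at: 0400 on a directory is not a
# meaningful restriction (root, which runs the nginx master, bypasses DAC
# and a non-root user could not traverse it either way).
- name: Create TLS material directory
  file:
    path: /etc/nginx/ssl
    owner: root
    group: root
    state: directory
    mode: '0700'

- name: Copy nginx.conf
  template:
    src: conf/nginx/nginx.conf
    dest: /etc/nginx/nginx.conf

- name: Copy nginx_grr.conf
  template:
    src: conf/nginx/nginx_grr.conf
    dest: /etc/nginx/conf.d/nginx_grr.conf

- name: Check for existing DH parameters
  stat:
    path: /etc/nginx/ssl/dhparam.pem
  register: stat_dhparam

- name: Generate DH parameters (slow; only once)
  shell: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
  when: not stat_dhparam.stat.exists

# The certificate gets its own existence check. Previously it was tied to
# the dhparam stat, so a host with dhparam.pem but no key (e.g. after a
# failed first run or a rotated cert) would never get one, and nginx would
# then refuse to start.
- name: Check for existing TLS key
  stat:
    path: /etc/nginx/ssl/{{ cert_name }}.key
  register: stat_tls_key

- name: Generate self-signed certificate
  shell: >
    openssl req -new -nodes -x509 -days 3650
    -subj "/C={{ cert_country }}/ST={{ cert_state }}/L={{ cert_local }}/O={{ cert_org }}/CN={{ grr_hostname }}.{{ base_domain }}"
    -keyout /etc/nginx/ssl/{{ cert_name }}.key
    -out /etc/nginx/ssl/{{ cert_name }}.crt
  when: not stat_tls_key.stat.exists

# -nodes writes the key unencrypted; make sure only root can read it
# regardless of the umask openssl ran under.
- name: Restrict private key permissions
  file:
    path: /etc/nginx/ssl/{{ cert_name }}.key
    owner: root
    group: root
    mode: '0600'

- name: Start Nginx service
  service:
    name: nginx
    state: restarted
    enabled: yes

# ---- /Kolide/.gitignore ----
# Filled-in group_vars hold passwords, the enroll secret and the JWT key;
# keep them (and the real server certificate) out of the repository.
*.retry
group_vars/all
group_vars/kolide
group_vars/agents
group_vars/win_agents
group_vars/graylog
group_vars/windows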
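conf/agents/certificate.crt
.DS_Store

<!-- /Kolide/README.md -->
# Kolide
## Ansible deployment - prod
0. Copy each `group_vars/*.example` to its un-suffixed name and fill it in.
   The filled-in files hold secrets and are git-ignored; consider storing
   them with `ansible-vault`.
0. Put the Fleet server's certificate (PEM) at `conf/agents/certificate.crt`
   (git-ignored). The Windows agent role copies it to
   `C:\ProgramData\osquery\certs\` as the trust anchor osquery uses for
   `--tls_server_certs`.
0. ansible-playbook -i hosts deploy_kolide.yml, then the agent playbooks.

## Docker deployment - dev
0. git clone https://github.com/kolide/kolide-quickstart.git
0. cd kolide-quickstart
0. ./demo.sh up simple
0. ./demo.sh add_hosts 10

# To do:
* Add Mac OSX deployment

<!-- /Kolide/conf/agents/certificate.example -->
Replace this file with conf/agents/certificate.crt: the PEM certificate
(or CA certificate) that the Fleet server presents on 443.

# ---- /Kolide/conf/agents/osquery.flags ----
# Jinja template; the branch selects paths by the target OS family.
# certificate.crt pins the server: enrollment and every result upload is
# refused unless the TLS peer chains to it, so it must be the real Fleet
# cert (or its CA), not a copy grabbed from whatever answered on 443.
{% if (ansible_os_family == "RedHat") or (ansible_os_family == "Debian") %}
--tls_server_certs=/etc/osquery/certificate.crt
--enroll_secret_path=/etc/osquery/osquery.key
{% else %}
--tls_server_certs=C:\ProgramData\osquery\certs\certificate.crt
--enroll_secret_path=C:\ProgramData\osquery\osquery.key
{% endif %}
--tls_hostname={{ fleet_hostname }}.{{ base_domain }}:443
--host_identifier=uuid
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
--disabled_events=false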
/Kolide/conf/agents/osquery.key: -------------------------------------------------------------------------------- 1 | {{ osquery_enroll_secret }} 2 | -------------------------------------------------------------------------------- /Kolide/conf/filebeat/filebeat.yml: -------------------------------------------------------------------------------- 1 | ###################### Filebeat Configuration Example ######################### 2 | 3 | # This file is an example configuration file highlighting only the most common 4 | # options. The filebeat.reference.yml file from the same directory contains all the 5 | # supported options with more comments. You can use it as a reference. 6 | # 7 | # You can find the full configuration reference here: 8 | # https://www.elastic.co/guide/en/beats/filebeat/index.html 9 | 10 | # For more available modules and options, please see the filebeat.reference.yml sample 11 | # configuration file. 12 | 13 | #=========================== Filebeat prospectors ============================= 14 | 15 | filebeat.prospectors: 16 | 17 | # Each - is a prospector. Most options can be set at the prospector level, so 18 | # you can use different prospectors for various configurations. 19 | # Below are the prospector specific configurations. 20 | 21 | - type: log 22 | 23 | # Change to true to enable this prospector configuration. 24 | enabled: true 25 | 26 | # Paths that should be crawled and fetched. Glob based paths. 27 | paths: 28 | - {{ log_dir }}/*.log 29 | #- c:\programdata\elasticsearch\logs\* 30 | 31 | # Exclude lines. A list of regular expressions to match. It drops the lines that are 32 | # matching any regular expression from the list. 33 | #exclude_lines: ['^DBG'] 34 | 35 | # Include lines. A list of regular expressions to match. It exports the lines that are 36 | # matching any regular expression from the list. 37 | #include_lines: ['^ERR', '^WARN'] 38 | 39 | # Exclude files. A list of regular expressions to match. 
Filebeat drops the files that 40 | # are matching any regular expression from the list. By default, no files are dropped. 41 | #exclude_files: ['.gz$'] 42 | 43 | # Optional additional fields. These fields can be freely picked 44 | # to add additional information to the crawled log files for filtering 45 | fields: 46 | tool: osquery 47 | # level: debug 48 | # review: 1 49 | 50 | ### Multiline options 51 | 52 | # Mutiline can be used for log messages spanning multiple lines. This is common 53 | # for Java Stack Traces or C-Line Continuation 54 | 55 | # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ 56 | #multiline.pattern: ^\[ 57 | 58 | # Defines if the pattern set under pattern should be negated or not. Default is false. 59 | #multiline.negate: false 60 | 61 | # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern 62 | # that was (not) matched before or after or as long as a pattern is not matched based on negate. 63 | # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash 64 | #multiline.match: after 65 | 66 | 67 | #============================= Filebeat modules =============================== 68 | 69 | filebeat.config.modules: 70 | # Glob pattern for configuration loading 71 | path: ${path.config}/modules.d/*.yml 72 | 73 | # Set to true to enable config reloading 74 | reload.enabled: false 75 | 76 | # Period on which files under path should be checked for changes 77 | #reload.period: 10s 78 | 79 | #==================== Elasticsearch template setting ========================== 80 | 81 | #setup.template.settings: 82 | # index.number_of_shards: 3 83 | #index.codec: best_compression 84 | #_source.enabled: false 85 | 86 | #================================ General ===================================== 87 | 88 | # The name of the shipper that publishes the network data. 
It can be used to group 89 | # all the transactions sent by a single shipper in the web interface. 90 | #name: 91 | 92 | # The tags of the shipper are included in their own field with each 93 | # transaction published. 94 | #tags: ["service-X", "web-tier"] 95 | 96 | # Optional fields that you can specify to add additional information to the 97 | # output. 98 | #fields: 99 | # env: staging 100 | 101 | 102 | #============================== Dashboards ===================================== 103 | # These settings control loading the sample dashboards to the Kibana index. Loading 104 | # the dashboards is disabled by default and can be enabled either by setting the 105 | # options here, or by using the `-setup` CLI flag or the `setup` command. 106 | #setup.dashboards.enabled: false 107 | 108 | # The URL from where to download the dashboards archive. By default this URL 109 | # has a value which is computed based on the Beat name and version. For released 110 | # versions, this URL points to the dashboard archive on the artifacts.elastic.co 111 | # website. 112 | #setup.dashboards.url: 113 | 114 | #============================== Kibana ===================================== 115 | 116 | # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. 117 | # This requires a Kibana endpoint configuration. 118 | #setup.kibana: 119 | 120 | # Kibana Host 121 | # Scheme and port can be left out and will be set to the default (http and 5601) 122 | # In case you specify and additional path, the scheme is required: http://localhost:5601/path 123 | # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 124 | #host: "localhost:5601" 125 | 126 | #============================= Elastic Cloud ================================== 127 | 128 | # These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/). 129 | 130 | # The cloud.id setting overwrites the `output.elasticsearch.hosts` and 131 | # `setup.kibana.host` options. 
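# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  # hosts: ["localhost:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts (Graylog Beats input, see the ufw rule for 5044)
  hosts: ["{{ graylog_hostname }}.{{ base_domain }}:5044"]

  # NOTE(review): with every ssl.* option below commented out this is plain
  # TCP. The osquery result logs it ships (host inventory, process and user
  # data) cross the network unencrypted and the Graylog input cannot tell
  # this host from anything else that can reach port 5044. Before leaving
  # the lab, give the Beats input a certificate and enable
  # ssl.certificate_authorities here (plus ssl.certificate/ssl.key if the
  # input is configured to require client certificates).

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".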
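#logging.selectors: ["*"]

# ---- /Kolide/conf/kolide/kolide.service ----
[Unit]
Description=Kolide Fleet management service
After=network.target

[Service]
User=kolide
Restart=on-failure
ExecStart=/usr/local/bin/linux/fleet_linux_amd64 serve --config /etc/kolide/kolide.yml
# Sandboxing. From kolide.yml the service only needs to read
# /etc/kolide/kolide.yml and write under /var/log/kolide, so a read-only
# /usr and /etc, a private /tmp, no access to /home and no privilege
# escalation cost it nothing. (ProtectSystem=strict would also need a
# ReadWritePaths=/var/log/kolide entry.)
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target

# ---- /Kolide/conf/kolide/kolide.yml ----
# Rendered by the kolide role. It contains the MySQL password and the JWT
# signing key, so the task writing it must leave it readable only by the
# kolide user (0600) - NOTE(review): that task is outside this listing,
# confirm its mode.
mysql:
  address: 127.0.0.1:3306
  database: {{ mysql_kolide_dbname }}
  username: {{ mysql_kolide_user }}
  password: {{ mysql_kolide_pass }}
redis:
  address: 127.0.0.1:6379
server:
  # Loopback only: nginx terminates TLS on 443 and proxies to this port,
  # which is the only reason tls can be off here. Never widen the address
  # to 0.0.0.0 while tls is false.
  address: 127.0.0.1:8080
  tls: false
auth:
  # Signs sessions; whoever holds it can mint a session for any user. Use a
  # long random value (e.g. openssl rand -hex 32), not a passphrase.
  jwt_key: {{ kolide_jwt_key }}
osquery:
  result_log_file: /var/log/kolide/osquery_result.log
  status_log_file: /var/log/kolide/osquery_status.log
logging:
  json: true

# ---- /Kolide/conf/nginx/nginx.conf ----
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the exact nginx version in Server: headers and
    # error pages.
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    # TLS 1.2 only. TLS 1.0/1.1 are deprecated (RFC 8996) and nothing here
    # (osquery, browsers) needs them. NOTE: the server blocks in conf.d/
    # carry their own ssl_protocols line, which overrides this one - keep
    # them in sync. SSLv3 dropped as before, ref: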
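POODLE
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    # Compressing responses over TLS enables BREACH-style guessing of
    # secrets reflected in a response; acceptable for a lab, but worth
    # disabling (or limiting to static types) in front of authenticated
    # apps like Fleet and Graylog.
    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ####
    # Config for web sockets
    ####
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    include /etc/nginx/conf.d/*.conf;
}

# ---- /Kolide/conf/nginx/nginx_graylog.conf ----
server
{
    # "spdy" was removed in nginx 1.9.5; on current packages it fails config
    # validation and nginx will not start. http2 is its replacement.
    listen 443 ssl http2;
    server_name {{ graylog_hostname }}.{{ base_domain }};

    ssl_certificate /etc/nginx/ssl/graylog.crt;
    ssl_certificate_key /etc/nginx/ssl/graylog.key;

    # Overrides the http-level setting; TLS 1.2 only (RFC 8996).
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location /
    {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://$server_name/api;
        # Graylog listens on loopback only; TLS ends here.
        proxy_pass http://127.0.0.1:9000;
    }
}

# ---- /Kolide/conf/nginx/nginx_kolide.conf ----
# Plain-HTTP catch-all: nothing is served on 80, everything is redirected.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;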
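}

upstream websocket {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    # Was hard-coded to kolide.hackinglab.beer, i.e. a different name from
    # the one agents are told to trust (--tls_hostname uses fleet_hostname
    # and base_domain). Templating it keeps the two in step.
    server_name {{ fleet_hostname }}.{{ base_domain }};

    ssl_certificate /etc/nginx/ssl/kolide.crt;
    ssl_certificate_key /etc/nginx/ssl/kolide.key;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Overrides the http-level setting; TLS 1.2 only (RFC 8996). osquery's
    # TLS plugin and current browsers negotiate it without trouble.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    location /
    {
        #proxy_set_header Host $http_host;
        #proxy_set_header X-Forwarded-Host $host;
        #proxy_set_header X-Forwarded-Server $host;
        # Without this Fleet only ever sees 127.0.0.1 as the client address,
        # which makes its access/audit records useless for attribution.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://127.0.0.1:8080;
    }
}

# ---- /Kolide/deploy_graylog.yml ----
- hosts: graylog
  become: yes
  become_user: root
  tasks:
    - import_tasks: roles/init.yml
    - import_tasks: roles/graylog/deploy_graylog.yml

# ---- /Kolide/deploy_kolide.yml ----
- hosts: kolide
  become: yes
  become_user: root
  tasks:
    - import_tasks: roles/init.yml
    - import_tasks: roles/kolide/redis.yml
    - import_tasks: roles/kolide/mysql.yml
    - import_tasks: roles/kolide/kolide.yml
    #- import_tasks: roles/kolide/filebeat.yml

# ---- /Kolide/deploy_linux_osquery_agents.yml ----
- hosts: linux_agents
  become: yes
  become_user: root
  tasks:
    # group_vars/agents carries the enroll secret; it is loaded explicitly
    # because linux_agents is not a child of the "agents" group.
    - include_vars: group_vars/agents
    - import_tasks: roles/agents/deploy_osquery_centos.yml
      when: ansible_distribution == "CentOS"
    - import_tasks: roles/agents/deploy_osquery_ubuntu.yml
      when: ansible_distribution == "Ubuntu"

# ---- /Kolide/deploy_windows_osquery_agents.yml ----
- hosts: win_agents
  tasks:
    - win_ping:
    - include_vars: group_vars/agents
    - import_tasks: roles/agents/deploy_osquery_windows.yml

# ---- /Kolide/group_vars/agents.example ----
# Shared secret every agent presents to enroll. Anyone holding it can
# register a rogue host with Fleet, so generate it randomly
# (e.g. openssl rand -hex 32) and keep the filled-in file out of git.
osquery_enroll_secret:

# ---- /Kolide/group_vars/all.example ----
base_domain:
fleet_hostname:
graylog_hostname:
timezone: America/New_York

# Slack notifications are only sent when slack_token is set.
slack_channel:
slack_token:

# Cert Generation
cert_country:
cert_state:
cert_local:
cert_org:

# ---- /Kolide/group_vars/graylog.example ----
# Hashed into root_password_sha2 by the graylog role; choose a long value.
graylog_admin_password:

# ---- /Kolide/group_vars/kolide.example ----
# Kolide jwt key - signs sessions, use a long random string
# (e.g. openssl rand -hex 32)
kolide_jwt_key:

# MySQL setup
mysql_root_user: root
mysql_root_password:

# MySQL Kolide
mysql_kolide_dbname: kolide
mysql_kolide_user: kolide
mysql_kolide_pass:

# Host(s) the kolide DB account may connect from. Leave it at 127.0.0.1
# unless the database moves off the Fleet host; % grants access from any
# address that can reach 3306.
mysql_kolide_hosts: 127.0.0.1

# Filebeat
log_dir: /var/log/kolide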
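# ---- /Kolide/group_vars/windows.example ----
ansible_user:
ansible_password:
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_scheme: https
# "ignore" switches off verification of the WinRM listener's certificate.
# It is the usual shortcut for the self-signed listener a lab creates, but
# it also means the credentials above go to whoever answers on 5986 -
# anyone on the path can impersonate the host. For anything beyond the lab,
# give the listener a certificate the control node trusts and set this to
# "validate".
ansible_winrm_server_cert_validation: ignore

# ---- /Kolide/hosts ----
[kolide]
kolide01 ansible_ssh_host=172.16.77.130 ansible_python_interpreter=/usr/bin/python3 timeout=30

[graylog]
graylog01 ansible_ssh_host=172.16.77.194 ansible_python_interpreter=/usr/bin/python3 timeout=30

# Placeholder entry; group_vars/windows.example applies to this group and
# its children, which is what makes win_agents use WinRM.
[windows]
1.2.3.4

[windows:children]
win_agents

[win_agents]
agent01 ansible_ssh_host=172.16.77.192

[linux_agents]
agent02 ansible_ssh_host=172.16.77.196 ansible_python_interpreter=/usr/bin/python3 timeout=30
agent03 ansible_ssh_host=172.16.77.195

[mac_agents]

# ---- /Kolide/roles/agents/deploy_osquery_centos.yml ----
####################################################################
# Install/Setup OSQuery
####################################################################
- name: Add OSQuery repo key for CentOS
  rpm_key:
    state: present
    key: https://pkg.osquery.io/rpm/GPG

- name: Add OSQuery repo for CentOS
  yum_repository:
    name: osquery-s3-rpm-repo
    # "enabled" was listed twice in the original mapping; duplicate keys are
    # rejected by strict YAML loaders and only warned about by Ansible.
    enabled: yes
    description: OSQuery repo
    baseurl: https://pkg.osquery.io/rpm/$basearch/
    # Same key the rpm_key task imports. The previous value pointed at a
    # local file (/etc/pki/rpm-gpg/RPM-GPG-KEY-osquery) that nothing in this
    # role creates.
    gpgkey: https://pkg.osquery.io/rpm/GPG
    gpgcheck: yes

- name: Install OSQuery
  package:
    name: osquery
    state: present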
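
# The trust anchor is shipped from the control node, as the Windows role
# already does. The previous task fetched whatever certificate answered on
# {{ fleet_hostname }}.{{ base_domain }}:443 at install time and pinned
# that, so anyone able to intercept that single connection could plant
# their own cert and then read the enroll secret and every result log.
# (It also piped through `sudo tee` although the play already runs as root.)
- name: Install Fleet server certificate
  copy:
    src: conf/agents/certificate.crt
    dest: /etc/osquery/certificate.crt
    owner: root
    group: root
    mode: '0644'

- name: Copy OSQuery flags file
  template:
    src: conf/agents/osquery.flags
    dest: /etc/osquery/osquery.flags
    owner: root
    group: root
    mode: '0600'

# The enroll secret lets any holder register a host with Fleet.
- name: Copy OSQuery secret
  template:
    src: conf/agents/osquery.key
    dest: /etc/osquery/osquery.key
    owner: root
    group: root
    mode: '0600'
  no_log: true

- name: Enable OSQuery service
  service:
    name: osqueryd
    state: restarted
    enabled: yes

####################################################################
# Slack notification
####################################################################
- name: Send slack notification when done
  slack:
    token: "{{ slack_token }}"
    msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Finished setting OSQuery agent on {{ ansible_nodename }}'
    channel: "{{ slack_channel }}"
  # Was "is undefined", which is inverted: it only ran when no token
  # existed and then failed on the empty token.
  when: slack_token is defined

# ---- /Kolide/roles/agents/deploy_osquery_ubuntu.yml ----
####################################################################
# Install/Setup OSQUery
####################################################################
- name: Add OSQuery repo key for Ubuntu
  apt_key:
    keyserver: keyserver.ubuntu.com
    # Full fingerprint, so the keyserver cannot hand back a colliding key.
    id: 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

- name: Add OSquery repo for Ubuntu
  apt_repository:
    repo: deb [arch=amd64] https://pkg.osquery.io/deb deb main
    state: present
  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

- name: Install OSQuery
  package:
    name: osquery
    state: present

# See the CentOS role: ship the known certificate instead of trusting the
# first peer that answers on 443.
- name: Install Fleet server certificate
  copy:
    src: conf/agents/certificate.crt
    dest: /etc/osquery/certificate.crt
    owner: root
    group: root
    mode: '0644'

- name: Copy OSQuery flags file
  template:
    src: conf/agents/osquery.flags
    dest: /etc/osquery/osquery.flags
    owner: root
    group: root
    mode: '0600'

- name: Copy OSQuery secret
  template:
    src: conf/agents/osquery.key
    dest: /etc/osquery/osquery.key
    owner: root
    group: root
    mode: '0600'
  no_log: true

- name: Enable OSQuery service
  service:
    name: osqueryd
    state: restarted
    enabled: yes

####################################################################
# Slack notification
####################################################################
- name: Send slack notification when done
  slack:
    token: "{{ slack_token }}"
    msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Finished setting OSQuery agent on {{ ansible_nodename }}'
    channel: "{{ slack_channel }}"
  when: slack_token is defined

# ---- /Kolide/roles/agents/deploy_osquery_windows.yml ----
####################################################################
# Install/Setup OSQuery
####################################################################
# win_chocolatey installs Chocolatey itself when it is missing, so the
# former bootstrap task (Set-ExecutionPolicy Bypass + iex of a script
# downloaded at run time) is not needed; dropping it removes one unpinned
# remote-code step from every agent deploy.
- name: Install OSQuery with chocolatey
  win_chocolatey:
    name: osquery
    params: "/InstallService"
    state: latest

# A PEM file is not a template; win_copy ships it byte for byte.
- name: Get certificate
  win_copy:
    src: conf/agents/certificate.crt
    dest: C:\ProgramData\osquery\certs\certificate.crt

- name: Copy OSQuery.flags
  win_template:
    src: conf/agents/osquery.flags
    dest: C:\ProgramData\osquery\osquery.flags

# NOTE(review): unlike the Linux roles nothing restricts who can read this
# file; ProgramData is world-readable by default. Tighten the ACL
# (SYSTEM/Administrators only) if non-admin users log on to these hosts.
- name: Copy OSQuery.key
  win_template:
    src: conf/agents/osquery.key
    dest: C:\ProgramData\osquery\osquery.key
  no_log: true

- name: Start OSQuery service
  win_service:
    name: osqueryd
    start_mode: auto
    state: restarted

####################################################################
# Slack notification
####################################################################
- name: Send slack notification when done
  slack:
    token: "{{ slack_token }}"
    msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Finished setting OSQuery agent on {{ ansible_nodename }}'
    channel: "{{ slack_channel }}"
  when: slack_token is defined

# ---- /Kolide/roles/graylog/deploy_graylog.yml ----
####################################################################
# Setup hostname
####################################################################
- name: Set hostname
  hostname:
    name: '{{ graylog_hostname }}.{{ base_domain }}'

####################################################################
# Install software
####################################################################
- name: Install software
  package:
    name: '{{ item }}'
    state: present
  with_items:
    - apt-transport-https
    - openjdk-8-jre-headless
    - uuid-runtime
    - pwgen

####################################################################
# Install/Setup MongoDB
####################################################################
- name: Install MongoDB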
25 | package: 26 | name: '{{ item }}' 27 | state: latest 28 | with_items: 29 | - mongodb-server 30 | 31 | - name: Start Mongo service 32 | service: 33 | name: mongodb 34 | state: started 35 | enabled: yes 36 | 37 | #################################################################### 38 | # Install/Setup Elasticsearch 39 | #################################################################### 40 | - name: Add Elastic GPG key 41 | apt_key: 42 | url: https://artifacts.elastic.co/GPG-KEY-elasticsearch 43 | state: present 44 | 45 | - name: Add Elastic repo 46 | apt_repository: 47 | repo: deb https://artifacts.elastic.co/packages/6.x/apt stable main 48 | state: present 49 | 50 | - name: Install/Setup Elasticsearch 51 | package: 52 | name: '{{ item }}' 53 | state: latest 54 | with_items: 55 | - curl 56 | - elasticsearch 57 | 58 | - name: Rename Elasticsearch cluster name 59 | lineinfile: 60 | path: /etc/elasticsearch/elasticsearch.yml 61 | regexp: '^cluster.name:' 62 | line: 'cluster.name: graylog' 63 | 64 | - service: 65 | name: elasticsearch 66 | state: restarted 67 | enabled: yes 68 | 69 | #################################################################### 70 | # Install/Setup Graylog 71 | #################################################################### 72 | - name: Download and Install Graylog repo 73 | apt: 74 | deb: https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb 75 | 76 | - name: Run the equivalent of "apt-get update" as a separate step 77 | apt: 78 | update_cache: yes 79 | 80 | - name: Install/Setup Graylog 81 | package: 82 | name: '{{ item }}' 83 | state: latest 84 | with_items: 85 | - graylog-server 86 | 87 | - name: Covert password to sha256 hash 88 | shell: "echo -n {{ graylog_admin_password }} | sha256sum | awk '{print $1}'" 89 | register: pass_contents 90 | 91 | - name: Set admin password 92 | lineinfile: 93 | path: /etc/graylog/server/server.conf 94 | regexp: '^root_password_sha2 =' 95 | line: "root_password_sha2 = {{ 
pass_contents.stdout }}" 96 | 97 | - name: Generate secret key 98 | shell: "pwgen -s 96 1" 99 | register: secret_key_content 100 | 101 | - name: Set secret key 102 | shell: sed -i -e "s/password_secret =.*/password_secret = {{ secret_key_content.stdout }}/" /etc/graylog/server/server.conf 103 | 104 | - name: Start and Enable Graylog service 105 | service: 106 | name: graylog-server 107 | state: restarted 108 | enabled: yes 109 | 110 | #################################################################### 111 | # Install/Setup Graylog slack plugin 112 | #################################################################### 113 | - name: Download Graylog Slack plugin 114 | get_url: 115 | url: https://github.com/graylog-labs/graylog-plugin-slack/releases/download/2.4.0/graylog-plugin-slack-2.4.0.jar 116 | dest: /usr/share/graylog-server/plugin/graylog-plugin-slack-2.4.0.jar 117 | 118 | - name: Start and Enable Graylog service 119 | service: 120 | name: graylog-server 121 | state: restarted 122 | enabled: yes 123 | 124 | #################################################################### 125 | # Install/Setup Nginx 126 | #################################################################### 127 | - name: Install/Setup Nginx 128 | package: 129 | name: '{{ item }}' 130 | state: installed 131 | with_items: 132 | - nginx 133 | 134 | - name: Backup NGINX config 135 | shell: cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak 136 | 137 | - name: Copy Nginx config 138 | template: 139 | src: conf/nginx/nginx.conf 140 | dest: /etc/nginx/nginx.conf 141 | owner: root 142 | group: root 143 | mode: '0600' 144 | 145 | - file: 146 | path: /etc/nginx/ssl 147 | owner: root 148 | group: root 149 | state: directory 150 | 151 | - file: 152 | path: /etc/nginx/ssl 153 | state: directory 154 | mode: 0755 155 | 156 | - name: Generate DH key 157 | stat: 158 | path: /etc/ssl/certs/dhparam.pem 159 | register: stat_dhparam 160 | - shell: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 161 | when: 
stat_dhparam.stat.exists == False 162 | 163 | - name: Generate DH key 164 | stat: 165 | path: /etc/nginx/ssl/dhparam.pem 166 | register: stat_dhparam 167 | - shell: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 168 | when: stat_dhparam.stat.exists == False 169 | - shell: openssl req -new -nodes -x509 -days 3650 -subj "/C={{ cert_country }}/ST={{ cert_state }}/L={{ cert_local }}/O={{ cert_org }}/CN={{ graylog_hostname }}.{{ base_domain }}" -keyout /etc/nginx/ssl/graylog.key -out /etc/nginx/ssl/graylog.crt 170 | when: stat_dhparam.stat.exists == False 171 | 172 | - template: 173 | src: conf/nginx/nginx_graylog.conf 174 | dest: /etc/nginx/conf.d/nginx_graylog.conf 175 | owner: root 176 | group: root 177 | mode: '0600' 178 | 179 | - service: 180 | name: nginx 181 | state: restarted 182 | enabled: yes 183 | 184 | #################################################################### 185 | # Install/Setup FirewallD 186 | #################################################################### 187 | - name: Setup Ubuntu UFW firewall 188 | ufw: 189 | rule: allow 190 | name: OpenSSH 191 | - ufw: 192 | rule: allow 193 | port: 80 194 | proto: tcp 195 | - ufw: 196 | rule: allow 197 | port: 443 198 | proto: tcp 199 | - ufw: 200 | rule: allow 201 | port: 5044 202 | proto: tcp 203 | - ufw: 204 | state: enabled 205 | policy: deny 206 | 207 | 208 | #################################################################### 209 | # Slack notification 210 | #################################################################### 211 | - name: Send slack notification when done 212 | slack: 213 | token: "{{ slack_token }}" 214 | msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Finished setting up Graylog server on {{ ansible_nodename }}' 215 | channel: "{{ slack_channel }}" 216 | when: slack_token is undefined 217 | -------------------------------------------------------------------------------- /Kolide/roles/init.yml: 
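# --------------------------------------------------------------------------------
####################################################################
# Apt update
####################################################################
- name: Run the equivalent of "apt-get update" as a separate step
  apt:
    update_cache: yes

####################################################################
# Setup Timedatectl
####################################################################
# Two command tasks instead of one shell string: no shell is involved, so the
# timezone value is not interpolated into a shell command line.
- name: Enable NTP
  command: timedatectl set-ntp on

- name: Set time to {{ timezone }}
  command: timedatectl set-timezone {{ timezone }}

####################################################################
# Setup Firewall
####################################################################
- name: Setup Ubuntu UFW firewall
  ufw:
    rule: allow
    name: OpenSSH
- ufw:
    rule: allow
    port: 80
    proto: tcp
- ufw:
    rule: allow
    port: 443
    proto: tcp
- ufw:
    state: enabled
    policy: deny

####################################################################
# Slack notification
####################################################################
# `is defined`: the original `is undefined` ran the task only when no token was
# set and then failed on the undefined variable.
- name: Send slack notification when done
  slack:
    token: "{{ slack_token }}"
    msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Init setup - {{ ansible_nodename }}'
    channel: "{{ slack_channel }}"
  when: slack_token is defined
# -------------------------------------------------------------------------------- /Kolide/roles/kolide/filebeat.yml: --------------------------------------------------------------------------------
####################################################################
# Install/Setup Filebeat
####################################################################
- name: Add Elastic GPG key
  apt_key:
    url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
    state: present

- name: Add Elastic repo
  apt_repository:
    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
    state: present

# Task renamed: it installs filebeat, not Elasticsearch.
- name: Install/Setup Filebeat
  package:
    name: '{{ item }}'
    state: latest
  with_items:
    - filebeat

# Root-only: the rendered file presumably carries output settings/credentials
# (template not visible here) and filebeat itself runs as root.
- name: Filebeat.yml
  template:
    src: conf/filebeat/filebeat.yml
    dest: /etc/filebeat/filebeat.yml
    owner: root
    group: root
    mode: '0600'

- name: Start Filebeat service
  service:
    name: filebeat
    state: restarted
    enabled: yes

####################################################################
# Slack notification
####################################################################
# Message corrected (it was a copy of the Kolide one) and `is defined` applied.
- name: Send slack notification when done
  slack:
    token: "{{ slack_token }}"
    msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Finished setting up Filebeat - {{ ansible_nodename }}'
    channel: "{{ slack_channel }}"
  when: slack_token is defined
# -------------------------------------------------------------------------------- /Kolide/roles/kolide/kolide.yml: --------------------------------------------------------------------------------
####################################################################
# Install/Setup Kolide
####################################################################
- name: Create Kolide user
  user:
    name: kolide
    shell: /usr/sbin/nologin

- name: Create Kolide log directory
  file:
    path: '{{ log_dir }}'
    state: directory
    owner: kolide
    group: root

- name: Create Kolide conf directory
  file:
    path: /etc/kolide
    state: directory
    owner: root
    group: root

# The rendered config is expected to carry the MySQL credentials (see mysql.yml
# variables), so it is readable by root and the kolide group only; the original
# left it at the default umask.
- name: Copy Kolide conf
  template:
    src: conf/kolide/kolide.yml
    dest: /etc/kolide/kolide.yml
    owner: root
    group: kolide
    mode: '0640'

- name: Install unzip
  package:
    name: unzip
    state: latest

# NOTE(review): fleet_latest.zip is unpinned and unverified; a versioned
# archive plus a checksum would make the install reproducible.
- name: Download Kolide
  unarchive:
    src: https://dl.kolide.co/bin/fleet_latest.zip
    dest: /usr/local/bin
    remote_src: yes

- name: Initialize Kolide database
  command: /usr/local/bin/linux/fleet_linux_amd64 prepare db --config /etc/kolide/kolide.yml

# (The original repeated the "Create kolide user" task here; it is created above.)

- name: Copy Kolide SystemD
  template:
    src: conf/kolide/kolide.service
    dest: /etc/systemd/system/kolide.service

- name: Start Kolide service
  service:
    name: kolide
    state: restarted
    enabled: yes

####################################################################
# Install/Setup Nginx
####################################################################
- name: Install/Setup Nginx
  package:
    name: '{{ item }}'
    state: latest
  with_items:
    - nginx

- name: Backup nginx conf
  copy:
    src: /etc/nginx/nginx.conf
    dest: /etc/nginx/nginx.conf.bak
    remote_src: yes

# Single task; 0700 rather than the original 0400, which on a directory
# removes the traverse bit, and rather than two separate file tasks.
- name: Create Nginx TLS directory
  file:
    path: /etc/nginx/ssl
    owner: root
    group: root
    state: directory
    mode: '0700'

- name: Copy nginx.conf
  template:
    src: conf/nginx/nginx.conf
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: '0644'

- name: Copy nginx_kolide.conf
  template:
    src: conf/nginx/nginx_kolide.conf
    dest: /etc/nginx/conf.d/nginx_kolide.conf
    owner: root
    group: root
    mode: '0644'

# `creates` replaces the stat-and-when pair and keeps each step idempotent.
- name: Generate DH parameters
  command: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
  args:
    creates: /etc/nginx/ssl/dhparam.pem

# Gated on the certificate itself; the original gated it on the dhparam stat.
- name: Generate self-signed certificate
  command: openssl req -new -nodes -x509 -days 3650 -subj "/C={{ cert_country }}/ST={{ cert_state }}/L={{ cert_local }}/O={{ cert_org }}/CN={{ fleet_hostname }}.{{ base_domain }}" -keyout /etc/nginx/ssl/kolide.key -out /etc/nginx/ssl/kolide.crt
  args:
    creates: /etc/nginx/ssl/kolide.crt

- name: Restrict private key permissions
  file:
    path: /etc/nginx/ssl/kolide.key
    owner: root
    group: root
    mode: '0600'

- name: Start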
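Nginx service
  service:
    name: nginx
    state: restarted
    enabled: yes

####################################################################
# Slack notification
####################################################################
# `is defined`: the original `is undefined` could never deliver a message.
- name: Send slack notification when done
  slack:
    token: "{{ slack_token }}"
    msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Finished setting up Kolide Fleet manager - {{ ansible_nodename }}'
    channel: "{{ slack_channel }}"
  when: slack_token is defined
# -------------------------------------------------------------------------------- /Kolide/roles/kolide/mysql.yml: --------------------------------------------------------------------------------
####################################################################
# Install/Setup MySQL
####################################################################
- name: Install/Setup MySQL
  package:
    name: '{{ item }}'
    state: latest
  with_items:
    - mysql-server
    - python3-mysqldb
    - python3-pip

- name: Start MySQL service
  service:
    name: mysql.service
    state: restarted
    enabled: yes

####################################################################
# Secure MySQL setup
####################################################################
# Best-effort hardening of a fresh install; errors stay ignored as before.
- name: Delete anonymous MySQL server user
  mysql_user:
    name: ""
    host: "{{ ansible_hostname }}"
    state: absent
  ignore_errors: yes

- name: Delete anonymous MySQL server user for localhost
  mysql_user:
    name: ""
    state: absent
  ignore_errors: yes

- name: Remove the MySQL test database
  mysql_db:
    name: test
    state: absent
  ignore_errors: yes

# Only succeeds against the fresh install (empty root password), hence
# ignore_errors; no_log keeps the new password out of the play output.
- name: Change root user password on first run
  mysql_user:
    login_user: root
    login_password: ''
    name: '{{ mysql_root_user }}'
    password: '{{ mysql_root_password }}'
    priv: '*.*:ALL,GRANT'
    host: '{{ item }}'
  with_items:
    - "{{ ansible_hostname }}"
    - 127.0.0.1
    - ::1
    - localhost
  ignore_errors: yes
  no_log: true

####################################################################
# Setup Kolide database
####################################################################
# mysql_db replaces `mysql -u ... --password=...` in a shell: the root password
# no longer appears on a command line (process list, shell history, play log),
# and the module is idempotent, so the original stdout-based failed_when check
# (the "database exists" text goes to stderr) is no longer needed.
- name: Create Kolide database
  mysql_db:
    name: '{{ mysql_kolide_dbname }}'
    state: present
    login_user: '{{ mysql_root_user }}'
    login_password: '{{ mysql_root_password }}'
  no_log: true

# ignore_errors dropped: Kolide cannot start without this user, so a failure
# here should fail the play rather than surface later as a connection error.
- name: Create Kolide database user
  mysql_user:
    name: '{{ mysql_kolide_user }}'
    password: '{{ mysql_kolide_pass }}'
    priv: '{{ mysql_kolide_dbname }}.*:ALL'
    state: present
    login_user: '{{ mysql_root_user }}'
    login_password: '{{ mysql_root_password }}'
    host: '{{ mysql_kolide_hosts }}'
  no_log: true

####################################################################
# Slack notification
####################################################################
- name: Send slack notification when done
  slack:
    token: "{{ slack_token }}"
    msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Finished setting up mysql - {{ ansible_nodename }}'
    channel: "{{ slack_channel }}"
  when: slack_token is defined
# -------------------------------------------------------------------------------- /Kolide/roles/kolide/redis.yml: --------------------------------------------------------------------------------
####################################################################
# Install/Setup Redis
####################################################################
- name: Install/Setup Redis
  package:
    name: '{{ item }}'
    state: latest
  with_items:
    - redis-server

- name: Start redis service
  service: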
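name: redis-server.service
    state: restarted
    enabled: yes

####################################################################
# Slack notification
####################################################################
# `is defined`: the original `is undefined` could never deliver a message.
- name: Send slack notification when done
  slack:
    token: "{{ slack_token }}"
    msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Finished setting up redis - {{ ansible_nodename }}'
    channel: "{{ slack_channel }}"
  when: slack_token is defined
# -------------------------------------------------------------------------------- /LabScrips/README.md: --------------------------------------------------------------------------------
# Lab scripts
These are scripts that I use in my lab environment at school. Scripts are created to accomplish a simple task and NOT for security. Please use at your own risk.

# WinRMize Windows clients for Ansible
0. Spin up Windows host
0. ./psexec_ansiblize_setup.ps1 -u
# -------------------------------------------------------------------------------- /LabScrips/WinRMize/.gitignore: --------------------------------------------------------------------------------
hosts
# -------------------------------------------------------------------------------- /LabScrips/WinRMize/hosts.example: --------------------------------------------------------------------------------
[win_agents]
test
# -------------------------------------------------------------------------------- /LabScrips/WinRMize/psexec_ansiblize_setup.ps1: --------------------------------------------------------------------------------
<#
Author: Ben Bornohlm
Project: Blog scripts
Date: 1-22-18
#>

<#
Command line parameters: -username is required; the password is prompted for
when not given on the command line.
#>
Param
(
    [Parameter(Mandatory=$true)][string]$username,
    [string]$password = $( Read-Host "Input password, please" )
)

# Array for jobs
$jobs=@()

# Mount drive
# NOTE(review): PsExec is run straight from the live.sysinternals.com share on
# every invocation; a local, verified copy avoids depending on that download.
NET USE M: \\live.sysinternals.com

# Only the username is echoed. The original also wrote the password to the
# console, which puts it into any transcript or captured output.
Write-Host $username

<#
Script block to run PsExec on each machine. $command pulls
ConfigureRemotingForAnsible.ps1 from the ansible "devel" branch at run time
(unpinned); pin a reviewed copy if reproducibility matters.
#>
$sb = {
    param
    (
        $computer = "",
        $username = "",
        $password = "",
        $command = "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command `"iex ((new-object net.webclient).DownloadString('https://github.com/ansible/ansible/raw/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))"
    )

    # Skip hosts that do not answer a single ping.
    if (( Test-Connection -Cn $computer -BufferSize 16 -Count 1 -ea 0 -TimeToLive 3 -quiet )) {
        M:\PsExec "\\$computer" -u $username -p $password -d cmd /c $command
    }
}

<#
Iterate over each computer in the hosts file, one background job per host
#>
foreach ($computer in Get-Content hosts) {
    Write-Host "starting $computer" -foreground green
    $jobs += Start-Job $sb -ArgumentList $computer, $username, $password
}

Wait-Job $jobs
$jobs | Receive-Job
# Remove the finished jobs so they do not linger in the session.
$jobs | Remove-Job
# -------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# BlogProjects

## Projects
* Google Grr
* MITRE Caldera
# -------------------------------------------------------------------------------- /docker_machine_botnet/.gitignore: --------------------------------------------------------------------------------
group_vars/all
hosts
# -------------------------------------------------------------------------------- /docker_machine_botnet/README.md: --------------------------------------------------------------------------------
# Docker Machine Botnet
This isn't really a botnet in a malicious way. I want to start testing my tools at scale and Docker will allow me to do just that. With Docker I can make all computers in my computer lab part of a Docker Swarm.

## Ansible deploy
### Setup manager
0.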
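mv hosts.example hosts
0. vim hosts and set "[manager]"
0. mv group_vars/all.example group_vars/all
0. vim group_vars/all and set slack_token and slack_channel
  1. optional
0. ansible-playbook -i hosts deploy_docker_manager.yml
  1. Copy Docker token from output

### Setup agents
0. vim group_vars/all and set docker_token
0. vim hosts and set "[win_agents]"
0. ansible-playbook -i hosts deploy_docker_nodes.yml

## Supported OSes
* Windows 10

# TO do:
# -------------------------------------------------------------------------------- /docker_machine_botnet/deploy_docker_manager.yml: --------------------------------------------------------------------------------
- hosts: manager
  tasks:
    - import_tasks: roles/setup_manager.yml
# -------------------------------------------------------------------------------- /docker_machine_botnet/deploy_docker_nodes.yml: --------------------------------------------------------------------------------
# `import_tasks:` added: a bare file path is not a valid task entry.
- hosts: win_agents
  tasks:
    - import_tasks: roles/setup_nodes.yml
# -------------------------------------------------------------------------------- /docker_machine_botnet/group_vars/all.example: --------------------------------------------------------------------------------
slack_token:
slack_channel:

# Colon added: without it the file is not a valid YAML mapping.
docker_token:
# -------------------------------------------------------------------------------- /docker_machine_botnet/hosts.example: --------------------------------------------------------------------------------
[manager]
manager01 ansible_host=192.168.1.1

[win_agents]
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
# -------------------------------------------------------------------------------- /docker_machine_botnet/roles/setup_manager.yml: --------------------------------------------------------------------------------
####################################################################
# Install/Setup Docker
####################################################################
# NOTE(review): runs an installer fetched from the network at play time; a
# reviewed local copy of install.ps1 would make the host build reproducible.
- name: Install chocolatey
  win_shell: Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

# The original task named no module, so name/state were dangling keys;
# win_chocolatey is the module those keys belong to.
- name: Install Docker
  win_chocolatey:
    name: docker
    state: latest

# win_shell rather than shell: the manager is a Windows host (chocolatey above,
# "Supported OSes: Windows 10" in the README).
- name: Setup Docker swarm
  win_shell: docker swarm init --advertise-addr={{ ansible_host }} --listen-addr {{ ansible_host }}:2377
  register: output

# Quoted: an unquoted {{ ... }} is read by YAML as a flow mapping and fails to
# parse. Only stdout is printed, which is where the join token appears.
- name: Print Docker token
  debug:
    msg: "{{ output.stdout }}"

####################################################################
# Slack notification
####################################################################
# Message corrected (it was copied from the osquery agent role).
# NOTE(review): ansible_default_ipv4 is a Linux fact; confirm it is populated
# for these Windows hosts or the template will fail when a token is set.
- name: Send slack notification when done
  slack:
    token: "{{ slack_token }}"
    msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Finished setting up Docker swarm manager on {{ ansible_nodename }}'
    channel: "{{ slack_channel }}"
  when: slack_token is defined
# -------------------------------------------------------------------------------- /docker_machine_botnet/roles/setup_nodes.yml: --------------------------------------------------------------------------------
####################################################################
# Install/Setup Docker
####################################################################
- name: Install chocolatey
  win_shell: Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

- name: Install Docker
  win_chocolatey:
    name: docker
    state: latest

# The manager address is looked up through the [manager] group: in
# hosts.example the host is "manager01" with ansible_host, so the original
# hostvars.manager.ansible_ssh_host resolved to nothing.
- name: Setup Docker swarm
  win_shell: docker swarm join --token {{ docker_token }} {{ hostvars[groups['manager'][0]]['ansible_host'] }}:2377

####################################################################
# Slack notification
####################################################################
- name: Send slack notification when done
  slack:
    token: "{{ slack_token }}"
    msg: '{{ ansible_nodename }}:{{ ansible_default_ipv4.address }} - Finished joining Docker swarm on {{ ansible_nodename }}'
    channel: "{{ slack_channel }}"
  when: slack_token is defined
# -------------------------------------------------------------------------------- /honeypots/Cowrie/docker-compose-cowire.yml: --------------------------------------------------------------------------------
version: "2.0"
services:
  cowrie:
    restart: always
    image: wonderfall/cowrie
    links: ### MySQL output
      - cowrie-db:cowrie-db ### MySQL output
    ports:
      - "2222:2222"
    volumes:
      - /srv/cowrie/dl:/cowrie/dl
      - /srv/cowrie/log:/cowrie/log
      - /srv/cowrie/custom:/custom
  cowrie-db:
    restart: always
    image: mariadb:10
    volumes:
      - /srv/cowrie/db:/var/lib/mysql
      - /srv/cowrie/sql:/docker-entrypoint-initdb.d
    # Credentials come from the environment (e.g. a .env file beside this
    # compose file) instead of a clear-text value committed to the repo. The
    # cowrie-side config under /srv/cowrie/custom must use the same password.
    environment:
      - MYSQL_ROOT_PASSWORD=${COWRIE_DB_ROOT_PASSWORD}
      - MYSQL_DATABASE=cowrie
      - MYSQL_USER=cowrie
      - MYSQL_PASSWORD=${COWRIE_DB_PASSWORD}
# -------------------------------------------------------------------------------- /honeypots/README.md: --------------------------------------------------------------------------------
# Honeypots
## Cowrie - prod
0. docker-compose -f docker-compose-cowrie.yml

## Responder - prod
0. docker-compose -f docker-compose-responder.yml up

## Responder - dev
0. docker build -t responder .
0.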
docker run -d -p 445:445 -p 389:389 -p 139:139 -p 138:138 -p 137:137 responder 11 | 12 | # to do: 13 | * Web honeypot 14 | -------------------------------------------------------------------------------- /honeypots/Responder/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN apt update -y && apt-get install python python-pip git sudo -y 4 | 5 | RUN git clone https://github.com/SpiderLabs/Responder.git 6 | WORKDIR Responder 7 | 8 | EXPOSE 445 389 139 137 138 9 | 10 | CMD ["python","-u","./Responder.py", "--interface=eth0", "-A"] 11 | -------------------------------------------------------------------------------- /honeypots/Responder/docker-compose-responder.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | services: 3 | resp: 4 | restart: always 5 | build: . 6 | ports: 7 | - "137:137" 8 | - "138:138" 9 | - "139:139" 10 | - "389:389" 11 | - "445:445" 12 | volumes: 13 | - /srv/responder/logs:/Responder/logs 14 | --------------------------------------------------------------------------------