├── .gitignore
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
# Local .terraform directories
**/.terraform/*

# .tfstate files
*.tfstate
*.tfstate.*

# Crash log files
crash.log
crash.*.log

# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negated pattern
# !example_override.tf

# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*

# Ignore CLI configuration files
.terraformrc
terraform.rc
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Ultimate Cybersecurity Lab

## Episode 3 - Wazuh & Nessus build

In this episode we build our SIEM and XDR tool, Wazuh. We then install the Wazuh agent on our Kali virtual machine, our Docker server and our pfSense firewall. We then move on to our vulnerability scanner, Nessus.

Please follow the instructions below to install the Wazuh agent on the pfSense firewall.

*******

### pfSense Wazuh Agent Install Overview

1. Enable SSH before connecting to the firewall
2. Enable the FreeBSD package repo so we can pull down the Wazuh agent
3. Enable the firewall logs (syslog already in place)
4. In Wazuh, create a group and enable the rule

*******

### Enable FreeBSD so we can pull down the Wazuh agent

By default, FreeBSD package repos are disabled on pfSense firewalls. Follow the steps below to enable them for our lab.

SSH to the firewall and navigate to the following directory:
```
cd /usr/local/etc/pkg/repos/
```

Edit the pfsense.conf file:
```
vi pfsense.conf
```

Set to:
```
FreeBSD: { enabled: yes }
```

Edit the FreeBSD.conf file:
```
vi FreeBSD.conf
```

Set to:
```
FreeBSD: { enabled: yes }
```

*******

### Install Wazuh Agent

Update the package cache:
```
pkg update
```

Search for the Wazuh agent:
```
pkg search wazuh-agent
```

Install the Wazuh agent on the firewall:
```
pkg install wazuh-agent-4.7.2
```

*******

### Start Wazuh Agent

Enter the following:
```
cp /etc/localtime /var/ossec/etc
```

Then edit the ossec.conf file in that directory:
```
vi ossec.conf
```

Add the following to the file; the address is that of your Wazuh server:
```
<client>
  <server>
    <address>10.10.1.51</address>
  </server>
</client>
```

Set the agent to enabled by entering the following:
```
sysrc wazuh_agent_enable="YES"
```

Create a symbolic link:
```
ln -s /usr/local/etc/rc.d/wazuh-agent /usr/local/etc/rc.d/wazuh-agent.sh
```

Start the agent:
```
service wazuh-agent start
```

*******

### Enable Firewall logs
Want to monitor your firewall logs? We need to create a pfsense group and add the following.

In Wazuh, navigate to Management > new group.

Edit the group and add the following:

```
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/filter.log</location>
</localfile>
```

*******

### Create custom rule
This rule monitors the output in the filter.log file.

Navigate to Management > Rules > create a new rule and add the following:

```
87700
block
pfSense firewall drop event.
firewall_block,pci_dss_1.4,gpg13_4.12,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,
```
Add the rule to the existing pfsense group you created previously.

--------------------------------------------------------------------------------
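As an added example (not code from the original lab notes), the following Python script parses a few constructed pfSense filterlog lines of the kind the `syslog` localfile above ships to Wazuh and applies the same idea as the custom rule, raising an alert for each entry whose action field is `block` instead of matching that substring anywhere in the line. The field order assumed is pfSense's documented filterlog CSV layout for IPv4 TCP/UDP entries.

```python
# Added example (not from the lab repo): parse pfSense filterlog syslog
# lines and apply the README's match-on-"block" rule to them. Field order
# follows pfSense's filterlog CSV layout (IPv4 TCP/UDP); samples are constructed.
import re

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"filterlog\[\d+\]: (?P<csv>.*)$")

# Values taken from the README's custom rule.
ALERT_DESCRIPTION = "pfSense firewall drop event."
ALERT_GROUPS = ("firewall_block,pci_dss_1.4,gpg13_4.12,hipaa_164.312.a.1,"
                "nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8")

def parse_filterlog(line):
    """Return the interesting fields of one filterlog line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:  # rule,subrule,anchor,tracker,iface,reason,action,dir,ipver
        return None
    ev = {"ts": m.group("ts"), "host": m.group("host"), "rule": f[0],
          "tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7]}
    if f[8] == "4" and len(f) >= 20:  # IPv4 block: proto text, src, dst
        ev.update(proto=f[16], src=f[18], dst=f[19])
        if f[16] in ("tcp", "udp") and len(f) >= 22:  # then ports
            ev.update(sport=f[20], dport=f[21])
    return ev

def evaluate(lines):
    """Raise an alert for every filterlog line whose action is 'block'."""
    alerts = []
    for line in lines:
        ev = parse_filterlog(line)
        if ev and ev["action"] == "block":
            alerts.append({"description": ALERT_DESCRIPTION,
                           "groups": ALERT_GROUPS, **ev})
    return alerts

SAMPLE_LINES = [  # constructed sample lines
    "Mar 10 12:00:01 pfSense filterlog[55112]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,3344,0,DF,6,tcp,60,203.0.113.7,10.10.1.51,51234,22,0,S,1,,65535,,mss",
    "Mar 10 12:00:02 pfSense filterlog[55112]: 100,,,1000000101,em1,match,pass,out,4,0x0,,64,8,0,DF,17,udp,76,10.10.1.20,10.10.1.1,51000,53,56",
    "Mar 10 12:00:03 pfSense sshd[911]: Accepted publickey for admin from 10.10.1.20",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LINES):
        print(f"{a['description']} {a.get('proto')} {a.get('src')}:{a.get('sport')} "
              f"-> {a.get('dst')}:{a.get('dport')} on {a['iface']} (rule {a['rule']})")
```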