Using Terraform and Ansible to build and configure the overall infrastructure, this repo will be a cyber range for red teams to carry out attacks and for blue teams to counter with detections and mitigations, engaging in a full scope purple team effort. Build your skills to frustrate and break the spirits of your adversaries, making any offense on your infrastructure a truly Vile endeavor for all who dare to cross your threshold.
This project is going to utilize the semantic versioning for its tagging.
The general format:
MAJOR.MINOR.PATCH, eg 1.0.1
- MAJOR version when you make incompatible API changes
- MINOR version when you add functionality in a backward compatible manner
- PATCH version when you make backward compatible bug fixes Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
Execute the below command on the Wazuh Indexer
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
Execute command on the Wazuh Dashboard
cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
The first error indicates an authentication issue with the kibanaserver user. The second shows there is a connection error on the dashboard.
Consult the following password management documentation to fix the issue. Follow step 3 of "Changing the passwords in a distributed environment"
The Terraform CLI installation instructions have changed due to gpg keyring changes. So we needed to refer to the latest install CLI instructions via Terraform Documentation and change the scripting for install.
This project is built against Ubuntu. Please consider verifying your Linux Distribution and change according to your distribution needs
How to Check OS Version in Linux
Example of checking OS version:
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammyTerraform sources their providers and modules from the Terraform registry which is located at registry.terraform.io
- Providers is an interface to APIs that will allow to create resources in terraform
- Modules are a way to make large amount of terraform code modular, portable and sharable
We can see a list of all Terraform commands by simply typing terraform
At the start of a new Terraform project we will run terraform init to download the binaries for the terraform providers
that we'll use in this project
This will generate out a changeset, about the state of our infrastructure and what will be changed.
We can output this changeset ie. "plan" to be passed to an apply, but often you can just ignore outputting.
terraform apply
This will run a plan and pass the changeset to be executed by terraform. Apply should prompt yes or no.
Apply the --auto-approve flag to automatically approve a terraform transaction
This will destroy resources. This can use the --auto-approve flag as well
terraform destroy --auto-approve
If you receive an Access Denied message when deleting, verify your permissions, groups and ensure you have the proper group name.
Troubleshooting tips:
.terraform.lock.hcl contains the locked versioning for the providers or modules that should be used
with this project.
The Terraform Lock File should be committed to your Version Control System - i.e GitHub
.terraform.tfstate contain information about the current state of your infrastructure .
This file should not be committed to your VCS. This file can contain sensitive information. If you lose this file, you will lose the knowledge of your infrastructure.
.terraform.tfstate.backup is the previous state file state.
.terraform directory contains binaries of terraform providers
1. Tailscale command not recognized on Macbook M2 Create a temp alias for tailscale
alias tailscale /Applications/Tailscale.app/Contents/MacOS/Tailscale
2. Error: Error deleting SSH key: DELETE https://api.digitalocean.com/v2/account/keys/BLAH
This error came up while attempting to create the SSH key and store it in DigitalOcean. I deleted "HackeOps" and "Dev SSH Key" and ran the below command without issue.
terraform apply -auto-approve -var "do_token=${DO_PAT}"
Also, verify the name in the CLOUD_SERVICE_PROVIDER_NAME_ssh_key resource, verify the name of the key is the same SSH key name you provided when uploading your SSH key.
Code
DigitalOcean
