Skip to content
/ siem-infra Public

Vulnerability detection, OSquery, fully-fledged Wazuh ELK stack with Linux and Windows Wazuh + osquery enrollment via Ansible.

License

View license
5 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ketsapiwiq/siem-infra

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
examples
examples
 
 
roles
roles
 
 
terraform
terraform
 
 
wazuh-docker
wazuh-docker
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
ConfigureRemotingForAnsible.ps1
ConfigureRemotingForAnsible.ps1
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
Vagrantfile
Vagrantfile
 
 
ansible.cfg
ansible.cfg
 
 
osquery-win-vars.yml
osquery-win-vars.yml
 
 
ossec.conf.xml
ossec.conf.xml
 
 
requirements.yml
requirements.yml
 
 
sysmonconfig-export.xml
sysmonconfig-export.xml
 
 
taxii-tests.sh
taxii-tests.sh
 
 
taxii.py
taxii.py
 
 
vagrant.ini
vagrant.ini
 
 
wazuh-agent-win-vars.yml
wazuh-agent-win-vars.yml
 
 
wazuh-agent-win.yml
wazuh-agent-win.yml
 
 
wazuh-agent.yml
wazuh-agent.yml
 
 
wazuh-vm-single-node.yml
wazuh-vm-single-node.yml
 
 
win-client-extra.yml
win-client-extra.yml
 
 
winlogbeat.ps1
winlogbeat.ps1
 
 

Repository files navigation

Wazuh-based SIEM with Linux and Windows osquery-enabled agents with Ansible + Vagrant

Fully-fledged Wazuh (OSSEC HIDS + Elastic stack) installation with Linux and Windows Wazuh agents and osquery, via Ansible and Vagrant.

Run

With Ansible, Vagrant and VirtualBox

  1. Install Vagrant
  2. Run vagrant up

With Terraform (deprecated and not up-to-date)

Careful: no firewall has been setup, your Terraform servers are listening on a public IP by default with NO KIBANA or ELASTIC AUTHENTICATION

  1. Set your terraform.tfvars
  2. Install Terraform plugin for your cloud provider
  3. terraform apply
  4. Install Ansible Terraform dynamic inventory binary at adammck/terraform-inventory
  5. Set some variable due to a plugin issue: export TF_STATE=./; (see adammck/terraform-inventory#144)
  6. Run the Ansible playbooks

Known issues

  • Get-Service OssecSvc on Windows hosts: service is stopped after the playbook played.
  • Troubleshoot Windows osquery bugs

Workarounds

On MacOS Catalina, trying to use Ansible with WinRM, if you get:

objc[11628]: +[NSNumber initialize] may have been in progress in another thread when fork() was called.
objc[11628]: +[NSNumber initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
ERROR! A worker was found in a dead state

You need to set some variable: export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES See ansible/ansible#32499

External documentation

TODO

Known issues

  • Troubleshoot Windows osquery bugs

Features

  • Add Powershell command execution logging and alerting
  • Setup X-pack auth config + HTTPS/TLS certs everywhere
  • Active response

Possible evolutions

  • add minotring of node modules security output recurring task (npm audit)
  • integrate other tools/sysinternals into ansible playbooks: https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer
    • with a script to suspend all processes and dump RAM and disk (sysinternals) as an action response
  • VirusTotal API / Malice / Cuckoo integration
  • Suricata integration
  • Multi-cluster / load-balanced Ansible playbook
    • K8s/Helm ?

Low priority

About

Vulnerability detection, OSquery, fully-fledged Wazuh ELK stack with Linux and Windows Wazuh + osquery enrollment via Ansible.

Topics

security ansible elasticsearch kibana siem osquery vulnerability-detection wazuh

Resources

Readme

License

View license
Activity

Stars

5 stars

Watchers

2 watching

Forks

2 forks
Report repository

Languages