initial commit

README.md

@@ -0,0 +1,26 @@
+# Elastic for Red Teaming
+
+## Overview
+
+Repository of resources for configuring a Red Team SIEM using Elastic
+
+## Directory structure
+
+```
+.
+├── ansible
+│     └── Ansible playbooks for deploying an Elastic instance and configuring clients to forward the relevant logs 
+├── elastalert
+│     └── Elastalert example rules and configuration files
+├── elastic
+│     └── Example static configuration files
+└── resources
+      └── Resources for related services/technology such as Cobalt Strike
+```
+
+## Roadmap
+
+- Update ELK services to latest version
+- Refine playbooks added to reference repo
+- Evaluate alternatives (e.g. Fluentd vs Logstash, Grafana vs Kibana, Rsyslog vs Beats)
+

ansible/README.md

@@ -0,0 +1,29 @@
+# Ansible playbooks for configuring Elastic
+
+The original version of this can be found here: https://github.com/sadsfae/ansible-elk. This version is mostly a mirror of the original with some minor configuration variations. Additionally, it includes several new roles. The elastalert role will install and start Elastalert on an ELK host. This role is bundled in the **elk.yml** playbook as well as in a standlone **alert.yml** playbook. The elk-deb-client role will install Filebeat and Metricbeat on a Debian-based host and modify their configurations. The elk-cs-client role is the same as the elk-deb-client with a modified path (defined by the cs_path, which needs to be specified by extra-vars).
+
+*Note:* While this repo contains configs for services like Fluentd, the majority of SRA's testing was done using Elasticsearch/Logstash/Kibana/-Beats
+
+## Example Usage
+
+Edit the **hosts** file with the appropriate hosts. Edit the **install/group_vars/all.yml** file to match your desired configuration.
+
+To configure the ELK instance, run:
+
+```
+ansible-playbook -i hosts install/elk.yml
+```
+
+To configure the client instance, run (replacing 10.0.0.1 with the IP of the ELK instance):
+
+```
+ansible-playbook -i hosts install/elk-client.yml --extra-vars 'elk_server=10.0.0.1'
+```
+
+To configure log forwarding for a Cobalt Strike running on Ubuntu, run:
+
+```
+ansible-playbook -i hosts install/cs.yml --extra-vars 'elk_server=10.0.0.1 cs_path=/opt/cobaltstrike'
+```
+
+*note: Make sure to set the appropriate user name for SSH connections. The default is 'ec2-user'. You can override this when installing playbooks by specifying the 'ansible_system_user=username' in the --extra-vars option

ansible/hosts

@@ -0,0 +1,10 @@
+[elk]
+10.0.0.1
+
+[elk-client]
+10.0.0.2
+
+[elk-deb-client]
+10.0.0.3
+
+[cs]

ansible/install/alert.yml

@@ -0,0 +1,8 @@
+- hosts: elk
+  remote_user: "{{ ansible_system_user }}"
+  vars_files:
+    - group_vars/all.yml
+  become: yes
+  roles:
+    - { role: elastalert }
+

ansible/install/cs.yml

@@ -0,0 +1,11 @@
+---
+#
+# Playbook to install the ELK client utilities (Debian, Cobalt Strike Specific)
+#
+
+- hosts: cs
+  remote_user: "{{ ansible_system_user }}"
+  vars_files:
+    - group_vars/all.yml
+  roles:
+    - { role: elk_cs_client }

ansible/install/elk-client.yml

@@ -0,0 +1,14 @@
+---
+#
+# Playbook to install the ELK client utilities
+#
+
+- hosts: elk-client
+  remote_user: "{{ ansible_system_user }}"
+  vars_files:
+    - group_vars/all.yml
+  roles:
+    - { role: filebeat }
+    - { role: metricbeat, when: (install_metricbeat)}
+    - { role: packetbeat, when: (install_packetbeat)}
+    - { role: heartbeat, when: (install_heartbeat)}

ansible/install/elk-deb-client.yml

@@ -0,0 +1,12 @@
+---
+#
+# Playbook to install the ELK client utilities (Debian)
+#
+
+#requires Python2.7 callable as 'python' (e.g. use a symlink like 'ln -s /usr/bin/python2.7 /usr/bin/python')
+- hosts: elk-deb-client
+  remote_user: "{{ ansible_system_user }}"
+  vars_files:
+    - group_vars/all.yml
+  roles:
+    - { role: elk_deb_client }

ansible/install/elk.yml

@@ -0,0 +1,21 @@
+---
+#
+# Playbook to install the ELK stack
+#
+
+- hosts: elk
+  remote_user: "{{ ansible_system_user }}"
+  vars_files:
+    - group_vars/all.yml
+  become: yes
+  roles:
+    - { role: elasticsearch }
+    - { role: fluentd, when: (logging_backend == 'fluentd') }
+    - { role: logstash, when: ((logging_backend is none) or (logging_backend == 'logstash')) }
+    - { role: nginx }
+    - { role: curator, when: install_curator_tool }
+    - { role: kibana }
+    - { role: xpack, when: ((install_elasticsearch_xpack) or (install_kibana_xpack) or (install_logstash_xpack)) }
+    - { role: firewall, when: manage_firewall }  
+    - { role: instructions }
+    - { role: elastalert }

ansible/install/group_vars/all.yml

@@ -0,0 +1,107 @@
+---
+
+# Default Ansible user
+# change this if you use a non-root user for running Ansible playbooks
+ansible_system_user: ec2-user
+ansible_ssh_private_key_file: /home/ec2-user/DevLab.pem
+# EPEL Repository for extra packages
+epel_repo: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+
+########################################
+# ELK Server Variables
+########################################
+### FIREWALL MANAGEMENT ###
+# By default we will enable firewall management, this
+# will ensure if you're using either firewalld or iptables-services
+# that the proper service rules are applied and any existing rulesets
+# are saved.
+# DEFAULT: true
+# TO DISABLE: set to empty or false
+# NOTE: if you disable this you'll need to make sure you open up
+# equivalent firewall ports below or turn it off entirely (not recommended)
+# even if you leave firewall rules off you can safely leave this enabled
+# as the current firewall code will detect this and leave it alone.
+# if you really, really want to disable checking/applying service firewall rules
+# then change to 'false' or empty
+manage_firewall: true
+
+### nginx ###
+# add nonstandard port here for undercloud usage
+# note: you should use nonstandard ports for both here
+# if you choose to do this.
+#
+# usage: port nginx listens to reverse-proxy Kibana
+# default is 80
+# e.g. 8888
+nginx_kibana_port: 80
+#
+# usage: port filebeat client grabs the client SSL certificate
+# default is 8080
+# e.g. 9999
+elk_server_ssl_cert_port: 8080
+#
+# Kibana options
+# change this to affect nginx-wrapped htpasswd authentication
+kibana_user: admin
+kibana_password: admin
+
+### logging backend ###
+# you can pick between logstash or fluentd
+# if left empty logstash will be used
+### accepted options ###
+# logging_backend:
+# logging_backend: logstash
+# logging_backend: fluentd
+logging_backend: logstash
+#
+### logstash options ###
+logstash_syslog_port: 5044
+logstash_localsyslog_port: 5000
+### rsyslog options
+# set this to true if you want to accept
+# external syslog traffic
+syslog_listen_external: false
+### fluentd options ###
+fluentd_syslog_port: 42185
+fluentd_http_port: 9919
+fluentd_debug_port: 24230
+## elasticsearch local port listener
+# general usage will not need elasticsearch listening
+# outside of localhost, if you want to apply firewall rules
+# to allow external connections to elasticsearch change the below setting
+# to true
+# we will set this to false by default
+es_local_port: 9200
+es_listen_external: false
+### install curator tool ###
+# curator is the recommended tool for managing elasticsearch indexes
+# https://www.elastic.co/guide/en/elasticsearch/client/curator/current/index.html
+# default is no (set to blank) or false
+# set the below variable to 'true' to activate
+install_curator_tool: false
+## X-PACK
+# This installs an additional suite of tools from elastic
+# https://www.elastic.co/guide/en/x-pack/current/xpack-introduction.html
+# note: X-Pack will wrap ES with additional authentication, I do not
+# configure this for you, only install it.
+# most people will not need this for basic ELK usage.
+# default login/pass to Kibana for example is:
+# username: elastic
+# password: changeme
+# DO NOT CHANGE THIS UNLESS YOU CHANGE IT ON ES
+xpack_elastic_user_password: changeme
+# install elastic x-pack
+install_elasticsearch_xpack: false
+# install kibana x-pack
+install_kibana_xpack: false
+# install logstash x-pack
+install_logstash_xpack: false
+
+#Install Metricbeat
+install_metricbeat: true
+#Install Packetbeat
+install_packetbeat: false
+
+#This should be installed on only one server in your environment.
+#Install Heartbeat
+install_heartbeat: false

ansible/install/roles/curator/files/curator.repo

@@ -0,0 +1,6 @@
+[curator-3]
+name=CentOS/RHEL 7 repository for Elasticsearch Curator 3.x packages
+baseurl=http://packages.elastic.co/curator/3/centos/7
+gpgcheck=1
+gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
+enabled=1

ansible/install/roles/curator/tasks/main.yml

@@ -0,0 +1,61 @@
+
+---
+#
+# install curator tool for managing elasticsearch
+#
+
+- name: Copy curator yum repo file
+  copy:
+    src=curator.repo
+    dest=/etc/yum.repos.d/curator.repo
+    owner=root
+    group=root
+    mode=0644
+  become: true
+  when: install_curator_tool
+
+- name: Import curator GPG Key
+  rpm_key: key=http://packages.elastic.co/GPG-KEY-elasticsearch
+    state=present
+  when: install_curator_tool
+  become: true
+
+- name: Install curator and python-setuptools
+  yum: name={{ item }} state=present
+  become: true
+  with_items:
+    - python-elasticsearch-curator
+    - python-setuptools
+  when: install_curator_tool
+
+- name: Setup curator config
+  template:
+    src=curator-config.yml.j2
+    dest=/tmp/curator-config.yml
+    owner=root
+    group=root
+    mode=0644
+  become: true
+  when: install_curator_tool
+
+- name: Setup curator template file
+  template:
+    src=curator-action.yml.j2
+    dest=/tmp/curator-action.yml
+    owner=root
+    group=root
+    mode=0644
+  become: true
+  when: install_curator_tool
+
+# Runs cron job to cleanup indicies every weekday.
+- cron:
+    name: Curator run
+    weekday: '*'
+    minute: 0
+    hour: 12
+    user: root
+    job: "/usr/local/bin/curator --config /tmp/curator-config.yml /tmp/curator-action.yml >> /tmp/curator.log 2>&1"
+    cron_file: curator-daily-cleanup
+  when: install_curator_tool
+  become: true

ansible/install/roles/curator/templates/curator-action.yml.j2

@@ -0,0 +1,32 @@
+actions:
+#Closes indicies after 14 days to save on RAM
+  1:
+    action: close
+    description: close indices
+    options:
+      delete_aliases: False
+      timeout_override:
+      continue_if_exception: True
+      disable_action: False
+    filters:
+    -
+      filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: 14
+      exclude:
+#Deletes indicies after 30 days to clean up storage space.
+  2:
+    action: delete_indices
+    description: delete indices
+    filters:
+    -
+      filtertype: age
+      source: name
+      direction: older
+      timestring: '%Y.%m.%d'
+      unit: days
+      unit_count: 30
+      exclude:

ansible/install/roles/curator/templates/curator-config.yml.j2

@@ -0,0 +1,18 @@
+client:
+  hosts:
+    - 127.0.0.1: {{ es_local_port }}
+  url_prefix:
+  use_ssl: False
+  certificate:
+  client_cert:
+  client_key:
+  ssl_no_validate: True
+  http_auth:
+  timeout: 30
+  master_only: False
+
+logging:
+  loglevel: INFO
+  logfile: 
+  logformat: default
+  blacklist: ['elasticsearch', 'urllib3']