Merge pull request #837 from splunk/ar_improvements

Attack Range Improvements
splunk · Aug 2, 2023 · 87b7e68 · 87b7e68
2 parents a38fdd8 + 76ed475
commit 87b7e68
Show file tree

Hide file tree

Showing 5 changed files with 114 additions and 5 deletions.
diff --git a/modules/vagrant_controller.py b/modules/vagrant_controller.py
@@ -113,12 +113,12 @@ def show(self) -> None:
             instances.append([status.name, status.state])
             if status.name.startswith("ar-splunk"):
                 if self.config["splunk_server"]["install_es"] == "1":
-                    messages.append("\nAccess Splunk via:\n\tWeb > https://localhost:8000\n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password'])
+                    messages.append("\nAccess Splunk via:\n\tWeb > https://192.168.56.12:8000\n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password'])
                 else:
-                    messages.append("\nAccess Splunk via:\n\tWeb > http://localhost:8000\n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password'])
-                messages.append("\nAccess Guacamole via:\n\tWeb > http://localhost:8080/guacamole" + "\n\tusername: Admin \n\tpassword: " + self.config['general']['attack_range_password'])
+                    messages.append("\nAccess Splunk via:\n\tWeb > http://192.168.56.12:8000\n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password'])
+                messages.append("\nAccess Guacamole via:\n\tWeb > http://192.168.56.12:8080/guacamole" + "\n\tusername: Admin \n\tpassword: " + self.config['general']['attack_range_password'])
             elif status.name.startswith("ar-phantom"):
-                messages.append("\nAccess Phantom via:\n\tWeb > https://localhost:443 \n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password'])
+                messages.append("\nAccess Phantom via:\n\tWeb > https://192.168.56.13:8443 \n\tSSH > cd vagrant & vagrant ssh " + status.name + " \n\tusername: admin \n\tpassword: " + self.config['general']['attack_range_password'])
             elif status.name.startswith("ar-win"):
                 messages.append("\nAccess Windows via:\n\tRDP > rdp://localhost:" + str(5389 + int(status.name[-1])) + " \n\tusername: Administrator \n\tpassword: " + self.config['general']['attack_range_password'])
             elif status.name.startswith("ar-linux"):

diff --git a/packer/ansible/roles/phantom/tasks/install_phantom.yml b/packer/ansible/roles/phantom/tasks/install_phantom.yml
@@ -2,6 +2,7 @@
 # Install Phantom from RPM on a fresh CentOS 7 instance
 
 - name: Copy Splunk SOAR to server
+  become: true
   become_user: centos
   unarchive:
     src: "../../apps/{{ phantom_app }}"

diff --git a/packer/ansible/roles/phantom/tasks/install_phantom_local.yml b/packer/ansible/roles/phantom/tasks/install_phantom_local.yml
@@ -0,0 +1,88 @@
+---
+# Install Phantom from RPM on a fresh CentOS 7 instance
+
+- name: Creates directory
+  file:
+    path: /opt/soar
+    state: directory
+
+- name: Copy Splunk SOAR to server
+  unarchive:
+    src: "../../apps/{{ phantom_app }}"
+    dest: /home/vagrant
+
+- name: prepare phantom install script without apps
+  shell: sudo /home/vagrant/splunk-soar/soar-prepare-system --splunk-soar-home /opt/soar --no-prompt 
+
+- name: copy splunk soar folder
+  shell: cp -r /home/vagrant/splunk-soar /home/phantom/splunk-soar
+
+- name: chown splunk soar folder
+  shell: chown -R phantom. /home/phantom/splunk-soar
+
+# - name: Copy Splunk SOAR to server
+#   become_user: phantom
+#   unarchive:
+#     src: "../../apps/{{ phantom_app }}"
+#     dest: /home/phantom
+
+- name: run the phantom install script 
+  become_user: phantom
+  shell: ./soar-install --splunk-soar-home /opt/soar --no-prompt --ignore-warnings
+  args:
+    chdir: /home/phantom/splunk-soar
+
+# - name: upgrade all packages
+#   yum:
+#     name: '*'
+#     state: latest
+
+# - name: check if phantom is installed
+#   stat: path=/opt/phantom
+#   register: phantom_path
+
+# - name: debug print if phantom is installed
+#   debug: msg='phantom is already installed under /opt/phantom'
+#   when: phantom_path.stat.exists
+
+
+# - name: install the phantom setup rpm from the community repository
+#   yum:
+#     name: '{{ phantom_repo_url }}'
+#     state: present
+
+# # installing apps takes 15+ minutes longer, so later we will install just the apps we need
+# - name: run the phantom install script without apps
+#   shell: printf "{{phantom_community_username}}\n{{phantom_community_password}}\n" | /opt/phantom/bin/phantom_setup.sh install --no-prompt --without-apps --version={{phantom_version}}
+#   async: 1800
+#   poll: 60
+
+# - name: install whois app
+#   yum:
+#     name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_whois-2.1.0.x86_64.rpm
+#     state: present
+
+# - name: install maxmind app
+#   yum:
+#     name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_maxmind-2.0.23.x86_64.rpm
+#     state: present
+
+# - name: install dns app
+#   yum:
+#     name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_dns-2.0.22.x86_64.rpm
+#     state: present
+
+# - name: install phishtank app
+#   yum:
+#     name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_phishtank-2.0.1.x86_64.rpm
+#     state: present
+
+# - name: install splunk app
+#   yum:
+#     name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_splunk-2.2.3.x86_64.rpm
+#     state: present
+
+# - name: install winrm app
+#   yum:
+#     name: https://repo.phantom.us/phantom/4.10/apps/x86_64/phantom_winrm-2.0.1.x86_64.rpm
+#     state: present
diff --git a/packer/ansible/roles/phantom/tasks/main.yml b/packer/ansible/roles/phantom/tasks/main.yml
@@ -2,3 +2,7 @@
 # This playbook contains common tasks in this role
 
 - include: install_phantom.yml
+  when: cloud_provider != "local"
+
+- include: install_phantom_local.yml
+  when: cloud_provider == "local"
diff --git a/vagrant/phantom_server/Vagrantfile b/vagrant/phantom_server/Vagrantfile
@@ -4,8 +4,24 @@ config.vm.define "ar-phantom-{{config.general.key_name}}-{{config.general.attack
     config.vm.hostname = "#{VM_NAME_P}"
     config.vm.boot_timeout = 600
     config.vm.network "forwarded_port", guest: 443, host: 8443, protocol: "tcp"
-    config.vm.network :private_network, ip: "10.0.1.13"
+    config.vm.network :private_network, ip: "192.168.56.13"
 
+    config.vm.provision "ansible" do |ansible|
+      ansible.playbook = "../packer/ansible/phantom_server.yml"
+      ansible.compatibility_mode = "2.0"
+      ansible.extra_vars = {
+{% for key, value in config.general.items() %}
+        {{ key }}: "{{ value }}",
+{% endfor %}
+{% for key, value in config.splunk_server.items() %}
+        {{ key }}: "{{ value }}",
+{% endfor %}
+{% for key, value in config.phantom_server.items() %}
+            {{ key }}: "{{ value }}",
+{% endfor %}
+      }
+    end
+
     config.vm.provision "ansible" do |ansible|
         ansible.playbook = "../terraform/ansible/phantom_server.yml"
         ansible.compatibility_mode = "2.0"