
Attack Range Local (ubuntu 22.04)

ejohns
Loves-to-Learn

I'm trying to build a Local Attack Range but it fails when it tries to restart the splunk.service. The Splunk instance does restart but fails when the systemctl command is implemented. I did ensure that THP was disabled, SELinux was disabled and ulimits were set properly on the host.

I did increase the timeout but it fails to restart even after 30 minutes. The "python attack_range.py build" does successfully create the Splunk instance and installs all the required apps & TAs. It just fails to restart Splunk Enterprise as a systemd service within the Vagrant VM.

Any feedback would be appreciated!!!

TASK [splunk_server_post : change password splunk] *****************************

changed: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server_post : restart splunk] *************************************

fatal: [ar-splunk-attack-range-key-pair-ar]: FAILED! => {"changed": false, "msg": "Unable to restart service splunk: Job for splunk.service failed because a timeout was exceeded.\nSee \"systemctl status splunk.service\" and \"journalctl -xe\" for details.\n"}

RUNNING HANDLER [splunk_server_post : restart splunk] **************************

PLAY RECAP *********************************************************************

ar-splunk-attack-range-key-pair-ar : ok=139 changed=64  unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Ansible failed to complete successfully. Any error output should be visible above. Please fix these errors and try again.

2024-09-19 16:22:49,709 - ERROR - attack_range - vagrant failed to build (attack-range-py3.8) aradmin@attackrange:~/attack_range$

Here is my attack_range yml file:

general:
  attack_range_password: "xxxxx"
  cloud_provider: local
  use_prebuilt_images_with_packer: "0"
  ingest_bots3_data: "1"
local:
splunk_server:
  # Enable Enterprise Security
  install_es: "1"

  # Save to the apps folder from Attack Range
  splunk_es_app: "splunk-enterprise-security_732.spl"

phantom_server:
  phantom_server: "0"
  # Enable/Disable Phantom Server
kali_server:
  kali_server: "1"
windows_servers:
  - hostname: ar-win-dc
    windows_image: windows-server-2022
    create_domain: '1'
    install_red_team_tools: '1'
    bad_blood: '1'
  - hostname: ar-win-2
    windows_image: windows-2019-v3-0-0
    join_domain: '1'
    install_red_team_tools: '1'
linux_servers:
  - hostname: ar-linux
0 Karma

PaulPanther
Motivator

Check out: ansible.builtin.file module – Manage files and file properties — Ansible Community Documentation

- name: Recursively change ownership of a directory
  ansible.builtin.file:
    path: /etc/foo
    state: directory
    recurse: yes
    owner: foo
    group: foo
0 Karma

PaulPanther
Motivator

What happens when you execute the restart command manually? Do you use the correct user in your ansible script? Maybe you have to set "become: true" if splunk runs under root.

0 Karma

ejohns
Loves-to-Learn

I did fix the restart issue.

But in the $HOME/attack_range/terraform/ansible/roles/splunk_server_post/tasks/install_enterprise_security.yml, the following stanza fails:

- name: Run es post-install setup
  command: "/opt/splunk/bin/splunk search '| essinstall --ssl_enablement auto' -auth admin:{{ general.attack_range_password }}"
  become: yes
  async: 600
  poll: 60

It seems that the ownership of the Splunk install path is either root or the uid/gid (10777) of the person that built the tar ball. How can I get the path ownership to be owned by my user (aradmin)? Is this done with the "become: true" flag? Where do I need to update the scripts?
0 Karma
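Putting Paul's ansible.builtin.file suggestion and the ownership question above together, here is an added example task list (not Attack Range's own role code and not from either poster) that hands the /opt/splunk tree to the account splunk.service actually runs as, verifies nothing is left owned by another uid, and then restarts through systemd with privilege escalation. The install path /opt/splunk, the fallback account name "splunk", a group of the same name, and the variable name splunk_user are assumptions.

```yaml
# Added example, not part of Attack Range. Assumes Splunk lives under
# /opt/splunk and that a local user and group named "splunk" exist as the
# fallback when the unit sets no User= (both are assumptions).
- name: Read which user splunk.service runs as
  ansible.builtin.command: systemctl show splunk.service -p User --value
  register: splunk_unit_user
  changed_when: false

- name: Fall back to the "splunk" account when the unit sets no User=
  ansible.builtin.set_fact:
    splunk_user: "{{ (splunk_unit_user.stdout | trim) | default('splunk', true) }}"

# Equivalent of chown -R on the whole install tree; this is the step that
# replaces the build-host uid/gid (10777 in the thread) with the service user.
- name: Recursively hand the Splunk install tree to the service account
  ansible.builtin.file:
    path: /opt/splunk
    state: directory
    recurse: yes
    owner: "{{ splunk_user }}"
    group: "{{ splunk_user }}"
  become: yes

# Fail loudly if any file is still owned by a different uid, so a partial
# chown does not surface later as an opaque systemd start timeout.
- name: Confirm nothing under /opt/splunk is owned by another uid
  ansible.builtin.command: find /opt/splunk ! -user {{ splunk_user }}
  register: foreign_owned
  changed_when: false
  failed_when: foreign_owned.stdout | length > 0
  become: yes

# become: yes is needed here regardless of the service user, because
# systemctl restart itself requires root (or equivalent polkit rights).
- name: Restart Splunk through systemd
  ansible.builtin.systemd:
    name: splunk
    state: restarted
  become: yes
```

If the unit does run as root, splunk_user resolves to "root" and the chown step hands the tree back to root rather than to the build-host uid.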