Attack Range Local (ubuntu 22.04)

ejohns
Loves-to-Learn

I'm trying to build a Local Attack Range but it fails when it tries to restart the splunk.service. The Splunk instance does restart but fails when the systemctl command is implemented. I did ensure that THP was disabled, SELinux was disabled and ulimits were set properly on the host.

I did increase the timeout but it fails to restart even after 30 minutes. The "python attack_range.py build" does successfully create the Splunk instance and installs all the required apps & TAs. It just fails when restarting Splunk Enterprise as a systemd service within the Vagrant VM.

Any feedback would be appreciated!!!

TASK [splunk_server_post : change password splunk] *****************************

changed: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server_post : restart splunk] *************************************

fatal: [ar-splunk-attack-range-key-pair-ar]: FAILED! => {"changed": false, "msg": "Unable to restart service splunk: Job for splunk.service failed because a timeout was exceeded.\nSee \"systemctl status splunk.service\" and \"journalctl -xe\" for details.\n"}

RUNNING HANDLER [splunk_server_post : restart splunk] **************************

PLAY RECAP *********************************************************************

ar-splunk-attack-range-key-pair-ar : ok=139 changed=64  unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Ansible failed to complete successfully. Any error output should be visible above. Please fix these errors and try again.

2024-09-19 16:22:49,709 - ERROR - attack_range - vagrant failed to build (attack-range-py3.8) aradmin@attackrange:~/attack_range$

Here is my attack_range yml file:

general:
  attack_range_password: "xxxxx"
  cloud_provider: local
  use_prebuilt_images_with_packer: "0"
  ingest_bots3_data: "1"
local:
splunk_server:
  # Enable Enterprise Security
  install_es: "1"

  # Save to the apps folder from Attack Range
  splunk_es_app: "splunk-enterprise-security_732.spl"

phantom_server:
  phantom_server: "0"
  # Enable/Disable Phantom Server
kali_server:
  kali_server: "1"
windows_servers:
  - hostname: ar-win-dc
    windows_image: windows-server-2022
    create_domain: '1'
    install_red_team_tools: '1'
    bad_blood: '1'
  - hostname: ar-win-2
    windows_image: windows-2019-v3-0-0
    join_domain: '1'
    install_red_team_tools: '1'
linux_servers:
  - hostname: ar-linux
0 Karma

PaulPanther
Motivator

Check out: ansible.builtin.file module – Manage files and file properties — Ansible Community Documentation

- name: Recursively change ownership of a directory
  ansible.builtin.file:
    path: /etc/foo
    state: directory
    recurse: yes
    owner: foo
    group: foo
0 Karma

PaulPanther
Motivator

What happens when you execute the restart command manually? Do you use the correct user in your ansible script? Maybe you have to set "become: true" if splunk runs under root.

0 Karma

ejohns
Loves-to-Learn

I did fix the restart issue

But in the $HOME/attack_range/terraform/ansible/roles/splunk_server_post/tasks/install_enterprise_security.yml, the following stanza fails:

- name: Run es post-install setup
  command: "/opt/splunk/bin/splunk search '| essinstall --ssl_enablement auto' -auth admin:{{ general.attack_range_password }}"
  become: yes
  async: 600
  poll: 60
 
It seems that the ownership of the Splunk install path is either root or the uid/gid (10777) of the person that built the tarball. How can I get the path to be owned by my user (aradmin)? Is this done with the "become: true" flag? Where do I need to update the scripts?
0 Karma
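A quick way to answer PaulPanther's "do you use the correct user?" question and ejohns's ownership question from inside the VM, as an added diagnostic script that is not part of Attack Range or of either poster's code: it reads User= from the splunk systemd unit (falling back to root when the line is absent, which is what systemd does), lists everything under the install path that is not owned by that user, and prints the chown that would fix it. The paths /opt/splunk and /etc/systemd/system/splunk.service are assumed defaults passed as arguments, and the function names are this script's own. It refuses to run when the service user has no local account, because find reports nothing for an unknown user and that would look like a clean result.

```shell
#!/bin/sh
# Added diagnostic (not part of Attack Range): does the Splunk install tree
# belong to the user that splunk.service runs as? Usage (paths are assumed
# defaults, pass whatever your VM actually uses):
#   sh check_splunk_owner.sh /opt/splunk /etc/systemd/system/splunk.service

# User= from a unit file. systemd runs a service as root when the line is
# absent, so that is the fallback here too.
unit_user() {
    u=$(sed -n 's/^[[:space:]]*User=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$u" ]; then
        printf '%s\n' "$u"
    else
        printf 'root\n'
    fi
}

# Every path under $1 whose owner is not $2 (user name or numeric uid).
foreign_paths() {
    find "$1" ! -user "$2" 2>/dev/null
}

# How many such paths; 0 means the tree is consistent with that user.
count_foreign() {
    foreign_paths "$1" "$2" | wc -l | tr -d ' '
}

# Returns 0 if consistent, 1 on a mismatch (and prints the fix), 2 on bad input.
check_ownership() {
    dir="$1"
    unit="$2"
    if [ ! -d "$dir" ] || [ ! -r "$unit" ]; then
        echo "usage: check_ownership <install-dir> <unit-file>" >&2
        return 2
    fi
    svc_user=$(unit_user "$unit")
    # find prints nothing for an unknown user, which would read as "all good".
    # A uid that exists only inside the tarball (e.g. 10777) is exactly that
    # case, so insist on a real local account before trusting the count.
    if ! id -u "$svc_user" >/dev/null 2>&1; then
        echo "ERROR: $unit runs the service as '$svc_user', which is not a local user" >&2
        return 2
    fi
    n=$(count_foreign "$dir" "$svc_user")
    if [ "$n" -eq 0 ]; then
        echo "OK: everything under $dir is owned by $svc_user"
        return 0
    fi
    grp=$(id -gn "$svc_user")
    echo "MISMATCH: $n path(s) under $dir are not owned by $svc_user, e.g.:"
    foreign_paths "$dir" "$svc_user" | head -n 5
    echo "Fix (as root): chown -R $svc_user:$grp $dir && systemctl restart splunk"
    return 1
}

# Run the check when invoked with arguments; silent when sourced.
if [ "$#" -eq 2 ]; then
    check_ownership "$1" "$2"
fi
```

Run it as root (or via sudo) so find can read every directory under /opt/splunk. If the unit says User=root while Ansible copies files as aradmin, or the unit says User=splunk while the untarred tree still carries the builder's uid, this is the mismatch systemd surfaces only as a restart timeout; once the tree and the unit agree, re-run the restart and read journalctl -u splunk for anything that remains.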