
Attack Range Local (ubuntu 22.04)

ejohns
Loves-to-Learn

I'm trying to build a Local Attack Range but it fails when it tries to restart the splunk.service. The Splunk instance does restart but fails when the systemctl command is implemented. I did ensure that THP was disabled, SELinux was disabled and ulimits were set properly on the host.

I did increase the timeout but it fails to restart even after 30 minutes. The "python attack_range.py build" does successfully create the Splunk instance and installs all the required apps & TAs. It just fails when restarting Splunk Enterprise as a systemd service within the Vagrant VM.

Any feedback would be appreciated!!!

TASK [splunk_server_post : change password splunk] *****************************
changed: [ar-splunk-attack-range-key-pair-ar]

TASK [splunk_server_post : restart splunk] *************************************
fatal: [ar-splunk-attack-range-key-pair-ar]: FAILED! => {"changed": false, "msg": "Unable to restart service splunk: Job for splunk.service failed because a timeout was exceeded.\nSee \"systemctl status splunk.service\" and \"journalctl -xe\" for details.\n"}

RUNNING HANDLER [splunk_server_post : restart splunk] **************************

PLAY RECAP *********************************************************************
ar-splunk-attack-range-key-pair-ar : ok=139 changed=64  unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Ansible failed to complete successfully. Any error output should be visible above. Please fix these errors and try again.

2024-09-19 16:22:49,709 - ERROR - attack_range - vagrant failed to build
(attack-range-py3.8) aradmin@attackrange:~/attack_range$

Here is my attack_range yml file:

general:
  attack_range_password: "xxxxx"
  cloud_provider: local
  use_prebuilt_images_with_packer: "0"
  ingest_bots3_data: "1"
local:
splunk_server:
  # Enable Enterprise Security
  install_es: "1"

  # Save to the apps folder from Attack Range
  splunk_es_app: "splunk-enterprise-security_732.spl"

phantom_server:
  phantom_server: "0"
  # Enable/Disable Phantom Server
kali_server:
  kali_server: "1"
windows_servers:
  - hostname: ar-win-dc
    windows_image: windows-server-2022
    create_domain: '1'
    install_red_team_tools: '1'
    bad_blood: '1'
  - hostname: ar-win-2
    windows_image: windows-2019-v3-0-0
    join_domain: '1'
    install_red_team_tools: '1'
linux_servers:
  - hostname: ar-linux
0 Karma

PaulPanther
Builder

Check out: ansible.builtin.file module – Manage files and file properties — Ansible Community Documentation

- name: Recursively change ownership of a directory
  ansible.builtin.file:
    path: /etc/foo
    state: directory
    recurse: yes
    owner: foo
    group: foo
0 Karma

PaulPanther
Builder

What happens when you execute the restart command manually? Do you use the correct user in your ansible script? Maybe you have to set "become: true" if splunk runs under root.

0 Karma

ejohns
Loves-to-Learn

I did fix the restart issue

But in the $HOME/attack_range/terraform/ansible/roles/splunk_server_post/tasks/install_enterprise_security.yml, the following stanza fails:

- name: Run es post-install setup
  command: "/opt/splunk/bin/splunk search '| essinstall --ssl_enablement auto' -auth admin:{{ general.attack_range_password }}"
  become: yes
  async: 600
  poll: 60

It seems that the OWNERSHIP OF THE splunk install path is either root or the uid/gid (10777) of the person that built the tarball. How can I get the path ownership to be owned by my user (aradmin)? Is this done with the "become: true" flag? Where do I need to update the scripts?
0 Karma
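As an added example, not taken from this thread or from Attack Range's own roles, the playbook below applies the ansible.builtin.file suggestion from PaulPanther's reply together with a `become: true` systemd restart: it reads the account splunk.service actually runs as, refuses to proceed if that account is not the expected one, chowns the install tree to it, then restarts the unit. It assumes a host group named `splunk`, an install path of `/opt/splunk`, and a non-root service account named `splunk` (the `User=` set when Splunk was enabled as a systemd-managed service); adjust those variables for your environment.

```yaml
# Added example (not Attack Range code): keep /opt/splunk owned by the
# account the systemd unit runs as, then restart the unit as root.
- name: Align Splunk install ownership with the service account
  hosts: splunk
  become: true            # chown of /opt/splunk and systemctl need root
  vars:
    splunk_home: /opt/splunk   # assumed install path
    splunk_user: splunk        # assumed User= in splunk.service
    splunk_group: splunk       # assumed group for the install tree
  tasks:
    - name: Read the account configured in the systemd unit
      ansible.builtin.command: systemctl show -p User --value splunk.service
      register: unit_user
      changed_when: false

    - name: Stop if the unit runs as a different account than expected
      ansible.builtin.assert:
        that: unit_user.stdout == splunk_user
        fail_msg: >-
          splunk.service runs as '{{ unit_user.stdout | default("root", true) }}',
          not '{{ splunk_user }}'; fix the unit (or splunk_user) before chowning.

    - name: Recursively set ownership of the Splunk install tree
      ansible.builtin.file:
        path: "{{ splunk_home }}"
        state: directory
        recurse: true
        owner: "{{ splunk_user }}"
        group: "{{ splunk_group }}"

    - name: Restart Splunk through systemd
      ansible.builtin.systemd:
        name: splunk
        state: restarted
        daemon_reload: true
```

If the assert fails because `User=` is empty, the unit is running Splunk as root; the safer fix is to point the unit at the dedicated service account rather than chowning the tree to root or to a personal login such as aradmin.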