Merge pull request #6 from dsiemienas03/post-inv2

Post WRCCDC Inv. 2

Dockerfile

@@ -21,16 +21,6 @@ RUN useradd ansible -ms /bin/bash
 
 WORKDIR /home/ansible
 USER ansible
-RUN set -ex ;\
-    mkdir config ;\
-    mkdir data ;\
-    mkdir dsu ;\
-    mkdir playbooks ;\
-    mkdir .ssh ;\
-    chmod 700 data ;\
-    chmod 700 .ssh ;\
-    chown ansible:ansible data ;\
-    chown ansible:ansible .ssh
 
 COPY --chown=ansible:ansible config/ ./config
 

src/.bashrc

@@ -0,0 +1,117 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
+# for examples
+
+# If not running interactively, don't do anything
+case $- in
+    *i*) ;;
+      *) return;;
+esac
+
+# don't put duplicate lines or lines starting with space in the history.
+# See bash(1) for more options
+HISTCONTROL=ignoreboth
+
+# append to the history file, don't overwrite it
+shopt -s histappend
+
+# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
+HISTSIZE=1000
+HISTFILESIZE=2000
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# If set, the pattern "**" used in a pathname expansion context will
+# match all files and zero or more directories and subdirectories.
+#shopt -s globstar
+
+# make less more friendly for non-text input files, see lesspipe(1)
+[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
+    debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+    xterm-color|*-256color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+        # We have color support; assume it's compliant with Ecma-48
+        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+        # a case would tend to support setf rather than setaf.)
+        color_prompt=yes
+    else
+        color_prompt=
+    fi
+fi
+
+if [ "$color_prompt" = yes ]; then
+    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+else
+    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+fi
+unset color_prompt force_color_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
+    ;;
+*)
+    ;;
+esac
+
+# enable color support of ls and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+    alias ls='ls --color=auto'
+    #alias dir='dir --color=auto'
+    #alias vdir='vdir --color=auto'
+
+    alias grep='grep --color=auto'
+    alias fgrep='fgrep --color=auto'
+    alias egrep='egrep --color=auto'
+fi
+
+# colored GCC warnings and errors
+#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
+
+# some more ls aliases
+alias ll='ls -alF'
+alias la='ls -A'
+alias l='ls -CF'
+
+# Add an "alert" alias for long running commands.  Use like so:
+#   sleep 10; alert
+alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
+
+# Alias definitions.
+# You may want to put all your additions into a separate file like
+# ~/.bash_aliases, instead of adding them here directly.
+# See /usr/share/doc/bash-doc/examples in the bash-doc package.
+
+if [ -f ~/.bash_aliases ]; then
+    . ~/.bash_aliases
+fi
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if ! shopt -oq posix; then
+  if [ -f /usr/share/bash-completion/bash_completion ]; then
+    . /usr/share/bash-completion/bash_completion
+  elif [ -f /etc/bash_completion ]; then
+    . /etc/bash_completion
+  fi
+fi

src/data/vars/important_ips.yml

@@ -0,0 +1,19 @@
+---
+# Whiteteam IPs
+white_mask: 10.120.0.0/24
+white_ntp: 10.120.0.10
+white_dns: 10.120.0.53
+white_ccs: 10.120.0.111
+white_proxy: 10.120.0.200
+white_inject: 10.120.0.110
+white_chat: 10.120.0.200
+# white_phone: 10.120.0.100
+
+# Critical IPs
+wazuh: 1.1.1.1
+wazuh_port: 1516
+wazuh_protocol: TCP
+
+# Remote IPS
+# remote_ip: 172.16.1.
+remote_net: 172.16.1.0/24

src/data/interface_map.yml → src/data/vars/interface_map.yml

@@ -1,53 +1,54 @@
 ---
-palo:
+palo_zone:
   zones:
     ethernet1/1:
       zone: wan
     ethernet1/2:
       zone: lan
     # ethernet1/3:
-      # zone:
+    # zone:
     # ethernet1/4:
-      # zone:
+    # zone:
     # ethernet1/5:
-      # zone:
+    # zone:
     # ethernet1/6:
-      # zone:
+    # zone:
     # ethernet1/7:
-      # zone:
+    # zone:
     ethernet1/8:
       zone: mgt
     # ethernet1/9:
-      # zone:
+    # zone:
     # ethernet1/10:
-      # zone:
+    # zone:
     # ethernet1/11:
-      # zone:
+    # zone:
     # ethernet1/12:
-      # zone:
-cisco:
+    # zone:
+
+cisco_zone:
   zones:
     ethernet1/1:
       zone: wan
     ethernet1/2:
       zone: lan
     # ethernet1/3:
-      # zone:
+    # zone:
     # ethernet1/4:
-      # zone:
+    # zone:
     # ethernet1/5:
-      # zone:
+    # zone:
     # ethernet1/6:
-      # zone:
+    # zone:
     # ethernet1/7:
-      # zone:
+    # zone:
     # ethernet1/8:
-      # zone:
+    # zone:
     # ethernet1/9:
-      # zone:
+    # zone:
     # ethernet1/10:
-      # zone:
+    # zone:
     # ethernet1/11:
-      # zone:
+    # zone:
     # ethernet1/12:
-      # zone:
+    # zone:

src/data/service_map.yml → src/data/vars/service_map.yml

@@ -18,13 +18,20 @@ palo:
       - pop3
     smtp:
       - smtp
+    imap:
+      - imap
     http:
       - web-browsing
     email:
+      - imap
       - pop3
       - smtp
     git:
       - git
+    db:
+      - mysql
+      - postgres
+      - mongodb
 
 cisco:
   svc:
@@ -35,6 +42,8 @@ wrccdc_fw:
       port: 22
     http:
       port: 80
+    https:
+      port: 443
     smb:
       port: 445
     ftp:

src/playbooks/palo-beta.yml

@@ -35,10 +35,9 @@
           Logging: "{{ palo_config_logging }}"
           Initial Rules: "{{ palo_config_initial_rules }}"
           PANOS Version: "{{ palo_panos_version }}"
-          # IP Range: "{{ ip_range }}"
-          # Network: "{{ ip_range_mask }}"
           Wazuh: "{{ wazuh }}"
           Wazuh Port: "{{ wazuh_port }}"
+          Remote Networks: "{{ remote_net }}"
 
     - name: Tags
       ansible.builtin.import_role:
@@ -64,6 +63,7 @@
     - name: Wait for System Information
       paloaltonetworks.panos.panos_op:
         provider: "{{ provider }}"
+        device_group: "{{ device_group if device_group is defined else omit }}"
         cmd: show system info
       register: system_info
       until: system_info is not failed

src/playbooks/palo-init.yml

@@ -15,7 +15,7 @@
     palo_config_initial_rules: true
     palo_config_logging: true
     palo_config_initial_groups: true
-    palo_update_other: true
+    palo_update_other: false
     palo_update_os: false
 
   tasks:
@@ -29,17 +29,27 @@
 
     - name: Load vars
       ansible.builtin.include_vars:
-        dir: ~/data/vars/
+        dir: /home/ansible/data/vars/
 
     - name: Print configs
       ansible.builtin.debug:
         msg:
           Update OS: "{{ palo_update_os }}"
           Update Other: "{{ palo_update_other }}"
           PANOS Version: "{{ palo_panos_version }}"
-          FW Net: "{{ fw_mask }}"
-          Wazuh: "{{ wazuh }}"
-          Wazuh Port: "{{ wazuh_port }}"
+          FW Net: "{{ lan_net }}"
+          Wazuh: "{{ wazuh | default(omit) }}"
+          Wazuh Port: "{{ wasuh_port | default(omit) }}"
+
+    - name: Print Important IPs
+      ansible.builtin.debug:
+        msg:
+          Phone: "{{ white_phone | default(omit) }}"
+          CCS: "{{ white_ccs }}"
+          Proxy: "{{ white_proxy }}"
+          Mask: "{{ white_mask }}"
+          NTP: "{{ white_ntp }}"
+          DNS: "{{ white_dns }}"
 
     - name: Print options
       ansible.builtin.debug:
@@ -49,9 +59,18 @@
           Logging: "{{ palo_config_logging }}"
           Initial Rules: "{{ palo_config_initial_rules }}"
           Initial Zones: "{{ palo_config_initial_zones }}"
+
     - name: Confirm config
       ansible.builtin.pause:
 
+    - name: Set dns and panorama
+      paloaltonetworks.panos.panos_mgtconfig:
+        provider: "{{ provider }}"
+        device_group: "{{ device_group if device_group is defined else omit }}"
+        dns_server_primary: "{{ local_dns }}"
+        dns_server_secondary: "{{ white_dns }}"
+        ntp_server_primary: "{{ white_ntp }}"
+
     # Updates
     - name: Palo OS Update
       ansible.builtin.import_role:
@@ -142,6 +161,7 @@
     - name: Wait for System Information
       paloaltonetworks.panos.panos_op:
         provider: "{{ provider }}"
+        device_group: "{{ device_group if device_group is defined else omit }}"
         cmd: show system info
       register: system_info
       until: system_info is not failed