cisagov / cool-assessment-terraform

Terraform to deploy an assessment environment to the COOL
Creative Commons Zero v1.0 Universal

Allow SSH and WINRM between instances #246

Closed m1j09830 closed 2 months ago

m1j09830 commented 2 months ago

💡 Summary

The RVA team would like to request that SSH and WINRM be allowed between instances in their environment to allow for more scripting during the setup process.

Motivation and context

As RVA assessments mature, the team is using Ansible more and more, which will require ssh/winrm access between kali/ptp/teamserver/windows/gophish boxes. Currently the team is having to piece together scripts to run on individual instances, which can slow down the setup process and result in inefficiencies.

Implementation notes

The team will be using Ansible scripts to deploy the setup of the COOL environment to include but not limited to:

Acceptance criteria

How do we know when this work is done?

dav3r commented 2 months ago

@m1j09830 In the "Motivation and context" section of the PR description, you mentioned the Gophish instances, but I didn't see a corresponding item in the "Acceptance criteria" section. Can you please either add an acceptance checklist item for Gophish or else remove it from the "Motivation and context" section if it was inadvertently included there?

jsf9k commented 2 months ago

@m1j09830 - Were you planning to use the vnc user for your Ansible sshing? I think it already has an ssh key that should get you onto any other instance that has a vnc user, i.e., any instance that is accessible via Guacamole. That's probably the easiest path forward.

I don't remember if any of the instance types you mentioned aren't accessible via Guacamole, but if so then we could always just add the vnc user to those instances' AMIs.

m1j09830 commented 2 months ago

> @m1j09830 In the "Motivation and context" section of the PR description, you mentioned the Gophish instances, but I didn't see a corresponding item in the "Acceptance criteria" section. Can you please either add an acceptance checklist item for Gophish or else remove it from the "Motivation and context" section if it was inadvertently included there?

My fault, I just missed that in the Acceptance criteria section. It's been added.

m1j09830 commented 2 months ago

> @m1j09830 - Were you planning to use the vnc user for your Ansible sshing? I think it already has an ssh key that should get you onto any other instance that has a vnc user, i.e., any instance that is accessible via Guacamole. That's probably the easiest path forward.
>
> I don't remember if any of the instance types you mentioned aren't accessible via Guacamole, but if so then we could always just add the vnc user to those instances' AMIs.

Yes sir, that would be the idea. Shouldn't be a need to create any additional users or keys. All of the instances we'll be interacting with have Guacamole, so we should be good there.

dav3r commented 2 months ago

Regarding "Kali can communicate with CommandoVM via WINRM (5985/tcp)", all ports between our Kali and Windows instances are already open. This has been the case ever since Windows instances were added in https://github.com/cisagov/cool-assessment-terraform/pull/150 (specifically https://github.com/cisagov/cool-assessment-terraform/pull/150/commits/1e08d8fe6cc34ca02949e2a51e729936e2b46d20).

I went ahead and checked the appropriate "Acceptance criteria" checkbox above for this.