Open uwardlaw opened 2 years ago
In response to this issue, I have compiled some preliminary requirements and files that will be useful. One of the main requirements for the DCO environment not captured in the documents is that we will need snapshots of a clean network and also snapshots of the environment after exploits have been run. This alleviates the dependence on students doing things right in OCO to cause effect for DCO. Having an "exploited" snapshot will allow every class to run off the same baseline network.
The files contain the following information:
- Define DCO Lab environment.docx - Defines specific host requirements
- PossibleExploits.txt - Lists possible exploits that can be present on the Ops Network
- winlogbeat.yml.txt - A winlogbeat YAML configuration file. Can be used for all winlogbeat deployments
- load_fakedomainusers2.ps1.txt - PowerShell script generated by the Youzer tool to create fake domain accounts
- fakedomainusers2.csv - Used by the above script. Contains fake user information
- CreateTestADUsers.ps1.txt - Alternate script for generating Active Directory users
- FirstLastEurope.csv - Used by CreateTestADUsers.ps1. Contains a list of first and last names
*NOTE - The user generation scripts require the domain to exist, so the scripts will have to be edited to reflect whatever the actual domain name is on the range.
fakedomainusers2.csv load_fakedomainusers2.ps1.txt CreateTestADUsers.ps1.txt FirstLastEurope.csv winlogbeat.yml.txt Define DCO Lab environment.docx PossibleExploits.txt
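The note above says the attached user-generation scripts have to be hand-edited for whatever domain name the range ends up with. The following is an added example (not one of the scripts attached to this issue) of the same job done without a hard-coded domain: the domain's DNS name and default Users container are read from the DC at run time via Get-ADDomain, so the script runs unchanged on any range. It assumes the RSAT ActiveDirectory module is installed on the host it runs from, and it assumes a constructed CSV layout with FirstName, LastName and Password columns; that is not the layout of fakedomainusers2.csv or FirstLastEurope.csv.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the issue's attached scripts. Creates lab domain users
# from a CSV without hard-coding the domain: DNS name and Users container are
# discovered from the DC at run time, so the same file works on any range.
# ASSUMPTION: CSV columns are FirstName,LastName,Password (constructed layout).
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [string] $TargetOU   # optional target DN; defaults to the domain's Users container
)

Import-Module ActiveDirectory

$domain    = Get-ADDomain            # throws if the host is not joined to a domain
$upnSuffix = $domain.DNSRoot         # e.g. the range's actual DNS domain name
if (-not $TargetOU) { $TargetOU = $domain.UsersContainer }

$created = 0
foreach ($u in Import-Csv -Path $CsvPath) {
    # sAMAccountName: first initial + surname, lower-case, ASCII alphanumerics, max 20 chars
    $sam = ('{0}{1}' -f $u.FirstName.Substring(0, 1), $u.LastName).ToLower() -replace '[^a-z0-9]', ''
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Idempotent: re-running against the same snapshot skips accounts that already exist
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Verbose "Skipping $sam (already exists)"
        continue
    }

    $secure = ConvertTo-SecureString -String $u.Password -AsPlainText -Force
    New-ADUser -Name "$($u.FirstName) $($u.LastName)" `
        -GivenName $u.FirstName `
        -Surname $u.LastName `
        -SamAccountName $sam `
        -UserPrincipalName "$sam@$upnSuffix" `
        -Path $TargetOU `
        -AccountPassword $secure `
        -Enabled $true `
        -ChangePasswordAtLogon $false
    Write-Verbose "Created $sam@$upnSuffix in $TargetOU"
    $created++
}

Write-Output "Created $created user(s) in $($domain.DNSRoot)"
```

Run it on the DC (or any domain-joined host with RSAT) as `.\New-LabUsers.ps1 -CsvPath .\users.csv -Verbose`; pass `-TargetOU` with an OU distinguished name if the lab wants the fake accounts somewhere other than the default Users container. Because it checks for an existing sAMAccountName first, it can be re-run against the "clean" snapshot without producing duplicate-account errors.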
Initial Generic Specs Provided by CWO
Need an updated network map to resolve differences between initial DCO specifications and the current map
- sift - premade vm from sans, change creds https://www.sans.org/tools/sift-workstation/
- security onion - premade iso https://github.com/Security-Onion-Solutions/securityonion/blob/master/VERIFY_ISO.md
- remnux (not on the chart) - premade iso https://docs.remnux.org/install-distro/install-from-scratch
- windows server 2019 setup as DC, setup active directory
- storage device of your choice (truenas, unraid, win server smb)
- 1-2 win 10 workstations on the domain
- 1-2 nix workstations (recommend rocky linux or ubuntu desktop)
- pfsense router w/ onion sensor
- kali box or w/e
This is the secure enclave + the onion node on the outside
Unless otherwise specified, the installed software, services, and configurations will remain default until the DCO course is rewritten. Any additional files, flags, processes, etc will be determined at a later time. The workstations and network devices can be shared across other blocks (i.e., windows workstations and DC can be shared with windows block, Ubuntu workstations shared with linux block). Until the new DCO block is written, we will utilize the existing VMs on COTR.
SIFT – premade VM from SANS (https://sans.org/tools/sift-workstation)
Security Onion – premade ISO
SOF-ELK – premade configs on github
Kali (bare metal)
Workstations: 2 Windows 10 workstations
2 Ubuntu Workstations
Network Devices: Windows Server 2019 (serves as DC)
total = 16 * 1 full enclave
secure

OS | RAM | Disk Space
---|---|---
SIFT w/ REMNUX | 8GB | 250GB
Security Onion | 12GB | 250GB + (onion sensor??)
SOF-ELK | 8GB | 250GB
Kali | 2GB | 20GB
server 2k19 dc | 4GB | 60GB
server 2k19 multipurpose | 4GB | 60GB
2x Ubuntu desktop workstations | 4GB | 25GB
2x Windows 10 desktop workstations | 2GB | 50GB
Total | 48GB | 1040GB
internal

OS | RAM | Disk Space
---|---|---
trueNAS | 4GB | 240GB
ubuntu vpn server | 512MB | 2.5GB
ubuntu vpn CA | 512MB | 2.5GB
2x Ubuntu desktop workstations | 4GB | 25GB
3x Windows 10 desktop workstations | 2GB | 50GB
server 2k19 dc | 4GB | 60GB
Total | 23GB | 505GB
Based on the above requirements we are going to need to find ways to conserve and share resources
@rylagek where did you get the hardware (ram/storage) requirements for the various components? Asking because they seem kinda high in my uninformed opinion (e.g. do SIFT, SO, and SOF-ELK actually need that much of each?) -- if we're able to trim a lot of those down, my back of the napkin math says we can get roughly an order of magnitude reduction in the hardware requirements
I think it's also important that we be clear up front tomorrow that we can temporarily prune the CWONext range plan (very easily because IaC) to fit the existing hardware resources locally until such time as the required resources become available
That was very trimmed down. We might need to revisit keeping enclaves off.
> On Sun, Dec 19, 2021, 20:24 Steve Comer wrote:
> @rylagek where did you get the hardware (ram/storage) requirements for the various components? [...]
I took the original CWO requirement specifications they supplied and cross-referenced known good minimums. I'm sure we can trim down more through additional testing, but as it is I chose system-documented supported minimums and then the requirements from the official virtual applications of the more specialized systems (SIFT & REMnux). From the initial single DCO enclave requirements I trimmed 50+ GB RAM and ~900 GB disk space.
@comeste10 In the meeting tomorrow we can definitely be flexible, as the requirements @Hawk3y3-333 gave us are less resource intensive (read: no SIFT w/ REMnux, no SOF-ELK) and we can have fewer workstations
Have we ironed out the specific requirements here? Also, wondering why we are allocating 50GB to the Windows workstations when it looks like they would work just fine with 25-30GB unless I am missing something?
@Summerhays319 the Windows 10 size is the recommended minimum + the size of the Sysinternals suite.
All configurations, specifications, and diagrams for content belong in the rous wiki. On a per VM basis:
- .sh or .ps1 commands
- draw.io network diagram exported into rous/diagrams as svg