Define `DCO` lab environment

[uwardlaw]

All configurations, specifications, and diagrams for content belong in the rous wiki.

On a per VM basis...

• [ ] Hardware requirements
• [ ] Networking configuration (IP addresses, reachable from, NAT, etc)
• [ ] Software installed with versions
• [ ] All configuration steps for software, preferably as .sh or ps1 commands
• [ ] Run status of different processes (stopped, running on boot, etc)
• [ ] Clean snapshot
• [ ] Exploited snapshot
• [ ] Any files and where
• [ ] User accounts with passwords
• [ ] Source for draw.io network diagram exported into rous/diagrams as svg

[Hawk3y3-333]

In response to this issue, I have compiled some preliminary requirements and files that will be useful. One of the main requirements for the DCO environment not captured in the documents is that we will need snapshots of a clean network and also snapshots of the environment after exploits have been run. This alleviates the dependence on students doing things right in OCO to cause effect for DCO. Having an "exploited" snapshot will allow every class to run off the same baseline network.

The files contain the following information: Define DCO Lab environment.docx - Defines specific host requirements PossibleExploits.txt - Lists possible exploits that can be present on the Ops Network winlogbeat.yml.txt - A winlogbeat YAML confiiguration file. Can be used for all winlogbeat deployments load_fakedomainusers2.ps1.txt - PowerShell script generated by the Youzer tool to create fake domain accounts fakedomainusers2.csv - used by above script. Contains fake user information CreateTestADUsers.ps1.txt - Alternate script for generating active directory users FirstLastEurope.csv - Used by CreateTestADUsers.ps1. Contains list of first and last names

*NOTE - The user generation scripts require the domain to exist, so the scripts will have to be edited to reflect whatever the actual domain name is on the range.

fakedomainusers2.csv load_fakedomainusers2.ps1.txt CreateTestADUsers.ps1.txt FirstLastEurope.csv winlogbeat.yml.txt Define DCO Lab environment.docx PossibleExploits.txt

[rylagek]

Initial Generic Specs Provided by CWO

• sift - premade vm from sans, change creds https://www.sans.org/tools/sift-workstation/
• security onion - premade iso https://github.com/Security-Onion-Solutions/securityonion/blob/master/VERIFY_ISO.md
• remnux (not on the chart) - premade iso https://docs.remnux.org/install-distro/install-from-scratch
• windows server 2019 setup as DC, setup active directory
• storage device of your choice (truenas, unraid, win server smb)
• 1-2 win 10 workstations on the domain
• 1-2 nix workstations (recommend rocky linux or ubuntu desktop)
• pfsense router w/ onion sensor
• kali box or w/e

[rylagek]

Need an updated network map to resolve differences between initial DCO specifications and the current map

[rylagek]

Initial Generic Specs Provided by CWO

• sift - premade vm from sans, change creds https://www.sans.org/tools/sift-workstation/
• security onion - premade iso https://github.com/Security-Onion-Solutions/securityonion/blob/master/VERIFY_ISO.md
• remnux (not on the chart) - premade iso https://docs.remnux.org/install-distro/install-from-scratch
• windows server 2019 setup as DC, setup active directory
• storage device of your choice (truenas, unraid, win server smb)
• 1-2 win 10 workstations on the domain
• 1-2 nix workstations (recommend rocky linux or ubuntu desktop)
• pfsense router w/ onion sensor
• kali box or w/e

This is the secure enclave + the onion node on the outside

[rylagek]

Unless otherwise specified, the installed software, services, and configurations will remain default until the DCO course is rewritten. Any additional files, flags, processes, etc will be determined at a later time. The workstations and network devices can be shared across other blocks (i.e., windows workstations and DC can be shared with windows block, Ubuntu workstations shared with linux block). Until the new DCO block is written, we will utilize the existing VMs on COTR.

SIFT – premade VM from SANS (https://sans.org/tools/sift-workstation)

• Hardware requirements: 8GB RAM, 250GB Disk Space
• Additional Software: REMNUX free download

Security Onion – premade ISO

• Hardware requirements: 12GB RAM, 250GB Disk Space

SOF-ELK – premade configs on github

• Hardware requirements: 8GB RAM, 250GB Disk Space

Kali (bare metal)

• Hardware requirements: 8GB RAM, 120GB Disk Space

Workstations: 2 Windows 10 workstations

• Office Suite, WinRM enabled
• SysInternals Suite (https://docs.microsoft.com/en-us/sysinternals/downloads/)

2 Ubuntu Workstations

Network Devices: Windows Server 2019 (serves as DC)

• ADUC services enabled, WinRM enabled

[rylagek]

Total DCO Enclave Size Requirements

total = 16 * 1 full enclave

• 1136GB RAM
• 24720GB Disk Space

Itemized DCO Enclave Total

RAM: 71GB

Disk Space: 1545GB

secure OS	RAM	Disk Space
SIFT w/ REMNUX	8GB	250GB
Security Onion	12GB	250GB + (onion sensor??)
SOF-ELK	8GB	250GB
Kali	2GB	20GB
server 2k19 dc	4GB	60GB
server 2k19 multipurpose	4GB	60GB
2x Ubuntu desktop workstations	4GB	25GB
2x Windows 10 desktop workstations	2GB	50GB
Total	48GB	1040GB

internal OS	RAM	Disk Space
trueNAS	4GB	240GB
ubuntu vpn server	512MB	2.5GB
ubuntu vpn CA	512MB	2.5GB
2x Ubuntu desktop workstations	4GB	25GB
3x Windows 10 desktop workstations	2GB	50GB
server 2k19 dc	4GB	60GB
Total	23GB	505GB

[rylagek]

Based on the above requirements we are going to need to find ways to conserve and share resources

[comeste10]

@rylagek where did you get the hardware (ram/storage) requirements for the various components? Asking because they seem kinda high in my uninformed opinion (e.g. do SIFT, SO, and SOF-ELK actually need that much of each?) -- if we're able to trim a lot of those down, my back of the napkin math says we can get roughly an order of magnitude reduction in the hardware requirements

[comeste10]

I think it's also important that we be clear up front tomorrow that we can temporarily prune the CWONext range plan (very easily because IaC) to fit the existing hardware resources locally until such time as the required resources become available

[uwardlaw]

That was very trimmed down. We might need to revisit keeping enclaves off.

On Sun, Dec 19, 2021, 20:24 Steve Comer @.***> wrote:

@rylagek https://github.com/rylagek where did you get the hardware (ram/storage) requirements for the various components? Asking because they seem kinda high in my uninformed opinion (e.g. do SIFT, SO, and SOF-ELK actually need that much of each?) -- if we're able to trim a lot of those down, my back of the napkin math says we can get roughly an order of magnitude reduction in the hardware requirements

— Reply to this email directly, view it on GitHub https://github.com/uwardlaw/vater/issues/99#issuecomment-997538799, or unsubscribe https://github.com/notifications/unsubscribe-auth/ANF5BYQU6J2OABUMG2HJPGDUR2HUVANCNFSM5IUH2SWQ . You are receiving this because you authored the thread.Message ID: @.***>

[rylagek]

I took the original CWO requirement specifications they supplied and cross referenced known good minimums. I'm sure we can trim down more through additional testing, but as it is I chose system documented supported minimums and then the requirements from the official virtual applications of the more specialized systems (SIFT & REMnux). From the initial single DCO enclave requirements I trimmed 50+ GB RAM and ~900 GB disk space

[rylagek]

@comeste10 In the meeting tomorrow we can definitely be flexible, as the requirements @Hawk3y3-333 gave us are less resource intensive (read: no SIFT w/ REMnux, no SOF-ELK) and we can have fewer workstations

[Summerhays319]

Have we ironed out the specific requirements here? Also, wondering why we are allocating 50GB to the Windows workstations when it looks like they would work just fine with 25-30GB unless I am missing something?

[rylagek]

@Summerhays319 the Windows 10 size is the recommended minimum + the size of the sys internals suite