splunk / attack_range

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Apache License 2.0

Provisioning of Splunk SOAR fails #990

Open bl4ckOut opened 4 weeks ago

bl4ckOut commented 4 weeks ago

Hi... it seems that Python 3 is missing or doesn't get installed in the CentOS 7 image which is used for Splunk SOAR.

TASK [phantom : Change mirror to vault.centos.org] *****************************
[WARNING]: No python interpreters found for host ar-phantom-attack-range-key-
pair-ar (tried ['python3.12', 'python3.11', 'python3.10', 'python3.9',
'python3.8', 'python3.7', '/usr/bin/python3', 'python3'])
fatal: [ar-phantom-attack-range-key-pair-ar]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "changed": false, "module_stderr": "Shared connection to 127.0.0.1 closed.\r\n", "module_stdout": "/bin/sh: /usr/bin/python3: No such file or directory\r\n", "msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error", "rc": 127}

PLAY RECAP *********************************************************************
ar-phantom-attack-range-key-pair-ar : ok=1    changed=0    unreachable=0    failed=1    skipped=2    rescued=0    ignored=0   

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
2024-11-02 21:19:42,694 - ERROR - attack_range - vagrant failed to build

I use the following config:

general:
  cloud_provider: local
  attack_range_password: XXX
local: {}
windows_servers:
- hostname: ar-win-dc
  windows_image: windows-server-2022
  create_domain: '1'
  install_red_team_tools: '1'
  bad_blood: '1'
- hostname: ar-win-2
  windows_image: windows-server-2022
  join_domain: '1'
  install_red_team_tools: '1'
linux_servers:
- hostname: ar-linux
phantom_server:
  phantom_server: '1'
  phantom_app: splunk_soar-unpriv-6.3.0.719-d9df3cc1-el7-x86_64.tgz
splunk_server:
  install_es: "1"
  splunk_es_app: "splunk-enterprise-security_710.spl"
  splunk_url: "https://download.splunk.com/products/splunk/releases/9.3.1/linux/splunk-9.3.1-0b8d769cb912-Linux-x86_64.tgz"
  splunk_uf_url: "https://download.splunk.com/products/universalforwarder/releases/9.3.1/linux/splunkforwarder-9.3.1-0b8d769cb912-linux-2.6-amd64.deb"
  splunk_uf_win_url: "https://download.splunk.com/products/universalforwarder/releases/9.3.1/windows/splunkforwarder-9.3.1-0b8d769cb912-x64-release.msi"
  splunk_apps:
    - TA-aurora-0.2.0.tar.gz
    - TA-osquery.tar.gz
    - app-for-circleci_011.tgz
    - palo-alto-networks-add-on-for-splunk_813.tgz
    - punchcard---custom-visualization_150.tgz
    - python-for-scientific-computing-(for-linux-64-bit)_421.tgz
    - splunk-add-on-for-github_300.tgz
    - splunk-add-on-for-microsoft-cloud-services_532.tgz
    - splunk-add-on-for-microsoft-office-365_451.tgz
    - splunk-add-on-for-microsoft-windows_890.tgz
    - splunk-add-on-for-nginx_322.tgz
    - splunk-add-on-for-okta-identity-cloud_221.tgz
    - splunk-add-on-for-sysmon-for-linux_100.tgz
    - splunk-add-on-for-sysmon_401.tgz
    - splunk-add-on-for-unix-and-linux_920.tgz
    - splunk-app-for-stream_813.tgz
    - splunk-common-information-model-(cim)_532.tgz
    - splunk-es-content-update_4391.tgz
    - splunk-machine-learning-toolkit_542.tgz
    - splunk-sankey-diagram---custom-visualization_160.tgz
    - splunk-security-essentials_380.tgz
    - splunk-timeline---custom-visualization_162.tgz
    - splunk_attack_range_reporting-1.0.9.tar.gz
    - status-indicator---custom-visualization_150.tgz
    - ta-for-zeek_108.tgz
  ingest_bots3_data: "1"
  install_dltk: "1"
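
Ansible cannot run ordinary modules (including the fact gathering that produced the "No python interpreters found" warning above) on a host that has no Python at all; only the `raw` module works over a bare SSH shell. The play below is an added example, not the attack_range phantom role or any code from the project, of bootstrapping Python 3 on a CentOS 7 box before the regular tasks run; the inventory group name `phantom` and the vault.centos.org repo rewrite are assumptions.

```yaml
# Added example, not attack_range's own phantom role.
# Every builtin module except raw (and script) needs a Python interpreter on the
# managed host, so interpreter discovery and fact gathering must be deferred
# until raw has installed one.
- name: Bootstrap Python 3 on the Splunk SOAR (phantom) host
  hosts: phantom                 # assumed inventory group name
  gather_facts: false            # setup needs Python; run it explicitly later
  become: true
  vars:
    # Pin the interpreter so Ansible does not try to discover one on a host
    # that has none; raw ignores this, every later module uses it.
    ansible_python_interpreter: /usr/bin/python3
  tasks:
    - name: Point yum at vault.centos.org (CentOS 7 mirrorlist is retired)
      ansible.builtin.raw: |
        sed -i -e 's/^mirrorlist=/#mirrorlist=/' \
               -e 's|^#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|' \
               /etc/yum.repos.d/CentOS-*.repo
      changed_when: false

    - name: Install python3 with raw (no interpreter needed for this step)
      ansible.builtin.raw: test -x /usr/bin/python3 || yum install -y python3
      register: py_bootstrap
      changed_when: "'Installed' in py_bootstrap.stdout"

    - name: Gather facts now that an interpreter exists
      ansible.builtin.setup:

    - name: Sanity check the interpreter the rest of the play will use
      ansible.builtin.command: /usr/bin/python3 --version
      changed_when: false
```

Run it before the SOAR role (for example as an earlier play in the same playbook); once `setup` succeeds, the remaining tasks no longer hit rc=127.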

P4T12ICK commented 2 days ago

I will debug it. Thanks for reporting it.