teamdfir / sift

SIFT
MIT License

[RFC] sift ansible role #135

Closed juju4 closed 7 years ago

juju4 commented 7 years ago

For comments, https://github.com/juju4/ansible-sift

It has

ekristen commented 7 years ago

First let me just say you must have put in a good bit of time and energy on this, thanks @juju4.

I like that you used a config management tool, that it has CI integration, vagrant and packer, bravo.

Unfortunately I wish you would have reached out sooner!

We made the decision a while ago to standardize building SIFT using Salt. (https://github.com/sans-dfir/sift/issues/114) It has been in the works for a while, but only for 16.04 and forward since 14.04 is already almost 3 years old.

I'm also working with REMnux to build a corresponding salt states repo (https://github.com/REMnux/salt-states) that will work seamlessly with SIFT.

It's been primarily a one-man show with respect to building and maintaining the SIFT process, therefore the long-term plan was not made public, but I see now that that might have been a mistake. I will work to correct this to put the roadmap up for everyone to see.

@juju4 I see potential for collaboration. Interested?

ekristen commented 7 years ago

@juju4 I'd definitely be interested in checking out your packer scripts and potentially using them in conjunction with the salt-masterless setup from packer. I have a bunch of packer stuff I've been working on for sift that I have not published yet because it hasn't worked reliably for me.

ekristen commented 7 years ago

I'm starting to add the roadmap from my personal notes to here -- https://github.com/sans-dfir/sift/blob/master/README.md#roadmap

@juju4 I appreciate the effort. I want to try and figure out if there is a way the SIFT project can benefit from what you did.

juju4 commented 7 years ago

No issue, tools are individual or collective choices and it may change over time. I can eventually help but most of my personal stuff is ansible-based. Anyway, ansible or salt in masterless mode should be pretty similar AFAIK: small requirements (ssh+python), yml config. It should be possible to use and interchange them.

vagrant and packer should be easy to use with salt as they just call orchestration tools: https://www.packer.io/docs/provisioners/salt-masterless.html and https://www.vagrantup.com/docs/provisioning/salt.html. kitchen-test also has a salt plugin: https://github.com/simonmcc/kitchen-salt

I think the first thing would be adding a travisCI config but I need to play a bit with salt first. Not found many docs/examples with a quick search. I would expect serverspec tests to work directly.

From my experience, some tools should have a separate role/recipe/state, like volatility or rekall. For me, I chose to set up rekall in a virtualenv by default as it requires pretty recent stuff (pip/setuptools...) which might break other things (especially for legacy trusty).

For building VMs periodically, you will need a jenkins server or similar. And not a cheap vps, as that's no good for VMs. Got there too :(
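The "separate state per tool, rekall in its own virtualenv" approach described above, written as a Salt state as an added example (this is not code from the SIFT or REMnux salt-states repositories, and the state name `sift.rekall`, the virtualenv path `/opt/rekall-venv` and the symlink location are assumptions). Keeping rekall's pip/setuptools upgrade inside its own virtualenv is what isolates it from the system Python that other tools depend on:

```yaml
# sift/rekall/init.sls  (assumed file layout; apply with `salt-call --local state.apply sift.rekall`)
#
# System packages needed to create the virtualenv and build native extensions.
rekall-venv-packages:
  pkg.installed:
    - pkgs:
      - python-virtualenv
      - python-dev
      - build-essential

# Dedicated virtualenv, deliberately without system site-packages so that
# newer pip/setuptools here cannot shadow or break the system Python.
rekall-venv:
  virtualenv.managed:
    - name: /opt/rekall-venv          # assumed path
    - system_site_packages: False
    - require:
      - pkg: rekall-venv-packages

# Upgrade the packaging tools only inside the virtualenv (the "recent
# pip/setuptools" requirement mentioned in the thread).
rekall-venv-tools:
  pip.installed:
    - pkgs:
      - pip
      - setuptools
    - upgrade: True
    - bin_env: /opt/rekall-venv
    - require:
      - virtualenv: rekall-venv

# Rekall itself, installed from PyPI into the isolated environment.
rekall:
  pip.installed:
    - name: rekall
    - bin_env: /opt/rekall-venv
    - require:
      - pip: rekall-venv-tools

# Expose the entry point on PATH without touching the system Python.
/usr/local/bin/rekall:
  file.symlink:
    - target: /opt/rekall-venv/bin/rekall
    - require:
      - pip: rekall
```

With this split, a `top.sls` can list `sift.rekall` and a separate `sift.volatility` state independently, so a breaking change in one tool's Python dependencies does not take the other down, and a test (serverspec/testinfra style) can simply assert that `/opt/rekall-venv/bin/rekall` exists and runs.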

ekristen commented 7 years ago

Feel free to take a look at the salt states that are being worked on.

> From my experience, some tools should have separate role/recipe/state like volatility or rekall. For me, I choose to setup rekall in virtualenv by default as it requires pretty recent stuff (pip/setuptools...) which might break other stuff (especially for legacy trusty)

Thanks for the reference to serverspec that is a tool I wasn't familiar with. I'm definitely going to be taking a look at that.

juju4 commented 7 years ago

Follow-up in split issues.

I enabled xenial in my ansible role. Still some packages missing in the sift ppa but it seems fine.

Last note, serverspec is very nice (infra testing); you also have inspec (fork+review) but more targeted on security+compliance. testinfra (python-based) is also an option.