A Docker-based virtual lab for cybersecurity training, focused on configuring a Splunk indexer and Damn Vulnerable Web Application (DVWA) with a Splunk forwarder. The setup provides an easily redeployable environment for aspiring penetration testers and incident responders.

The goal is to orchestrate a containerized environment that can be used for practicing offensive security techniques against DVWA while gaining experience with log forwarding configuration and log analysis in Splunk.
## Roadmap Checklist

### Part 1

- Test the creation and configuration of a Splunk Docker container without using a `compose.yml` file.
- Test the Splunk dashboard.
- Understand the fine details of the Universal Forwarder.
- Understand the fine details of the Heavy Forwarder.
- Be able to explain the differences between Universal and Heavy Forwarders (a Universal Forwarder only collects and forwards raw data; a Heavy Forwarder is a full Splunk Enterprise instance that can parse, filter and route events before forwarding).
- Test the creation of DVWA using Docker without a `compose.yml` file.
- Find where DVWA stores access logs.
- Find where DVWA stores database logs.
- Decide whether to use PHPIDS in tandem with Splunk.
### Part 2

- Edit the original DVWA Dockerfile.
  - Ensure all tools and libraries Splunk requires are present (e.g. `wget`, `curl`).
- Create a compose file.
  - Splunk indexer/receiver to collect and visualize data.
  - Configure DVWA's Splunk forwarder (Universal/Heavy) to monitor:
    - Authentication logs: `/var/log/apache2/access.log` (DVWA logins are ordinary HTTP requests to the web server, so they appear here)
    - Error logs: `/var/log/apache2/error.log`, `/var/log/mysql/error.log`
    - Other files: `/etc/shadow` (note that monitoring this file streams the container's password hashes to the indexer; fine for an isolated lab, but keep the forwarder-to-indexer link off shared networks or encrypt it)
    - DVWA port 80
    - High concurrent CPU usage
    - Critical disk capacity
    - PHPIDS logs
- Figure out a way to automate the forwarder's installation and configuration after the containers come up.
  - Solution 1: Create a script to automate the installation of a Splunk forwarder.
    - Add a command to `compose.yml`: `sh -c "install_splunk_forwarder.sh"`. Note that `command:` replaces the image's default start command, so the script has to hand off to DVWA's own start command when it finishes, or DVWA never starts.
    - NOTE: DVWA doesn't have `wget` or `curl`, but has `dpkg`. It may be best to download the forwarder package onto the host before mounting it directly in `compose.yml` with a volume entry like:

      ```yaml
      volumes:
        - /home/kali/Desktop/splunk_forwarder/splunkforwarder-9.2.1-78803f08aabb-linux-2.6-amd64.deb:/opt/splunkforwarder-9.2.1-78803f08aabb-linux-2.6-amd64.deb
      ```

    - `install_splunk_forwarder.sh`:

      ```sh
      dpkg -i /opt/splunkforwarder-9.2.1-78803f08aabb-linux-2.6-amd64.deb   # same path the volume entry above mounts to
      echo 'Splunk Forwarder Installed'
      echo 'export SPLUNK_HOME=/opt/splunkforwarder' >> ~/.profile   # persist for later shells
      export SPLUNK_HOME=/opt/splunkforwarder                        # and set it for this one
      # OR, in an interactive session: source /opt/splunkforwarder/bin/setSplunkEnv and skip the PATH step
      export PATH=$SPLUNK_HOME/bin:$PATH
      # The first start accepts the licence and must happen before any `splunk add`;
      # `splunk add ...` then prompts for admin credentials unless -auth user:pass is given
      splunk start --accept-license --answer-yes --no-prompt
      # The receiver is the indexer container, reached by its compose service name (assumed "splunk" here);
      # 127.0.0.1 inside the DVWA container is DVWA itself, not the indexer
      splunk add forward-server splunk:9997
      # OR navigate to $SPLUNK_HOME/bin and use: ./splunk add forward-server splunk:9997
      splunk add monitor /var/log/apache2/access.log
      splunk add monitor /var/log/apache2/error.log
      splunk add monitor /var/log/mysql/error.log
      splunk add monitor /etc/shadow
      # Requests to DVWA's port 80 are already recorded in access.log. `splunk add tcp 80` would make the
      # forwarder itself listen on port 80 and collide with Apache, and `splunk add monitor` expects a path, not a port
      ```

  - Solution 2: requires creating `inputs.conf` and `outputs.conf` before compose runs, mounting them into a safe directory, and copying them to `$SPLUNK_HOME/etc/system/local` after the forwarder is installed on DVWA.
  - Solution 3: Add a Universal Forwarder container to the compose file and configure it using `SPLUNK_ADD`.
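Putting Solutions 1 and 2 together, the following `install_splunk_forwarder.sh` is an added example, not the Splunk-DVWA repo's own script. It installs the bind-mounted `.deb`, writes `inputs.conf` and `outputs.conf` straight into `$SPLUNK_HOME/etc/system/local` instead of running `splunk add` once per file, seeds the admin account so the first start needs no prompt, and can hand off to DVWA's normal start command. The indexer service name `splunk`, the receiving port 9997, the `FORWARDER_ADMIN_PASSWORD` variable, the `RUN_INSTALL` switch and the sourcetype labels are assumptions made here, not settings from the page.

```sh
#!/bin/sh
# install_splunk_forwarder.sh -- added example, not the Splunk-DVWA repo's own script.
# Runs inside the DVWA container after the forwarder .deb has been bind-mounted.
# Assumptions (not from the README): the indexer's compose service is named
# "splunk" and receives on 9997; the admin password arrives in
# FORWARDER_ADMIN_PASSWORD; DEB_PATH matches the path the volume mounts to.
set -eu

DEB_PATH="${DEB_PATH:-/opt/splunkforwarder-9.2.1-78803f08aabb-linux-2.6-amd64.deb}"
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
INDEXER="${INDEXER:-splunk:9997}"

# inputs.conf: one [monitor://] stanza per file the roadmap lists. Port 80 needs
# no input of its own: every request already lands in access.log. Sourcetype
# names are free-form labels chosen here. /etc/shadow ships the container's
# password hashes to the indexer, acceptable only in an isolated lab.
write_inputs_conf() {
    mkdir -p "$1"
    cat > "$1/inputs.conf" <<EOF
[monitor:///var/log/apache2/access.log]
sourcetype = access_combined
index = main

[monitor:///var/log/apache2/error.log]
sourcetype = apache_error
index = main

[monitor:///var/log/mysql/error.log]
sourcetype = mysqld_error
index = main

[monitor:///etc/shadow]
sourcetype = etc_shadow
index = main
EOF
}

# outputs.conf: where the forwarder sends events. useACK makes the forwarder
# hold data until the indexer confirms it was written, so nothing is lost if
# the indexer container restarts mid-stream.
write_outputs_conf() {
    mkdir -p "$1"
    cat > "$1/outputs.conf" <<EOF
[tcpout]
defaultGroup = lab_indexers

[tcpout:lab_indexers]
server = $INDEXER
useACK = true
EOF
}

# Number of [monitor://] stanzas in a written inputs.conf; used as a sanity
# check before the forwarder is started.
count_monitors() {
    grep -c '^\[monitor://' "$1/inputs.conf"
}

install_forwarder() {
    dpkg -i "$DEB_PATH"
    conf="$SPLUNK_HOME/etc/system/local"
    write_inputs_conf "$conf"
    write_outputs_conf "$conf"
    # Seed the admin account so the first start is non-interactive; without it
    # the forwarder stops and asks for a password.
    cat > "$conf/user-seed.conf" <<EOF
[user_info]
USERNAME = admin
PASSWORD = ${FORWARDER_ADMIN_PASSWORD:?FORWARDER_ADMIN_PASSWORD must be set}
EOF
    chmod 600 "$conf/user-seed.conf"
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    echo "Splunk Forwarder installed: $(count_monitors "$conf") monitors -> $INDEXER"
}

# Only install when asked (RUN_INSTALL=1) so the file can also be sourced for
# its functions. Any remaining arguments are exec'd afterwards, which lets a
# compose `command:` chain into DVWA's own start command.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    install_forwarder
    if [ "$#" -gt 0 ]; then
        exec "$@"
    fi
fi
```

Run it from `compose.yml` as `RUN_INSTALL=1 /install_splunk_forwarder.sh` followed by DVWA's usual start command as arguments, with the `.deb` and the script bind-mounted into the container and `FORWARDER_ADMIN_PASSWORD` passed through the service's environment. Writing the two `.conf` files directly avoids the credential prompt that each `splunk add` would otherwise raise.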
### Part 3

- Compose the virtual pentesting environment.
- Check the Splunk receiver dashboard for forwarder connections.
- Create alerts for all monitored data.
- Follow the Cyber Kill Chain framework.
  - Insert the seven steps below (Recon, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives).
  - Add specific objectives to complete that are required before moving to the next step.
- Clone the Splunk-DVWA repo:

  ```sh
  git clone https://github.com/Daethyra/Splunk-DVWA.git
  ```

- Clone the DVWA repository:

  ```sh
  git clone https://github.com/digininja/DVWA.git
  ```

- Copy the following files to the newly cloned DVWA repository directory:
  - `compose.yml`
  - `Dockerfile`
  - `config` directory