This repo contains the CentOS 7 kickstarts, Packer configurations, and test scripts used in the virtual lab for my GIAC Continuous Monitoring Certification (GMON) Gold paper, "Continuous Security Monitoring in non-Active Directory Environments". The primary purpose of the paper was to investigate a FreeIPA directory and determine which artifacts defenders can leverage to track activity, similar to the CSM techniques used to track activity with Active Directory/Windows Event logs.
- VMWare Workstation 14+
- Packer
- CentOS 7 Everything DVD ISO (CentOS-7-x86_64-DVD-1810.iso is automatically downloaded by Packer.)
- The Packer and kickstart files expect the local virtual machine (VM) network to be 192.168.1.0/24.
- IP addresses and credentials are hardcoded to minimize my PEBKAC errors. (Update as needed for your test environment.)
- This lab setup process was not designed to be fully automated and requires the machines to be set up in a specific order.
This lab consists of 7 virtual machines, each with an assigned hostname, IP address, and resource allocation:
System | Domain | IP Address | RAM | Disk Size |
---|---|---|---|---|
Syslog/ELK Server | elk.ipa.domain.local | 192.168.1.200 | 1GB | 20GB |
Primary Directory Server | ipa01.ipa.domain.local | 192.168.1.201 | 2GB | 20GB |
Secondary Directory Server | ipa02.ipa.domain.local | 192.168.1.202 | 2GB | 20GB |
Client Server #1 | svr01.ipa.domain.local | 192.168.1.203 | 1GB | 20GB |
Client Server #2 | svr02.ipa.domain.local | 192.168.1.206 | 1GB | 20GB |
Client Workstation #1 | wkst01.ipa.domain.local | 192.168.1.204 | 1GB | 20GB |
Client Workstation #2 | wkst02.ipa.domain.local | 192.168.1.205 | 1GB | 20GB |
The VMs are created in a specific order, and each VM must be powered on before the next one is created. [Packer](https://packer.io) is used to create the VMs:
packer build log01.json
packer build ipa01.json
packer build ipa02.json
packer build srv01.json
packer build srv02.json
packer build wkst01.json
packer build wkst02.json
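The ordering constraint above (build one VM, wait until it is up, then build the next) can be enforced by a small wrapper. The script below is an added example, not part of this repo; it assumes `packer` is on `PATH`, the 192.168.1.0/24 lab network and IPs from the table above, and that each VM answers on TCP/22 once it has booted. The template file names are kept exactly as listed above.

```shell
#!/bin/sh
# Added example: build the lab VMs in the README's required order, waiting for
# each VM's SSH port before starting the next build.

# Build order and the IP each template is expected to produce (from the README).
BUILD_ORDER="log01.json:192.168.1.200
ipa01.json:192.168.1.201
ipa02.json:192.168.1.202
srv01.json:192.168.1.203
srv02.json:192.168.1.206
wkst01.json:192.168.1.204
wkst02.json:192.168.1.205"

# template_ip TEMPLATE -> prints the IP mapped to TEMPLATE in BUILD_ORDER.
template_ip() {
    for entry in $BUILD_ORDER; do
        [ "${entry%%:*}" = "$1" ] && { echo "${entry#*:}"; return 0; }
    done
    return 1
}

# port_open HOST PORT -> 0 if a TCP connect succeeds, non-zero otherwise.
# Uses bash's /dev/tcp when available; otherwise falls back to nc (assumed present).
port_open() {
    if [ -n "$BASH_VERSION" ]; then
        (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
    else
        nc -z -w 2 "$1" "$2" 2>/dev/null
    fi
}

# wait_for_port HOST PORT SECONDS -> 0 once the port answers, 1 on timeout.
wait_for_port() {
    waited=0
    while [ "$waited" -lt "$3" ]; do
        port_open "$1" "$2" && return 0
        sleep 5; waited=$((waited + 5))
    done
    return 1
}

# build_lab: run the builds in order; abort on the first failed build or VM that never comes up.
build_lab() {
    for entry in $BUILD_ORDER; do
        template=${entry%%:*}; ip=${entry#*:}
        echo "==> packer build $template"
        packer build "$template" || return 1
        wait_for_port "$ip" 22 900 || { echo "$ip (from $template) never came up" >&2; return 1; }
    done
}

# Only start building when explicitly asked: ./build-lab.sh run
case "${1:-}" in run) build_lab ;; esac
```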
The test suite is designed to perform commands associated with common administrative activity, user activity, and basic password attacks.
Once all VMs are online, log on to IPA01 as root and execute `/root/start-ipa-tests.sh`. The results will be recorded to `/root/results-ipa-tests.log`.
Next, log on to WKST01 as root and execute `script -f /root/results-wkst-tests.log && /root/start-wkst-tests.sh`. When you have completed the interactive script, type `exit` to record the results to `/root/results-wkst-tests.log`.
Finally, log on to WKST01 as root and execute `/root/start-password-attacks.sh`. The results will be recorded to `/root/results-password-attacks.log`.
Test ID | Test Type | Test Name | Status |
---|---|---|---|
T1 | Administrative | User Creation | ✔️ Implemented |
T2 | Administrative | Group Creation | ✔️ Implemented |
T3 | Administrative | User Deletion | ✔️ Implemented |
T4 | Administrative | Group Deletion | ✔️ Implemented |
T5 | Administrative | Group Membership Modification | ✔️ Implemented |
T6 | Administrative | Workstation/Server Domain Membership | ✔️ Implemented |
T7 | Administrative | Suspend User | ✔️ Implemented |
T8 | Administrative | Unsuspend User | ✔️ Implemented |
T9 | User Events | User Login | ✔️ Implemented |
T10 | User Events | User Logout | ✔️ Implemented |
T11 | User Events | Password Change | ✔️ Implemented |
T12 | User Events | Account Lockout | ✔️ Implemented |
T13 | Abnormal Activity | Directory Recon | ✔️ Implemented |
T14 | Abnormal Activity | Service Account Misuse | ❌ Not Automated |
T15 | Password Attack | Brute-Force Guessing | ✔️ Implemented |
T16 | Password Attack | Password Spray | ✔️ Implemented |
Please note that for T14 the Moodle installation/configuration, the testing, and the analysis of the IPA logs are currently manual processes.