Installation

kiranmai-nadella edited this page Feb 15, 2023 · 3 revisions

Note: All the build steps must be performed as root.

  1. Clone the ASF repository: git clone https://github.com/vmware-labs/attack-surface-framework.git /opt/asf
  2. cd /opt/asf/
  3. [Optional] Edit the .kube_vars file if you want to enable the Kubernetes option. Update it with your namespace and kube_config file path.
  4. Run ./setup.sh
  5. Set your username, email, and password when prompted. These credentials are used to log in to the ASF GUI.
  6. You will then be asked: Would you like to use Kubernetes cluster (y/n)? Press 'y' to run the jobs on the Kubernetes cluster, or 'n' to run them with Docker instead.

Security

ASF is not meant to be publicly exposed. Whether you install it on a cloud provider or on a local instance, we recommend accessing it through SSH port forwarding. For example:

ssh -i "key.pem" -L 2021:127.0.0.1:2021 user@yourhost - For ASF GUI

ssh -i "key.pem" -L 9045:127.0.0.1:9045 user@yourhost - To access Graylog2 Panel

Then open your browser and go to:

http://127.0.0.1:2021 - For ASF - user:youruser pass:yourpassword (provided in initial setup)

https://127.0.0.1:9045 - For Graylog2 - user:admin pass:admin #Change it in /graylog/docker-compose.yaml
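
The SSH forwards above only keep ASF private if ports 2021 and 9045 are not also listening on a routable address. As an added example (not part of the ASF project), this shell function parses `ss -H -ltn` output and reports any listener on those ports that is not bound to loopback; the function names and the sample listener lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of ASF. Ports are the ones named on this page:
# 2021 = ASF GUI, 9045 = Graylog2 panel.
ASF_PORTS="2021 9045"

# Read `ss -H -ltn` output on stdin and print "port local-address" for every
# ASF listener whose bind address is not loopback.
exposed_asf_ports() {
    awk -v ports="$ASF_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            laddr = $4
            port = laddr; sub(/^.*:/, "", port)     # text after the last colon
            addr = laddr; sub(/:[^:]*$/, "", addr)  # text before the last colon
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print port, laddr
        }'
}

# Run the check against the live host; non-zero status means exposure.
check_host() {
    found=$(ss -H -ltn | exposed_asf_ports)
    [ -z "$found" ] && return 0
    printf 'ASF port listening beyond loopback:\n%s\n' "$found" >&2
    return 1
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:2021 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9045 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:9045 [::]:*'

# Demo on the sample: reports both 9045 listeners, not the loopback-only 2021.
printf '%s\n' "$SAMPLE_SS" | exposed_asf_ports
```

On the ASF host, call `check_host` after setup; any line it prints is a listener that a host firewall or security group must block, or that should be rebound to 127.0.0.1.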

Graylog2 requires a few steps to start receiving logs from ASF:

Once logged in, go to System / "Content Packs" and import the Content Pack located at /opt/asf/tools/graylog/content_pack_ASF.json. Click the "Upload" button; "Basic" should then appear in the "Select Content Packs" section. Click "Basic", make sure the "ASF" radio button is selected, and click the "Apply content" button. This creates the Global input that parses JSON logs, along with the related extractors.

Now you are ready to receive logs from ASF and set up your streams/alerts/dashboards!

More info @ https://docs.graylog.org/en/4.1/
