diff --git a/.gitignore b/.gitignore index 2adb39c..20608e2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ roles/ venv/ +.venv/ .env .terragrunt-cache/ .terraform.lock.hcl diff --git a/ansible/deploy/firewall/firewall.yml b/ansible/deploy/firewall/firewall.yml index ad7ecf7..10bb085 100644 --- a/ansible/deploy/firewall/firewall.yml +++ b/ansible/deploy/firewall/firewall.yml @@ -29,10 +29,16 @@ type: ipv4, interface: { name: $DMZIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } } + - { + name: admin, + type: ipv4, + interface: { name: $ADMINIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } + } policy: - { source: fw, dest: all, policy: ACCEPT } - { source: lan, dest: inet, policy: ACCEPT } - { source: dmz, dest: inet, policy: ACCEPT } + - { source: admin, dest: all, policy: ACCEPT } - THIS POLICY HAS TO BE THE LAST - { source: all, dest: all, policy: REJECT, log: info } rules: @@ -40,6 +46,7 @@ - Permit access to SSH - { action: SSH/ACCEPT, source: lan, dest: fw } - { action: SSH/ACCEPT, source: dmz, dest: fw } + - { action: SSH/ACCEPT, source: admin, dest: fw } # - { action: ACCEPT, source: inet, dest: fw, proto: tcp, dest_port: "443,8006" } - PING Rules - { action: Ping/ACCEPT, source: all, dest: all } @@ -51,5 +58,6 @@ - { name: INETIF, value: ens3 } - { name: LANIF, value: ens4 } - { name: DMZIF, value: ens5 } + - { name: ADMINIF, value: ens6 } - role: auditd diff --git a/ansible/run/scenario1/templates/scenario_1_c_a.j2 b/ansible/run/scenario1/templates/scenario_1_c_a.j2 index 3eb9e1f..1efa0cd 100644 --- a/ansible/run/scenario1/templates/scenario_1_c_a.j2 +++ b/ansible/run/scenario1/templates/scenario_1_c_a.j2 @@ -7,6 +7,7 @@ vars: $SERVER_ADDRESS: 192.42.0.254 $ATTACKER_ADDRESS: 192.42.1.174 $DNS_SERVER: 192.42.0.233 + $ADMIN_SERVER: 10.12.0.222 $DOMAIN: aecid-testbed.com $USER: aecid $DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt 
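Review bot: The new `admin` zone gets `- { source: admin, dest: all, policy: ACCEPT }` in the policy hunk of firewall.yml, so admin hosts may initiate to inet, lan, dmz and the firewall itself, which also makes the later `SSH/ACCEPT admin → fw` rule redundant. If the admin network is meant to be the trusted management zone, say so next to the policy, e.g. `# admin = trusted management zone: may initiate anywhere; nothing may initiate into it (falls through to the final REJECT)`; if not, narrow the policy to the services actually needed. Only the catch-all REJECT currently shields admin from lan/dmz/inet, so any future loosening of that last line silently exposes the zone. This file and packer/firewall/playbook/main.yaml now carry two hand-maintained copies of the zone definition that already differ (the packer copy adds a `DNS/ACCEPT` rule for admin), which is worth consolidating.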
@@ -131,7 +132,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 reboot" | at now + 2 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: 192.42.2.42 diff --git a/ansible/run/scenario1/templates/scenario_1_c_b.j2 b/ansible/run/scenario1/templates/scenario_1_c_b.j2 index 2aa689a..9daba80 100644 --- a/ansible/run/scenario1/templates/scenario_1_c_b.j2 +++ b/ansible/run/scenario1/templates/scenario_1_c_b.j2 @@ -131,7 +131,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 reboot" | at now + 2 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: "192.42.2.42" diff --git a/ansible/run/scenario1/templates/scenario_1_c_c.j2 b/ansible/run/scenario1/templates/scenario_1_c_c.j2 index e27799c..12591ff 100644 --- a/ansible/run/scenario1/templates/scenario_1_c_c.j2 +++ b/ansible/run/scenario1/templates/scenario_1_c_c.j2 @@ -131,7 +131,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 reboot" | at now + 2 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: "192.42.2.42" diff --git a/ansible/run/scenario1/templates/scenario_1_d_a.j2 b/ansible/run/scenario1/templates/scenario_1_d_a.j2 index a700b50..bede630 100644 --- a/ansible/run/scenario1/templates/scenario_1_d_a.j2 +++ b/ansible/run/scenario1/templates/scenario_1_d_a.j2 @@ -7,6 +7,7 @@ vars: $SERVER_ADDRESS: 192.42.0.254 $ATTACKER_ADDRESS: 192.42.1.174 $DNS_SERVER: 192.42.0.233 + $ADMIN_SERVER: 10.12.0.222 $DOMAIN: aecid-testbed.com $USER: aecid $DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt 
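Review bot: The hunks for scenario_1_c_b.j2 and scenario_1_c_c.j2 replace the hostname with `$ADMIN_SERVER` but, unlike scenario_1_c_a.j2, carry no hunk adding `$ADMIN_SERVER` to `vars:`; the unchanged offsets (`@@ -131,7 +131,7 @@`) confirm nothing was inserted earlier in those files. Unless the variable is supplied from outside the template, the ssh step will be rendered with a literal `$ADMIN_SERVER` and fail at run time. Add `$ADMIN_SERVER: 10.12.0.222` to the vars block of both templates, or move the value into a shared variable file so the three variants cannot drift. The vars block lies outside these hunks.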
@@ -132,7 +133,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 '. /etc/bash_completion'" | at now + 10 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: 192.42.2.42 diff --git a/ansible/run/scenario1/templates/scenario_1_d_b.j2 b/ansible/run/scenario1/templates/scenario_1_d_b.j2 index f544349..ae4d3c2 100644 --- a/ansible/run/scenario1/templates/scenario_1_d_b.j2 +++ b/ansible/run/scenario1/templates/scenario_1_d_b.j2 @@ -7,6 +7,7 @@ vars: $SERVER_ADDRESS: 192.42.0.254 $ATTACKER_ADDRESS: 192.42.1.174 $DNS_SERVER: 192.42.0.233 + $ADMIN_SERVER: 10.12.0.222 $DOMAIN: aecid-testbed.com $USER: aecid $DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt @@ -132,7 +133,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 '. /etc/bash_completion'" | at now + 10 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: 192.42.2.42 diff --git a/ansible/run/scenario1/templates/scenario_1_d_c.j2 b/ansible/run/scenario1/templates/scenario_1_d_c.j2 index 1899e1c..4b1848e 100644 --- a/ansible/run/scenario1/templates/scenario_1_d_c.j2 +++ b/ansible/run/scenario1/templates/scenario_1_d_c.j2 @@ -132,7 +132,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 '. /etc/bash_completion'" | at now + 10 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: 192.42.1.232 diff --git a/ansible/run/scenario3/templates/scenario_3_c.j2 b/ansible/run/scenario3/templates/scenario_3_c.j2 index db5751b..2ce93b7 100644 --- a/ansible/run/scenario3/templates/scenario_3_c.j2 +++ b/ansible/run/scenario3/templates/scenario_3_c.j2 
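Review bot: scenario_1_d_c.j2 gets `hostname: $ADMIN_SERVER` without an accompanying vars hunk (its offsets `@@ -132,7 +132,7 @@` are unchanged, while scenario_1_d_a/d_b shift by one line for the added variable), so `$ADMIN_SERVER` is likely undefined there unless it is provided externally. This variant also uses `jmp_hostname: 192.42.1.232` while the others use 192.42.2.42; if the admin host now sits on a separate 10.12.x network behind the firewall's catch-all REJECT, the jump host needs a leg in the admin zone or an explicit inet→admin rule, which this commit does not add — worth confirming before the scenario is re-run.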
@@ -7,6 +7,7 @@ vars: $SERVER_ADDRESS: 192.42.0.254 $ATTACKER_ADDRESS: 192.42.1.174 $DNS_SERVER: 192.42.0.233 + $ADMIN_SERVER: 10.12.0.222 commands: - type: shell @@ -202,7 +203,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@192.168.100.23 \"apt update && apt install -y healthcheckd\"" | at now + 2 minute - hostname: 192.168.100.223 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: 192.42.2.42 diff --git a/packer/firewall/playbook/main.yaml b/packer/firewall/playbook/main.yaml index 3f59cc3..8ff1b07 100644 --- a/packer/firewall/playbook/main.yaml +++ b/packer/firewall/playbook/main.yaml @@ -40,8 +40,14 @@ type: ipv4, interface: { name: $DMZIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } } + - { + name: admin, + type: ipv4, + interface: { name: $ADMINIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } + } policy: - { source: fw, dest: all, policy: ACCEPT } + - { source: admin, dest: all, policy: ACCEPT } - { source: lan, dest: inet, policy: ACCEPT } - { source: lan, dest: dmz, policy: ACCEPT } - { source: dmz, dest: inet, policy: ACCEPT } @@ -64,9 +70,11 @@ - Permit access to SSH - { action: SSH/ACCEPT, source: lan, dest: fw } - { action: SSH/ACCEPT, source: dmz, dest: fw } + - { action: SSH/ACCEPT, source: admin, dest: fw } - Permit access to DNS - { action: DNS/ACCEPT, source: lan, dest: fw } - { action: DNS/ACCEPT, source: dmz, dest: fw } + - { action: DNS/ACCEPT, source: admin, dest: fw } # - { action: ACCEPT, source: inet, dest: fw, proto: tcp, dest_port: "443,8006" } - PING Rules - { action: Ping/ACCEPT, source: all, dest: all } @@ -78,6 +86,7 @@ - { name: INETIF, value: ens3 } - { name: LANIF, value: ens4 } - { name: DMZIF, value: ens5 } + - { name: ADMINIF, value: ens6 } - { name: REPOSERVER, value: 172.17.100.122} - { name: LINUXSHARE, value: 192.168.100.23} - { name: VIDEOSERVER, value: 172.17.100.121} 
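Review bot: In the scenario_3_c.j2 hunk the target changes from `192.168.100.223` to `$ADMIN_SERVER`, which this same diff defines as `10.12.0.222` — that is the .222 host (adminpc in terragrunt/videoserver), not the .223 host (adminpc2 in terragrunt/repository) the scenario used before. If scenario 3 is meant to keep running from the second admin PC, introduce a separate variable, e.g. `$ADMIN_SERVER_2: 10.12.0.223`, and use it here. If the host switch is intentional it should be called out in the commit message, since it changes which machine produces the scenario's log traces.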
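Review bot: The `- { source: admin, dest: all, policy: ACCEPT }` line is inserted before the lan/dmz policies in packer/firewall/playbook/main.yaml but after them in ansible/deploy/firewall/firewall.yml. Shorewall uses the first matching policy and none of these overlap, so the order is harmless, but keeping both files in the same order — and with the same rule set, since only this copy adds `DNS/ACCEPT` for admin — makes the inevitable drift between the two visible in review. A comment such as `# keep in sync with ansible/deploy/firewall/firewall.yml` above the zone list would help until one file is generated from the other.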
diff --git a/terragrunt/bootstrap/module/main.tf b/terragrunt/bootstrap/module/main.tf index b2df524..3c8b81d 100644 --- a/terragrunt/bootstrap/module/main.tf +++ b/terragrunt/bootstrap/module/main.tf @@ -26,7 +26,7 @@ resource "openstack_networking_network_v2" "internet" { resource "openstack_networking_subnet_v2" "internet_subnet" { name = "internet_subnet" network_id = "${openstack_networking_network_v2.internet.id}" - cidr = var.inet_cidr + cidr = var.subnet_cidrs["inet"] dns_nameservers = var.inet_dns ip_version = 4 } @@ -70,7 +70,7 @@ resource "openstack_compute_instance_v2" "inet-dns" { network { name = "internet" - fixed_ip_v4 = cidrhost(var.inet_cidr,514) + fixed_ip_v4 = cidrhost(var.subnet_cidrs["inet"],514) } depends_on = [ @@ -92,15 +92,15 @@ resource "openstack_networking_network_v2" "lan" { resource "openstack_networking_subnet_v2" "lan_subnet" { name = "lan_subnet" network_id = "${openstack_networking_network_v2.lan.id}" - cidr = var.lan_cidr + cidr = var.subnet_cidrs["lan"] ip_version = 4 - gateway_ip = cidrhost(var.lan_cidr,254) - dns_nameservers = [cidrhost(var.lan_cidr,254)] + gateway_ip = cidrhost(var.subnet_cidrs["lan"],254) + dns_nameservers = [cidrhost(var.subnet_cidrs["lan"],254)] # make the allocation_pool smaller for gateway_ip allocation_pool { - start = cidrhost(var.lan_cidr,20) - end = cidrhost(var.lan_cidr,200) + start = cidrhost(var.subnet_cidrs["lan"],20) + end = cidrhost(var.subnet_cidrs["lan"],200) } } 
@@ -117,19 +117,46 @@ resource "openstack_networking_network_v2" "dmz" { resource "openstack_networking_subnet_v2" "dmz_subnet" { name = "dmz_subnet" network_id = "${openstack_networking_network_v2.dmz.id}" - cidr = var.dmz_cidr + cidr = var.subnet_cidrs["dmz"] ip_version = 4 - gateway_ip = cidrhost(var.dmz_cidr,254) - dns_nameservers = [cidrhost(var.dmz_cidr,254)] + gateway_ip = cidrhost(var.subnet_cidrs["dmz"],254) + dns_nameservers = [cidrhost(var.subnet_cidrs["dmz"],254)] # make the allocation_pool smaller for gateway_ip allocation_pool { - start = cidrhost(var.dmz_cidr,20) - end = cidrhost(var.dmz_cidr,200) + start = cidrhost(var.subnet_cidrs["dmz"],20) + end = cidrhost(var.subnet_cidrs["dmz"],200) } } +################################################################### +# +# CREATE NETWORK "ADMIN" +# +resource "openstack_networking_network_v2" "admin" { + name = "admin" + port_security_enabled = "false" + admin_state_up = "true" +} + +resource "openstack_networking_subnet_v2" "admin_subnet" { + name = "admin_subnet" + network_id = "${openstack_networking_network_v2.admin.id}" + cidr = var.subnet_cidrs["admin"] + ip_version = 4 + gateway_ip = cidrhost(var.subnet_cidrs["admin"],254) + dns_nameservers = [cidrhost(var.subnet_cidrs["admin"],254)] + + + # make the allocation_pool smaller for gateway_ip + allocation_pool { + start = cidrhost(var.subnet_cidrs["admin"],20) + end = cidrhost(var.subnet_cidrs["admin"],200) + } +} + + #################################################################### # # CREATE INSTANCE for "Internet-Firewall" 
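Review bot: The new `admin` network is created with `port_security_enabled = "false"`, which turns off Neutron security groups and MAC/IP anti-spoofing on every port of the management network. That is presumably copied from the lan/dmz definitions (their headers are visible, their bodies are not), and in a testbed where the Shorewall VM is the only enforcement point it may be intended, but it deserves an explicit comment because this network will carry root SSH keys into the DMZ: `# port security deliberately off: the firewall VM is the only policy point; any host on this network can spoof addresses`. The subnet's gateway and DNS both point at `.254`, which only works because the firewall instance also receives an admin leg at `.254` later in this file — a short comment tying the two together would save the next reader a search.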
@@ -167,24 +194,30 @@ resource "openstack_compute_instance_v2" "inet-fw" { network { name = "internet" - fixed_ip_v4 = cidrhost(var.inet_cidr,254) + fixed_ip_v4 = cidrhost(var.subnet_cidrs["inet"],254) } network { name = "lan" - fixed_ip_v4 = cidrhost(var.lan_cidr,254) + fixed_ip_v4 = cidrhost(var.subnet_cidrs["lan"],254) } network { name = "dmz" - fixed_ip_v4 = cidrhost(var.dmz_cidr,254) + fixed_ip_v4 = cidrhost(var.subnet_cidrs["dmz"],254) + } + + network { + name = "admin" + fixed_ip_v4 = cidrhost(var.subnet_cidrs["admin"],254) } depends_on = [ openstack_compute_instance_v2.inet-dns, openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, - openstack_networking_network_v2.lan + openstack_networking_network_v2.lan, + openstack_networking_network_v2.admin ] } @@ -215,9 +248,12 @@ data "openstack_images_image_v2" "mgmt-image" { } locals { - mgmt_internet_ip = cidrhost(var.inet_cidr, 201) # Static IP for mgmt host in internet network - mgmt_lan_ip = cidrhost(var.lan_cidr, 201) # Static IP for mgmt host in lan network - mgmt_dmz_ip = cidrhost(var.dmz_cidr, 201) # Static IP for mgmt host in dmz network + mgmt_ips = { + internet = cidrhost(var.subnet_cidrs["inet"], 201) + lan = cidrhost(var.subnet_cidrs["lan"], 201) + dmz = cidrhost(var.subnet_cidrs["dmz"], 201) + admin = cidrhost(var.subnet_cidrs["admin"], 201) + } } resource "openstack_compute_instance_v2" "mgmt" { 
@@ -229,29 +265,35 @@ resource "openstack_compute_instance_v2" "mgmt" { network { name = "internet" - fixed_ip_v4 = local.mgmt_internet_ip + fixed_ip_v4 = local.mgmt_ips.internet } network { name = "lan" - fixed_ip_v4 = local.mgmt_lan_ip + fixed_ip_v4 = local.mgmt_ips.lan } network { name = "dmz" - fixed_ip_v4 = local.mgmt_dmz_ip + fixed_ip_v4 = local.mgmt_ips.dmz + } + + network { + name = "admin" + fixed_ip_v4 = local.mgmt_ips.admin } depends_on = [ openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, - openstack_networking_network_v2.lan - ] + openstack_networking_network_v2.lan, + openstack_networking_network_v2.admin, + ] } data "openstack_networking_port_v2" "mgmt"{ - fixed_ip = local.mgmt_internet_ip + fixed_ip = local.mgmt_ips.internet depends_on = [ openstack_compute_instance_v2.mgmt ] diff --git a/terragrunt/bootstrap/module/variables.tf b/terragrunt/bootstrap/module/variables.tf index f175447..76b53fe 100644 --- a/terragrunt/bootstrap/module/variables.tf +++ b/terragrunt/bootstrap/module/variables.tf @@ -26,12 +26,6 @@ variable "ext_router" { description = "name of the external router" } -variable "inet_cidr" { - type = string - description = "CIDR of the internet subnet" - default = "192.42.0.0/16" -} - variable "inetdns_flavor" { type = string description = "flavor of the internet dns server" @@ -76,14 +70,13 @@ variable "inet_dns" { default = ["1.1.1.1","8.8.8.8"] } -variable "lan_cidr" { - type = string - description = "CIDR of the lan subnet" - default = "192.168.100.0/24" -} - -variable "dmz_cidr" { - type = string - description = "CIDR of the dmz subnet" - default = "172.17.100.0/24" +variable "subnet_cidrs" { + type = map(string) + description = "CIDRs for various subnets" + default = { + inet = "192.42.0.0/16" + lan = "192.168.100.0/24" + dmz = "172.17.100.0/24" + admin = "10.12.100.0/24" + } } diff --git a/terragrunt/repository/module/adminpc.tf b/terragrunt/repository/module/adminpc.tf index a2236f0..25d8d13 100644 
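Review bot: The `admin` entry in `subnet_cidrs` is `10.12.100.0/24`, but the `admin_cidr` variables introduced in the same commit (terragrunt/repository and terragrunt/videoserver) default to `10.12.0.0/24`, and the scenario templates hard-code `$ADMIN_SERVER: 10.12.0.222`. With these defaults the admin subnet is 10.12.100.0/24 while the admin PCs request fixed IPs 10.12.0.222/.223, which Neutron will reject as outside the subnet — or, if the modules receive an overriding input, the scenarios will still target the wrong /24. Pick one value (`admin = "10.12.0.0/24"` here would match every other use in this diff), or better, export `subnet_cidrs` from the bootstrap module and have the other modules consume it rather than carrying their own defaults. A `validation` block asserting the map contains `inet`, `lan`, `dmz` and `admin` would turn a missing key into a plan-time error instead of an opaque `cidrhost` failure.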
--- a/terragrunt/repository/module/adminpc.tf +++ b/terragrunt/repository/module/adminpc.tf @@ -38,8 +38,8 @@ resource "openstack_compute_instance_v2" "adminpc2" { user_data = local.ext_adminpc_userdata_file == null ? null : data.template_cloudinit_config.cloudinitadminpc[0].rendered network { - name = "lan" - fixed_ip_v4 = cidrhost(var.lan_cidr,223) + name = "admin" + fixed_ip_v4 = cidrhost(var.admin_cidr,223) } } diff --git a/terragrunt/repository/module/adminpc_variables.tf b/terragrunt/repository/module/adminpc_variables.tf index f2db740..c4a4be6 100644 --- a/terragrunt/repository/module/adminpc_variables.tf +++ b/terragrunt/repository/module/adminpc_variables.tf @@ -15,3 +15,8 @@ variable "adminpc_userdata" { default = null } +variable "admin_cidr" { + type = string + description = "CIDR of the admin subnet" + default = "10.12.0.0/24" +} \ No newline at end of file diff --git a/terragrunt/repository/module/scripts/default.yml b/terragrunt/repository/module/scripts/default.yml index 31e0af9..27d633a 100644 --- a/terragrunt/repository/module/scripts/default.yml +++ b/terragrunt/repository/module/scripts/default.yml @@ -7,5 +7,6 @@ system_info: bootcmd: - echo "nameserver ${dns_server_address}" > /etc/resolv.conf runcmd: + - [echo, "nameserver ${dns_server_address}", >, /etc/resolv.conf] - [apt-get, update] - [apt-get, install, -y, python3] diff --git a/terragrunt/videoserver/module/adminpc.tf b/terragrunt/videoserver/module/adminpc.tf index a879f2f..e3d2832 100644 --- a/terragrunt/videoserver/module/adminpc.tf +++ b/terragrunt/videoserver/module/adminpc.tf @@ -35,8 +35,8 @@ resource "openstack_compute_instance_v2" "adminpc" { user_data = local.ext_adminpc_userdata_file == null ? null : data.template_cloudinit_config.cloudinitadminpc[0].rendered network { - name = "lan" - fixed_ip_v4 = cidrhost(var.lan_cidr,222) + name = "admin" + fixed_ip_v4 = cidrhost(var.admin_cidr,222) } } 
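Review bot: The added runcmd entry `[echo, "nameserver ${dns_server_address}", >, /etc/resolv.conf]` does not redirect: cloud-init executes list-form runcmd entries directly without a shell, so `>` and `/etc/resolv.conf` arrive as plain arguments to echo and the line only ends up in the cloud-init log, leaving resolv.conf untouched. Use the string form, which cloud-init runs through `sh`: `- echo "nameserver ${dns_server_address}" > /etc/resolv.conf`, or `- [sh, -c, "echo nameserver ${dns_server_address} > /etc/resolv.conf"]`. If the motivation is that the `bootcmd` write is being lost, the likely cause on images with systemd-resolved or netplan is that resolv.conf is regenerated after boot, in which case a netplan DNS setting or `write_files` is the durable fix rather than a second echo.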
diff --git a/terragrunt/videoserver/module/adminpc_variables.tf b/terragrunt/videoserver/module/adminpc_variables.tf index f0c926c..0f74207 100644 --- a/terragrunt/videoserver/module/adminpc_variables.tf +++ b/terragrunt/videoserver/module/adminpc_variables.tf @@ -15,8 +15,8 @@ variable "adminpc_userdata" { default = null } -variable "lan_cidr" { +variable "admin_cidr" { type = string - description = "CIDR of the dmz subnet" - default = "192.168.100.0/24" + description = "CIDR of the admin subnet" + default = "10.12.0.0/24" }
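Review bot: Renaming `lan_cidr` to `admin_cidr` silently breaks any terragrunt input still named `lan_cidr`: Terraform only warns about an unknown input, and the new variable then quietly falls back to its default `10.12.0.0/24`, which does not match the `10.12.100.0/24` the bootstrap module assigns to the admin subnet. Check the terragrunt.hcl inputs for this module and the repository one, and consider removing the `default` so a missing value is a hard error: keep `type = string` and the description, drop `default = "10.12.0.0/24"`. A comment pointing at the bootstrap map, e.g. `# must equal subnet_cidrs["admin"] in terragrunt/bootstrap`, would make the coupling visible.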