ait-testbed · thorinaboenke · Aug 12, 2024 · Aug 12, 2024 · Aug 12, 2024 · Aug 13, 2024
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 roles/
 venv/
+.venv/
 .env
 .terragrunt-cache/
 .terraform.lock.hcl

diff --git a/ansible/deploy/firewall/firewall.yml b/ansible/deploy/firewall/firewall.yml
@@ -29,17 +29,24 @@
                 type: ipv4,
                 interface: { name: $DMZIF, broadcast: detect, options: "routeback,bridge,nosmurfs" }
               }
+            - { 
+                name: admin, 
+                type: ipv4,
+                interface: { name: $ADMINIF, broadcast: detect, options: "routeback,bridge,nosmurfs" }
+              }
           policy:
             - { source: fw,    dest: all,   policy: ACCEPT }
             - { source: lan,   dest: inet,  policy: ACCEPT }
             - { source: dmz,   dest: inet,  policy: ACCEPT }
+            - { source: admin,   dest: all,  policy: ACCEPT }
             - THIS POLICY HAS TO BE THE LAST
             - { source: all,   dest: all,   policy: REJECT, log: info } 
           rules:
             # - { action: DNAT, source: inet, dest: "lan:192.168.213.10:22", proto: tcp, dest_port: 10022 }
             - Permit access to SSH
             - { action: SSH/ACCEPT,  source: lan, dest: fw }
             - { action: SSH/ACCEPT,  source: dmz, dest: fw }
+            - { action: SSH/ACCEPT,  source: admin, dest: fw }
             # - { action: ACCEPT,      source: inet, dest: fw, proto: tcp, dest_port: "443,8006" }
             - PING Rules
             - { action: Ping/ACCEPT, source: all, dest: all }
@@ -51,5 +58,6 @@
             - { name: INETIF, value: ens3 }
             - { name: LANIF, value: ens4 }
             - { name: DMZIF, value: ens5 }
+            - { name: ADMINIF, value: ens6 }
 
     - role: auditd
diff --git a/ansible/run/scenario1/templates/scenario_1_c_a.j2 b/ansible/run/scenario1/templates/scenario_1_c_a.j2
@@ -7,6 +7,7 @@ vars:
   $SERVER_ADDRESS: 192.42.0.254
   $ATTACKER_ADDRESS: 192.42.1.174
   $DNS_SERVER: 192.42.0.233
+  $ADMIN_SERVER: 10.12.0.222
   $DOMAIN: aecid-testbed.com
   $USER: aecid
   $DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
@@ -131,7 +132,7 @@ commands:
 
   - type: ssh
     cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no [email protected] reboot" | at now + 2 minute
-    hostname: 192.168.100.222
+    hostname: $ADMIN_SERVER
     username: aecid
     password: aecid
     jmp_hostname:  192.42.2.42

diff --git a/ansible/run/scenario1/templates/scenario_1_c_b.j2 b/ansible/run/scenario1/templates/scenario_1_c_b.j2
@@ -131,7 +131,7 @@ commands:
 
   - type: ssh
     cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no [email protected] reboot" | at now + 2 minute
-    hostname: 192.168.100.222
+    hostname: $ADMIN_SERVER
     username: aecid
     password: aecid
     jmp_hostname: "192.42.2.42"

diff --git a/ansible/run/scenario1/templates/scenario_1_c_c.j2 b/ansible/run/scenario1/templates/scenario_1_c_c.j2
@@ -131,7 +131,7 @@ commands:
 
   - type: ssh
     cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no [email protected] reboot" | at now + 2 minute
-    hostname: 192.168.100.222
+    hostname: $ADMIN_SERVER
     username: aecid
     password: aecid
     jmp_hostname: "192.42.2.42"

diff --git a/ansible/run/scenario1/templates/scenario_1_d_a.j2 b/ansible/run/scenario1/templates/scenario_1_d_a.j2
@@ -7,6 +7,7 @@ vars:
   $SERVER_ADDRESS: 192.42.0.254
   $ATTACKER_ADDRESS: 192.42.1.174
   $DNS_SERVER: 192.42.0.233
+  $ADMIN_SERVER: 10.12.0.222
   $DOMAIN: aecid-testbed.com
   $USER: aecid
   $DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
@@ -132,7 +133,7 @@ commands:
 
   - type: ssh
     cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no [email protected] '. /etc/bash_completion'" | at now + 10 minute
-    hostname: 192.168.100.222
+    hostname: $ADMIN_SERVER
     username: aecid
     password: aecid
     jmp_hostname:  192.42.2.42

diff --git a/ansible/run/scenario1/templates/scenario_1_d_b.j2 b/ansible/run/scenario1/templates/scenario_1_d_b.j2
@@ -7,6 +7,7 @@ vars:
   $SERVER_ADDRESS: 192.42.0.254
   $ATTACKER_ADDRESS: 192.42.1.174
   $DNS_SERVER: 192.42.0.233
+  $ADMIN_SERVER: 10.12.0.222
   $DOMAIN: aecid-testbed.com
   $USER: aecid
   $DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
@@ -132,7 +133,7 @@ commands:
 
   - type: ssh
     cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no [email protected] '. /etc/bash_completion'" | at now + 10 minute
-    hostname: 192.168.100.222
+    hostname: $ADMIN_SERVER
     username: aecid
     password: aecid
     jmp_hostname:  192.42.2.42

diff --git a/ansible/run/scenario1/templates/scenario_1_d_c.j2 b/ansible/run/scenario1/templates/scenario_1_d_c.j2
@@ -132,7 +132,7 @@ commands:
 
   - type: ssh
     cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no [email protected] '. /etc/bash_completion'" | at now + 10 minute
-    hostname: 192.168.100.222
+    hostname: $ADMIN_SERVER
     username: aecid
     password: aecid
     jmp_hostname:  192.42.1.232

diff --git a/ansible/run/scenario3/templates/scenario_3_c.j2 b/ansible/run/scenario3/templates/scenario_3_c.j2
@@ -7,6 +7,7 @@ vars:
   $SERVER_ADDRESS: 192.42.0.254
   $ATTACKER_ADDRESS: 192.42.1.174
   $DNS_SERVER: 192.42.0.233
+  $ADMIN_SERVER: 10.12.0.222
 
 commands:
   - type: shell
@@ -202,7 +203,7 @@ commands:
 
   - type: ssh
     cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no [email protected] \"apt update && apt install -y healthcheckd\"" | at now + 2 minute
-    hostname: 192.168.100.223
+    hostname: $ADMIN_SERVER
     username: aecid
     password: aecid
     jmp_hostname:  192.42.2.42

diff --git a/packer/firewall/playbook/main.yaml b/packer/firewall/playbook/main.yaml
@@ -40,8 +40,14 @@
                 type: ipv4,
                 interface: { name: $DMZIF, broadcast: detect, options: "routeback,bridge,nosmurfs" }
               }
+            - {
+                name: admin,
+                type: ipv4,
+                interface: { name: $ADMINIF, broadcast: detect, options: "routeback,bridge,nosmurfs" }
+              }
           policy:
             - { source: fw,    dest: all,   policy: ACCEPT }
+            - { source: admin,    dest: all,   policy: ACCEPT }
             - { source: lan,   dest: inet,  policy: ACCEPT }
             - { source: lan,   dest: dmz,  policy: ACCEPT }
             - { source: dmz,   dest: inet,  policy: ACCEPT }
@@ -64,9 +70,11 @@
             - Permit access to SSH
             - { action: SSH/ACCEPT,  source: lan, dest: fw }
             - { action: SSH/ACCEPT,  source: dmz, dest: fw }
+            - { action: SSH/ACCEPT,  source: admin, dest: fw }
             - Permit access to DNS
             - { action: DNS/ACCEPT,  source: lan, dest: fw }
             - { action: DNS/ACCEPT,  source: dmz, dest: fw }
+            - { action: DNS/ACCEPT,  source: admin, dest: fw }
             # - { action: ACCEPT,      source: inet, dest: fw, proto: tcp, dest_port: "443,8006" }
             - PING Rules
             - { action: Ping/ACCEPT, source: all, dest: all }
@@ -78,6 +86,7 @@
             - { name: INETIF, value: ens3 }
             - { name: LANIF, value: ens4 }
             - { name: DMZIF, value: ens5 }
+            - { name: ADMINIF, value: ens6 }
             - { name: REPOSERVER, value: 172.17.100.122}
             - { name: LINUXSHARE, value: 192.168.100.23}
             - { name: VIDEOSERVER, value: 172.17.100.121}

diff --git a/terragrunt/bootstrap/module/main.tf b/terragrunt/bootstrap/module/main.tf
@@ -26,7 +26,7 @@ resource "openstack_networking_network_v2" "internet" {
 resource "openstack_networking_subnet_v2" "internet_subnet" {
   name       = "internet_subnet"
   network_id = "${openstack_networking_network_v2.internet.id}"
-  cidr       = var.inet_cidr
+  cidr       = var.subnet_cidrs["inet"]
   dns_nameservers = var.inet_dns
   ip_version = 4
 }
@@ -70,7 +70,7 @@ resource "openstack_compute_instance_v2" "inet-dns" {
 
   network {
     name = "internet"
-    fixed_ip_v4 = cidrhost(var.inet_cidr,514)
+    fixed_ip_v4 = cidrhost(var.subnet_cidrs["inet"],514)
   }
 
   depends_on = [
@@ -92,15 +92,15 @@ resource "openstack_networking_network_v2" "lan" {
 resource "openstack_networking_subnet_v2" "lan_subnet" {
   name       = "lan_subnet"
   network_id = "${openstack_networking_network_v2.lan.id}"
-  cidr       = var.lan_cidr
+  cidr       = var.subnet_cidrs["lan"]
   ip_version = 4
-  gateway_ip = cidrhost(var.lan_cidr,254)
-  dns_nameservers = [cidrhost(var.lan_cidr,254)]
+  gateway_ip = cidrhost(var.subnet_cidrs["lan"],254)
+  dns_nameservers = [cidrhost(var.subnet_cidrs["lan"],254)]
 
   # make the allocation_pool smaller for gateway_ip
   allocation_pool {
-    start = cidrhost(var.lan_cidr,20)
-    end   = cidrhost(var.lan_cidr,200)
+    start = cidrhost(var.subnet_cidrs["lan"],20)
+    end   = cidrhost(var.subnet_cidrs["lan"],200)
   }
 }
 
@@ -117,19 +117,46 @@ resource "openstack_networking_network_v2" "dmz" {
 resource "openstack_networking_subnet_v2" "dmz_subnet" {
   name       = "dmz_subnet"
   network_id = "${openstack_networking_network_v2.dmz.id}"
-  cidr       = var.dmz_cidr
+  cidr       = var.subnet_cidrs["dmz"]
   ip_version = 4
-  gateway_ip = cidrhost(var.dmz_cidr,254)
-  dns_nameservers = [cidrhost(var.dmz_cidr,254)]
+  gateway_ip = cidrhost(var.subnet_cidrs["dmz"],254)
+  dns_nameservers = [cidrhost(var.subnet_cidrs["dmz"],254)]
 
 
   # make the allocation_pool smaller for gateway_ip
   allocation_pool {
-    start = cidrhost(var.dmz_cidr,20)
-    end   = cidrhost(var.dmz_cidr,200)
+    start = cidrhost(var.subnet_cidrs["dmz"],20)
+    end   = cidrhost(var.subnet_cidrs["dmz"],200)
   }
 }
 
+###################################################################
+#
+# CREATE NETWORK "ADMIN"
+#
+resource "openstack_networking_network_v2" "admin" {
+  name           = "admin"
+  port_security_enabled = "false"
+  admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "admin_subnet" {
+  name       = "admin_subnet"
+  network_id = "${openstack_networking_network_v2.admin.id}"
+  cidr       = var.subnet_cidrs["admin"]
+  ip_version = 4
+  gateway_ip = cidrhost(var.subnet_cidrs["admin"],254)
+  dns_nameservers = [cidrhost(var.subnet_cidrs["admin"],254)]
+
+
+  # make the allocation_pool smaller for gateway_ip
+  allocation_pool {
+    start = cidrhost(var.subnet_cidrs["admin"],20)
+    end   = cidrhost(var.subnet_cidrs["admin"],200)
+  }
+}
+
+
 ####################################################################
 #
 # CREATE INSTANCE for "Internet-Firewall"
@@ -167,24 +194,30 @@ resource "openstack_compute_instance_v2" "inet-fw" {
 
   network {
     name = "internet"
-    fixed_ip_v4 = cidrhost(var.inet_cidr,254)
+    fixed_ip_v4 = cidrhost(var.subnet_cidrs["inet"],254)
   }
 
   network {
     name = "lan"
-    fixed_ip_v4 = cidrhost(var.lan_cidr,254)
+    fixed_ip_v4 = cidrhost(var.subnet_cidrs["lan"],254)
   }
 
   network {
     name = "dmz"
-    fixed_ip_v4 = cidrhost(var.dmz_cidr,254)
+    fixed_ip_v4 = cidrhost(var.subnet_cidrs["dmz"],254)
+  }
+
+  network {
+    name = "admin"
+    fixed_ip_v4 = cidrhost(var.subnet_cidrs["admin"],254)
   }
 
   depends_on = [
      openstack_compute_instance_v2.inet-dns,
      openstack_networking_network_v2.dmz,
      openstack_networking_network_v2.internet,
-     openstack_networking_network_v2.lan
+     openstack_networking_network_v2.lan,
+     openstack_networking_network_v2.admin
   ]
 }
 
@@ -215,9 +248,12 @@ data "openstack_images_image_v2" "mgmt-image" {
 }
 
 locals {
-  mgmt_internet_ip = cidrhost(var.inet_cidr, 201)  # Static IP for mgmt host in internet network
-  mgmt_lan_ip = cidrhost(var.lan_cidr, 201)  # Static IP for mgmt host in lan network
-  mgmt_dmz_ip = cidrhost(var.dmz_cidr, 201)  # Static IP for mgmt host in dmz network
+  mgmt_ips = {
+    internet = cidrhost(var.subnet_cidrs["inet"], 201)
+    lan      = cidrhost(var.subnet_cidrs["lan"], 201)
+    dmz      = cidrhost(var.subnet_cidrs["dmz"], 201)
+    admin    = cidrhost(var.subnet_cidrs["admin"], 201)
+  }
 }
 
 resource "openstack_compute_instance_v2" "mgmt" {
@@ -229,29 +265,35 @@ resource "openstack_compute_instance_v2" "mgmt" {
 
   network {
     name = "internet"
-    fixed_ip_v4 = local.mgmt_internet_ip
+    fixed_ip_v4 = local.mgmt_ips.internet
   }
 
   network {
     name = "lan"
-    fixed_ip_v4 = local.mgmt_lan_ip
+    fixed_ip_v4 = local.mgmt_ips.lan
   }
 
   network {
     name = "dmz"
-    fixed_ip_v4 = local.mgmt_dmz_ip
+    fixed_ip_v4 = local.mgmt_ips.dmz
+  }
+
+  network {
+    name = "admin"
+    fixed_ip_v4 = local.mgmt_ips.admin
   }
 
   depends_on = [
      openstack_networking_network_v2.dmz,
      openstack_networking_network_v2.internet,
-     openstack_networking_network_v2.lan
-  ]
+     openstack_networking_network_v2.lan,
+     openstack_networking_network_v2.admin,
 
+  ]
 }
 
 data "openstack_networking_port_v2" "mgmt"{
-  fixed_ip = local.mgmt_internet_ip
+  fixed_ip =  local.mgmt_ips.internet
     depends_on = [
       openstack_compute_instance_v2.mgmt  
   ]

diff --git a/terragrunt/bootstrap/module/variables.tf b/terragrunt/bootstrap/module/variables.tf
@@ -26,12 +26,6 @@ variable "ext_router" {
   description = "name of the external router"
 }
 
-variable "inet_cidr" {
-  type        = string
-  description = "CIDR of the internet subnet"
-  default     = "192.42.0.0/16"
-}
-
 variable "inetdns_flavor" {
   type        = string
   description = "flavor of the internet dns server"
@@ -76,14 +70,13 @@ variable "inet_dns" {
   default     = ["1.1.1.1","8.8.8.8"] 
 }
 
-variable "lan_cidr" {
-  type        = string
-  description = "CIDR of the lan subnet"
-  default     = "192.168.100.0/24"
-}
-
-variable "dmz_cidr" {
-  type        = string
-  description = "CIDR of the dmz subnet"
-  default     = "172.17.100.0/24"
+variable "subnet_cidrs" {
+  type        = map(string)
+  description = "CIDRs for various subnets"
+  default = {
+    inet = "192.42.0.0/16"
+    lan   = "192.168.100.0/24"
+    dmz   = "172.17.100.0/24"
+    admin = "10.12.100.0/24"
+  }
 }