SECURITY RESEARCH, TOOLS, TUTORIAL |

Extend DetectionLab with Linux Endpoints

DetectionLab is a fantastic project by Chris Long for quickly deploying a Windows Domain-based test environment with Linux-based Security Information Event Management (SIEM). See our DetectionLab Tutorial or check out the project page for more information.

In this post, I detail how to easily deploy additional Ubuntu Linux-based servers into the DetectionLab environment.

The idea is to be able to quickly deploy a Linux server that has agents (ossec / osquery) pre-installed for security monitoring, with the agents sending data back to the DetectionLab logger host.

Vagrant Configuration File

The basis for adding additional hosts to the DetectionLab network is the Vagrant configuration file. If you have not used Vagrant, then getting things working in a test environment is not difficult. A little bit of knowledge will go a long way, and you will find yourself using Vagrant for other tasks as it simply saves you time.

extending DetectionLab

Digging into the Vagrant configuration and deployment, we find that the configuration file is configured to:

  1. Deploy an Ubuntu server that connects to the DetectionLab Network (192.168.38.0/24)
  2. Installs osquery agent and connects to the Fleet Manager
  3. Install ossec agent, configured to send logs to UDP 514 Syslog on Splunk
  4. Updates Splunk to enable the UDP Syslog Input
  5. Splunk is now collecting security events from the Ubuntu Server (indexing both osquery and ossec events)

Hopefully, this sample configuration highlights the time saving benefits of using Vagrant within your lab environment. All these tasks are performed automatically and after the operating system is deployed, with only a few configuration files.

Using this configuration it will be straightforward to modify the parameters and shell commands to generate custom systems that suit your own environment.

Reading through the configuration file there is nothing overly complex. One point to highlight is the curl commands that retrieve a JWT token from the fleetdm server (using default credentials). Using these credentials the second curl command downloads the client certificate so that osquery can connect to Fleet.

Use this Vagrant configuration as a template to build other custom Linux hosts to deploy automatically into the DetectionLab Network.

Deploying the Ubuntu Host

To get started grab the Vagrantfile, secret.txt, ossec.conf and flagfile.txt from Github. Modify the host name and IP address as required if you are deploying multiple systems.

Hostname: ubuntu200
IP Address: 192.168.38.200

test@vbox:~/$ git clone https://github.com/hackertarget/DetectionLabUbuntuAddon/
test@vbox:~/$ cd DetectionLabUbuntuAddon
test@vbox:~/DetectionLabUbuntuAddon$ vagrant up

This will start up the host, add it to the network and install ossec and osquery. Log into the fleetdm console to see if the host (ubuntu200) has connected successfully.

DetectionLab with Fleet Dashboard

And in this screenshot we can see ossec alerts being indexed in Splunk from the ubuntu200 host.

Note that with the standard DetectionLab hosts running (logger + windows x 3), you will likely need a bit more than 16GB of ram to add this additional host. You could adjust the memory of the hosts, stop one of the Windows hosts or better still upgrade your Testing Lab (fast lab environments are more fun).