Skip to content

littleairmada/gmon-ipa-lab

Repository files navigation

gmon-ipa-lab

This repo contains the CentOS 7 kickstarts, packer configurations, and test scripts used in the virtual lab for my GIAC Continuous Monitoring Certification (GMON) Gold paper Continuous Security Monitoring in non-Active Directory Environments. The primary purpose of the paper was to investigate a FreeIPA directory and determine what artifacts can be leveraged by defenders to track activity--similar to CSM techniques used to track activity with Active Directory/Windows Event logs.

Host Requirements

  • VMWare Workstation 14+
  • Packer
  • CentOS 7 Everything DVD ISO (CentOS-7-x86_64-DVD-1810.iso is automatically downloaded by Packer.)

Important Notes

  • The Packer and kickstart files expect the local virtual machine (VM) network to be 192.168.1.0/24.
  • IP addresses and credentials are hardcoded to minimize my PEBKAC errors. (Update as needed for your test environment.)
  • This lab setup process was not designed to be fully automated and requires machines to be setup in a specific order.

Lab Setup

This lab is comprised of 7 servers with assigned hostnames, IP addresses, and system requirements:

System Domain IP Address RAM Disk Size
Syslog/ELK Server elk.ipa.domain.local 192.168.1.200 1GB 20GB
Primary Directory Server ipa01.ipa.domain.local 192.168.1.201 2GB 20GB
Secondary Directory Server ipa02.ipa.domain.local 192.168.1.202 2GB 20GB
Client Server #1 svr01.ipa.domain.local 192.168.1.203 1GB 20GB
Client Server #2 svr02.ipa.domain.local 192.168.1.206 1GB 20GB
Client Workstation #1 wkst01.ipa.domain.local 192.168.1.204 1GB 20GB
Client Workstation #2 wkst02.ipa.domain.local 192.168.1.205 1GB 20GB

The VMs are created is a specific order and each VM must be powered on before the next one is created. (Packer)[https://packer.io] is used to create the VMs:

packer build log01.json
packer build ipa01.json
packer build ipa02.json
packer build srv01.json
packer build srv02.json
packer build wkst01.json
packer build wkst02.json

Log Generation

The test suite is designed to perform commands associated with common administrative activity, user activity, and basic password attacks.

Once all VMs are online, log on to IPA01 as root and execute:

/root/start-ipa-tests.sh

The results will be recorded to /root/results-ipa-tests.log.

Next, log on to WSKT01 as root and execute:

script -f /root/results-wkst-tests.log && /root/start-wkst-tests.sh

When you have completed the interactive script, type exit to record the results to /root/results-wkst-tests.log.

Finally, log on to WSKT01 as root and execute:

/root/start-password-attacks.sh

The results will be recorded to /root/results-password-attacks.log.

Test Suite Coverage

Test ID Test Type Test Name Status
T1 Administrative User Creation ✔️ Implemented
T2 Administrative Group Creation ✔️ Implemented
T3 Administrative User Deletion ✔️ Implemented
T4 Administrative Group Deletion ✔️ Implemented
T5 Administrative Group Membership Modification ✔️ Implemented
T6 Administrative Workstation/Server Domain Membership ✔️ Implemented
T7 Administrative Suspend User ✔️ Implemented
T8 Administrative Unsuspend User ✔️ Implemented
T9 User Events User Login ✔️ Implemented
T10 User Events User Logout ✔️ Implemented
T11 User Events Password Change ✔️ Implemented
T12 User Events Account Lockout ✔️ Implemented
T13 Abnormal Activity Directory Recon ✔️ Implemented
T14 Abnormal Activity Service Account Misuse ❌ Not Automated
T15 Password Attack Brute-Force Guessing ✔️ Implemented
T16 Password Attack Password Spray ✔️ Implemented

Please note the Moodle installation/configuration, testing, and analysis of the IPA logs for T14 is currently a manual process.

About

Lab for GMON Gold Paper

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages