migrate to git.charlotte.sh

net-sec-controls-sec350/machines/LOG01.md

@@ -0,0 +1,123 @@
+# LOG01 Configuration
+
+> **Note**: This is the original log01 server that will eventually be retired, then brought back as a jump server.
+
+## Basic Setup
+- Set hostname to `log01-charlotte`
+- Add sudo user `charlotte:password`
+- Set network adapter to DMZ
+- Configure static IP via nmtui:
+  - IP Address: `172.16.50.5/29`
+  - Gateway & DNS: `172.16.50.2`
+
+## Configure Firewall for Syslog
+```
+sudo firewall-cmd --add-port=514/tcp --permanent
+sudo firewall-cmd --add-port=514/udp --permanent
+sudo firewall-cmd --reload
+```
+
+## Configure Rsyslog
+
+### Enable Syslog Input Modules
+Edit `/etc/rsyslog.conf` and uncomment these lines:
+```
+# Provides UDP syslog reception
+module(load="imudp")
+input(type="imudp" port="514")
+
+# Provides TCP syslog reception
+module(load="imtcp")
+input(type="imtcp" port="514")
+```
+
+### Configure High Precision Timestamps
+Add to `/etc/rsyslog.conf`:
+```
+$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
+template(name="BetterTiming" type="string" string="%timestamp:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n")
+```
+
+Apply the template to the desired log file:
+```
+# Example: Add ;BetterTiming suffix to a log destination
+*.info;mail.none;authpriv.none;cron.none                /var/log/messages;BetterTiming
+```
+
+### Configure Log Organization
+Create a file named `/etc/rsyslog.d/sec350.conf` with these contents:
+```
+# Input modules
+module(load="imudp")
+input(type="imudp" port="514")
+module(load="imtcp")
+input(type="imtcp" port="514")
+
+# Creating templates for storing logs dynamically
+$template DynFile,"/var/log/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%programname%.log"
+$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%programname%.log"
+
+# Create a ruleset for remote devices
+ruleset(name="RemoteDevice"){
+    action(type="omfile" dynaFile="RemoteLogs")
+}
+
+# Direct local logs to files
+:programname, !startswith, "rsyslog" ?DynFile
+
+# Direct messages from remote hosts to the ruleset
+:inputname, isequal, "imudp" call RemoteDevice
+:inputname, isequal, "imtcp" call RemoteDevice
+```
+
+### Restart Rsyslog
+```
+sudo systemctl restart rsyslog
+```
+
+## Monitor Incoming Logs
+```
+tail -f /var/log/messages
+```
+
+Or check specific remote log files:
+```
+tail -f /var/log/remote/*/*/*/*/sshd.log
+```
+
+## Recommissioned as Jump Server
+When log01 is repurposed as a jump server:
+
+1. Change IP address to: `172.16.50.4/29`
+2. Change hostname: `sudo hostnamectl set-hostname jump-charlotte`
+
+### SSH Configuration for Passwordless Access
+```bash
+# Create dedicated user for jump access
+useradd -m -d /home/charlotte-jump -s /bin/bash charlotte-jump
+
+# Disable password authentication
+sudo sed -i 's/PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+
+# Create SSH directory structure with proper permissions
+mkdir -p /home/charlotte-jump/.ssh
+chmod 700 /home/charlotte-jump/.ssh
+
+# Add the public key to authorized_keys
+echo "ssh-rsa AAAAB3N...your-public-key..." >> /home/charlotte-jump/.ssh/authorized_keys
+
+# Set proper permissions and ownership
+chmod 600 /home/charlotte-jump/.ssh/authorized_keys
+chown -R charlotte-jump:charlotte-jump /home/charlotte-jump/.ssh
+
+# Restart SSH service
+systemctl restart sshd
+```
+
+### Wazuh Agent Installation
+```bash
+sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' WAZUH_AGENT_NAME='jump-charlotte' rpm -ihv wazuh-agent-4.7.3-1.x86_64.rpm
+sudo systemctl daemon-reload
+sudo systemctl enable wazuh-agent
+sudo systemctl start wazuh-agent
+```