Installation
The current version of SOCTools only runs on a single server. A fully distributed version will be released soon.
Hardware requirements
- CPU: 8 cores
- Memory: 32GB
- Disk: >40GB (This depends entirely on how much data you want to collect and how long you want to keep the data. For just testing SOCTools, 30GB is enough.)
Prerequisites
- Minimal installation of CentOS7
- Set the hostname for your virtual machine and create the corresponding DNS record (it will be needed later)
- Install Ansible
sudo yum -y install epel-release
sudo yum -y install ansible git
sudo ansible-galaxy collection install ansible.posix
Download SOCTools
- Download latest release from https://gitlab.geant.org/gn4-3-wp8-t3.1-soc/soctools/-/releases
- Unpack downloaded release
cd soctools
To test the development version you can clone the repository instead of downloading the latest release:
git clone --recursive https://gitlab.geant.org/gn4-3-wp8-t3.1-soc/soctools.git
cd soctools
Configure SOCTools
You can use the configuration script "configure.sh", located in the root folder, to run the Configuration Wizard and more easily enter preferred values for a number of options. This script helps you with the following:
- Create a whitelist for use with HAProxy, in order to allow access to the various tools only from certain IP addresses.
  - By default, the following services are accessible only from the internal Docker network (172.22.0.0/16):
    - HAProxy Stats - Statistics about proxied services/tools and their availability. Generally, you want only a selected number of people to be able to view them.
    - OpenSearch - Direct access to the OpenSearch containers. Generally, you would need to access them only for debugging purposes.
  - By default, all SOCTools services are accessible from the whole Internet. If there is any doubt about the implemented security features, you may want to fine-tune port visibility. You can restrict access to the following:
    - Nifi Management - Web UI for managing NiFi flows. You may want to restrict access to within your organization.
    - Nifi ports - Ports used for accepting data from various sources. You may want to restrict access to only certain servers/devices in your network.
    - Keycloak Management - Web UI for managing SOCTools users. Increase security by restricting access to administrator(s) only.
    - TheHive - Web UI for TheHive. Usually you do not want to restrict access.
    - Cortex - Web UI for Cortex. Usually you do not want to restrict access.
    - MISP - Web UI for MISP. Usually you do not want to restrict access.
    - User Management UI - Web UI for creating and managing SOCTools users. Increase security by restricting access to administrator(s) only.
    - OpenSearch Dashboards - Web UI for OpenSearch Dashboards. Increase security by restricting access to administrator(s) only.
Edit roles/haproxy/files/stats_whitelist.lst in order to manually configure the whitelist of IP addresses allowed to access the various tools. You can use the access.ips file found in the root folder as a starting template.
cat access.ips > roles/haproxy/files/stats_whitelist.lst
vi roles/haproxy/files/stats_whitelist.lst
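Before running the playbooks it is worth checking that the whitelist admits only the addresses you intend, since an overly broad entry such as 0.0.0.0/0 silently undoes the restriction. The validator below is an added example and not part of SOCTools; it assumes the HAProxy ACL pattern-file format (one IPv4/IPv6 address or CIDR per line, lines starting with `#` are comments) and uses a constructed sample in place of roles/haproxy/files/stats_whitelist.lst.

```python
"""Validate a SOCTools HAProxy whitelist before restricting the stats page.
Added example, not part of SOCTools. Assumes the HAProxy ACL pattern-file
format: one IPv4/IPv6 address or CIDR per line, lines starting '#' are comments.
"""
import ipaddress

# Constructed sample standing in for roles/haproxy/files/stats_whitelist.lst.
SAMPLE_WHITELIST = """\
# analyst workstations (constructed, documentation ranges)
192.0.2.10
192.0.2.0/24
2001:db8::/32
# SOCTools internal docker network
172.22.0.0/16
# mistakes the validator should catch
0.0.0.0/0
192.0.2.10
not-an-ip
"""
# Assumed policy: anything broader than these prefixes is a misconfiguration.
MIN_PREFIXLEN = {4: 8, 6: 32}


def parse_whitelist(text):
    """Return (accepted networks, [(line number, problem), ...])."""
    nets, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append((lineno, f"unparseable entry {entry!r}"))
            continue
        if net in seen:
            problems.append((lineno, f"duplicate entry {net}"))
        elif net.prefixlen < MIN_PREFIXLEN[net.version]:
            problems.append((lineno, f"{net} is broader than /{MIN_PREFIXLEN[net.version]}"))
        else:
            seen.add(net)
            nets.append(net)
    return nets, problems


def is_allowed(nets, address):
    """True if a client at `address` matches at least one accepted entry."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)
```

Run parse_whitelist on the contents of your real file and confirm with is_allowed that your own administrative address is covered before the playbook applies the list.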
If you want to use the MaxMind GeoLite2 database for enrichment, edit group_vars/all/main.yml and add the license key to the variable maxmind_key.
vi group_vars/all/main.yml
Install SOCTools
Configure the server running SOCTools:
ansible-playbook -i inventories soctools_server.yml
Build the Docker images:
ansible-playbook -i inventories buildimages.yml
Build the SOCTools CA needed for service and user certificates:
ansible-playbook -i inventories buildca.yml
This playbook will generate some errors, but this is normal as long as the playbook ignores them and finishes without stopping.
Start SOCTools for the first time and initialize:
ansible-playbook -i inventories soctools.yml -t start-docker-containers
ansible-playbook -i inventories soctools.yml -t init
Stop SOCTools without destroying containers:
ansible-playbook -i inventories soctools.yml -t stop-docker-containers
Restart SOCTools after it has been stopped with the stop-docker-containers tag:
ansible-playbook -i inventories soctools.yml -t start-docker-containers
Destroy SOCTools containers:
ansible-playbook -i inventories soctools.yml -t destroy-docker-containers
Deleting the SOCTools containers does not delete the data in the volumes. If all data should be deleted as well, also execute the following command:
docker system prune -a
Errors building SOCTools
If there are any errors while building SOCTools, it is often best to start from the top. The easiest way is to delete any Docker images that have already been built and then restart the installation. To prune existing Docker images run:
docker system prune -a
This command deletes all images, so it assumes that SOCTools is the only service running on the server.
Certificates
To access the web interfaces of the various services in SOCTools, you need to import the root certificate located in secrets/CA/ca.crt. On Windows the CA certificate should be installed in the Trusted Root Certification Authorities store.
User authentication is done using client certificates. A certificate is generated automatically for all users specified in the file group_vars/all/users.yml and can be found in the directory secrets/certificates. Passwords for the certificates can be found in the directory secrets/passwords. Install one of the client certificates in the browser to access the web interfaces of SOCTools.
Web interfaces
All web interfaces of the various services are accessed by going to https://<server name>:<port>/ using the following port numbers:
- 9443 - NiFi
- 5601 - OpenSearch Dashboards
- 6443 - MISP
- 9000 - TheHive
- 9001 - Cortex
- 12443 - Keycloak
- 8888 - haproxy-stats
- 5443 - User Management UI