
Installation

The current version of SOCTools only runs on a single server. A fully distributed version will be released soon.

Hardware requirements

  • CPU: 8 cores
  • Memory: 32GB (It is possible to run on less but it is not recommended)
  • Disk: >30GB (This depends entirely on how much data you want to collect and how long you want to keep the data. For just testing SOCTools, 30GB is enough.)

Prerequisites

  • Minimal installation of CentOS7
  • Install Ansible
    • sudo yum -y install epel-release
    • sudo yum -y install ansible git
    • sudo ansible-galaxy collection install ansible.posix

Clone SOCTools

  • git clone https://gitlab.geant.org/gn4-3-wp8-t3.1-soc/soctools.git
  • cd soctools

Install SOCTools

Edit group_vars/all/main.yml and change 'soctoolsproxy' so that it points to the FQDN of the server.

  • vi group_vars/all/main.yml

If you want to use the MaxMind GeoLite2 database for enrichment, add the license key to the variable 'maxmind_key'.
Users can be configured in the file group_vars/all/users.yml.

  • vi group_vars/all/users.yml

Configure the server running SOCTools:

  • ansible-playbook -i inventories soctools_server.yml

Build the Docker images:

  • ansible-playbook -i inventories buildimages.yml

Build SOCTools CA needed for service and user certificates:

  • ansible-playbook -i inventories buildca.yml
    This playbook will generate some errors, but this is normal as long as the playbook ignores them and finishes without stopping.

Start SOCTools:

  • ansible-playbook -i inventories soctools.yml -t start

Stop SOCTools:

  • ansible-playbook -i inventories soctools.yml -t stop

Certificates

To access the web interfaces of the various services in SOCTools, you need to import the root certificate located in secrets/CA/ca.crt. For Windows the CA certificate should be installed in the Trusted Root Certification Authorities store.
User authentication is done using client certificates. A certificate is generated automatically for all users specified in the file group_vars/all/users.yml and can be found in the directory secrets/certificates. Passwords for the certificates can be found in the directory secrets/passwords.
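
An added check for the secrets tree that buildca.yml produces (example script, not part of SOCTools): it verifies that every client certificate under secrets/certificates chains to secrets/CA/ca.crt and is not about to expire, and that private keys and the files in secrets/passwords are not world-readable before the certificates are handed out. It assumes the client certificates are PEM files named *.crt with keys named *.key, which the page does not specify.

```bash
#!/usr/bin/env bash
# Added example, not part of SOCTools: sanity-check the secrets/ tree that
# buildca.yml generates before distributing user certificates.
# Assumption (not stated on the page): client certificates are PEM files
# named *.crt in secrets/certificates, with private keys named *.key.
# Usage (from the cloned soctools directory): check_secrets secrets

# check_cert CA CERT: 0 if CERT chains to CA and is valid for at least
# 30 more days, 1 if the chain check fails, 2 if it is about to expire.
check_cert() {
  local ca="$1" cert="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1 || return 2
  return 0
}

# check_secrets [ROOT]: report on every client certificate under ROOT
# (default: secrets) and return the number of problems found.
check_secrets() {
  local root="${1:-secrets}"
  local ca="$root/CA/ca.crt" failed=0 f rc bad
  [ -r "$ca" ] || { echo "missing CA certificate: $ca" >&2; return 1; }
  for f in "$root"/certificates/*.crt; do
    [ -e "$f" ] || continue          # no certificates generated yet
    rc=0; check_cert "$ca" "$f" || rc=$?
    if [ "$rc" -eq 0 ]; then
      echo "ok   $f"
    else
      echo "FAIL $f (rc=$rc: 1=does not chain to CA, 2=expires within 30 days)"
      failed=$((failed + 1))
    fi
  done
  # Private keys and the certificate passwords must not be world-readable
  # (-perm -004: the "others" read bit is set).
  bad=$(( $(find "$root" -type f \( -name '*.key' -o -path "$root/passwords/*" \) -perm -004 | wc -l) ))
  [ "$bad" -eq 0 ] || echo "PERM $bad world-readable key/password file(s) under $root"
  failed=$((failed + bad))
  return "$failed"
}
```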

Web interfaces

All web interfaces of the various services are accessed by going to https://<server name>:<port>/ using the following port numbers:

  • 9443 - NiFi
  • 5601 - Kibana
  • 6443 - Misp
  • 9000 - The Hive
  • 9001 - Cortex
  • 12443 - Keycloak