Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • opensearch
  • master-wo-opendistro-plugins
  • dev-bartos
  • tag-modification
  • java-upgrade
  • ports
  • nifi-update
  • kiril.kjiroski-master-patch-71888
  • user-mgmt-ui
  • interactive
  • cluster-support
  • dev5
  • dev4
  • dev02
  • dev01b
  • dev1
  • dev3
  • dev2
  • v1.0
  • v0.7
21 results
Blame Permalink
install.md 4.39 KiB

Installation

The current version of SOCTools only runs on a single server. A fully distributed versiob will be released soon.

Hardware requirements

  • CPU: 8 cores
  • Memory: 32GB
  • Disk: >40GB (This depends entirely on how much data you want to collect and how long you want to keep the data. For just testing SOCTools, 30GB is enough.)

Prerequisites

  • Minimal installation of CentOS7
  • Install Ansible
    • sudo yum -y install epel-release
    • sudo yum -y install ansible git
    • sudo ansible-galaxy collection install ansible.posix

Download SOCTools

To test the development version you can clone the repository instead of downloading the latest release:

Configure SOCTools

You can use configuration script named "configure.sh", located in the root folder, in order to use the Configuration Wizzard and more easily enter preferred values for a number of options. This script will help you in following:

  • Create whitelist for use with haproxy, in order to enable access to various tools from certain IP addresses.
  • By default, following services are accessible only from internal docker network (172.22.0.0/16):
    • HAProxy Stats - Statistics about proxied services/tools and their availability. Generally, you want only a selected number of people to be able to view them.
    • ODFE - Direct access to ODFE Elasticsearch containers. Generally, you would need to access them only for debugging purposes.
  • By default, all SOCTools are accessible from the whole Internet. Since we are using certificates for all tools, except for Keycloak and User Management UI, you may want to restrict access to the last two.

Edit roles/haproxy/files/stats_whitelist.lst in order to manually configure whitelist IP addresses for accessing various tools. You can use access.ips file found in the root folder as starting template.

  • cat access.ips > roles/haproxy/files/stats_whitelist.lst
  • vi roles/haproxy/files/stats_whitelist.lst

Edit group_vars/all/main.yml and change 'soctoolsproxy' so that it points to the FQDN of the server.

  • vi group_vars/all/main.yml

If you want to use MaxMind GeoLite2 database for enrichment, add the license key to the variable 'maxmind_key'
Users can be configured in the file group_vars/all/users.yml

  • vi group_vars/all/users.yml

Install SOCTools

Configure the server running SOCTools:

  • ansible-playbook -i inventories soctools_server.yml

Build the Docker images:

  • ansible-playbook -i inventories buildimages.yml

Build SOCTools CA needed for service and user certificates:

  • ansible-playbook -i inventories buildca.yml
    This playbook will generate some errors but this is normal as long as the playbook ignores them and finish without stopping.

Start SOCTools:

  • ansible-playbook -i inventories soctools.yml -t start-docker-containers
  • ansible-playbook -i inventories soctools.yml -t init

Stop SOCTools:

  • ansible-playbook -i inventories soctools.yml -t stop

Errors building SOCTools

If there are any errors during building of SOCTools then it is often best to start from the top. The easiest way is to delete any existing Docker images that are already built and then restart the installation. To prune existing Docker images run docker system prune -a. This command will delete all images so it assumes that SOCTools is the only service running on the server.

Certificates

To access the web interfaces of the various services in SOCTools, you need to import the root certificate located in secrets/CA/ca.crt. For windows the CA certificate should be installed in the Trusted Root Certficiation Authorities store.
User authentication is done using client certificates. A certificate is generated automatically for all users specified in the file group_vars/all/users.ymland can be found in the directory secrets/certificates. Passwords for the certificates can be found in the directory secrets/passwords. Install one of the client certificates in the the browser to access the web interfaces of SOCTools.

Web interfaces

All Web interfaces of the various services are access by going to https://<server name>:<port>/using the following port numbers:

  • 9443 - NiFi
  • 5601 - Kibana
  • 6443 - Misp
  • 9000 - The Hive
  • 9001 - Cortex
  • 12443 - Keycloak