Added new components

Three new components were added:
Cassandra db
The Hive
Cortex (with embedded Elasticsearch v6)

roles/docker/tasks/volumecreate.yml

@@ -8,6 +8,22 @@
   tags:
     - start
 
+- name: Create cassandra volumes
+  docker_volume:
+    name: "{{item}}"
+  with_items:
+    - "{{ groups['cassandra'] }}" 
+  tags:
+    - start
+
+- name: Create cortex volumes
+  docker_volume:
+    name: "{{item}}"
+  with_items:
+    - "{{ groups['cortex'] }}" 
+  tags:
+    - start
+
 - name: Create NiFi volumes
   docker_volume:
     name: "{{item}}"

roles/haproxy/templates/haproxy.cfg.j2

@@ -57,6 +57,30 @@ listen keycloakserv
 	server {{keycloakhost}} {{keycloakhost}}:8443 ssl check verify none
 {% endfor %}
 
+listen thehiveserv
+        bind *:9000 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+        mode http
+        maxconn 5000
+        fullconn 5000
+        balance source
+        option tcpka
+        option forwardfor
+{% for thehivehost in groups['thehive'] %}
+	server {{thehivehost}} {{thehivehost}}:9000 check verify none
+{% endfor %}
+
+listen cortexserv
+        bind *:9001 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+        mode http
+        maxconn 5000
+        fullconn 5000
+        balance source
+        option tcpka
+        option forwardfor
+{% for cortexhost in groups['cortex'] %}
+	server {{cortexhost}} {{cortexhost}}:9001 check verify none
+{% endfor %}
+
 {% for port in range(50, 60) %}
 listen nifiservtcp77{{port}}
 	bind *:77{{port}}

roles/odfees/tasks/main.yml

@@ -62,6 +62,19 @@
   tags:
     - start
 
+- name: Change password for cortex
+  command: "bash plugins/opendistro_security/tools/hash.sh -p {{cortex_odfe_pass}}"
+  register: cortexhash
+  # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"
+  tags:
+    - start
+
+- set_fact:
+    cortexhashpwd: "{{ cortexhash.stdout }}"
+    #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}"
+  tags:
+    - start
+
 - name: Configure opendistro_security properties
   template:
     src: "securityconfig/{{item}}.j2"

roles/odfees/templates/securityconfig/internal_users.yml.j2

@@ -17,6 +17,15 @@ admin:
   - "admin"
   description: "Demo admin user"
 
+cortex:
+  hash: "{{cortexhashpwd}}"
+  reserved: true
+  backend_roles:
+  - "admin"
+#  - "own_index"
+#  - "readall"
+  description: "Cortex user"
+
 kibanaserver:
   hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
   reserved: true

roles/thehive/tasks/main.yml

+---
+
+- name: Configure TheHive
+  template:
+    src: application.conf.j2
+    dest: /etc/thehive/application.conf
+  tags:
+    - start
+
+- name: Start TheHive
+  command: >
+    daemonize 
+    -c /opt/thehive 
+    -p /tmp/thehive.pid
+    -o /tmp/thehive-stdout.log 
+    /opt/thehive/bin/thehive 
+    -Dconfig.file=/etc/thehive/application.conf 
+    -Dlogger.file=/etc/thehive/logback.xml 
+    -J-Xms1g
+    -J-Xmx1g
+    -Dpidfile.path=/dev/null
+  tags:
+    - start
+
+- name: Wait for TheHive
+  wait_for:
+    host: "{{groups['thehive'][0]}}"
+    port: 9000
+    state: started
+    delay: 5
+  tags:
+    - start
+
+- name: Stop TheHive
+  command: "pkill -SIGTERM -F /tmp/thehive.pid"
+  tags:
+    - stop
+

roles/thehive/templates/application.conf.j2

+###
+## Documentation is available at https://github.com/TheHive-Project/TheHiveDocs/TheHive4
+###
+
+## Include Play secret key
+# More information on secret key at https://www.playframework.com/documentation/2.8.x/ApplicationSecret
+#include "/etc/thehive/secret.conf"
+play.http.secret.key="{{thehive_secret_key}}"
+
+## Database configuration
+db.janusgraph {
+  storage {
+    ## Cassandra configuration
+    # More information at https://docs.janusgraph.org/basics/configuration-reference/#storagecql
+    backend: cql
+    hostname: ["{{groups['cassandra'][0]}}.{{soctools_netname}}"]
+    # Cassandra authentication (if configured)
+    // username: "thehive"
+    // password: "password"
+    cql {
+      cluster-name: thp
+      keyspace: thehive
+    }
+  }
+
+  ## For test only !
+  # Comment Cassandra settings before enable Berkeley database
+  // storage.backend: berkeleyje
+  // storage.directory: /path/to/berkeleydb
+  // berkeleyje.freeDisk: 200 # disk usage threshold
+}
+
+## Attachment storage configuration
+storage {
+  ## Local filesystem
+  provider: localfs
+  localfs.directory: /opt/thp_data/files/thehive
+
+  ## Hadoop filesystem (HDFS)
+  // provider: hdfs
+  // hdfs {
+  //   root: "hdfs://localhost:10000" # namenode server hostname
+  //   location: "/thehive"           # location inside HDFS
+  //   username: thehive              # file owner
+  // }
+}
+
+## Authentication configuration
+# More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Authentication.md
+//auth {
+//  providers: [
+//    {name: session}               # required !
+//    {name: basic, realm: thehive}
+//    {name: local}
+//    {name: key}
+//  ]
+# The format of logins must be valid email address format. If the provided login doesn't contain `@` the following
+# domain is automatically appended
+//  defaultUserDomain: "thehive.local"
+//}
+
+## CORTEX configuration
+# More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Connectors.md
+# Enable Cortex connector
+// play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule
+// cortex {
+//  servers: [
+//    {
+//      name: "local"                # Cortex name
+//      url: "http://localhost:9001" # URL of Cortex instance
+//      auth {
+//        type: "bearer"
+//        key: "***"                 # Cortex API key
+//      }
+//      ws {}                        # HTTP client configuration (SSL and proxy)
+//    }
+//  ]
+// }
+
+## MISP configuration
+# More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Connectors.md
+# Enable MISP connector
+// play.modules.enabled += org.thp.thehive.connector.mips.MispModule
+// misp {
+//  interval: 1 hour
+//  servers: [
+//    {
+//      name = "local"            # MISP name
+//      url = "http://localhost/" # URL or MISP
+//      auth {
+//        type = key
+//        key = "***"             # MISP API key
+//      }
+//      ws {}                        # HTTP client configuration (SSL and proxy)
+//    }
+//  ]
+//}
+
+# Define maximum size of attachments (default 10MB)
+//play.http.parser.maxDiskBuffer: 1GB

soctools-inventory

@@ -22,5 +22,14 @@ dsoclab-mysql ansible_connection=docker
 [mispcontainers]
 dsoclab-misp ansible_connection=docker
 
+[cassandra]
+dsoclab-cassandra ansible_connection=docker
+
+[thehive]
+dsoclab-thehive ansible_connection=docker
+
+[cortex]
+dsoclab-cortex ansible_connection=docker
+
 [haproxy]
 dsoclab-haproxy ansible_connection=docker

startsoctools.yml

@@ -15,6 +15,11 @@
   roles:
     - mysql
 
+- name: Reconfigure and start Cassandra
+  hosts: cassandra
+  roles:
+    - cassandra
+
 - name: Reconfigure and start Keycloak
   hosts: keycloakcontainers
   roles:
@@ -35,8 +40,18 @@
   roles:
     - odfekibana
 
-- name: Reconfigure and start misp
+- name: Reconfigure and start MISP
   hosts: mispcontainers
   roles:
     - misp
 
+- name: Reconfigure and start TheHive
+  hosts: thehive
+  roles:
+    - thehive
+
+- name: Reconfigure and start Cortex
+  hosts: cortex
+  roles:
+    - cortex
+