SOCTools
SOCTools is a set of tools that can be used by a SOC for collecting and analyzing security data, incident handling and threat intelligence.
Installation
Do a minimal installation of CentOS 7.
Log in and install ansible:
yum -y install epel-release
yum -y install ansible git
ansible-galaxy collection install ansible.posix
Clone soctools:
git clone https://scm.uninett.no/geant-wp8-t3.1/soctools.git
cd soctools
Install soctools:
Edit group_vars/all/main.yml and change 'dslproxy' so that it point to the FQDN of the server.
vi group_vars/all/main.yml
The first entry in the soctools_users variable is the user with full admin privileges in NiFi and Kibana.
To configure the server running soctools, run the ansible playbook:
ansible-playbook -i soctools-inventory soctools_server.yml
To build the Docker images needed, run the ansible playbook:
ansible-playbook -i soctools-inventory buildimages.yml
To build the CA needed for host and user certificates, run the ansible playbook:
ansible-playbook -i soctools-inventory buildca.yml
User certificates are can be found in the directory roles/ca/files/CA/private. Import into browser for authentication.
To start the cluster, run the ansible playbook soctools.yml:
ansible-playbook -i soctools-inventory soctools.yml -t start
To stop the cluster, run the ansible playbook soctools.yml:
ansible-playbook -i soctools-inventory soctools.yml -t stop
The NiFi interface should now be available on port 9443 on the server.
The OpenDistro for Elasticsearch interface should now be available on port 5601 on the server. To access preconfigured
index patterns you have to switch to Global tenant.
The Keycloak IdP interface should now be available on port 12443 on the server.
License
BSD
Author Information
GEANT WP8