SOCTools

SOCTools is a set of tools that can be used by a SOC for collecting and analyzing security data, incident handling and threat intelligence.

Installation

Do a minimal installation of CentOS 7.

Log in and install ansible:
yum -y install epel-release
yum -y install ansible git
ansible-galaxy collection install ansible.posix

Clone soctools:
git clone https://scm.uninett.no/geant-wp8-t3.1/soctools.git
cd soctools

Install soctools: Edit group_vars/all/main.yml and change 'dslproxy' so that it point to the FQDN of the server.
vi group_vars/all/main.yml
The first entry in the soctools_users variable is the user with full admin privileges in NiFi and Kibana.

To configure the server running soctools, run the ansible playbook:
ansible-playbook -i soctools-inventory soctools_server.yml

To build the Docker images needed, run the ansible playbook:
ansible-playbook -i soctools-inventory buildimages.yml

To build the CA needed for host and user certificates, run the ansible playbook:
ansible-playbook -i soctools-inventory buildca.yml

User certificates are can be found in the directory roles/ca/files/CA/private. Import into browser for authentication.

To start the cluster, run the ansible playbook soctools.yml:
ansible-playbook -i soctools-inventory soctools.yml -t start

To stop the cluster, run the ansible playbook soctools.yml:
ansible-playbook -i soctools-inventory soctools.yml -t stop

The NiFi interface should now be available on port 9443 on the server.
The OpenDistro for Elasticsearch interface should now be available on port 5601 on the server. To access preconfigured index patterns you have to switch to Global tenant.
The Keycloak IdP interface should now be available on port 12443 on the server.

License

BSD

Author Information

GEANT WP8