Difference between revisions of "Cyber Security: thehive install step by step"

From OnnoWiki
Jump to navigation Jump to search
(Created page with "Step-by-Step guide# This page is a step by step installation and configuration guide to get an instance of TheHive up and running. This guide is illustrated with examples for...")
 
Line 1: Line 1:
Step-by-Step guide#
+
 
 
This page is a step by step installation and configuration guide to get an instance of TheHive up and running. This guide is illustrated with examples for DEB and RPM packages based systems and for installation from binary packages.
 
This page is a step by step installation and configuration guide to get an instance of TheHive up and running. This guide is illustrated with examples for DEB and RPM packages based systems and for installation from binary packages.
  
 
This guide describes the installation of a new instance of TheHive only
 
This guide describes the installation of a new instance of TheHive only
  
Dependencies#
+
==Dependencies#==
 
This process requires few programs beeing already installed on the system.
 
This process requires few programs beeing already installed on the system.
  
 
DEB
 
RPM
 
 
  apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl \
 
  apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl \
 
  software-properties-common python3-pip lsb_release
 
  software-properties-common python3-pip lsb_release
  
Java Virtual Machine#
+
==Java Virtual Machine#==
Read first
 
  
 
For security and long-term support reasons, we require using Amazon Corretto builds (this is OpenJDK built and packaged by Amazon)
 
For security and long-term support reasons, we require using Amazon Corretto builds (this is OpenJDK built and packaged by Amazon)
 
Java version 8 is no longer supported
 
Java version 8 is no longer supported
  
DEB
 
RPM
 
 
Other
 
Other
 
  wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor  -o /usr/share/keyrings/corretto.gpg
 
  wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor  -o /usr/share/keyrings/corretto.gpg
Line 29: Line 23:
 
  export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"
 
  export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"
  
Apache Cassandra#
+
==Apache Cassandra#==
 +
 
 
Apache Cassandra is a scalable and high available database. TheHive supports the latest stable version 4.0.x of Cassandra.
 
Apache Cassandra is a scalable and high available database. TheHive supports the latest stable version 4.0.x of Cassandra.
  
Line 36: Line 31:
 
If you are upgrading from Cassandra 3.x, please follow the dedicated guide. This part is relevant for fresh installation only.
 
If you are upgrading from Cassandra 3.x, please follow the dedicated guide. This part is relevant for fresh installation only.
  
Installation#
+
===Installation#===
  
 
DEB
 
DEB
Line 53: Line 48:
 
By default, data is stored in /var/lib/cassandra.
 
By default, data is stored in /var/lib/cassandra.
  
Configuration#
+
===Configuration#===
 +
 
 
Configure Cassandra by editing /etc/cassandra/cassandra.yaml file.
 
Configure Cassandra by editing /etc/cassandra/cassandra.yaml file.
  
Line 74: Line 70:
 
[..]
 
[..]
  
Start the service#
+
===Start the service#===
  
 
  sudo systemctl start cassandra
 
  sudo systemctl start cassandra
Line 138: Line 134:
 
Cassandra documentation page
 
Cassandra documentation page
 
Datastax documentation page
 
Datastax documentation page
Elasticsearch#
+
 
 +
==Elasticsearch#==
 +
 
 
TheHive requires Elasticsearch to manage data indices.
 
TheHive requires Elasticsearch to manage data indices.
  
 
Elasticsearch 7.x only is supported
 
Elasticsearch 7.x only is supported
  
Installation#
+
===Installation#===
  
DEB
 
RPM
 
 
Other
 
Other
 
Add Elasticsearch repository keys
 
Add Elasticsearch repository keys
Line 162: Line 158:
 
  sudo apt install elasticsearch
 
  sudo apt install elasticsearch
  
Configuration#
+
===Configuration#===
 +
 
 
  /etc/elasticsearch/elasticsearch.yml
 
  /etc/elasticsearch/elasticsearch.yml
 +
 
Elasticsearch configuration should contain the following lines:
 
Elasticsearch configuration should contain the following lines:
  
Line 188: Line 186:
 
This can be updated according the amount of memory available
 
This can be updated according the amount of memory available
  
Start the service#
+
===Start the service#===
  
 
  sudo systemctl start elasticsearch
 
  sudo systemctl start elasticsearch
Line 200: Line 198:
 
  sudo rm -rf /var/lib/elasticsearch/*
 
  sudo rm -rf /var/lib/elasticsearch/*
  
File storage#
+
==File storage#==
 +
 
 
For standalone production and test servers, we recommends using local filesystem. If you think about building a cluster with TheHive, you have several possible solutions: using NFS or S3 services; see the related guide for more details and an example with MinIO servers.
 
For standalone production and test servers, we recommends using local filesystem. If you think about building a cluster with TheHive, you have several possible solutions: using NFS or S3 services; see the related guide for more details and an example with MinIO servers.
  
Line 216: Line 215:
 
  chown -R thehive:thehive /opt/thp/thehive/files
 
  chown -R thehive:thehive /opt/thp/thehive/files
  
TheHive#
+
==TheHive#==
 +
 
 
This part contains instructions to install TheHive and then configure it.
 
This part contains instructions to install TheHive and then configure it.
  
Installation#
+
===Installation#===
 +
 
 
All packages are published on our packages repository. We support Debian and RPM packages as well as binary packages (zip archive). All packages are signed using our GPG key 562CBC1C. Its fingerprint is 0CD5 AC59 DE5C 5A8E 0EE1 3849 3D99 BB18 562C BC1C.
 
All packages are published on our packages repository. We support Debian and RPM packages as well as binary packages (zip archive). All packages are signed using our GPG key 562CBC1C. Its fingerprint is 0CD5 AC59 DE5C 5A8E 0EE1 3849 3D99 BB18 562C BC1C.
  
Line 231: Line 232:
 
  sudo apt-get install -y thehive
 
  sudo apt-get install -y thehive
  
Configuration#
+
===Configuration#===
 +
 
 
The configuration that comes with binary packages is ready for a standalone installation, everything on the same server.
 
The configuration that comes with binary packages is ready for a standalone installation, everything on the same server.
  
Line 258: Line 260:
  
  
Database & index#
+
===Database & index#===
 +
 
 
By default, TheHive is configured to connect to Cassandra and Elasticsearch databases installed locally.
 
By default, TheHive is configured to connect to Cassandra and Elasticsearch databases installed locally.
  
Line 285: Line 288:
 
  }
 
  }
  
File storage#
+
===File storage#===
 +
 
 
By default, TheHive is configured to store files locally in /opt/thp/thehive/files.
 
By default, TheHive is configured to store files locally in /opt/thp/thehive/files.
  
Line 309: Line 313:
 
  }
 
  }
  
Cortex & MISP#
+
===Cortex & MISP#===
 +
 
 
By default the configuration file coming with packages contains following lines, enabling Cortex and MISP modules. If you are not using one them, you can comment the related line and restart the service.
 
By default the configuration file coming with packages contains following lines, enabling Cortex and MISP modules. If you are not using one them, you can comment the related line and restart the service.
  
Line 322: Line 327:
 
  scalligraph.modules += org.thp.thehive.connector.misp.MispModule
 
  scalligraph.modules += org.thp.thehive.connector.misp.MispModule
  
Run#
+
===Run#===
  
 
  sudo systemctl start thehive
 
  sudo systemctl start thehive

Revision as of 09:18, 11 July 2023

This page is a step by step installation and configuration guide to get an instance of TheHive up and running. This guide is illustrated with examples for DEB and RPM packages based systems and for installation from binary packages.

This guide describes the installation of a new instance of TheHive only

Dependencies#

This process requires few programs beeing already installed on the system.

apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl \
software-properties-common python3-pip lsb_release

Java Virtual Machine#

For security and long-term support reasons, we require using Amazon Corretto builds (this is OpenJDK built and packaged by Amazon) Java version 8 is no longer supported

Other

wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor  -o /usr/share/keyrings/corretto.gpg

echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee -a /etc/apt/sources.list.d/corretto.sources.list

sudo apt update
sudo apt install java-common java-11-amazon-corretto-jdk
echo JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto" | sudo tee -a /etc/environment 
export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"

Apache Cassandra#

Apache Cassandra is a scalable and high available database. TheHive supports the latest stable version 4.0.x of Cassandra.

Upgrading from Cassandra 3.x

If you are upgrading from Cassandra 3.x, please follow the dedicated guide. This part is relevant for fresh installation only.

Installation#

DEB RPM Other Add Apache repository references

wget -qO -  https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor  -o /usr/share/keyrings/cassandra-archive.gpg

echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" | sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list

Install the package

sudo apt update
sudo apt install cassandra

By default, data is stored in /var/lib/cassandra.

Configuration#

Configure Cassandra by editing /etc/cassandra/cassandra.yaml file.

/etc/cassandra/cassandra.yaml
# content from /etc/cassandra/cassandra.yaml
[..]
cluster_name: 'thp'
listen_address: 'xx.xx.xx.xx' # address for nodes
rpc_address: 'xx.xx.xx.xx' # address for clients
seed_provider:
    - class_name: org.apache.cassandra.locator.SimpleSeedProvider
    parameters:
        # Ex: "<ip1>,<ip2>,<ip3>"
        - seeds: 'xx.xx.xx.xx' # self for the first node data_file_directories:
- '/var/lib/cassandra/data'
commitlog_directory: '/var/lib/cassandra/commitlog'
saved_caches_directory: '/var/lib/cassandra/saved_caches'
hints_directory: 
- '/var/lib/cassandra/hints'

[..]

Start the service#

sudo systemctl start cassandra

Remove existing data before starting

With the DEB packages, Cassandra service could start automatically before configuring it: Stop it, remove the data and restart once the configuration is updated:

sudo systemctl stop cassandra
sudo rm -rf /var/lib/cassandra/*

By default Cassandra listens on 7000/tcp (inter-node), 9042/tcp (client).

Additional configuration : disable tombstones (for standalone server ONLY)# This action should be performed after the installation and the first start of TheHive

If you are installing a standalone server, tombstones can be disabled.

Check gc_grace_seconds value

cqlsh -u cassandra <IP ADDRESS> -e "SELECT table_name,gc_grace_seconds FROM system_schema.tables WHERE keyspace_name='thehive'"

Note: default credentials for Cassandra database: cassandra/cassandra

Results should look like this:

            table_name       | gc_grace_seconds
    -------------------------+------------------
                edgestore    |           864000
            edgestore_lock_  |           864000
                graphindex   |           864000
            graphindex_lock_ |           864000
            janusgraph_ids   |           864000
        system_properties    |           864000
    system_properties_lock_  |           864000
                systemlog    |           864000
                    txlog    |           864000
Disable by setting gc_grace_seconds to 0. Use this command line:

for TABLE in edgestore edgestore_lock_ graphindex graphindex_lock_ janusgraph_ids system_properties system_properties_lock_ systemlog txlog
    do
    cqlsh -u cassandra -e "ALTER TABLE thehive.${TABLE} WITH gc_grace_seconds = 0;"
    done
Check changes has been taken into account, by running this command again:
cqlsh -u cassandra <IP ADDRESS> -e "SELECT table_name,gc_grace_seconds FROM system_schema.tables WHERE keyspace_name='thehive'"

Results should look like this:

            table_name       | gc_grace_seconds
    -------------------------+------------------
                edgestore    |           0
            edgestore_lock_  |           0
                graphindex   |           0
            graphindex_lock_ |           0
            janusgraph_ids   |           0
        system_properties    |           0
    system_properties_lock_  |           0
                systemlog    |           0
                    txlog    |           0
For additional configuration options, refer to:

Cassandra documentation page Datastax documentation page

Elasticsearch#

TheHive requires Elasticsearch to manage data indices.

Elasticsearch 7.x only is supported

Installation#

Other Add Elasticsearch repository keys

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch |  sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https

Add the DEB repository of Elasticsearch

echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" |  sudo tee /etc/apt/sources.list.d/elastic-7.x.list 

Install the package

sudo apt update
sudo apt install elasticsearch

Configuration#

/etc/elasticsearch/elasticsearch.yml

Elasticsearch configuration should contain the following lines:

/etc/elasticsearch/elasticsearch.yml
http.host: 127.0.0.1
transport.host: 127.0.0.1
cluster.name: hive
thread_pool.search.queue_size: 100000
path.logs: "/var/log/elasticsearch"
path.data: "/var/lib/elasticsearch"
xpack.security.enabled: false
script.allowed_types: "inline,stored"

Info

Indexes will be created at the first start of TheHive. It can take few time Like data and files, indexes should be part of the backup policy Indexes can removed and created again Custom JVM options add the file /etc/elasticsearch/jvm.options.d/jvm.options with following lines:

-Dlog4j2.formatMsgNoLookups=true
-Xms4g
-Xmx4g

This can be updated according the amount of memory available

Start the service#

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Remove existing data before starting

With the DEB packages, Elastic service could start automatically before configuring it: Stop it, remove the data and restart once the configuration is updated:

sudo systemctl stop elasticsearch
sudo rm -rf /var/lib/elasticsearch/*

File storage#

For standalone production and test servers, we recommends using local filesystem. If you think about building a cluster with TheHive, you have several possible solutions: using NFS or S3 services; see the related guide for more details and an example with MinIO servers.


Local Filesystem S3 with Min.io To store files on the local filesystem, start by choosing the dedicated folder (by default /opt/thp/thehive/files):

sudo mkdir -p /opt/thp/thehive/files

This path will be used in the configuration of TheHive.

Later, after having installed TheHive, ensure the user thehive owns the path chosen for storing files:

chown -R thehive:thehive /opt/thp/thehive/files

TheHive#

This part contains instructions to install TheHive and then configure it.

Installation#

All packages are published on our packages repository. We support Debian and RPM packages as well as binary packages (zip archive). All packages are signed using our GPG key 562CBC1C. Its fingerprint is 0CD5 AC59 DE5C 5A8E 0EE1 3849 3D99 BB18 562C BC1C.

wget -O- https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg

Install TheHive package by using the following commands:

Other

echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] https://deb.strangebee.com thehive-5.2 main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list
sudo apt-get update
sudo apt-get install -y thehive

Configuration#

The configuration that comes with binary packages is ready for a standalone installation, everything on the same server.

In this context, and at this stage, you might need to set the following parameters accordingly:

/etc/thehive/application.conf
[..]
# Service configuration
application.baseUrl = "http://localhost:9000" # 
play.http.context = "/"                       # 
[..]

Following configurations are required to start TheHive successfully:

Secret key configuration Database configuration File storage configuration Secret key configuration#


Debian RPM Other The secret key is automatically generated and stored in /etc/thehive/secret.conf by package installation script.


Database & index#

By default, TheHive is configured to connect to Cassandra and Elasticsearch databases installed locally.

/etc/thehive/application.conf
# Database and index configuration
# By default, TheHive is configured to connect to local Cassandra 4.x and a
# local Elasticsearch services without authentication.
db.janusgraph {
storage {
    backend = cql
    hostname = ["127.0.0.1"]
    # Cassandra authentication (if configured)
    # username = "thehive"
    # password = "password"
    cql {
    cluster-name = thp
    keyspace = thehive
    }
}
index.search {
    backend = elasticsearch
    hostname = ["127.0.0.1"]
    index-name = thehive
}
}

File storage#

By default, TheHive is configured to store files locally in /opt/thp/thehive/files.


Local filesystem S3 If you chose to store files on the local filesystem:

Ensure thehive user has permissions on the destination folder

chown -R thehive:thehive /opt/thp/thehive/files

Default values in the configuration file

/etc/thehive/application.conf
# Attachment storage configuration
# By default, TheHive is configured to store files locally in the folder.
# The path can be updated and should belong to the user/group running thehive service. (by default: thehive:thehive)
storage {
provider = localfs
localfs.location = /opt/thp/thehive/files
}

Cortex & MISP#

By default the configuration file coming with packages contains following lines, enabling Cortex and MISP modules. If you are not using one them, you can comment the related line and restart the service.

/etc/thehive/application.conf
# Additional modules
#
# TheHive is strongly integrated with Cortex and MISP.
# Both modules are enabled by default. If not used, each one can be disabled by
# ommenting the configuration line.
scalligraph.modules += org.thp.thehive.connector.cortex.CortexModule
scalligraph.modules += org.thp.thehive.connector.misp.MispModule

Run#

sudo systemctl start thehive
sudo systemctl enable thehive

Please consider the service may take a while at the first start

Once it has started, open your browser and connect to http://YOUR_SERVER_ADDRESS:9000/.

The default admin user is admin@thehive.local with password secret. It is recommended to change the default password.

Advanced configuration# For additional configuration options, please refer to the Configuration Guides.

To setup HTTPS, refer to the dedicated page.

Usage & Licenses# By default, TheHive comes with no license token and let everyone use the application with 2 users and 1 organisation: this is the community version.

To unlock advanced features, contact StrangeBee to get a license - https://wwww.strangebee.com / contact@strangebee.com

First steps & license activation# Now the application is up & running, make your first steps as Administrator, and follow this guide to activate a license: Activate a license.


Referensi

Pranala Menarik