Difference between revisions of "Cyber Security: thehive install step by step"

Panduan ini adalah panduan instalasi dan konfigurasi langkah demi langkah untuk menjalankan dan menjalankan instance TheHive.

Dependency

Beberapa program yang dibutuhkan sebelum menginstalasi thehive

sudo su
apt update
apt install wget gnupg apt-transport-https git ca-certificates ca-certificates-java curl \
software-properties-common python3-pip lsb_release

Java Virtual Machine

• Untuk alasan keamanan dan dukungan jangka panjang, kami mengharuskan penggunaan build Amazon Corretto (ini adalah OpenJDK yang dibuat dan dikemas oleh Amazon)
• Java versi 8 tidak lagi didukung

wget -qO- https://apt.corretto.aws/corretto.key | sudo gpg --dearmor  -o /usr/share/keyrings/corretto.gpg

echo "deb [signed-by=/usr/share/keyrings/corretto.gpg] https://apt.corretto.aws stable main" | sudo tee -a /etc/apt/sources.list.d/corretto.sources.list

sudo apt update
sudo apt install java-common java-11-amazon-corretto-jdk
echo JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto" | sudo tee -a /etc/environment 
export JAVA_HOME="/usr/lib/jvm/java-11-amazon-corretto"

Apache Cassandra

Apache Cassandra adalah database yang scalable dan high availablity. TheHive mendukung Cassandra versi stabil terbaru 4.0.x.

Instalasi

Tambahkan Apache Repository

wget -qO -  https://downloads.apache.org/cassandra/KEYS | sudo gpg --dearmor  -o /usr/share/keyrings/cassandra-archive.gpg
echo "deb [signed-by=/usr/share/keyrings/cassandra-archive.gpg] https://debian.cassandra.apache.org 40x main" |  sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list 

Instal

sudo apt update
sudo apt install cassandra

Default setting, data di simpan di /var/lib/cassandra

Konfigurasi

Konfigurasi Cassandra dilakukan dengan mengedit /etc/cassandra/cassandra.yaml file.

/etc/cassandra/cassandra.yaml
# content from /etc/cassandra/cassandra.yaml
[..]
cluster_name: 'thp'
listen_address: 'xx.xx.xx.xx' # address for nodes
rpc_address: 'xx.xx.xx.xx' # address for clients
seed_provider:
    - class_name: org.apache.cassandra.locator.SimpleSeedProvider
    parameters:
        # Ex: "<ip1>,<ip2>,<ip3>"
        - seeds: 'xx.xx.xx.xx' # self for the first node data_file_directories:
- '/var/lib/cassandra/data'
commitlog_directory: '/var/lib/cassandra/commitlog'
saved_caches_directory: '/var/lib/cassandra/saved_caches'
hints_directory: 
- '/var/lib/cassandra/hints'
[..]

Start service

Start service

sudo systemctl start cassandra

Hapus data yang ada sebelum memulai

Dengan paket DEB, layanan Cassandra dapat dimulai secara otomatis sebelum mengonfigurasinya: Hentikan, hapus data, dan mulai ulang setelah konfigurasi diperbarui:

sudo systemctl stop cassandra
sudo rm -rf /var/lib/cassandra/*

Secara default Cassandra listen pada 7000/tcp (inter-node), 9042/tcp (client).

Tambahan konfigurasi : disable tombstones (untuk standalone server ONLY)

Tindakan ini harus dilakukan setelah penginstalan dan awal pertama TheHive

Jika Anda memasang server mandiri, tombstones dapat disabled.

Cek nilai gc_grace_seconds

cqlsh -u cassandra <IP ADDRESS> -e "SELECT table_name,gc_grace_seconds FROM system_schema.tables WHERE keyspace_name='thehive'"

Catatan: default username/password Cassandra database: cassandra/cassandra

Hasilnya kira-kira sebagai berikut,

            table_name       | gc_grace_seconds
    -------------------------+------------------
                edgestore    |           864000
            edgestore_lock_  |           864000
                graphindex   |           864000
            graphindex_lock_ |           864000
            janusgraph_ids   |           864000
        system_properties    |           864000
    system_properties_lock_  |           864000
                systemlog    |           864000
                    txlog    |           864000

Disable dengan cara setting gc_grace_seconds ke 0. Gunakan perintah berikut,

for TABLE in edgestore edgestore_lock_ graphindex graphindex_lock_ janusgraph_ids system_properties system_properties_lock_ systemlog txlog
    do
    cqlsh -u cassandra -e "ALTER TABLE thehive.${TABLE} WITH gc_grace_seconds = 0;"
    done

Cek perubahan apakah sudah terjadi, jalankan perintah ini lagi,

cqlsh -u cassandra <IP ADDRESS> -e "SELECT table_name,gc_grace_seconds FROM system_schema.tables WHERE keyspace_name='thehive'"

Hasilnya kira-kira:

            table_name       | gc_grace_seconds
    -------------------------+------------------
                edgestore    |           0
            edgestore_lock_  |           0
                graphindex   |           0
            graphindex_lock_ |           0
            janusgraph_ids   |           0
        system_properties    |           0
    system_properties_lock_  |           0
                systemlog    |           0
                    txlog    |           0

Elasticsearch

TheHive membutuhkan Elasticsearch untuk manage data index. TheHive hanya mendukung Elasticsearch 7.x

Instalasi

Tambahkan Elasticsearch repository keys

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch |  sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https

Tambahkan DEB repository dari Elasticsearch

echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" |  sudo tee /etc/apt/sources.list.d/elastic-7.x.list 

Install

sudo apt update
sudo apt install elasticsearch

Konfigurasi

Edit

/etc/elasticsearch/elasticsearch.yml

Pastikan Elasticsearch konfigurasi menggandung kalimat ini,

http.host: 127.0.0.1
transport.host: 127.0.0.1
cluster.name: hive
thread_pool.search.queue_size: 100000
path.logs: "/var/log/elasticsearch"
path.data: "/var/lib/elasticsearch"
xpack.security.enabled: false
script.allowed_types: "inline,stored"

Info

Indexes will be created at the first start of TheHive. It can take few time Like data and files, indexes should be part of the backup policy Indexes can removed and created again Custom JVM options add the file /etc/elasticsearch/jvm.options.d/jvm.options with following lines:

-Dlog4j2.formatMsgNoLookups=true
-Xms4g
-Xmx4g

This can be updated according the amount of memory available

Start service

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Remove existing data before starting

With the DEB packages, Elastic service could start automatically before configuring it: Stop it, remove the data and restart once the configuration is updated:

sudo systemctl stop elasticsearch
sudo rm -rf /var/lib/elasticsearch/*

File storage#

For standalone production and test servers, we recommends using local filesystem. If you think about building a cluster with TheHive, you have several possible solutions: using NFS or S3 services; see the related guide for more details and an example with MinIO servers.

Local Filesystem S3 with Min.io To store files on the local filesystem, start by choosing the dedicated folder (by default /opt/thp/thehive/files):

sudo mkdir -p /opt/thp/thehive/files

This path will be used in the configuration of TheHive.

Later, after having installed TheHive, ensure the user thehive owns the path chosen for storing files:

chown -R thehive:thehive /opt/thp/thehive/files

TheHive

This part contains instructions to install TheHive and then configure it.

Installation#

All packages are published on our packages repository. We support Debian and RPM packages as well as binary packages (zip archive). All packages are signed using our GPG key 562CBC1C. Its fingerprint is 0CD5 AC59 DE5C 5A8E 0EE1 3849 3D99 BB18 562C BC1C.

wget -O- https://archives.strangebee.com/keys/strangebee.gpg | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-archive-keyring.gpg

Install TheHive menggunakan perintah berikut,

echo 'deb [signed-by=/usr/share/keyrings/strangebee-archive-keyring.gpg] https://deb.strangebee.com thehive-5.2 main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list
sudo apt-get update
sudo apt-get install -y thehive

Konfigurasi

The configuration that comes with binary packages is ready for a standalone installation, everything on the same server.

In this context, and at this stage, you might need to set the following parameters accordingly:

/etc/thehive/application.conf

[..]
# Service configuration
application.baseUrl = "http://localhost:9000" # 
play.http.context = "/"                       # 
[..]

Following configurations are required to start TheHive successfully:

Secret key configuration Database configuration File storage configuration

Secret key configuration

The secret key is automatically generated and stored in /etc/thehive/secret.conf by package installation script.

Database & index#

By default, TheHive is configured to connect to Cassandra and Elasticsearch databases installed locally.

/etc/thehive/application.conf

# Database and index configuration
# By default, TheHive is configured to connect to local Cassandra 4.x and a
# local Elasticsearch services without authentication.
db.janusgraph {
storage {
    backend = cql
    hostname = ["127.0.0.1"]
    # Cassandra authentication (if configured)
    # username = "thehive"
    # password = "password"
    cql {
    cluster-name = thp
    keyspace = thehive
    }
}
index.search {
    backend = elasticsearch
    hostname = ["127.0.0.1"]
    index-name = thehive
}
}

File storage#

By default, TheHive is configured to store files locally in /opt/thp/thehive/files.

Local filesystem S3 If you chose to store files on the local filesystem:

Ensure thehive user has permissions on the destination folder

chown -R thehive:thehive /opt/thp/thehive/files

Default values in the configuration file

/etc/thehive/application.conf

# Attachment storage configuration
# By default, TheHive is configured to store files locally in the folder.
# The path can be updated and should belong to the user/group running thehive service. (by default: thehive:thehive)
storage {
provider = localfs
localfs.location = /opt/thp/thehive/files
}

Cortex & MISP#

By default the configuration file coming with packages contains following lines, enabling Cortex and MISP modules. If you are not using one them, you can comment the related line and restart the service.

/etc/thehive/application.conf

# Additional modules
#
# TheHive is strongly integrated with Cortex and MISP.
# Both modules are enabled by default. If not used, each one can be disabled by
# ommenting the configuration line.
scalligraph.modules += org.thp.thehive.connector.cortex.CortexModule
scalligraph.modules += org.thp.thehive.connector.misp.MispModule

Run#

sudo systemctl start thehive
sudo systemctl enable thehive

Please consider the service may take a while at the first start

Once it has started, open your browser and connect to http://YOUR_SERVER_ADDRESS:9000/.

The default admin user is admin@thehive.local with password secret. It is recommended to change the default password.

Advanced configuration# For additional configuration options, please refer to the Configuration Guides.

To setup HTTPS, refer to the dedicated page.

Usage & Licenses# By default, TheHive comes with no license token and let everyone use the application with 2 users and 1 organisation: this is the community version.

To unlock advanced features, contact StrangeBee to get a license - https://wwww.strangebee.com / contact@strangebee.com

First steps & license activation# Now the application is up & running, make your first steps as Administrator, and follow this guide to activate a license: Activate a license.

Referensi

• https://docs.strangebee.com/thehive/setup/installation/step-by-step-guide/

Pranala Menarik

• Cyber Security