opensoc-ui
v0.0.15
Published
OpenSOC Portal
Downloads
8
Readme
OpenSOC UI
User interface for the OpenSOC platform. The UI is a modified version of Kibana 3 which is served by a node JS backend.
Deployment
Quick start
- Create a config file:
echo "{}" > ~/.opensoc-ui
- Install opensoc-ui:
npm install -g opensoc-ui
- Start opensoc-ui:
opensoc-ui
This will start the server in the same process. To start/stop a daemonized server use opensoc-ui start
and opensoc-ui stop
. You can view the location of the log file with opensoc-ui logs
. The daemon is started using the forever
node package. You can tack on other command line flags that the library supports. More information about this is available at https://www.npmjs.com/package/forever.
Next, head over to the "Configuration" section for more information about the config file.
Indepth guide
Step 1: Setup required services
OpenSOC UI requires access to the following services:
- ElasticSearch with OpenSOC data.
- PCAP Service for access to raw pcaps.
- Active Directory or LDAP for authentication.
In addition raw PCAP access is restricted to any set groups. If you are using OpenLDAP, you must configure the memberOf overlay to provide reverse group membership information. Once these services are up and running, you are ready to setup the OpenSOC UI.
Step 2: Install required packages
The commands in this section are for deployment on Ubuntu 14.04. These instructions will need to be altered for Ubuntu 12.04 as the nodejs package is too old. It should be straight forward to adapt these instructions to other architectures as long as you are able to install the required packages.
apt-get update
apt-get install -y libpcap-dev tshark nodejs npm
ln -s /usr/bin/nodejs /usr/bin/node
npm install -g opensoc-ui
Step 3: Configure the UI
Before you can spin up the UI, you need to point it to the various services and configure other deployment specific settings. The application will look for an application config using in the following places in order:
~/.opensoc-ui
- Path specified by the environment variable
OPENSOC_UI_CONFIG
- Path specified by the npm package config setting
path
. Once the package is installed, this can be set withnpm config set opensoc-ui:path "/path/to/config.json"
Step 4: Test the server
opensoc-ui
This will run the server without daemonizing that may make it easier to debug any issues with your setup. You can exit the test server with Ctrl+C
.
Step 5: Start daemonized server
opensoc-ui start
Incidentally, to stop the server use:
opensoc-ui stop
and to restart it use:
opensoc-ui restart
For logs:
opensoc-ui logs
Configuration
The OpenSOC-UI is configured using a JSON file.
Fields
auth
: Set totrue
to enable authentication with ldap.host
: IP address the server should listen on.port
: Port the server should listen on.secret
: A random string that used to sign cookies.elasticsearch
: Must be a JSON object with the following keys:url
: URI to OpenSOC ElasticSearch cluster.
ldap
: Only required ifauth
is set to true. Must be a JSON object with the following keys:url
: URI to LDAP service.searchBase
: LDAP search base.adminDn
: LDAP admin distinguished name.adminPassword
: LDAP admin password.
pcap
: Must be a JSON object with the following keys:url
: URI to the OpenSOC PCAP API service. The PCAP service uses the prefixpcap/pcapGetter
. This should be included as it is a configurable in the PCAP service. For clarification, see the example config below.mock
: This should be set tofalse
.
permissions
: Must be a JSON object with the following keys:pcap
: List of AD/LDAP groups that should have access to raw pcap data.
Example config
The following is an example config.json
file. This config will not work for you in production but is meant to serve as an example. It assumes that ElasticSearch, LDAP, and the OpenSOC PCAP service are running on 192.168.100.1:
{
"secret": "b^~BN-IdQ9gdp5sa2K$N=d5DV06eN7Y",
"elasticsearch": {
"url": "http://192.168.100.1:9200"
},
"ldap": {
"url": "ldap://192.168.100.1:389",
"searchBase": "dc=opensoc,dc=dev",
"searchFilter": "(mail={{username}})",
"searchAttributes": ["cn", "uid", "mail", "givenName", "sn", "memberOf"],
"adminDn": "cn=admin,dc=opensoc,dc=dev",
"adminPassword": "opensoc"
},
"pcap": {
"url": "http://192.168.100.1/pcap/pcapGetter",
"mock": false
},
"permissions": {
"pcap": ["cn=investigators,ou=groups,dc=opensoc,dc=dev"]
}
}
Development
These instructions are only for local development on the OpenSOC UI. Development is done in an Ubuntu 14.04(trusty) virtual machine that is provisioned using vagrant. It is intended to provided an isolated environment with all the dependencies and services either installed or stubbed. None of these instructions should be used for deployments. If that was not clear enough, these instructions are NOT FOR DEPLOYMENT.
Step 1: Install Virtualbox and Vagrant
Download the latest package for your platform here:
Step 2: Get the code
git clone [email protected]:OpenSOC/opensoc-ui.git
cd opensoc-ui
git submodule update --init
Step 3: Download and provision the development environment
vagrant up
You might see a couple warnings, but usually these can be ignored. Check for any obvious errors as this can cause problems running the portal later.
Step 4: SSH into the vm
All dependencies will be installed in the VM. The repository root is shared between the host and VM. The shared volume is mounted at /vagrant. Use the following command to ssh into the newly built VM:
vagrant ssh
cd /vagrant
Step 5: Ensure tests pass
You can now run the tests:
npm test
Step 6: Launch the server
The nodemon
utility automatically watches for changed files and reloads the node server automatically. Run the following commands from with the vagrant vm.
vagrant ssh
cd /vagrant
npm install -g nodemon
nodemon
You can then access the OpenSOC ui at http://localhost:5000
.
Two default accounts: mail: [email protected], [email protected] The default password is: opensoc
Seed data for development
When the VM is provisioned, elasticsearch and LDAP are provided some seed data to get you started. This fake data tries to mimic data from the OpenSOC platform to set you up for local development without running the entire platform. Occasionally, you may need to regenerate your seed data. To do this, use the following command.
script/es_gen.js
On the other hand, to duplicate another ES installation use:
ES_HOST=changeme.com script/es_fetch.js
You should now have seed data in seed/es
. You can load this into the dev ES instance with:
script/es_seed
For authentication, make sure you set up the LDAP directory structure with:
script/ldap_seed