From 2162b9d11013e3d2ee9c6e59eaca5f25350d6679 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?= Date: Sat, 24 Oct 2020 08:25:45 +0200 Subject: [PATCH] #70 update installation guide --- installation/install-guide.md | 46 ++++++++++++++--------------------- 1 file changed, 18 insertions(+), 28 deletions(-) diff --git a/installation/install-guide.md b/installation/install-guide.md index 5525527..06ab2bc 100644 --- a/installation/install-guide.md +++ b/installation/install-guide.md @@ -55,7 +55,7 @@ And setup your system to connect the RPM repository. Create and edit the file `/ enabled=1 priority=1 name=TheHive-Project RPM repository -baseurl=http://rpm.thehive-project.org/stable/noarch +baseurl=http://rpm.thehive-project.org/stable/es7 gpgcheck=1 ``` @@ -102,7 +102,7 @@ To install the Debian package, use the following commands: ```bash curl https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo apt-key add - -echo 'deb https://deb.thehive-project.org stable main' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list +echo 'deb https://deb.thehive-project.org stable main es7' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list sudo apt-get update sudo apt-get install cortex ``` @@ -147,7 +147,7 @@ The behaviour of the Cortex Docker image can be customized using environment var At the end of the generated configuration, the file `/etc/cortex/application.conf` is included. Thus you can override any setting by binding your own `application.conf` into this file: ``` -docker run --volume /path/to/my/application.conf:/etc/cortex/application.conf thehiveproject/cortex:3.1.0-0.3RC1 --es-uri http://elasticsearch.local:9200 +docker run --volume /path/to/my/application.conf:/etc/cortex/application.conf thehiveproject/cortex:3.1.0-1 --es-uri http://elasticsearch.local:9200 ``` Cortex uses docker to run analyzers and responders. If you run Cortex inside a docker, you can: 
@@ -157,19 +157,19 @@ Cortex uses docker to run analyzers and responders. If you run Cortex inside a d #### Cortex uses main docker service In order to use docker service the docker socket must be bound into Cortex container. Moreover, as Cortex shares files with analyzers, a folder must be bound between them. ``` -docker run --volume /var/run/docker.sock:/var/run/docker.sock --volume /var/run/cortex/jobs:/tmp/cortex-jobs thehiveproject/cortex:3.1.0-0.3RC1 --job-directory /tmp/cortex-jobs --docker-job-directory /var/run/cortex/jobs +docker run --volume /var/run/docker.sock:/var/run/docker.sock --volume /var/run/cortex/jobs:/tmp/cortex-jobs thehiveproject/cortex:3.1.0-1 --job-directory /tmp/cortex-jobs --docker-job-directory /var/run/cortex/jobs ``` Cortex can instantiate docker container by using the docker socket `/var/run/docker.sock`. The folder `/var/run/cortex/jobs` is used to store temporary file of jobs. The folder `/tmp/cortex-jobs` is job folder inside the docker. In order to make job file visible to analyzer docker, Cortex needs to know both folders (parameters `--job-directory` and `-docker-job-directory`). On most cases, job directories are the same and `--docker-job-directory` can be omitted. If you run Cortex in Windows, the docker service is accessible through the named pipe `\\.\pipe\docker_engine`. The command becomes ``` -docker run --volume //./pipe/docker_engine://./pipe/docker_engine --volume C:\\CORTEX\\JOBS:/tmp/cortex-jobs thehiveproject/cortex:3.1.0-0.3RC1 --job-directory /tmp/cortex-jobs --docker-job-directory C:\\CORTEX\\JOBS +docker run --volume //./pipe/docker_engine://./pipe/docker_engine --volume C:\\CORTEX\\JOBS:/tmp/cortex-jobs thehiveproject/cortex:3.1.0-1 --job-directory /tmp/cortex-jobs --docker-job-directory C:\\CORTEX\\JOBS ``` #### Docker in docker (docker-ception) You can also run docker service inside Cortex container, a docker in a docker with `--start-docker` parameter. The container must be run in privileged mode. 
``` -docker run --privileged thehiveproject/cortex:3.1.0-0.3RC1 --start-docker +docker run --privileged thehiveproject/cortex:3.1.0-1 --start-docker ``` In this case you don't need to bind job directory. @@ -183,7 +183,7 @@ file starts Elasticsearch and Cortex: version: "2" services: elasticsearch: - image: elasticsearch:7.8.1 + image: elasticsearch:7.9.1 environment: - http.host=0.0.0.0 - discovery.type=single-node @@ -193,7 +193,7 @@ services: volumes: - /path/to/data:/usr/share/elasticsearch/data cortex: - image: thehiveproject/cortex:3.1.0-0.3RC1 + image: thehiveproject/cortex:3.1.1 environment: - job_directory=${job_directory} volumes: @@ -224,7 +224,7 @@ You can still use legacy method (process) but you must ensure that Neuron files In order to add dependencies, you need to extends docker image with your own dockerfile: ``` -FROM thehiveproject/cortex:3.1.0-0.1RC1 +FROM thehiveproject/cortex:3.1.0-1 USER root RUN apt update && apt install -y python3-pip && rm -rf /var/lib/apt/lists/* 
@@ -236,16 +236,16 @@ USER daemon Once the Docker image is up and running, proceed to the configuration using the [Quick Start Guide](../admin/quick-start.md). For more advanced configuration options, please refer to the [Administration Guide](../admin/admin-guide.md). #### Pre-release Versions -If you would like to use pre-release, beta versions of our Docker images and help us find bugs to the benefit of the whole community, please use `thehiveproject/cortex:version-RCx`. For example `thehiveproject/cortex:3.0.0-RC4`. +If you would like to use pre-release, beta versions of our Docker images and help us find bugs to the benefit of the whole community, please use `thehiveproject/cortex:version-RCx`. For example `thehiveproject/cortex:3.1.0-0.1RC1`. ### Binary The following section contains the instructions to manually install Cortex using binaries on **Ubuntu**. #### 1. Minimal Ubuntu Installation -Install a minimal Ubuntu 16.04 system with the following software: +Install a minimal Ubuntu 20.04 system with the following software: - Java runtime environment 1.8+ (JRE) -- Elasticsearch 6.x for Cortex 3.0, 7.x for Cortex 3.1 +- Elasticsearch 7.x for Cortex 3.1 Make sure your system is up-to-date: @@ -262,14 +262,14 @@ You can install either Oracle Java or OpenJDK. echo 'deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main' | sudo tee -a /etc/apt/sources.list.d/java.list sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key EEA14886 sudo apt-get update -sudo apt-get install oracle-java8-installer +sudo apt-get install oracle-java11-installer ``` ##### 2.2 OpenJDK ``` sudo add-apt-repository ppa:openjdk-r/ppa sudo apt-get update -sudo apt-get install openjdk-8-jre-headless +sudo apt-get install openjdk-11-jre-headless ``` 
@@ -454,12 +454,9 @@ Proceed to [installing the analyzers](#analyzers-and-responders) as outlined in Edit `/etc/elasticsearch/elasticsearch.yml` and add the following lines: ``` -network.host: 127.0.0.1 -script.inline: on +http.host: 127.0.0.1 cluster.name: hive -thread_pool.index.queue_size: 100000 thread_pool.search.queue_size: 100000 -thread_pool.bulk.queue_size: 1000 ``` Start the service: @@ -596,7 +593,7 @@ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4 # wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - # Debian repository configuration -echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list +echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list # Install https support for apt sudo apt install apt-transport-https @@ -621,12 +618,9 @@ The cluster name must also be set (`hive` for example). Threadpool queue size mu Edit `/etc/elasticsearch/elasticsearch.yml` and add the following lines: ``` -network.host: 127.0.0.1 -script.inline: on +http.host: 127.0.0.1 cluster.name: hive -thread_pool.index.queue_size: 100000 thread_pool.search.queue_size: 100000 -thread_pool.bulk.queue_size: 100000 ``` ### Start the Service @@ -653,15 +647,11 @@ docker run \ --hostname elasticsearch \ --rm \ --publish 127.0.0.1:9200:9200 \ - --publish 127.0.0.1:9300:9300 \ --volume ***DATA_DIR***:/usr/share/elasticsearch/data \ -e "http.host=0.0.0.0" \ - -e "transport.host=0.0.0.0" \ -e "xpack.security.enabled=false" \ -e "cluster.name=hive" \ -e "script.inline=true" \ - -e "thread_pool.index.queue_size=100000" \ -e "thread_pool.search.queue_size=100000" \ - -e "thread_pool.bulk.queue_size=100000" \ - docker.elastic.co/elasticsearch/elasticsearch:5.6.0 + docker.elastic.co/elasticsearch/elasticsearch:7.9.1 ```
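Review bot: in the `@@ -55,7 +55,7 @@` hunk the new `baseurl=http://rpm.thehive-project.org/stable/es7` is still plain HTTP; the surrounding `gpgcheck=1` verifies package signatures, but repository metadata is not signature-checked unless `repo_gpgcheck=1` is also set, so an on-path party can serve stale metadata and keep users on old packages. Suggest either switching the baseurl to https or adding `repo_gpgcheck=1` to the repo file in the same change.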
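Review bot: the `@@ -102,7 +102,7 @@` hunk keeps `curl ... | sudo apt-key add -` and `tee -a`; `apt-key` is deprecated in current apt releases in favour of a dedicated keyring referenced with `[signed-by=...]`, and `tee -a` appends a second entry on every rerun, alongside any older `stable main` line readers added from the previous version of this guide. Suggest `curl -fsSL .../PGP-PUBLIC-KEY | sudo gpg --dearmor -o /usr/share/keyrings/thehive-project.gpg` and `echo 'deb [signed-by=/usr/share/keyrings/thehive-project.gpg] https://deb.thehive-project.org stable main es7' | sudo tee /etc/apt/sources.list.d/thehive-project.list` without `-a`, so the file is overwritten rather than accumulated.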
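Review bot: the `@@ -157,19 +157,19 @@` hunk only bumps image tags, but the commands it touches bind `/var/run/docker.sock` (or `\\.\pipe\docker_engine`) into the Cortex container and run `--privileged` for the docker-in-docker variant, and the prose says nothing about what that grants: control of the Docker socket is equivalent to root on the host and `--privileged` removes the container's isolation, so a compromised analyzer or Cortex instance becomes a host compromise. Add a sentence stating this and recommending a dedicated host for Cortex when either option is used. While the section is open, the unchanged context line refers to the parameter as `-docker-job-directory` with a single dash, where the command lines use `--docker-job-directory`.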
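Review bot: in the `@@ -183,7 +183,7 @@` hunk the compose service keeps `http.host=0.0.0.0` while the two `elasticsearch.yml` hunks further down bind to `http.host: 127.0.0.1`; inside the compose network that is needed so the Cortex service can reach Elasticsearch, but the guide should say that 9200 must not be published to the host unless bound to `127.0.0.1` as the `docker run` example at `@@ -653` does, since no security is enabled on the cluster. Also confirm that `elasticsearch:7.9.1` matches the `docker.elastic.co/elasticsearch/elasticsearch:7.9.1` tag used at the end of the patch so the two examples stay in step.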
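Review bot: `image: thehiveproject/cortex:3.1.1` in the `@@ -193,7 +193,7 @@` hunk disagrees with `3.1.0-1`, which every other hunk in this patch (`@@ -147`, `@@ -157`, `@@ -224`) moves to; unless `3.1.1` is a tag that already exists, the compose example will fail to pull. Pick one tag and use it throughout the guide.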
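Review bot: the Dockerfile in the `@@ -224,7 +224,7 @@` hunk uses `apt update && apt install -y`; in a non-interactive build `apt-get` is the stable interface (`apt` warns that its CLI is not meant for scripts), so suggest `RUN apt-get update && apt-get install -y python3-pip && rm -rf /var/lib/apt/lists/*`. The context sentence "you need to extends docker image" should read "you need to extend the docker image". The later context line `USER daemon` shows privileges are dropped again after the install, which is the right shape.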
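Review bot: in the `@@ -236,16 +236,16 @@` hunk the prerequisite still reads `Java runtime environment 1.8+ (JRE)` while the `@@ -262` hunk switches the install commands to Java 11 (`openjdk-11-jre-headless`, `oracle-java11-installer`); if Java 8 is no longer tested with Cortex 3.1, bump the prerequisite to 11+, otherwise the guide installs something newer than it claims to need. The pre-release example `thehiveproject/cortex:3.1.0-0.1RC1` is now older than the `3.1.0-1` release the rest of the patch adopts; wording it as "a tag such as" would keep it from reading as a current recommendation.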
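Review bot: the `@@ -262,14 +262,14 @@` hunk renames the package to `oracle-java11-installer` but leaves the surrounding context pointing at `deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main` with `--recv-key EEA14886`; the guide now targets Ubuntu 20.04 (focal), not trusty, the WebUpd8 Oracle Java PPA was discontinued after Oracle's 2019 licence change, and the key is fetched by a 32-bit short ID over an unauthenticated keyserver, which is collidable. Either drop the Oracle section in favour of the OpenJDK one or point at a maintained source and verify its key by full fingerprint.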
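Review bot: the `@@ -454,12 +454,9 @@` hunk replaces `network.host` with `http.host: 127.0.0.1`, which binds only the HTTP layer; with `network.host` unset the transport layer also defaults to loopback, so the single-node case is fine, but adding `discovery.type: single-node` here, as the compose hunk already does, would make the intent explicit and avoid the production bootstrap checks if a reader later sets `network.host` to a non-loopback address. Dropping `script.inline` and the index/bulk queue sizes is correct for 7.x.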
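Review bot: in the `@@ -596,7 +593,7 @@` hunk the new `elastic-7.x.list` is written with `tee -a`, so reruns append duplicate lines and a stale `elastic-5.x.list` from the previous guide stays in place; suggest writing the file without `-a` and telling readers to remove the old list. The unchanged context `wget -qO - ... | sudo apt-key add -` has the same `apt-key` deprecation as the Cortex repository hunk, and `sudo apt install apt-transport-https` after the https source line is harmless on 20.04 but is ordered as if it were still required.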
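Review bot: the `@@ -621,12 +618,9 @@` hunk mirrors the `@@ -454` change, which is good, but its context line `Threadpool queue size mu...` introduces the block; check that the sentence no longer refers to the `thread_pool.index` and `thread_pool.bulk` settings this hunk removes, since only `thread_pool.search.queue_size` remains.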
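Review bot: the `@@ -653,15 +647,11 @@` hunk moves the image to `elasticsearch:7.9.1` but keeps `-e "script.inline=true"`; `script.inline` was removed in Elasticsearch 6.0 (replaced by `script.allowed_types`), and the 7.x image rejects unknown settings at startup, so this command will fail. The two `elasticsearch.yml` hunks already drop `script.inline`; drop it here too. Removing the 9300 publish and `transport.host=0.0.0.0` is right, and keeping `--publish 127.0.0.1:9200:9200` is what makes `xpack.security.enabled=false` tolerable, so that loopback binding deserves a sentence in the prose.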