User interface for the OpenSOC platform. The UI is a modified version of Kibana 3 which is served by a node JS backend.
- Create a config file:
echo "{}" > ~/.opensoc-ui - Install opensoc-ui:
npm install -g opensoc-ui - Start opensoc-ui:
opensoc-ui
This will start the server in the same process. To start/stop a daemonized server use opensoc-ui start and opensoc-ui stop. You can view the location of the log file with opensoc-ui logs. The daemon is started using the forever node package. You can tack on other command line flags that the library supports. More information about this is available at https://www.npmjs.com/package/forever.
Next, head over to the "Configuration" section for more information about the config file.
OpenSOC UI requires access to the following services:
- ElasticSearch with OpenSOC data.
- PCAP Service for access to raw pcaps.
- Active Directory or LDAP for authentication.
In addition raw PCAP access is restricted to any set groups. If you are using OpenLDAP, you must configure the memberOf overlay to provide reverse group membership information. Once these services are up and running, you are ready to setup the OpenSOC UI.
The commands in this section are for deployment on Ubuntu 14.04. These instructions will need to be altered for Ubuntu 12.04 as the nodejs package is too old. It should be straight forward to adapt these instructions to other architectures as long as you are able to install the required packages.
apt-get update
apt-get install -y libpcap-dev tshark nodejs npm
ln -s /usr/bin/nodejs /usr/bin/node
npm install -g opensoc-uiBefore you can spin up the UI, you need to point it to the various services and configure other deployment specific settings. The application will look for an application config using in the following places in order:
~/.opensoc-ui- Path specified by the environment variable
OPENSOC_UI_CONFIG - Path specified by the npm package config setting
path. Once the package is installed, this can be set withnpm config set opensoc-ui:path "/path/to/config.json"
opensoc-uiThis will run the server without daemonizing that may make it easier to debug any issues with your setup. You can exit the test server with Ctrl+C.
opensoc-ui startIncidentally, to stop the server use:
opensoc-ui stopand to restart it use:
opensoc-ui restartFor logs:
opensoc-ui logsThe OpenSOC-UI is configured using a JSON file.
-
auth: Set totrueto enable authentication with ldap. -
host: IP address the server should listen on. -
port: Port the server should listen on. -
secret: A random string that used to sign cookies. -
elasticsearch: Must be a JSON object with the following keys:url: URI to OpenSOC ElasticSearch cluster.
-
ldap: Only required ifauthis set to true. Must be a JSON object with the following keys:url: URI to LDAP service.searchBase: LDAP search base.adminDn: LDAP admin distinguished name.adminPassword: LDAP admin password.
-
pcap: Must be a JSON object with the following keys:url: URI to the OpenSOC PCAP API service. The PCAP service uses the prefixpcap/pcapGetter. This should be included as it is a configurable in the PCAP service. For clarification, see the example config below.mock: This should be set tofalse.
-
permissions: Must be a JSON object with the following keys:pcap: List of AD/LDAP groups that should have access to raw pcap data.
The following is an example config.json file. This config will not work for you in production but is meant to serve as an example. It assumes that ElasticSearch, LDAP, and the OpenSOC PCAP service are running on 192.168.100.1:
{
"secret": "b^~BN-IdQ9gdp5sa2K$N=d5DV06eN7Y",
"elasticsearch": {
"url": "http://192.168.100.1:9200"
},
"ldap": {
"url": "ldap://192.168.100.1:389",
"searchBase": "dc=opensoc,dc=dev",
"searchFilter": "(mail={{username}})",
"searchAttributes": ["cn", "uid", "mail", "givenName", "sn", "memberOf"],
"adminDn": "cn=admin,dc=opensoc,dc=dev",
"adminPassword": "opensoc"
},
"pcap": {
"url": "http://192.168.100.1/pcap/pcapGetter",
"mock": false
},
"permissions": {
"pcap": ["cn=investigators,ou=groups,dc=opensoc,dc=dev"]
}
}These instructions are only for local development on the OpenSOC UI. Development is done in an Ubuntu 14.04(trusty) virtual machine that is provisioned using vagrant. It is intended to provided an isolated environment with all the dependencies and services either installed or stubbed. None of these instructions should be used for deployments. If that was not clear enough, these instructions are NOT FOR DEPLOYMENT.
Download the latest package for your platform here:
git clone git@github.com:OpenSOC/opensoc-ui.git
cd opensoc-ui
git submodule update --initvagrant upYou might see a couple warnings, but usually these can be ignored. Check for any obvious errors as this can cause problems running the portal later.
All dependencies will be installed in the VM. The repository root is shared between the host and VM. The shared volume is mounted at /vagrant. Use the following command to ssh into the newly built VM:
vagrant ssh
cd /vagrantYou can now run the tests:
npm testThe nodemon utility automatically watches for changed files and reloads the node server automatically. Run the following commands from with the vagrant vm.
vagrant ssh
cd /vagrant
npm install -g nodemon
nodemonYou can then access the OpenSOC ui at http://localhost:5000.
Two default accounts: mail: joesmith@opensoc.dev, maryfodder@opensoc.dev The default password is: opensoc
When the VM is provisioned, elasticsearch and LDAP are provided some seed data to get you started. This fake data tries to mimic data from the OpenSOC platform to set you up for local development without running the entire platform. Occasionally, you may need to regenerate your seed data. To do this, use the following command.
script/es_gen.jsOn the other hand, to duplicate another ES installation use:
ES_HOST=changeme.com script/es_fetch.jsYou should now have seed data in seed/es. You can load this into the dev ES instance with:
script/es_seedFor authentication, make sure you set up the LDAP directory structure with:
script/ldap_seed