Ansible README

Phil Hagen edited this page Nov 13, 2023 · 2 revisions

These are the steps used to create a SOF-ELK instance from scratch. These steps are a good starting point for those wishing to deploy their own SOF-ELK capabilities via these Ansible playbooks. Obviously, you'd need to adjust these instructions to your environment and platform.

Building a public release of the VM

  1. Virtual Machine configuration (only applicable if installing to virtual machine)
    • Name: FOR572 SOF-ELK
    • 4 cores
    • 4096 MB RAM
    • Enable hypervisor applications
    • Disable 3D graphics acceleration
    • USB 3.1 Controller
    • Remove Sound
    • Remove Printer
    • Remove Camera
    • Hardware (compatibility) version at $current-1 (or $current if this is your own build)
    • 500GB SATA HDD, single file, named SOF-ELK.vmdk
      • Classroom build: FOR572 SOF-ELK.vmdk
    • One or more CD/DVD-ROM device(s) as needed
      • Classroom build: Three IDE CD/DVD-ROM devices. Disable the two that are not attached to the installer ISO.
    • Disable Side Channel Mitigations
  2. CentOS 7 network install
    • I had to append vga=794 to the kernel command line or the windows got cut off
    • Enable networking (DHCP)
    • Hostname: sof-elk
    • Timezone: Etc/Coordinated Universal Time (NOT GMT), network time enabled
    • Install via network, URL: http://mirrors.sonic.net/centos/7/os/x86_64/
    • Software selection: Minimal
    • Installation destination: ~500GB HDD, but select "I will configure partitions"
      • Click "Click here to create them automatically"
      • Remove /home so it will reside on /
      • Change / to 250GB
        • Note: Use approximately 50% of total storage volume if using an HDD >500GB
      • Create /var/lib/elasticsearch partition and leave size blank - it should auto-fill the disk at ~256GB (the two partitions total more than 500GB because the installer counts 2^30 bytes per GB while the disk is sized in 10^9-byte units)
        • Note: Size will differ if using an HDD >500GB
    • Click "Begin installation"
    • Set a strong root password. It is recommended to disable direct use of this account after the system is installed. Disabling it is selectable during the Ansible installation and is the default behavior.
    • During install, create a user
      • Full name: SOF-ELK User
      • Username: elk_user
      • Select "Make this user an administrator"
      • Set password as desired
        • Classroom build: forensics. This weak password will require you to click "Done" twice.
    • You may need to manually remove the installation ISO file from the VMX file when initial installation is complete.
    • Reboot the VM.
  3. yum -y update (as root or with sudo). This may not be needed, depending on the installation method used.
  4. reboot (as root or with sudo)
  5. yum -y install epel-release (as root or with sudo)
  6. yum -y install git ansible (as root or with sudo)
  7. git clone https://github.com/philhagen/sof-elk /tmp/sof-elk (as root or with sudo)
    • Change to the desired branch in the cloned repository, e.g. git checkout public/v20200229. This branch will be the same as what is deployed in the completed installation.
  8. ansible-playbook -i 127.0.0.1, --connection=local /tmp/sof-elk/ansible/sof-elk_single_vm.yml
  9. rm -rf /tmp/sof-elk
  10. Stage sample evidence archive files
    • Old Lab 2.3 (Logs)
    • Old Lab 3.1 (NetFlow)
  11. Run ~root/distro_prep.sh as root
    • Log in as elk_user
    • set +o history (this disables subsequent history tracking)
    • sudo su -
    • set +o history (in the root shell)
    • ./distro_prep.sh (in the root shell while in ~/)
    • Follow prompts - don't forget to set VM comment with username/password
  12. Halt and power down the VM
  13. Take a release candidate snapshot
  14. Reboot the VM. (Technically not required, but ensures all is set up to start on boot.)
  15. Test:
    • Data load (syslog, httpdlog, netflow, passivedns)
    • sof-elk_clear.py -i list
  16. Remove release candidate snapshot
  17. Create 7z archive for distribution (max compression)
    • Ensure the VMware Workstation/Fusion interface does not have the VM selected as
    • Only include .vmx and *.vmdk files
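The following script is an added example and is not part of the SOF-ELK project or this page: it wraps steps 5 to 9 above in one script, adds a branch-name check and an ansible-playbook --syntax-check before the real run, and verifies that the clone really sits on the requested branch before deploying. It assumes CentOS 7 (yum), the repository URL and playbook path given on the page, and that yum update and the reboot (steps 3 and 4) were done beforehand.

```shell
#!/bin/sh
# Added example, not part of the SOF-ELK project: wraps steps 5 to 9 above in
# one script with the checks an operator would want before the playbook runs.
# Assumes CentOS 7 (yum) and the repository URL and playbook path from the page;
# steps 3 and 4 (yum update and reboot) are left to the operator beforehand.
set -eu

SOFELK_REPO="https://github.com/philhagen/sof-elk"
SOFELK_DIR="/tmp/sof-elk"
SOFELK_PLAYBOOK="ansible/sof-elk_single_vm.yml"

# Accept only the branch naming the page uses (public/v<YYYYMMDD> or class/v*),
# so a mistyped name does not silently deploy from the default branch.
validate_branch() {
    case "$1" in
        public/v[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        class/v?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the playbook invocation from step 8; "syntax" appends --syntax-check so
# the play can be validated before it changes the host.
playbook_cmd() {
    cmd="ansible-playbook -i 127.0.0.1, --connection=local $SOFELK_DIR/$SOFELK_PLAYBOOK"
    if [ "${1:-}" = "syntax" ]; then cmd="$cmd --syntax-check"; fi
    printf '%s\n' "$cmd"
}
provision_sof_elk() {
    branch="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root or with sudo" >&2; return 1; }
    validate_branch "$branch" || { echo "unexpected branch name: $branch" >&2; return 1; }
    yum -y install epel-release                       # step 5
    yum -y install git ansible                        # step 6
    git clone "$SOFELK_REPO" "$SOFELK_DIR"            # step 7
    # CentOS 7 ships git 1.8.3, which lacks "git -C", so cd into the clone.
    (cd "$SOFELK_DIR" && git checkout "$branch")
    actual="$(cd "$SOFELK_DIR" && git rev-parse --abbrev-ref HEAD)"
    # Refuse to deploy unless the working tree really is on the requested branch.
    [ "$actual" = "$branch" ] || { echo "checkout landed on $actual" >&2; return 1; }
    sh -c "$(playbook_cmd syntax)"                    # validate the play first
    sh -c "$(playbook_cmd)"                           # step 8: the real run
    rm -rf "$SOFELK_DIR"                              # step 9
}
# Only provision when asked explicitly, e.g. SOFELK_BRANCH=public/v20200229 sh build.sh
if [ -n "${SOFELK_BRANCH:-}" ]; then
    provision_sof_elk "$SOFELK_BRANCH"
fi
```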

Course-specific Version Preparation

  1. Remove public sample evidence files and load course-specific ones. For FOR572:
    • Lab 2.3 (Logs)
    • Lab 3.1 (NetFlow) - load with nfdump2sof-elk.sh script, as indicated in lab text. Adjust background in lab instructions to match if needed.
  2. If required by the course, integrate the Electronic Workbook per standard procedures
    • This will include installing httpd and some supporting packages
  3. Customize /etc/issue.prep so the course this is built for is first in the list
  4. Create class/v* branch in git and check this branch out in VM. Delete all other branches.
  5. Run ~root/distro_prep.sh as root
    • Log in as elk_user
    • set +o history (this disables subsequent history tracking)
    • sudo su -
    • set +o history (in the root shell)
    • ./distro_prep.sh (in the root shell while in ~/)
    • Follow prompts - don't forget to set VM comment with username/password
  6. Halt and power down the VM
  7. Take a release candidate snapshot
  8. Reboot
  9. Test:
    • Data load (syslog, httpdlog, netflow, passivedns)
    • sof-elk_clear.py -i list
  10. Remove release candidate snapshot
  11. Create 7z archive for distribution (max compression)
    • Ensure the VMware Workstation/Fusion interface does not have the VM selected as
    • Only include .vmx and *.vmdk files