Skip to content
This repository has been archived by the owner on Sep 11, 2023. It is now read-only.

fastlorenzo/redelk-server

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

redelk-server

OBSOLETE: please use https://github.com/fastlorenzo/redelk-ansible instead

Ansible role to deploy RedELK server components.

Variables

The following variables can be modified:

Key Type Default Description
certs_dir_nginx string "/etc/nginx/certs" Path to folder containing certificates in Nginx container
certs_dir_nginx_ca string "/etc/nginx/ca_certs" Path to folder containing the CA certificate in Nginx container
certs_dir_nginx_ca_local string "./mounts/certs/ca" Local path to folder containing the CA certificate
certs_dir_nginx_local string "./mounts/certbot/conf/live/localhost" Local path to folder containing certificates. Replace localhost with the same value as external_domain
customer_ips list [] List of customer's IP addresses
docker_dir string "/var/lib/docker" Docker directory
domains list [] List of domain names used for the exercise
es_elastic_password string "elastic" ElasticSearch users
es_kibana_encryptionKey string "sLOVUK5MLv0VDhKsMlQcjgAaSMLXLLVy" Kibana encryption key (32 char alphanumeric)
es_kibana_password string "kibana" ElasticSearch kibana user's password
es_logstash_system_password string "logstash_system" ElasticSearch logstash_system user's password
es_redelk_ingest_password string "redelk" ElasticSearch redelk-ingest user's password (used by logstash)
es_redelk_password string "redelk" ElasticSearch RedELK user's password
es_redelk_user string "redelk" ElasticSearch RedELK username
es_version string "7.16.3" Elastic version
external_domain string "localhost" External domain name to expose RedELK interface on. Will also be used to request Let's Encypt certificate
le_email string "" Let's Encrypt email address
le_enable bool true
le_staging int 0 Set to 1 to use Let's Encrypt staging endpoint.
monitor_hosts bool false Set to true to support monitoring hosts (metricbeat, packetbeat, ...)
neo4j_password string "BloodHound" Neo4J password (user: neo4j)
optsec_dir string "/opt" Base directory for components install (where customer data will be stored) - allows to store on an encrypted partition/disk
redelk_alarm_interval string "3600"
redelk_alarm_tempDir string "/tmp"
redelk_alarms object cf. below Alarm configuration options
redelk_alarms.alarm_dummy.enabled bool false Wether to enable the alarm
redelk_alarms.alarm_dummy.interval int 300 Interval at which the alarm will run (in seconds)
redelk_alarms.alarm_filehash.enabled bool true Wether to enable the alarm
redelk_alarms.alarm_filehash.ha_api_key string "<<INSERT_API_KEY>>" Hybrid Analysis API key
redelk_alarms.alarm_filehash.ibm_basic_auth string "Basic <<REPLACE>>" IBM X-Force Exchange basic authentication
redelk_alarms.alarm_filehash.interval int 360 Interval at which the alarm will run (in seconds)
redelk_alarms.alarm_filehash.vt_api_key string "<<INSERT_API_KEY>>" VirusTotal API key
redelk_alarms.alarm_httptraffic.enabled bool true Wether to enable the alarm
redelk_alarms.alarm_httptraffic.interval int 310 Interval at which the alarm will run (in seconds)
redelk_alarms.alarm_httptraffic.notify_interval int 86400 Only notify on the same IP hit at every notify_interval (in seconds)
redelk_alarms.alarm_useragent.enabled bool true Wether to enable the alarm
redelk_alarms.alarm_useragent.interval int 320 Interval at which the alarm will run (in seconds)
redelk_cert_path string "certificates/redelk" Local path to store RedELK certificates
redelk_client_connection_mode string "reverse" Sets how RedELK clients connects to filebeat direct (client connects to RedELK server IP directly) or reverse (reverse SSH tunnel is made from RedELK server to clients)
redelk_enrich object cf. below Settings for data enrichment. You can keep these enabled even if you don't use a specific item.
redelk_enrich.enrich_csbeacon object cf. below Enriches rtops data from Cobalt Strike implants.
redelk_enrich.enrich_csbeacon.enabled bool true Wether to enable the enrichment module
redelk_enrich.enrich_csbeacon.interval int 300 Interval (in seconds) at which the enrichment script will run
redelk_enrich.enrich_greynoise object cf. below Enriches redirtraffic data with info from Greynoise. If an IP address is listed in Greynoise, this data is added.
redelk_enrich.enrich_greynoise.cache int 86400 How long the data will be cached (in seconds). If an IP was already seen within this period, a new call to GeryNoise API will not be made.
redelk_enrich.enrich_greynoise.enabled bool true Wether to enable the enrichment module
redelk_enrich.enrich_greynoise.interval int 310 Interval (in seconds) at which the enrichment script will run
redelk_enrich.enrich_iplists object cf. below Background RedELK process that enriches redirtraffic data with IP lists configured in RedELK (via ES app or in configuration files). Better keep it enabled.
redelk_enrich.enrich_iplists.enabled bool true Wether to enable the enrichment module
redelk_enrich.enrich_iplists.interval int 330 Interval (in seconds) at which the enrichment script will run
redelk_enrich.enrich_stage1 object cf. below Enriches rtops data from Outflank's custom C2 framework.
redelk_enrich.enrich_stage1.enabled bool false Wether to enable the enrichment module
redelk_enrich.enrich_stage1.interval int 300 Interval (in seconds) at which the enrichment script will run
redelk_enrich.enrich_synciplists object cf. below Background RedELK process that syncs IP lists from configuration files with ES. Better keep it enabled.
redelk_enrich.enrich_synciplists.enabled bool true Wether to enable the enrichment module
redelk_enrich.enrich_synciplists.interval int 360 Interval (in seconds) at which the enrichment script will run
redelk_enrich.enrich_tor object cf. below Enriches redirtraffic with Tor. If an IP address is a known Tor exit node, this info is added.
redelk_enrich.enrich_tor.cache int 360 How often the TOR endpoint list should be retrieved (in seconds).
redelk_enrich.enrich_tor.enabled bool true Wether to enable the enrichment module
redelk_enrich.enrich_tor.interval int 360 Interval (in seconds) at which the enrichment script will run
redelk_install_type string "full" (full or limited) If full, Jupyter notebooks and BloodHound/Neo4J will be installed as well
redelk_loglevel string "WARNING" Log level of the RedELK daemon.
redelk_notifications object cf. below Alarm notifications options
redelk_notifications.email.enabled bool false Wether to enable alarm notifications via e-mail
redelk_notifications.email.from string "[email protected]" Source e-mail address to send RedELK notifications from
redelk_notifications.email.smtp.host string "example.com" SMTP server hostname or IP address
redelk_notifications.email.smtp.login string "[email protected]" SMTP username to authenticate
redelk_notifications.email.smtp.pass string "redelk" SMTP password to authenticate
redelk_notifications.email.smtp.port string "587" SMTP server port
redelk_notifications.email.to list ["[email protected]"] List of e-mail addresses to send RedELK notifications to
redelk_notifications.msteams.enabled bool false Wether to enable alarm notifications via Microsoft Teams WebHook
redelk_notifications.msteams.webhook_url string "" Microsoft Teams WebHook URL
redelk_notifications.slack.enabled bool false Wether to enable alarm notifications via Slack WebHook
redelk_notifications.slack.webhook_url string "" Slack WebHook URL
redelk_repo string "outflanknl" RedELK docker image repository
redelk_repo_path string "RedELK" Local path to the RedELK git repository. will be cloned if doesn't exist
redelk_user string "redelk" RedELK SSH username (used to sync data between RedELK monitoring server and the clients)
redelk_version string "master" RedELK version to install (ignored if the git repository defined in redelk_repo_path is already cloned)
redteam_ips list [] List of Red Team's IP addresses
ssh_keys_path string "ssh_keys" Local path to store ssh keys
tls_nginx_ca_path string "/etc/nginx/ca_certs/ca.crt" Path to the CA file in Nginx container
tls_nginx_crt_path string "/etc/letsencrypt/live/{{ external_domain }}/fullchain.pem" Path to the certificate file in Nginx container
tls_nginx_key_path string "/etc/letsencrypt/live/{{ external_domain }}/privkey.pem" Path to the private key file in Nginx container
unknown_ips list [] List of Unknown IP addresses

Dependencies

There is no specific dependency for this module.

Example Playbook

- name: Gather facts from all hosts
  hosts: all
  gather_facts: True

- name: Apply redelk-server role to monitoring server(s)
  hosts: monitoring
  gather_facts: True
  tags:
    - monitoring
  roles:
    - redelk-server

Example inventory

[monitoring]
redelk-server  ansible_user=rtoperator  ansible_host=192.168.20.150  ansible_become_password=redelk  type=monitoring

[teamservers]
c2-01          ansible_user=rtoperator  ansible_host=192.168.20.151  ansible_become_password=redelk  type=c2

[redirectors]
redir-01       ansible_user=rtoperator  ansible_host=192.168.20.152  ansible_become_password=redelk  type=redirector

Source Code

License

BSD 3-Clause

Maintainers

Lorenzo Bernardi / @fastlorenzo