initial commit

.gitignore

@@ -11,7 +11,7 @@
 /tmp/
 
 # Used by dotenv library to load environment variables.
-# .env
+.env
 
 ## Specific to RubyMotion:
 .dat*
@@ -48,3 +48,5 @@ build-iPhoneSimulator/
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc
+
+/.vagrant

Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gem 'itamae'

Gemfile.lock

@@ -0,0 +1,32 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ansi (1.5.0)
+    hashie (3.5.7)
+    itamae (1.9.11)
+      ansi
+      hashie
+      schash (~> 0.1.0)
+      specinfra (>= 2.64.0, < 3.0.0)
+      thor
+    net-scp (1.2.1)
+      net-ssh (>= 2.6.5)
+    net-ssh (4.2.0)
+    net-telnet (0.1.1)
+    schash (0.1.2)
+    sfl (2.3)
+    specinfra (2.73.2)
+      net-scp
+      net-ssh (>= 2.7, < 5.0)
+      net-telnet
+      sfl
+    thor (0.20.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  itamae
+
+BUNDLED WITH
+   1.16.1

README.md

@@ -0,0 +1,19 @@
+# itamae-thehive
+
+## Description
+
+Automated installation of [TheHive](https://github.com/TheHive-Project/TheHive) by using [itamae](https://github.com/itamae-kitchen/itamae).
+
+## How to use
+
+```bash
+itamae ssh cookbooks/hive/default.rb
+```
+
+- TheHive: `8080/tcp`
+- Cortex: `9000/tcp`
+- Elasticsearch: `9300/tcp`
+
+## TODO
+
+- Enriching this document more.

Vagrantfile

@@ -0,0 +1,66 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  config.vm.box = "ubuntu/xenial64"
+
+  # Disable automatic box update checking. If you disable this, then
+  # boxes will only be checked for updates when the user runs
+  # `vagrant box outdated`. This is not recommended.
+  # config.vm.box_check_update = false
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # NOTE: This will enable public access to the opened port
+  config.vm.network "forwarded_port", guest: 8080, host: 8080
+  config.vm.network "forwarded_port", guest: 9000, host: 9000
+  config.vm.network "forwarded_port", guest: 9300, host: 9300
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine and only allow access
+  # via 127.0.0.1 to disable public access
+  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+
+  # Create a private network, which allows host-only access to the machine
+  # using a specific IP.
+  # config.vm.network "private_network", ip: "192.168.33.10"
+
+  # Create a public network, which generally matched to bridged network.
+  # Bridged networks make the machine appear as another physical device on
+  # your network.
+  # config.vm.network "public_network"
+
+  # Share an additional folder to the guest VM. The first argument is
+  # the path on the host to the actual folder. The second argument is
+  # the path on the guest to mount the folder. And the optional third
+  # argument is a set of non-required options.
+  # config.vm.synced_folder "../data", "/vagrant_data"
+
+  # Provider-specific configuration so you can fine-tune various
+  # backing providers for Vagrant. These expose provider-specific options.
+  # Example for VirtualBox:
+  #
+  config.vm.provider "virtualbox" do |vb|
+    # Display the VirtualBox GUI when booting the machine
+    # vb.gui = true
+
+    # Customize the amount of memory on the VM:
+    vb.memory = "4096"
+  end
+  #
+  # View the documentation for the provider you are using for more
+  # information on available options.
+
+  # Enable provisioning with a shell script. Additional provisioners such as
+  # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
+  # documentation for more information about their specific syntax and use.
+  # config.vm.provision "shell", inline: <<-SHELL
+  #   apt-get update
+  #   apt-get install -y apache2
+  # SHELL
+end

cookbooks/hive/default.rb

@@ -0,0 +1,71 @@
+require 'securerandom'
+
+remote_file "/etc/apt/sources.list.d/elastic-5.x.list" do
+  source "files/elastic/elastic-5.x.list"
+end
+
+remote_file "/etc/apt/sources.list.d/thehive-project.list" do
+  source "files/thehive/thehive-project.list"
+end
+
+# install jvm
+execute "sudo add-apt-repository -y ppa:openjdk-r/ppa"
+execute "sudo apt-get update"
+package "openjdk-8-jre-headless"
+
+# install elasticsearch
+execute "sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4"
+execute "sudo apt install -y apt-transport-https"
+execute "sudo apt-get update"
+package "elasticsearch"
+
+remote_file "/etc/elasticsearch/elasticsearch.yml" do
+  source "files/elastic/elasticsearch.yml"
+end
+
+# install thehive & cortex
+execute "sudo apt-key adv --keyserver hkp://pgp.mit.edu --recv-key 562CBC1C"
+execute "sudo apt-get update"
+package "thehive"
+package "cortex"
+
+template "/etc/thehive/application.conf" do
+  source "templates/thehive/application.conf"
+  variables(secret: SecureRandom.hex)
+end
+
+remote_file "/usr/lib/systemd/system/thehive.service" do
+  source "files/thehive/thehive.service"
+end
+
+template "/etc/cortex/application.conf" do
+  source "templates/cortex/application.conf"
+  variables(secret: SecureRandom.hex)
+end
+
+# install cortex analyzers
+"git python-pip python2.7-dev ssdeep libfuzzy-dev libfuzzy2 libimage-exiftool-perl libmagic1 build-essential libssl-dev".split.each do |name|
+  package name
+end
+
+git "/opt/cortex/Cortex-Analyzers" do
+  repository "https://github.com/CERT-BDF/Cortex-Analyzers"
+end
+
+execute "install analyzers" do
+  cwd "/opt/cortex/Cortex-Analyzers/analyzers"
+  command "sudo pip install $(sort -u */requirements.txt)"
+end
+
+# set proper user:group
+execute "sudo chown -R elasticsearch:elasticsearch /etc/elasticsearch/"
+execute "sudo chown -R thehive:thehive /etc/thehive"
+execute "sudo chown -R thehive:thehive /opt/thehive"
+execute "sudo chown -R cortex:cortex /etc/cortex"
+execute "sudo chown -R cortex:cortex /opt/cortex"
+
+execute "sudo systemctl daemon-reload"
+["elasticsearch", "cortex", "thehive"].each do |name|
+  execute "sudo systemctl enable #{name}"
+  execute "sudo systemctl start #{name}"
+end

cookbooks/hive/files/elastic/elastic-5.x.list

@@ -0,0 +1 @@
+deb https://artifacts.elastic.co/packages/5.x/apt stable main

cookbooks/hive/files/elastic/elasticsearch.yml

@@ -0,0 +1,6 @@
+network.host: 127.0.0.1
+script.inline: on
+cluster.name: hive
+thread_pool.index.queue_size: 100000
+thread_pool.search.queue_size: 100000
+thread_pool.bulk.queue_size: 100000

cookbooks/hive/files/thehive/thehive-project.list

@@ -0,0 +1 @@
+deb https://dl.bintray.com/cert-bdf/debian any main

cookbooks/hive/files/thehive/thehive.service

@@ -0,0 +1,38 @@
+[Unit]
+Description=TheHive
+Documentation=https://thehive-project.org
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+WorkingDirectory=/opt/thehive
+
+User=thehive
+Group=thehive
+
+ExecStart=/opt/thehive/bin/thehive \
+        -Dconfig.file=/etc/thehive/application.conf \
+        -Dlogger.file=/etc/thehive/logback.xml \
+        -Dpidfile.path=/dev/null \
+        -Dhttp.port=8080
+
+StandardOutput=journal
+StandardError=inherit
+
+# Specifies the maximum file descriptor number that can be opened by this process
+LimitNOFILE=65536
+
+# Disable timeout logic and wait until process is stopped
+TimeoutStopSec=0
+
+# SIGTERM signal is used to stop the Java process
+KillSignal=SIGTERM
+
+# Java process is never killed
+SendSIGKILL=no
+
+# When a JVM receives a SIGTERM signal it exits with code 143
+SuccessExitStatus=143
+
+[Install]
+WantedBy=multi-user.target