Install TheHive4 and Cortex on Ubuntu 20.04 LTS
Jan 8, 2021
Edits:
- 2021-01-08 - First init
Caveats:
- I am not an experienced TheHive / Cortex user, so this may contain errors.
- Not much testing has been done yet. If you test it out and find something, leave a message in the comments :)
Like the last guides:
This installation is not made for public-facing servers; there is no built-in security in this setup (Cassandra runs without authentication, TheHive is served over plain HTTP, and the default admin password is still in place until you change it).
I take no responsibility if this guide borks your server, burns your house down to ashes, makes your Christmas tree self-combust or makes your cat leave you.
It's under the "it worked for me[tm]" clause.
This is, as always, a work in progress.
Preparation is key
Prepare a can of coffee and (if at home) put on your best comfy clothes.
When writing this, Murderfolk Playlist - Essential Dark Folk and Southern Gothic was playing in the headphones.
Fire up a vanilla Ubuntu 20.04 LTS VM for testing and start the installation.
Install nothing but the OpenSSH server and "standard system utilities".
install requirements
TheHive 4 is built for Java 8, while Ubuntu 20.04 ships Java 14 as its default, so the Java 8 JRE is installed here and selected explicitly below.
sudo apt update &&\
sudo apt -y dist-upgrade &&\
sudo apt -y autoremove &&\
sudo apt install -y software-properties-common openjdk-8-jre-headless
configure JAVA_HOME
Append to /etc/environment rather than overwrite it (tee without -a would replace the file and drop the system PATH):
echo JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64" | sudo tee -a /etc/environment
export JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"
falk@thehive:~$ sudo update-alternatives --config java
There are 2 choices for the alternative java (providing /usr/bin/java).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/lib/jvm/java-14-openjdk-amd64/bin/java 1411 auto mode
1 /usr/lib/jvm/java-14-openjdk-amd64/bin/java 1411 manual mode
2 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java 1081 manual mode
Press <enter> to keep the current choice[*], or type selection number: 2
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java to provide /usr/bin/java (java) in manual mode
install Cassandra
The 311x component is the Cassandra 3.11.x series, which is what TheHive 4 was tested against at the time of writing.
curl -fsSL https://www.apache.org/dist/cassandra/KEYS | sudo apt-key add -
echo "deb http://www.apache.org/dist/cassandra/debian 311x main" | sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list
sudo apt update
sudo apt install cassandra
Note that apt-key add makes that key trusted for every repository on the system, not only the Cassandra one; it still works on 20.04 but is deprecated in favour of a per-repository keyring referenced with signed-by.
check that Cassandra is running
falk@thehive:~$ nodetool status
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns (effective) Host ID Rack
UN 127.0.0.1 127.43 KiB 256 100.0% 91e64e04-e2b2-48e2-b088-6aebc5d8cb7b rack1
configure Cassandra
falk@thehive:~$ cqlsh localhost 9042
Connected to Test Cluster at localhost:9042.
[cqlsh 5.0.1 | Cassandra 3.11.9 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cqlsh> UPDATE system.local SET cluster_name = 'thp' where key='local';
Leave cqlsh and flush the change to disk before touching cassandra.yaml. Order matters here: Cassandra refuses to start if the cluster name saved in system.local differs from the one configured in cassandra.yaml.
nodetool flush
Make a backup of the default distro Cassandra config file
sudo cp /etc/cassandra/cassandra.yaml /etc/cassandra/cassandra.yaml_DIST
Then set the cluster name in the live config file (not the backup) to the same value that was written to system.local above
sudo sed -i "s|cluster_name: 'Test Cluster'|cluster_name: 'thp'|g" /etc/cassandra/cassandra.yaml
Restart cassandra with the new settings
sudo systemctl restart cassandra
Todo: Security. Out of the box Cassandra uses AllowAllAuthenticator and AllowAllAuthorizer, i.e. anything that can reach port 9042 can read and write the TheHive keyspace. To add security measures in Cassandra, refer to the related Cassandra administration guide.
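As an added example (not code from the original post, nor from the TheHive or Cassandra projects), the following script shows what that todo looks like in practice: it rewrites the AllowAll* defaults in a cassandra.yaml to password authentication and role-based authorization, sets the cluster name the same way the sed above does, verifies the result, and prints the CQL for a dedicated, non-superuser TheHive role. The file path, the role name "thehive", the keyspace "thehive" and the single-node replication factor are assumptions matching this guide; the demo runs on a constructed three-line stand-in for the distro file.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the TheHive/Cassandra docs.
# Hardens a cassandra.yaml passed as an argument; /etc/cassandra/cassandra.yaml
# is only assumed in the usage comments below.
set -eu

# Replace the value of an uncommented, column-0 "key: value" line.
# Commented-out examples further down the distro file are left alone.
set_yaml_key() {
  local file=$1 key=$2 value=$3
  grep -qE "^${key}:" "$file" || { echo "no '${key}:' line in $file" >&2; return 1; }
  sed -i -E "s|^(${key}:).*|\1 ${value}|" "$file"
}

# Harden: password authentication, role-based authorization, cluster name.
# Usage on a real box: sudo bash -c '. ./harden.sh; harden_cassandra_yaml /etc/cassandra/cassandra.yaml thp'
harden_cassandra_yaml() {
  local file=$1 cluster=${2:-thp}
  set_yaml_key "$file" cluster_name "'${cluster}'"
  set_yaml_key "$file" authenticator PasswordAuthenticator
  set_yaml_key "$file" authorizer CassandraAuthorizer
}

# Succeed only when no AllowAll* setting survives and the cluster name matches
# what was written to system.local with cqlsh.
check_cassandra_yaml() {
  local file=$1 cluster=${2:-thp}
  if grep -qE '^(authenticator|authorizer): *AllowAll' "$file"; then
    echo "$file still allows unauthenticated access" >&2; return 1
  fi
  grep -qE "^cluster_name: *'${cluster}'\$" "$file"
}

# CQL for a least-privilege TheHive role. Assumed: one node, and the keyspace
# is pre-created here so the role needs no CREATE on ALL KEYSPACES.
# Run once after the restart with the built-in superuser, which also retires
# the default cassandra/cassandra password:
#   thehive_role_cql 'TheHiveDbPw' 'NewSuperPw' | cqlsh -u cassandra -p cassandra localhost 9042
thehive_role_cql() {
  local thehive_pw=$1 super_pw=$2
  cat <<EOF
CREATE KEYSPACE IF NOT EXISTS thehive WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
CREATE ROLE IF NOT EXISTS thehive WITH PASSWORD = '${thehive_pw}' AND LOGIN = true;
GRANT ALL PERMISSIONS ON KEYSPACE thehive TO thehive;
ALTER ROLE cassandra WITH PASSWORD = '${super_pw}';
EOF
}

# Demo on a constructed stand-in for the distro file (no real config touched).
demo() {
  local f; f=$(mktemp)
  printf "cluster_name: 'Test Cluster'\nauthenticator: AllowAllAuthenticator\nauthorizer: AllowAllAuthorizer\n" > "$f"
  harden_cassandra_yaml "$f" thp
  check_cassandra_yaml "$f" thp && cat "$f"
  rm -f "$f"
}
```

Run `bash -c '. ./harden.sh; demo'` to see the before/after on the constructed file. After applying it to the real cassandra.yaml and restarting Cassandra, the username and password lines in TheHive's db.janusgraph.storage section (commented out in the configuration further down) must be uncommented and set to the role created by thehive_role_cql, otherwise TheHive can no longer connect.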
install TheHive4
curl https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo apt-key add - &&\
echo 'deb https://deb.thehive-project.org release main' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list &&\
sudo apt update
sudo apt install thehive4
Prepare storage for attachments
sudo mkdir -p /opt/thp_data/files/thehive &&\
sudo chown -R thehive:thehive /opt/thp_data/files/thehive
configure TheHive4
Database
To use the Cassandra database, edit TheHive's configuration file (/etc/thehive/application.conf) and set the following lines (the cluster-name and keyspace must match what was configured in Cassandra above):
db.janusgraph {
  storage {
    ## Cassandra configuration
    # More information at https://docs.janusgraph.org/basics/configuration-reference/#storagecql
    backend: cql
    hostname: [ "127.0.0.1" ]
    # Cassandra authentication (if configured)
    // username: "thehive"
    // password: "password"
    cql {
      cluster-name: thp
      keyspace: thehive
      read-consistency-level: ONE
      write-consistency-level: ONE
    }
  }
}
Attachment storage
Local filesystem
Edit this in the storage section
storage {
provider = localfs
localfs.location = /opt/thp_data/files/thehive
}
Start TheHive4
sudo systemctl restart thehive
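Before logging in, it is worth checking that what was written to application.conf and the attachment directory actually line up. The script below is an added example (not from the original post or the TheHive project): it pulls the relevant values out of a HOCON file with sed, checks that the attachment directory exists, belongs to the service user and is not readable by other local users, and waits for TheHive's listener to come up. The config path, the directory and the service user "thehive" are this guide's values and are passed in as arguments rather than hard-coded.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the TheHive project:
# post-restart sanity checks for the configuration made in this guide.
set -eu

# Fetch a flat "key = value" / "key: value" setting from a HOCON file,
# skipping comment lines. Enough for the scalar values this guide sets.
hocon_get() {
  local file=$1 key=$2
  sed -nE "s|^[[:space:]]*${key}[[:space:]]*[=:][[:space:]]*\"?([^\"[:space:]]+)\"?.*|\1|p" "$file" | head -n 1
}

# Case attachments are evidence: the directory must exist, belong to the
# service user and give no access at all to "other".
check_attachment_dir() {
  local dir=$1 owner=${2:-thehive} actual perms
  [ -d "$dir" ] || { echo "missing attachment directory: $dir" >&2; return 1; }
  actual=$(stat -c %U "$dir"); perms=$(stat -c %a "$dir")
  [ "$actual" = "$owner" ] || { echo "$dir is owned by $actual, want $owner" >&2; return 1; }
  case $perms in
    *0) ;;
    *) echo "$dir mode $perms grants access to other users" >&2; return 1 ;;
  esac
}

# Cross-check application.conf against what this guide configured.
# Usage: check_thehive_conf /etc/thehive/application.conf thehive
check_thehive_conf() {
  local conf=$1 owner=${2:-thehive} backend keyspace provider location
  backend=$(hocon_get "$conf" backend)
  keyspace=$(hocon_get "$conf" keyspace)
  provider=$(hocon_get "$conf" provider)
  location=$(hocon_get "$conf" 'localfs\.location')
  [ "$backend" = cql ] || { echo "db backend is '$backend', want cql" >&2; return 1; }
  [ -n "$keyspace" ] || { echo "no keyspace configured" >&2; return 1; }
  [ "$provider" = localfs ] || { echo "storage provider is '$provider', want localfs" >&2; return 1; }
  check_attachment_dir "$location" "$owner"
}

# Wait up to $3 seconds for TheHive's listener (9000 by default) to accept TCP.
# Usage: wait_for_port 127.0.0.1 9000 120 && curl -s http://127.0.0.1:9000/api/status
wait_for_port() {
  local host=$1 port=$2 limit=${3:-60} i=0
  while [ "$i" -lt "$limit" ]; do
    if timeout 1 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then return 0; fi
    i=$((i + 1)); sleep 1
  done
  echo "nothing listening on ${host}:${port} after ${limit}s" >&2
  return 1
}
```

A directory created with plain mkdir and chown as above ends up with the umask default (typically 755), which check_attachment_dir will flag; a chmod 750 on /opt/thp_data/files/thehive fixes that. TheHive 4 takes a while to create its JanusGraph schema on first start, so give wait_for_port a generous limit the first time.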
TL;DR
- Default administrator account: admin@thehive.local / secret
- Log in with the default account and change its password straight away
- Create an organisation
- Create a user account