-
Notifications
You must be signed in to change notification settings - Fork 70
Installation: OpenSSL Signed Installation Guide
This type of installation is for users with some experience with linux administration. It is ideal for those that are required to build upon a baseline (gold disk) image. It also works very well for cloud based instances as a build script. It ensures that the most recent versions of the software are used and that it is configured the same way every time. Also note that all ciphers and keys are generated at run time and therefore are as unique as any script can make them.
-
Start with Ubuntu 16.04 LTS Server base image
-
Log into system with an account that has sudo privledges
-
The buildskadi.sh script downloads the signed buildskadi.tgz file and verifies the signature using openssl. If anything interrupts the download or if the signature doesn't match then the installation exits with an error message.
-
Start the script from a terminal using the commands below This could take anywhere from 5 - 60+ minutes depending on the speed of the internet connection
wget -O /tmp/buildskadi.sh https://raw.githubusercontent.com/orlikoski/skadi/master/scripts/buildskadi.sh
sudo bash /tmp/buildskadi.sh
export DEFAULT_PASSWORDS="true"
wget -O /tmp/buildskadi.sh https://raw.githubusercontent.com/orlikoski/skadi/master/scripts/buildskadi.sh
sudo -E bash /tmp/buildskadi.sh
The final completion will look something like the following. Make sure to note the usernames and passwords as they will be needed to access the tools:
NOTE: The OS account will only appear if the skadi
user did not already exist
Skadi Setup is Complete
The Nginx reverse proxy setup and can be accessed at http://<IP Address> or http://localhost if installed locally:
The following are the credentials needed to access this build and are stored in /opt/skadi_credentials if run-time generated credentials was chosen:
Proxy & Grafana Account:
- Username: skadi_<random chars>
- Password: <random chars>
TimeSketch Account:
- Username: skadi_<random chars>
- Password: <random chars>
OS Account:
- Username: skadi
- Password: <random chars>
The following files have credentials used in the build process stored in them:
- /opt/skadi_credentials (only if run-time generated credentials chosen)
- /opt/Skadi/Docker/.env
- /opt/Skadi/Docker/skadi_dockprom/.env
Not 100% complete, but very close. The reason this is for advanced users is that the remaining items require loading sample data into the ElasticSearch in order to create the default index in Kibana as well as load the pre-made Dashboards, Visualizations, and Searches into Kibana (requires the correct indexes to work).
- Run sample data through CDQR into the ElasticSearch database (sample Virtual Machines can be found at the DFIR Training site or by using CyLR to collect from a sample host (much faster).
- Sample Command:
~/cdqr.py -p win <disk image or CyLR resulting .zip file> --es_kb testing
- The first time logged into Kibana it asks to create a default index. Use
case_cdqr-*
for the index and ensure that the data is fully loaded from previous step - In Kibana click Management -> Saved Objects -> Import and use the file that has all of the Skadi specific Dashboards/Visualizations/Searches kibana_6.x.json