redelk-server

OBSOLETE: please use https://github.com/fastlorenzo/redelk-ansible instead

Ansible role to deploy RedELK server components.

Variables

The following variables can be modified:

| Key | Type | Default | Description |
|---|---|---|---|
| `certs_dir_nginx` | string | `"/etc/nginx/certs"` | Path to the folder containing certificates in the Nginx container |
| `certs_dir_nginx_ca` | string | `"/etc/nginx/ca_certs"` | Path to the folder containing the CA certificate in the Nginx container |
| `certs_dir_nginx_ca_local` | string | `"./mounts/certs/ca"` | Local path to the folder containing the CA certificate |
| `certs_dir_nginx_local` | string | `"./mounts/certbot/conf/live/localhost"` | Local path to the folder containing certificates. Replace `localhost` with the same value as `external_domain` |
| `customer_ips` | list | `[]` | List of the customer's IP addresses |
| `docker_dir` | string | `"/var/lib/docker"` | Docker directory |
| `domains` | list | `[]` | List of domain names used for the exercise |
| `es_elastic_password` | string | `"elastic"` | ElasticSearch `elastic` user's password |
| `es_kibana_encryptionKey` | string | `"sLOVUK5MLv0VDhKsMlQcjgAaSMLXLLVy"` | Kibana encryption key (32 alphanumeric characters) |
| `es_kibana_password` | string | `"kibana"` | ElasticSearch `kibana` user's password |
| `es_logstash_system_password` | string | `"logstash_system"` | ElasticSearch `logstash_system` user's password |
| `es_redelk_ingest_password` | string | `"redelk"` | ElasticSearch `redelk-ingest` user's password (used by Logstash) |
| `es_redelk_password` | string | `"redelk"` | ElasticSearch RedELK user's password |
| `es_redelk_user` | string | `"redelk"` | ElasticSearch RedELK username |
| `es_version` | string | `"7.16.3"` | Elastic version |
| `external_domain` | string | `"localhost"` | External domain name to expose the RedELK interface on. Also used to request the Let's Encrypt certificate |
| `le_email` | string | `""` | Let's Encrypt email address |
| `le_enable` | bool | `true` | Whether to request a Let's Encrypt certificate |
| `le_staging` | int | `0` | Set to 1 to use the Let's Encrypt staging endpoint |
| `monitor_hosts` | bool | `false` | Set to true to support monitoring hosts (metricbeat, packetbeat, ...) |
| `neo4j_password` | string | `"BloodHound"` | Neo4j password (user: `neo4j`) |
| `optsec_dir` | string | `"/opt"` | Base directory for component installs (where customer data will be stored); allows storing on an encrypted partition/disk |
| `redelk_alarm_interval` | string | `"3600"` | |
| `redelk_alarm_tempDir` | string | `"/tmp"` | |
| `redelk_alarms` | object | cf. below | Alarm configuration options |
| `redelk_alarms.alarm_dummy.enabled` | bool | `false` | Whether to enable the alarm |
| `redelk_alarms.alarm_dummy.interval` | int | `300` | Interval at which the alarm will run (in seconds) |
| `redelk_alarms.alarm_filehash.enabled` | bool | `true` | Whether to enable the alarm |
| `redelk_alarms.alarm_filehash.ha_api_key` | string | `"<<INSERT_API_KEY>>"` | Hybrid Analysis API key |
| `redelk_alarms.alarm_filehash.ibm_basic_auth` | string | `"Basic <<REPLACE>>"` | IBM X-Force Exchange basic authentication |
| `redelk_alarms.alarm_filehash.interval` | int | `360` | Interval at which the alarm will run (in seconds) |
| `redelk_alarms.alarm_filehash.vt_api_key` | string | `"<<INSERT_API_KEY>>"` | VirusTotal API key |
| `redelk_alarms.alarm_httptraffic.enabled` | bool | `true` | Whether to enable the alarm |
| `redelk_alarms.alarm_httptraffic.interval` | int | `310` | Interval at which the alarm will run (in seconds) |
| `redelk_alarms.alarm_httptraffic.notify_interval` | int | `86400` | Only notify on the same IP hit once every `notify_interval` (in seconds) |
| `redelk_alarms.alarm_useragent.enabled` | bool | `true` | Whether to enable the alarm |
| `redelk_alarms.alarm_useragent.interval` | int | `320` | Interval at which the alarm will run (in seconds) |
| `redelk_cert_path` | string | `"certificates/redelk"` | Local path to store RedELK certificates |
| `redelk_client_connection_mode` | string | `"reverse"` | Sets how RedELK clients connect to Filebeat: `direct` (clients connect to the RedELK server IP directly) or `reverse` (a reverse SSH tunnel is made from the RedELK server to the clients) |
| `redelk_enrich` | object | cf. below | Settings for data enrichment. You can keep these enabled even if you don't use a specific item |
| `redelk_enrich.enrich_csbeacon` | object | cf. below | Enriches rtops data from Cobalt Strike implants |
| `redelk_enrich.enrich_csbeacon.enabled` | bool | `true` | Whether to enable the enrichment module |
| `redelk_enrich.enrich_csbeacon.interval` | int | `300` | Interval (in seconds) at which the enrichment script will run |
| `redelk_enrich.enrich_greynoise` | object | cf. below | Enriches redirtraffic data with info from GreyNoise. If an IP address is listed in GreyNoise, this data is added |
| `redelk_enrich.enrich_greynoise.cache` | int | `86400` | How long the data will be cached (in seconds). If an IP was already seen within this period, no new call to the GreyNoise API is made |
| `redelk_enrich.enrich_greynoise.enabled` | bool | `true` | Whether to enable the enrichment module |
| `redelk_enrich.enrich_greynoise.interval` | int | `310` | Interval (in seconds) at which the enrichment script will run |
| `redelk_enrich.enrich_iplists` | object | cf. below | Background RedELK process that enriches redirtraffic data with the IP lists configured in RedELK (via the ES app or in configuration files). Better keep it enabled |
| `redelk_enrich.enrich_iplists.enabled` | bool | `true` | Whether to enable the enrichment module |
| `redelk_enrich.enrich_iplists.interval` | int | `330` | Interval (in seconds) at which the enrichment script will run |
| `redelk_enrich.enrich_stage1` | object | cf. below | Enriches rtops data from Outflank's custom C2 framework |
| `redelk_enrich.enrich_stage1.enabled` | bool | `false` | Whether to enable the enrichment module |
| `redelk_enrich.enrich_stage1.interval` | int | `300` | Interval (in seconds) at which the enrichment script will run |
| `redelk_enrich.enrich_synciplists` | object | cf. below | Background RedELK process that syncs IP lists from configuration files with ES. Better keep it enabled |
| `redelk_enrich.enrich_synciplists.enabled` | bool | `true` | Whether to enable the enrichment module |
| `redelk_enrich.enrich_synciplists.interval` | int | `360` | Interval (in seconds) at which the enrichment script will run |
| `redelk_enrich.enrich_tor` | object | cf. below | Enriches redirtraffic with Tor data. If an IP address is a known Tor exit node, this info is added |
| `redelk_enrich.enrich_tor.cache` | int | `360` | How often the Tor exit node list should be retrieved (in seconds) |
| `redelk_enrich.enrich_tor.enabled` | bool | `true` | Whether to enable the enrichment module |
| `redelk_enrich.enrich_tor.interval` | int | `360` | Interval (in seconds) at which the enrichment script will run |
| `redelk_install_type` | string | `"full"` | `full` or `limited`. If `full`, Jupyter notebooks and BloodHound/Neo4j are installed as well |
| `redelk_loglevel` | string | `"WARNING"` | Log level of the RedELK daemon |
| `redelk_notifications` | object | cf. below | Alarm notification options |
| `redelk_notifications.email.enabled` | bool | `false` | Whether to enable alarm notifications via e-mail |
| `redelk_notifications.email.from` | string | `"redelk@example.com"` | Source e-mail address to send RedELK notifications from |
| `redelk_notifications.email.smtp.host` | string | `"example.com"` | SMTP server hostname or IP address |
| `redelk_notifications.email.smtp.login` | string | `"redelk@example.com"` | SMTP username to authenticate with |
| `redelk_notifications.email.smtp.pass` | string | `"redelk"` | SMTP password to authenticate with |
| `redelk_notifications.email.smtp.port` | string | `"587"` | SMTP server port |
| `redelk_notifications.email.to` | list | `["redelk@example.com"]` | List of e-mail addresses to send RedELK notifications to |
| `redelk_notifications.msteams.enabled` | bool | `false` | Whether to enable alarm notifications via a Microsoft Teams webhook |
| `redelk_notifications.msteams.webhook_url` | string | `""` | Microsoft Teams webhook URL |
| `redelk_notifications.slack.enabled` | bool | `false` | Whether to enable alarm notifications via a Slack webhook |
| `redelk_notifications.slack.webhook_url` | string | `""` | Slack webhook URL |
| `redelk_repo` | string | `"outflanknl"` | RedELK Docker image repository |
| `redelk_repo_path` | string | `"RedELK"` | Local path to the RedELK git repository; cloned if it doesn't exist |
| `redelk_user` | string | `"redelk"` | RedELK SSH username (used to sync data between the RedELK monitoring server and the clients) |
| `redelk_version` | string | `"master"` | RedELK version to install (ignored if the git repository defined in `redelk_repo_path` is already cloned) |
| `redteam_ips` | list | `[]` | List of the Red Team's IP addresses |
| `ssh_keys_path` | string | `"ssh_keys"` | Local path to store SSH keys |
| `tls_nginx_ca_path` | string | `"/etc/nginx/ca_certs/ca.crt"` | Path to the CA file in the Nginx container |
| `tls_nginx_crt_path` | string | `"/etc/letsencrypt/live/{{ external_domain }}/fullchain.pem"` | Path to the certificate file in the Nginx container |
| `tls_nginx_key_path` | string | `"/etc/letsencrypt/live/{{ external_domain }}/privkey.pem"` | Path to the private key file in the Nginx container |
| `unknown_ips` | list | `[]` | List of unknown IP addresses |

Every password, API key and the Kibana encryption key above ships with a default that is printed in this table and therefore public; override all of them before deploying, and keep the overrides in an `ansible-vault` encrypted file rather than in plain inventory or group_vars.

Dependencies

There is no specific dependency for this module.

Example Playbook

```yaml
- name: Gather facts from all hosts
  hosts: all
  gather_facts: True

- name: Apply redelk-server role to monitoring server(s)
  hosts: monitoring
  gather_facts: True
  tags:
    - monitoring
  roles:
    - redelk-server
```

Example inventory

```ini
[monitoring]
redelk-server  ansible_user=rtoperator  ansible_host=192.168.20.150  ansible_become_password=redelk  type=monitoring

[teamservers]
c2-01          ansible_user=rtoperator  ansible_host=192.168.20.151  ansible_become_password=redelk  type=c2

[redirectors]
redir-01       ansible_user=rtoperator  ansible_host=192.168.20.152  ansible_become_password=redelk  type=redirector
```
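A group_vars file for the `monitoring` group of the inventory above, added here as an example of overriding the role's variables; it is not part of the role's own files. It assumes the file lives at `group_vars/monitoring/vars.yml` and that a sibling `group_vars/monitoring/vault.yml`, encrypted with `ansible-vault`, defines the `vault_*` variables it references (both paths and all `vault_*` names are assumptions, as are the domain, addresses and IP ranges, which are placeholders).

```yaml
# group_vars/monitoring/vars.yml  (assumed path; added example, not shipped with the role)
# Secrets are read from vault_* variables defined in an ansible-vault encrypted
# group_vars/monitoring/vault.yml (assumed path and names).

external_domain: redelk.example.com            # placeholder; also used for the Let's Encrypt request
le_enable: true
le_email: ops@example.com                      # placeholder address
le_staging: 0                                  # set to 1 while testing issuance to avoid rate limits
certs_dir_nginx_local: "./mounts/certbot/conf/live/{{ external_domain }}"   # keep in sync with external_domain

domains:
  - example.com
customer_ips:
  - 203.0.113.0/24                             # placeholder (documentation range)
redteam_ips:
  - 198.51.100.10                              # placeholder (documentation range)

redelk_client_connection_mode: reverse         # server opens reverse SSH tunnels to the clients
redelk_install_type: limited                   # no Jupyter notebooks, no BloodHound/Neo4j
redelk_loglevel: INFO

# Every credential below has a published default in the role; all are overridden from the vault.
es_elastic_password: "{{ vault_es_elastic_password }}"
es_kibana_password: "{{ vault_es_kibana_password }}"
es_logstash_system_password: "{{ vault_es_logstash_system_password }}"
es_redelk_ingest_password: "{{ vault_es_redelk_ingest_password }}"
es_redelk_password: "{{ vault_es_redelk_password }}"
neo4j_password: "{{ vault_neo4j_password }}"

# 32 alphanumeric characters, as the role requires. Ansible's password lookup
# generates the value once, stores it in the named local file and reuses it on
# later runs, so Kibana's saved-object encryption key stays stable. Keep that
# file (assumed path) out of version control.
es_kibana_encryptionKey: "{{ lookup('password', 'credentials/kibana_encryption_key chars=ascii_letters,digits length=32') }}"

# Dict-valued variables are given in full: with Ansible's default
# hash_behaviour=replace, a partial override would drop the role's other keys
# unless the role merges them with its defaults itself.
redelk_alarms:
  alarm_dummy:
    enabled: false
    interval: 300
  alarm_filehash:
    enabled: true
    interval: 360
    vt_api_key: "{{ vault_vt_api_key }}"
    ha_api_key: "{{ vault_ha_api_key }}"
    ibm_basic_auth: "Basic {{ vault_ibm_xforce_basic }}"   # base64(apikey:password), stored in the vault
  alarm_httptraffic:
    enabled: true
    interval: 310
    notify_interval: 86400
  alarm_useragent:
    enabled: true
    interval: 320

redelk_notifications:
  email:
    enabled: false
    from: redelk@example.com
    smtp:
      host: example.com
      login: redelk@example.com
      pass: "{{ vault_smtp_password }}"
      port: "587"
    to:
      - redelk@example.com
  msteams:
    enabled: false
    webhook_url: ""
  slack:
    enabled: true
    webhook_url: "{{ vault_slack_webhook_url }}"   # webhook URLs are bearer secrets; vault them too
```

Run it with `ansible-playbook -i inventory site.yml --ask-vault-pass` (or `--vault-password-file`). The same vault file is also the right place for the `ansible_become_password` that the inventory above carries in clear text: set `ansible_become_password: "{{ vault_become_password }}"` in group_vars and drop it from the inventory lines.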

License

BSD 3-Clause

Maintainers

Lorenzo Bernardi / @fastlorenzo