Status: In Development
Elasticsearch and Kibana setup for Penetration testing and reconnaissance.
- An Original Idea? Nope.
- My own version? Yep.
Having to write custom shell scripts to parse and keep track of all th 8000 e data from many different security tools is time consuming and often results in a mountain of text files. Other solutions to this problem often include yet more tools, often times a license, and features that are never used. I needed something simple, lightweight, customisable, portable, and easy to deploy without all the "feature" bloat.
- Normalize useful tool output
- Team Collaboration
-
Clone
git clone https://github.com/c-sh0/santacruz.git -
Increase virtual memory for Elasticsearch
sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' >> /etc/sysctl.conf -
Setup the persistent storage volumes. Permissions need to match the elasticsearch and kibana container users, 1000:1000)
mkdir -p ./data/elasticsearch ./data/kibana
chown 1000:1000 ./data/elasticsearch ./data/kibana
The easiest approach when setting passwords is by following the steps below otherwise, your going to end up mucking with the containers and/or composer files later.
-
Start Elasticsearch container (&& watch logs to make sure it starts)
docker-compose up -d elasticsearch && docker logs elasticsearch --follow -
Change the default passwords for all built-in users, make note of the output.
docker exec elasticsearch /bin/bash -c "bin/elasticsearch-setup-passwords auto --batch" -
Since this is a
single-nodecluster, for all newly created indexes, create an index template that will setnumber_of_replicasto0curl -X PUT 'http://localhost:9200/_template/template_1' \ -H 'Content-Type: application/json' \ -d '{"index_patterns":["*"],"order":0,"settings":{"number_of_shards":1,"number_of_replicas": 0}}' \ -u elastic:<password from #2>
Refer to the documentation for more information and settings.
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates-v1.html -
Update the Kibana and Santacruz configuration files with generated password from #2
conf/kibana.yml
conf/cli.yml -
Start Kibana container. It will take a min or two to fully start (&& watch logs to make sure it starts)
docker-compose up -d kibana && docker logs kibana --follow -
Login into the Kibana dashboard (user: elastic, password from #2)
http://your.ip:5601/ -
(Optional) Add additional users: Stack Management -> Users
By default, containers will not automaticaly start on system boot. The following commands will start the containers when docker starts
docker update --restart=always elasticsearch
docker update --restart=always kibanaSee: https://docs.docker.com/config/containers/start-containers-automatically/
- Documentation
- Rename this project
- Single CLI tool
- Logstash/Filebeat? (Doubtful, no need for it here)
- Other
Marco Lancini's writeup: Offensive ELK: Elasticsearch for Offensive Security
Elasticsearch: https://github.com/elastic/elasticsearch
Kibana: https://github.com/elastic/kibana
Nmap: https://nmap.org/
Project Discovery: https://github.com/projectdiscovery