
Installation: OpenSSL Signed Installation Guide

@AlanOrlikoski edited this page Apr 12, 2018 · 25 revisions

OpenSSL Signed Installation On Existing Server

This type of installation is for users with some experience with Linux administration. It is ideal for those who are required to build on a baseline (gold disk) image, and it also works well as a build script for cloud-based instances. It ensures that the most recent versions of the software are used and that they are configured the same way every time. Note also that all ciphers and keys are generated at run time, so they are as unique as a script can make them.

This installation will do the following:

The script installs and configures the following items on a base Ubuntu/Debian image, creating systemd services for them where the packages do not provide their own:

  • Plaso
  • CDQR
  • CyLR
  • Docker
  • ElasticSearch, Logstash, Kibana (ELK)
  • Redis
  • Neo4j
  • Celery
  • Cerebro
  • Various dependencies of the above

Installation instructions

  • Start with Ubuntu 16.04 LTS or an equivalent Debian-based installation
  • Log into the system with an account that has sudo privileges (the name doesn't have to be cdqr, but it is nostalgic)
  • The buildskadi.sh script downloads the signed buildskadi.tgz file and verifies its signature using openssl. If anything interrupts the download, or if the signature doesn't match, the installation exits with an error message. Note that the signature check covers buildskadi.tgz only: buildskadi.sh itself is fetched with wget over HTTPS from raw.githubusercontent.com and then executed directly, so read it first if your environment requires bootstrap scripts to be reviewed before they run.
  • Start the script from a terminal using the commands below

This could take anywhere from 5 - 60+ minutes depending on the speed of the internet connection

wget -O /tmp/buildskadi.sh https://raw.githubusercontent.com/orlikoski/skadi/master/scripts/buildskadi.sh
bash /tmp/buildskadi.sh
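To show what the "verify the signature, else exit" step above actually does, here is an added example written for this page; it is not Skadi's buildskadi.sh. The key file name (skadi-release.pem), the detached signature name (buildskadi.tgz.sig) and the tarball contents are assumptions and constructed stand-ins. The script signs a tarball with a throwaway RSA key, verifies it with openssl dgst, then appends one byte to the archive and shows that both the verification and the extraction are refused:

```bash
#!/usr/bin/env bash
# Added example for this page, not Skadi's own buildskadi.sh.
# Assumed names: skadi-release.pem (public key), buildskadi.tgz.sig
# (detached signature). The tarball contents are a constructed stand-in.
set -u

# verify_signed_tarball PUBKEY TARBALL SIG
# Succeeds only if SIG is a valid SHA-256/RSA signature over TARBALL
# made with the private key matching PUBKEY.
verify_signed_tarball() {
    local pubkey="$1" tarball="$2" sig="$3"
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$tarball" >/dev/null 2>&1
}

# install_if_verified PUBKEY TARBALL SIG DEST
# Fail closed: extract into DEST only after the signature check passes.
install_if_verified() {
    local pubkey="$1" tarball="$2" sig="$3" dest="$4"
    if ! verify_signed_tarball "$pubkey" "$tarball" "$sig"; then
        echo "ERROR: signature check failed for $tarball; not installing" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# demo_sign_and_verify
# Builds a constructed tarball, signs it with a throwaway key, verifies it,
# then corrupts the archive (as a truncated or swapped download would) and
# checks that verification and installation are both refused.
# Prints one line: "good:<rc> tampered:<rc> installed:<rc>" (0 = success).
demo_sign_and_verify() {
    local work good bad inst
    work="$(mktemp -d)"
    (
        cd "$work" || exit 1
        mkdir payload
        echo 'echo hello from the signed payload' > payload/install.sh
        tar -czf buildskadi.tgz payload

        # Throwaway release key pair. In a real deployment the public key is
        # obtained out of band (e.g. embedded in the bootstrap script), never
        # downloaded alongside the artifact it is meant to verify.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out release-key.pem 2>/dev/null
        openssl pkey -in release-key.pem -pubout -out skadi-release.pem 2>/dev/null
        openssl dgst -sha256 -sign release-key.pem \
            -out buildskadi.tgz.sig buildskadi.tgz

        if verify_signed_tarball skadi-release.pem buildskadi.tgz buildskadi.tgz.sig
        then good=0; else good=1; fi

        # Append one byte: the digest no longer matches, so the signature fails.
        printf 'X' >> buildskadi.tgz
        if verify_signed_tarball skadi-release.pem buildskadi.tgz buildskadi.tgz.sig
        then bad=0; else bad=1; fi
        if install_if_verified skadi-release.pem buildskadi.tgz buildskadi.tgz.sig out
        then inst=0; else inst=1; fi

        echo "good:$good tampered:$bad installed:$inst"
    )
    rm -rf "$work"
}

demo_sign_and_verify
```

The point of the fail-closed shape is that nothing from the archive is touched until openssl has reported "Verified OK"; a partial download, a swapped file or a bit flip anywhere in the tarball changes the SHA-256 digest and the signature check returns non-zero, which is the behaviour the installer description above relies on.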

Post Installation

The final completion will look something like this (version numbers may change over time):

Installed Software Version Checks (Where it is supported)
plaso - log2timeline version 20180127
CDQR Version: 4.1.5
CyLR Version 1.4.0.0
Docker version 18.03.0-ce, build 0520e24
ELK Version: "6.2.3"
Redis server v=4.0.9 sha=00000000:0 malloc=jemalloc-4.0.3 bits=64 build=3bcf075214098f11
neo4j 3.3.4
Celery version: 4.1.0 (latentcall)
Cerebro version: 0.7.2


System Health Checks
  Bringing up elasticsearch
  Bringing up postgresql
  Bringing up celery
  Bringing up neo4j
  Bringing up redis
  Bringing up kibana
  Bringing up timesketch

  elasticsearch service is: active
  postgresql service is: active
  celery service is: active
  neo4j service is: active
  redis service is: active
  kibana service is: active
  timesketch service is: active

Logstash is installed but not enabled by default.
To enable it, run the following commands:
    sudo systemctl restart logstash  
    sudo systemctl enable logstash  

TimeSketch Initial User Information (reset with 'tsctl add_user -u cdqr_<random chars> -p <password>')
Username: cdqr_<random chars>
Password: <random 32 character string>

Setup Kibana

Not 100% complete, but very close. The reason this part is for advanced users is that the remaining items require loading sample data into ElasticSearch in order to create the default index pattern in Kibana, and then loading the pre-made Dashboards, Visualizations, and Searches into Kibana (these only work once the correct indexes exist).

Complete the remaining items:

  • Run sample data through CDQR into the ElasticSearch database (sample virtual machines can be found at the DFIR Training site, or use CyLR to collect from a sample host, which is much faster).
  • Sample command: ~/cdqr.py -p win <disk image or CyLR resulting .zip file> --es_kb testing
  • The first time you log into Kibana it asks you to create a default index pattern. Use case_cdqr-* for the index and make sure the data from the previous step has fully loaded first.
  • In Kibana click Management -> Saved Objects -> Import and select the kibana_6.x.json file, which contains all of the Skadi-specific Dashboards/Visualizations/Searches.