outflanknl / RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
BSD 3-Clause "New" or "Revised" License

Add bloodhound community #304

Status: Closed (alcastronic closed this 9 months ago)

alcastronic commented 10 months ago

Description

This PR adds the docker containers for the bloodhound community edition to the RedELK full installation.

When installing full

Three additional containers are deployed

Bloodhound-community is configured with a random password like the other apps are.

Because bloodhound-community can only be served from the root of a webserver, a new server configuration template has been included with nginx-conf, which listens on port 8443. As of now, the same certificate as for the Kibana server is used.

The server will be reachable at: https://my-server:8443/ui/login

When installing limited

When the limited option is chosen, bloodhound is not installed and the nginx config is commented out.

Known issues

alcastronic commented 10 months ago

Fixed an error with the awk command that retrieves the password from the .env file once set. This had prevented the password from being present in redelk_passwords.cfg when a .env file already existed.

alcastronic commented 10 months ago

Secrets are currently still placed directly into the elkserver/mounts/bloodhound-config/bloodhound.config.json config file because I did not manage to make the app connect when setting it via the docker environment. However, that should not make a huge difference.

An issue could occur, however, when the password is regenerated by the install script but the volume which is used to store the bloodhound app persistent data is not. I think this is an edge case which is unlikely to be hit.
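
As an added example, and not RedELK's own install script, the shell below shows the .env handling these two comments describe: a password is generated once, persisted in a .env file, read back with awk on later runs so it is not regenerated out from under the persistent volume, and recorded in the central passwords file. The file paths and the BLOODHOUND_ADMIN_PASSWORD variable name are placeholders, not the project's.

```shell
#!/bin/sh
# Added example, not RedELK's installer. Paths and the KEY name are placeholders.
set -eu

BH_ENV="${BH_ENV:-./bloodhound.env}"                      # placeholder .env path
PASSWORDS_CFG="${PASSWORDS_CFG:-./redelk_passwords.cfg}"  # placeholder cfg path
KEY="BLOODHOUND_ADMIN_PASSWORD"                           # hypothetical variable name

# Print the value of KEY from the .env file, or nothing if absent.
# Fields split on the first '=' only, so a password containing '=' survives;
# comment and blank lines are skipped; first match wins.
get_env_password() {
  [ -f "$BH_ENV" ] || return 0
  awk -v k="$KEY" -F= '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    $1 == k { sub("^[^=]*=", ""); print; exit }
  ' "$BH_ENV"
}

# Reuse the stored password when one exists; generate and persist it otherwise.
# Idempotent: re-running the installer never rotates a secret already in use.
ensure_password() {
  ep_pw="$(get_env_password)"
  if [ -z "$ep_pw" ]; then
    # 32 random bytes, base64, stripped to a 24-char alphanumeric token
    ep_pw="$(head -c 32 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-24)"
    umask 077                              # new .env is owner-readable only
    printf '%s=%s\n' "$KEY" "$ep_pw" >> "$BH_ENV"
  fi
  printf '%s\n' "$ep_pw"
}

# Write KEY=value into the passwords file, replacing any earlier entry for KEY.
record_password() {
  rp_pw="$1"
  touch "$PASSWORDS_CFG"
  grep -v "^$KEY=" "$PASSWORDS_CFG" > "$PASSWORDS_CFG.tmp" || true
  printf '%s=%s\n' "$KEY" "$rp_pw" >> "$PASSWORDS_CFG.tmp"
  mv "$PASSWORDS_CFG.tmp" "$PASSWORDS_CFG"
}
```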

alcastronic commented 10 months ago

@MarcOverIP Did you already have a chance to look into this? If so, is there anything you would like to have added or changed?

MarcOverIP commented 10 months ago

Hi @alcastronic, I'm extremely happy with the work. I was offline for holidays. This week is busy, but next week I have some time allocated for this. I'll update you then.

MarcOverIP commented 9 months ago

> Secrets are currently still placed directly into the elkserver/mounts/bloodhound-config/bloodhound.config.json config file because I did not manage to make the app connect when setting it via the docker environment. However, that should not make a huge difference.
>
> An issue could occur, however, when the password is regenerated by the install script but the volume which is used to store the bloodhound app persistent data is not. I think this is an edge case which is unlikely to be hit.

Agree.

MarcOverIP commented 9 months ago

@alcastronic seems like solid work! Thank you.

I haven't done a lot of testing, but I'm merging. In case issues still arise we can troubleshoot. Merging now, keeping the thread open for some time.