Building an OpenCTI server with docker
banister@soc:~/soc$ df -h
Filesystem Size Used Avail Use% Mounted on
tmpfs 1.6G 2.1M 1.6G 1% /run
/dev/sda3 1007G 21G 936G 3% /
tmpfs 7.9G 0 7.9G 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
/dev/sda2 512M 6.1M 506M 2% /boot/efi
tmpfs 1.6G 112K 1.6G 1% /run/user/1000
/dev/sr0 4.6G 4.6G 0 100% /media/banister/Ubuntu 22.04.2 LTS amd64
Official documentation
https://docs.opencti.io/6.0.X/deployment/installation/
Installation
$ git clone https://github.com/OpenCTI-Platform/docker.git opencti-docker
$ cd opencti-docker
The official documentation recommends setting thread_pool.search.queue_size to 5000, but docker-compose.yml already contained that entry, so I proceeded as-is.
- xpack.ml.enabled=false
- xpack.security.enabled=false
- thread_pool.search.queue_size=5000
- logger.org.elasticsearch.discovery="ERROR"
- "ES_JAVA_OPTS=-Xms${ELASTIC_MEMORY_SIZE} -Xmx${ELASTIC_MEMORY_SIZE}"
Leave the .env.sample file in place and create a new .env file with the following command.
$ (cat << EOF
OPENCTI_ADMIN_EMAIL=admin@opencti.io
OPENCTI_ADMIN_PASSWORD=ChangeMePlease
OPENCTI_ADMIN_TOKEN=$(cat /proc/sys/kernel/random/uuid)
OPENCTI_BASE_URL=http://localhost:8080
MINIO_ROOT_USER=$(cat /proc/sys/kernel/random/uuid)
MINIO_ROOT_PASSWORD=$(cat /proc/sys/kernel/random/uuid)
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
ELASTIC_MEMORY_SIZE=4G
CONNECTOR_HISTORY_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_CSV_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_TXT_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_DOCUMENT_ID=$(cat /proc/sys/kernel/random/uuid)
SMTP_HOSTNAME=localhost
EOF
) > .env
For ElasticSearch, raise the Linux kernel's limit on the number of memory map areas a single process may hold from the default 65530 to 1048575.
$ sudo sysctl -w vm.max_map_count=1048575
[sudo] hoge のパスワード:
vm.max_map_count = 1048575
To persist the setting above, add the following to /etc/sysctl.conf:
# for OpenCTI ElasticSearch
vm.max_map_count=1048575
Startup
$ docker compose up
A great many errors are printed, but once the required workers come up the errors subside, so don't worry.
Checking the containers
$ docker compose ps
WARN[0000] /home/banister/soc/opencti-docker/docker-compose.yml: `version` is obsolete
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
opencti-docker-connector-export-file-csv-1 opencti/connector-export-file-csv:6.0.8 "/entrypoint.sh" connector-export-file-csv About a minute ago Up 41 seconds
opencti-docker-connector-export-file-stix-1 opencti/connector-export-file-stix:6.0.8 "/entrypoint.sh" connector-export-file-stix About a minute ago Up 41 seconds
opencti-docker-connector-export-file-txt-1 opencti/connector-export-file-txt:6.0.8 "/entrypoint.sh" connector-export-file-txt About a minute ago Up 41 seconds
opencti-docker-connector-import-document-1 opencti/connector-import-document:6.0.8 "/entrypoint.sh" connector-import-document About a minute ago Up 37 seconds
opencti-docker-connector-import-file-stix-1 opencti/connector-import-file-stix:6.0.8 "/entrypoint.sh" connector-import-file-stix About a minute ago Up 38 seconds
opencti-docker-elasticsearch-1 docker.elastic.co/elasticsearch/elasticsearch:8.12.2 "/bin/tini -- /usr/l…" elasticsearch About a minute ago Up About a minute 9200/tcp, 9300/tcp
opencti-docker-minio-1 minio/minio:RELEASE.2024-01-16T16-07-38Z "/usr/bin/docker-ent…" minio About a minute ago Up About a minute 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp
opencti-docker-opencti-1 opencti/platform:6.0.8 "/sbin/tini -- node …" opencti About a minute ago Up About a minute 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp
opencti-docker-rabbitmq-1 rabbitmq:3.13-management "docker-entrypoint.s…" rabbitmq About a minute ago Up About a minute 4369/tcp, 5671-5672/tcp, 15671-15672/tcp, 15691-15692/tcp, 25672/tcp
opencti-docker-redis-1 redis:7.2.4 "docker-entrypoint.s…" redis About a minute ago Up About a minute 6379/tcp
opencti-docker-worker-1 opencti/worker:6.0.8 "python3 worker.py" worker About a minute ago Up 41 seconds
opencti-docker-worker-2 opencti/worker:6.0.8 "python3 worker.py" worker About a minute ago Up 41 seconds
opencti-docker-worker-3 opencti/worker:6.0.8 "python3 worker.py" worker About a minute ago Up 41 seconds
Open http://localhost:8080 in a browser.

Since .env is still at its defaults, log in with admin@opencti.io and ChangeMePlease. It worked without problems.

banister@soc:~/soc/opencti-docker$ df -h
Filesystem Size Used Avail Use% Mounted on
tmpfs 1.6G 3.1M 1.6G 1% /run
/dev/sda3 1007G 26G 930G 3% /
tmpfs 7.9G 0 7.9G 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
/dev/sda2 512M 6.1M 506M 2% /boot/efi
tmpfs 1.6G 120K 1.6G 1% /run/user/1000
/dev/sr0 4.6G 4.6G 0 100% /media/banister/Ubuntu 22.04.2 LTS amd64
Startup configuration
Create /etc/systemd/system/docker-compose-soc-opencti.service with the following contents.
[Unit]
Description=Docker Compose SOC MISP Service
Requires=docker.service
After=docker.service
[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/home/banister/soc/opencti-docker
ExecStart=docker compose up -d
ExecStop=docker compose down
TimeoutStartSec=0
[Install]
WantedBy=multi-user.target
Enable it
$ sudo systemctl enable docker-compose-soc-opencti.service
[connector] cve
https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/cve
docker-compose.yml
  connector-cve:
    image: opencti/connector-cve:6.0.8
    environment:
      - OPENCTI_URL=http://localhost
      - OPENCTI_TOKEN=ChangeMe
      - CONNECTOR_ID=ChangeMe
      - CONNECTOR_NAME=Common Vulnerabilities and Exposures
      - CONNECTOR_SCOPE=identity,vulnerability
      - CONNECTOR_CONFIDENCE_LEVEL=75 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_RUN_AND_TERMINATE=false
      - CONNECTOR_LOG_LEVEL=error
      - CVE_BASE_URL=https://services.nvd.nist.gov/rest/json/cves
      - CVE_API_KEY=ChangeMe # Required
      - CVE_INTERVAL=2 # Required, in hours advice min 2
      - CVE_MAX_DATE_RANGE=120 # In days, max 120
      - CVE_MAINTAIN_DATA=true # Required, retrieve only updated data
      - CVE_PULL_HISTORY=false # If true, CVE_HISTORY_START_YEAR is required
      - CVE_HISTORY_START_YEAR=2019 # Required if pull_history is True, min 2019 (see documentation CVE and CVSS base score V3.1)
    restart: always
Modify this as follows and append it under services in OpenCTI's docker-compose.yml.
  connector-cve:
    image: opencti/connector-cve:6.0.8
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=<uuid generated with uuidgen>
      - CONNECTOR_NAME=Common Vulnerabilities and Exposures
      - CONNECTOR_SCOPE=identity,vulnerability
      - CONNECTOR_CONFIDENCE_LEVEL=75 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_RUN_AND_TERMINATE=false
      - CONNECTOR_LOG_LEVEL=error
      - CVE_BASE_URL=https://services.nvd.nist.gov/rest/json/cves
      - CVE_API_KEY=ChangeMe # Required
      - CVE_INTERVAL=2 # Required, in hours advice min 2
      - CVE_MAX_DATE_RANGE=120 # In days, max 120
      - CVE_MAINTAIN_DATA=true # Required, retrieve only updated data
      - CVE_PULL_HISTORY=false # If true, CVE_HISTORY_START_YEAR is required
      - CVE_HISTORY_START_YEAR=2019 # Required if pull_history is True, min 2019 (see documentation CVE and CVSS base score V3.1)
    restart: always
[connector] MISP
MISP setup is described here:
https://blog.yuhei.yokohama/?p=1315
Copy the docker-compose.yml contents from there and add them under services in OpenCTI's docker-compose.yml.
  connector-misp:
    image: opencti/connector-misp:6.0.8
    environment:
      - OPENCTI_URL=https://localhost
      - OPENCTI_TOKEN=ChangeMe
      - CONNECTOR_ID=ChangeMe
      - CONNECTOR_NAME=MISP
      - CONNECTOR_SCOPE=misp
      - CONNECTOR_CONFIDENCE_LEVEL=25 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_LOG_LEVEL=error
      - CONNECTOR_EXPOSE_METRICS=false
      - MISP_URL=http://localhost # Required
      - MISP_REFERENCE_URL= # Optional, will be used to create external reference to MISP event (default is "url")
      - MISP_KEY=ChangeMe # Required
      - MISP_SSL_VERIFY=false # Required
      - MISP_DATETIME_ATTRIBUTE=timestamp # Required, filter to be used in query for new MISP events
      - MISP_REPORT_DESCRIPTION_ATTRIBUTE_FILTER= # Optional, filter to be used to find the attribute with report description (example: "type=comment,category=Internal reference")
      - MISP_CREATE_REPORTS=true # Required, create report for MISP event
      - MISP_CREATE_INDICATORS=true # Required, create indicators from attributes
      - MISP_CREATE_OBSERVABLES=true # Required, create observables from attributes
      - MISP_CREATE_OBJECT_OBSERVABLES=true # Required, create text observables for MISP objects
      - MISP_CREATE_TAGS_AS_LABELS=true # Optional, create tags as labels (sanitize MISP tag to OpenCTI labels)
      - MISP_GUESS_THREAT_FROM_TAGS=false # Optional, try to guess threats (threat actor, intrusion set, malware, etc.) from MISP tags when they are present in OpenCTI
      - MISP_AUTHOR_FROM_TAGS=false # Optional, map creator:XX=YY (author of event will be YY instead of the author of the event)
      - MISP_MARKINGS_FROM_TAGS=false # Optional, map marking:XX=YY (in addition to TLP, add XX:YY as marking definition, where XX is marking type, YY is marking value)
      - MISP_ENFORCE_WARNING_LIST=false # Optional, enforce warning list in MISP queries
      - MISP_REPORT_TYPE=misp-event # Optional, report_class if creating report for event
      - MISP_IMPORT_FROM_DATE=2000-01-01 # Required, import all event from this date
      - MISP_IMPORT_TAGS=opencti:import,type:osint # Optional, list of tags used for import events
      - MISP_IMPORT_TAGS_NOT= # Optional, list of tags to not include
      - MISP_IMPORT_CREATOR_ORGS= # Optional, only import events created by those orgs (put the identifiers here)
      - MISP_IMPORT_CREATOR_ORGS_NOT= # Optional, do not import events created by those orgs (put the identifiers here)
      - MISP_IMPORT_OWNER_ORGS= # Optional, only import events owned by those orgs (put the identifiers here)
      - MISP_IMPORT_OWNER_ORGS_NOT= # Optional, do not import events owned by those orgs (put the identifiers here)
      - MISP_IMPORT_KEYWORD= # Optional, search only events based on a keyword
      - MISP_IMPORT_DISTRIBUTION_LEVELS= # Optional, only import events with the given distribution levels (ex: 0,1,2,3)
      - MISP_IMPORT_THREAT_LEVELS= # Optional only import events with the given threat levels (ex: 1,2,3,4)
      - MISP_IMPORT_ONLY_PUBLISHED=false
      - MISP_IMPORT_WITH_ATTACHMENTS=false # Optional, try to import a PDF file from the attachment attribute
      - MISP_IMPORT_TO_IDS_NO_SCORE=40 # Optional, use as a score for the indicator/observable if the attribute to_ids is no
      - MISP_IMPORT_UNSUPPORTED_OBSERVABLES_AS_TEXT=false # Optional, import unsupported observable as x_opencti_text
      - MISP_IMPORT_UNSUPPORTED_OBSERVABLES_AS_TEXT_TRANSPARENT=true # Optional, import unsupported observable as x_opencti_text just with the value
      - MISP_INTERVAL=5 # Required, in minutes
    restart: always
After this the required items are edited, but first obtain MISP_KEY from the MISP server.

This time I created a new one for OpenCTI.

Also generate the uuid to use for CONNECTOR_ID.
$ uuidgen
d7c07a17-ad57-49a1-bc6a-0236143d2776
Edit the following parts of OpenCTI's docker-compose.yml.
- OPENCTI_URL=<URL of the OpenCTI server>
- OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
- CONNECTOR_ID=<the UUID version 4 generated above>
- MISP_URL=<URL of the MISP server>
- MISP_KEY=<the MISP Authentication key issued above>
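A pre-flight check worth running before `docker compose up`, covering both the generated .env above and the connector entries just edited. This is an added example, not code from the post or from the OpenCTI project; the sample .env and connector lines are constructed, the key names come from the files shown above. It flags values still at their sample placeholders (ChangeMe, ChangeMePlease, guest/guest), a CONNECTOR_ID or token that is not a UUID v4, and `localhost` URLs, which inside a connector container point at the connector itself rather than at OpenCTI or MISP.

```python
import re
# UUID v4, the shape that uuidgen and /proc/sys/kernel/random/uuid emit.
UUID4_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)
# Placeholder values shipped in .env.sample and in the connector samples above.
PLACEHOLDERS = {"", "ChangeMe", "ChangeMePlease", "guest"}

def parse_kv(text, env=None):
    """Parse `KEY=VALUE # comment` lines (.env or compose `- KEY=VALUE`), expanding ${VAR} from env."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.split(" #", 1)[0].strip()  # drop a trailing "# comment"
        out[key.strip()] = re.sub(r"\$\{(\w+)\}", lambda m: (env or {}).get(m.group(1), ""), val)
    return out

def check(settings, uuid_keys=(), secret_keys=(), url_keys=()):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    for k in uuid_keys:
        if not UUID4_RE.match(settings.get(k, "")):
            findings.append(f"{k}: not a UUID v4 ({settings.get(k, '')!r})")
    for k in secret_keys:
        if settings.get(k, "") in PLACEHOLDERS:
            findings.append(f"{k}: placeholder or empty value")
    for k in url_keys:  # inside a connector container, localhost is the connector itself
        if re.search(r"localhost|127\.0\.0\.1", settings.get(k, "")):
            findings.append(f"{k}: localhost in a container; use the compose service name")
    return findings

def check_env(env_text):
    """The heredoc .env: tokens and ids must be UUIDs; admin and RabbitMQ creds must not be the defaults."""
    env = parse_kv(env_text)
    uuid_keys = [k for k in env if k == "OPENCTI_ADMIN_TOKEN" or k.startswith("MINIO_ROOT_")
                 or (k.startswith("CONNECTOR_") and k.endswith("_ID"))]
    return check(env, uuid_keys, ("OPENCTI_ADMIN_PASSWORD", "RABBITMQ_DEFAULT_USER", "RABBITMQ_DEFAULT_PASS"))

def check_connector(connector_text, env_text):
    """One connector's environment list, checked after ${...} is resolved against the .env."""
    conf = parse_kv(connector_text, parse_kv(env_text))
    secrets = [k for k in ("OPENCTI_TOKEN", "CVE_API_KEY", "MISP_KEY") if k in conf]
    urls = [k for k in ("OPENCTI_URL", "MISP_URL") if k in conf]
    return check(conf, ("CONNECTOR_ID",), secrets, urls)

# Constructed sample .env in the shape of the post's heredoc (the UUIDs are made up).
SAMPLE_ENV = ("OPENCTI_ADMIN_PASSWORD=ChangeMePlease\nRABBITMQ_DEFAULT_USER=guest\nRABBITMQ_DEFAULT_PASS=guest\n"
              "OPENCTI_ADMIN_TOKEN=0f2a5d6e-3b4c-4d1e-8f70-9a1b2c3d4e5f\n"
              "CONNECTOR_HISTORY_ID=3c4d5e6f-7081-4c9d-ae1f-2a3b4c5d6e7f\n")
# Constructed connector-misp environment lines, still at the sample values.
SAMPLE_MISP = ("- OPENCTI_URL=http://opencti:8080\n- OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}\n- CONNECTOR_ID=ChangeMe\n"
               "- MISP_URL=http://localhost # Required\n- MISP_KEY=ChangeMe # Required\n")
```

Run `check_env` on the real .env and `check_connector` on each connector block pasted under services; the sample data above yields three findings for each.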
Linking to my self-built MISP appears to have failed. No data at all is being ingested on the OpenCTI side.