├── README.md
├── kibana.yml.config
├── elasticsearch.yml.config
└── install-elasticedr.sh
/README.md: --------------------------------------------------------------------------------
1 | # Deploy-ElasticEDR
2 | A small (admittedly janky) bash script plus templated YAML files that deploys an Elastic EDR stack (Elasticsearch + Kibana, 8.x packages) on a single Debian/Ubuntu host. It is meant for lab and testing use only: the rendered configuration keeps the Elasticsearch password in plaintext in `kibana.yml` and binds the Elasticsearch HTTP API on all interfaces.
3 |
4 | After the deployment is done you must generate the Kibana encryption keys and add the settings they produce to `/etc/kibana/kibana.yml` before starting Kibana. The installer already runs this command as its last step and prints the keys; they can be regenerated at any time with:
5 |
6 | ```bash
7 | # Generate kibana encryption keys
8 | /usr/share/kibana/bin/kibana-encryption-keys generate
9 | ```
10 |
--------------------------------------------------------------------------------
/kibana.yml.config: --------------------------------------------------------------------------------
1 | #
2 | #
3 | # Kibana configuration file
4 | #
5 | #
6 |
7 | # This section was automatically generated during setup.
8 | server.name: "ElasticEDR"
9 | server.host: _HOST_IP_
10 |
11 | elasticsearch.hosts: ['https://_HOST_IP_:9200']
12 |
13 | # Account Kibana uses to connect to Elasticsearch (the placeholders are filled in by install-elasticedr.sh). NOTE(review): the password sits here in plaintext, so kibana.yml must not be world-readable (root:kibana, mode 660); moving the secret into the Kibana keystore with 'kibana-keystore add elasticsearch.password' and dropping the line is the better option. Least privilege for this account is the kibana_system role alone; the installer additionally grants it kibana_admin and superuser.
14 | elasticsearch.username: _ELASTICUSER_USERNAME_
15 | elasticsearch.password: _ELASTICUSER_PASSWORD_
16 |
17 | logging.appenders.file.type: file
18 | logging.appenders.file.fileName: /var/log/kibana/kibana.log
19 | logging.appenders.file.layout.type: json
20 | logging.root.appenders: [default, file]
21 |
22 | pid.file: /run/kibana/kibana.pid
23 |
24 | server.ssl.enabled: true
25 | server.ssl.certificate: /etc/kibana/certs/kibana-server/kibana-server.crt
26 | server.ssl.key: /etc/kibana/certs/kibana-server/kibana-server.key
27 | elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/elasticsearch-ca.pem" ]
28 |
29 | # elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1742379734159.crt]
30 |
31 | # These settings will be different after the addition of a fleet server
32 |
33 | # Paste the encryption keys printed by 'kibana-encryption-keys generate' (the installer runs it as its last step) here before starting Kibana.
34 |
35 | # NOTE(review): the setting below holds the full header value. A bare number is not a valid Strict-Transport-Security header (the max-age directive is required, so browsers ignore it); use "max-age=31536000", optionally followed by "; includeSubDomains".
36 | server.securityResponseHeaders.strictTransportSecurity: "31536000"
37 |
server.protocol: http2
38 | server.http2.allowUnsecure: true # NOTE(review): only needed to serve HTTP/2 without TLS; with server.ssl.enabled set to true it can be removed, so that switching TLS off later cannot silently fall back to cleartext HTTP/2
39 | server.ssl.supportedProtocols: ["TLSv1.2", "TLSv1.3"]
--------------------------------------------------------------------------------
/elasticsearch.yml.config: --------------------------------------------------------------------------------
1 | #
2 | #
3 | # Elasticsearch configuration file
4 | #
5 | #
6 |
7 | network.host: _HOST_IP_
8 |
9 | # Create a new cluster with the current node only
10 | # Additional nodes can still join the cluster later
11 | cluster.initial_master_nodes: ["_HOSTNAME_"] # Must match the node name, which defaults to the machine's hostname (the installer substitutes the output of 'hostname'); Elastic recommends removing this setting once the cluster has formed
12 |
13 | # Path to log files:
14 | path.logs: /var/log/elasticsearch
15 |
16 | # Path to directory where to store the data (separate multiple locations by comma):
17 | path.data: /var/lib/elasticsearch
18 |
19 | # Cluster name
20 | cluster.name: ElasticEDR
21 |
22 | # Bind the HTTP API on all interfaces (0.0.0.0), so port 9200 is reachable from every network the host is attached to.
23 | # Connections are TLS-encrypted and require user authentication, but for a test host consider binding to _HOST_IP_ only (as network.host does) or firewalling 9200 to the Kibana/agent addresses.
24 | http.host: 0.0.0.0
25 |
26 | # Enable security features
27 | xpack.security.enabled: true
28 | xpack.security.enrollment.enabled: true
29 | xpack.security.http.ssl.supported_protocols: ["TLSv1.2", "TLSv1.3"]
30 |
31 | # Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
32 | xpack.security.http.ssl:
33 | enabled: true
34 | keystore.path: certs/elasticsearch/http.p12 # New certificate produced by 'elasticsearch-certutil http'; the installer stores its PKCS#12 password in the Elasticsearch keystore
35 |
36 | # Enable encryption and mutual authentication between cluster nodes
37 | xpack.security.transport.ssl:
38 | enabled: true
39 | verification_mode: certificate # validates the peer certificate chain but does not check the peer hostname
40 | keystore.path: certs/transport.p12 # Still the self-signed certificate created by the package's initial auto-configuration
41 | truststore.path: certs/transport.p12 # as above: only peers whose certificate is trusted by this same store may join
--------------------------------------------------------------------------------
/install-elasticedr.sh: --------------------------------------------------------------------------------
1 | # Installer for DEB/APT based systems (Debian/Ubuntu). Bash only: run it as 'bash install-elasticedr.sh ...'
2 | # Tested on Ubuntu 24.02 (no such release number exists; presumably 24.04 LTS was meant)
3 |
4 |
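# Usage: bash install-elasticedr.sh <elastic-username> <password|-> <host-ip>
#
#   $1  name of the Elasticsearch account that Kibana will connect with (created below)
#   $2  its password; pass "-" (or "") to be prompted instead of putting the secret on
#       the command line, where it is visible in 'ps' output and in shell history
#   $3  IP address the services bind to (substituted for _HOST_IP_ in the templates)
#
# The script is bash-only ('read -s', 'read -n'); it has no shebang line, so start it
# with bash explicitly or add '#!/usr/bin/env bash' as the very first line of the file.
# Several steps (certutil, keystore) are interactive and everything privileged runs
# through sudo. Abort on the first failing command, unset variable or broken pipeline.
set -euo pipefail

ELASTICADMINUSER=${1:-}
ELASTICADMINUSERPASSWORD=${2:-}
HOST_IP=${3:-}

if [ -z "$ELASTICADMINUSER" ] || [ -z "$HOST_IP" ]; then
    echo "Usage: install-elasticedr.sh <elastic-username> <password|-> <host-ip>" >&2
    exit 1
fi

# Prompt for the password when it was not handed over on the command line.
if [ -z "$ELASTICADMINUSERPASSWORD" ] || [ "$ELASTICADMINUSERPASSWORD" = "-" ]; then
    read -r -s -p "Password for Elasticsearch user '$ELASTICADMINUSER': " ELASTICADMINUSERPASSWORD
    echo ""
fi
if [ -z "$ELASTICADMINUSERPASSWORD" ]; then
    echo "[-] A non-empty password is required" >&2
    exit 1
fi
# NOTE(review): the value ends up as an unquoted scalar in kibana.yml, so avoid
# passwords containing characters YAML treats specially ('#', ': ', a leading quote).
# Storing it in the Kibana keystore instead of kibana.yml would avoid this entirely.

# The templates are read from the current directory.
for template in elasticsearch.yml.config kibana.yml.config; do
    if [ ! -f "$template" ]; then
        echo "[-] Template '$template' not found in $(pwd); run the script from the repository directory" >&2
        exit 1
    fi
done

# Block until a single key is pressed.
pause() {
    read -r -s -n 1 -p "Press [Enter] key to continue . . ."
    echo ""
}

# Escape a value for the replacement side of a sed 's/.../.../' expression so that
# '/', '&' and '\' in a username or password neither break the expression nor get
# interpreted as sed metacharacters.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

HOSTNAME=$(hostname)

# Render the templates into a private temporary directory (mktemp -d creates it with
# mode 0700) instead of editing the tracked *.config files in place: the templates
# stay reusable for another run and the plaintext password is not left behind in a
# readable copy next to the script. The directory is removed when the script exits.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
ES_CONF="$WORKDIR/elasticsearch.yml"
KB_CONF="$WORKDIR/kibana.yml"
cp elasticsearch.yml.config "$ES_CONF"
cp kibana.yml.config "$KB_CONF"

# - Fill in the IP address & hostname
# -- Elasticsearch
sed -i "s/_HOST_IP_/$(sed_escape "$HOST_IP")/g" "$ES_CONF"
sed -i "s/_HOSTNAME_/$(sed_escape "$HOSTNAME")/g" "$ES_CONF"
# -- Kibana
sed -i "s/_HOST_IP_/$(sed_escape "$HOST_IP")/g" "$KB_CONF"

# - Fill in the Elasticsearch username and password Kibana will use
sed -i "s/_ELASTICUSER_USERNAME_/$(sed_escape "$ELASTICADMINUSER")/g" "$KB_CONF"
sed -i "s/_ELASTICUSER_PASSWORD_/$(sed_escape "$ELASTICADMINUSERPASSWORD")/g" "$KB_CONF"

# Install some packages
echo "[+] Running 'apt update' and installing some packages"
sudo apt update
sudo apt install -y git apt-transport-https fish unzip p7zip-full

# Add the signing key and repository for Elastic's 8.x packages. The key is fetched
# over HTTPS and APT verifies package signatures against this keyring; --batch --yes
# lets gpg overwrite an existing keyring on a re-run instead of prompting.
echo "[+] Adding elastic repository"
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
echo "[+] Updating APT after elastic repository addition"
sudo apt update

# Install Elastic & Kibana
echo "[+] Installing Elasticsearch and Kibana"
sudo apt install -y elasticsearch kibana

echo "[!] Make sure to copy the password from the installation output above"
pause

echo "[+] Backing up the original elasticsearch.yml file in /etc/elasticsearch/"
sudo mv /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.bak

echo "[+] Backing up the original kibana.yml file in /etc/kibana/"
sudo mv /etc/kibana/kibana.yml /etc/kibana/kibana.yml.bak

echo "[+] Adding new user $ELASTICADMINUSER"
# The file realm is used because the cluster is not running yet.
# NOTE(review): '-p' exposes the secret in the process arguments for the duration of
# this command. The roles below make the account Kibana connects with a superuser;
# for least privilege give this account kibana_system only and create a separate
# user for logging in to Kibana.
sudo /usr/share/elasticsearch/bin/elasticsearch-users useradd "$ELASTICADMINUSER" -p "$ELASTICADMINUSERPASSWORD"
sudo /usr/share/elasticsearch/bin/elasticsearch-users roles "$ELASTICADMINUSER" -a kibana_system,kibana_admin,superuser

echo "[+] Creating a new CA and certificates for Elasticsearch and Kibana"
echo "Follow the steps... !"
# Interactive wizard. Answer "yes" to generating a new CA: the Kibana certificate
# below is signed with ca/ca.p12 from this bundle, which the tool writes to
# /usr/share/elasticsearch/elasticsearch-ssl-http.zip by default.
sudo /usr/share/elasticsearch/bin/elasticsearch-certutil http # Elasticsearch and kibana

echo "[+] Adding the PKCS#12 password to the keystore of elasticsearch"
sudo /usr/share/elasticsearch/bin/elasticsearch-keystore add "xpack.security.http.ssl.keystore.secure_password" # PKCS12 password, prompted

echo "[+] Unpacking the Elasticsearch HTTP certificate bundle"
sudo mkdir -p /etc/kibana/certs/
sudo unzip -o /usr/share/elasticsearch/elasticsearch-ssl-http.zip -d /etc/elasticsearch/certs/

echo "[+] Generating Kibana SSL certificate signed by the Elasticsearch CA"
# Subject alternative names are derived from this machine instead of being
# hard-coded for one lab host, and the address goes into an IP SAN rather than a DNS
# SAN. Add further -dns/-ip values for any other name Kibana is reached under.
sudo /usr/share/elasticsearch/bin/elasticsearch-certutil cert -pem \
    -ca /etc/elasticsearch/certs/ca/ca.p12 -name kibana-server \
    -dns "kibana,$HOSTNAME" -ip "$HOST_IP"

sudo cp /etc/elasticsearch/certs/kibana/elasticsearch-ca.pem /etc/kibana/certs/elasticsearch-ca.pem

echo "[+] Unpacking the Kibana server certificate into /etc/kibana/certs/"
sudo unzip -o /usr/share/elasticsearch/certificate-bundle.zip -d /etc/kibana/certs/

# Private key and certificates readable by root and the kibana service group only.
echo "[+] Restricting permissions on the Kibana certificates (root:kibana, 750/640)"
sudo chown -R root:kibana /etc/kibana/certs
sudo chmod 750 /etc/kibana/certs /etc/kibana/certs/kibana-server
sudo chmod 640 /etc/kibana/certs/elasticsearch-ca.pem \
    /etc/kibana/certs/kibana-server/kibana-server.key \
    /etc/kibana/certs/kibana-server/kibana-server.crt

echo "[+] Installing the new configuration files for elasticsearch and kibana"
# kibana.yml carries the Elasticsearch password and both files carry TLS settings.
# A plain cp creates them with umask permissions (typically world-readable), so set
# owner root, group of the service user, and no access for others.
sudo cp "$ES_CONF" /etc/elasticsearch/elasticsearch.yml
sudo chown root:elasticsearch /etc/elasticsearch/elasticsearch.yml
sudo chmod 660 /etc/elasticsearch/elasticsearch.yml
sudo cp "$KB_CONF" /etc/kibana/kibana.yml
sudo chown root:kibana /etc/kibana/kibana.yml
sudo chmod 660 /etc/kibana/kibana.yml

# Generate encryption keys for kibana (printed to the terminal; echo without -e
# would have printed a literal "\t", hence printf).
echo "[+] Generating encryption keys for Kibana"
printf '\t==== Copy them to the kibana.yml file ====\n'
sudo /usr/share/kibana/bin/kibana-encryption-keys generate -f

echo "[+] Enable elasticsearch and kibana to start on boot"
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl enable kibana

echo "[+] Cleaning up certificate-bundle.zip"
sudo rm -f /usr/share/elasticsearch/certificate-bundle.zip

echo "[+] Cleaning up elasticsearch-ssl-http.zip"
sudo rm -f /usr/share/elasticsearch/elasticsearch-ssl-http.zip

echo "[+] Finished !"
echo "Make the changes to the configuration files and start the services"
echo "systemctl start elasticsearch"
echo "systemctl start kibana"

echo "[!] Do not forget to make the required changes to the config files to make it work"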