SOLDR is an Endpoint Detection and Response system which consists of centralised management part with extensive Web UI and Agents being installed on endpoint systems. SOLDR allows you not only to configure security policies but also write your own modules and make detection of the comprehensive security events as well as do almost instant response on the security alarms.
build- storage of all built artifactscmd- services entry pointsdb- database migrationsinternal- services implementationscripts- supplemental scriptssecurity- security configurationweb- web interface source
- docker-ce
- docker-compose
- protobuf
- go
protoc-gen-go- install with
go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
- install with
- node, recommended node 16 LTS
python2mysqlclient- minio client
- Note: better install as
mclidue to conflict
- Note: better install as
sudo apt update
sudo apt install build-essential ca-certificates openssl software-properties-common curl git mysql-client jq
# golang 1.19
sudo add-apt-repository ppa:longsleep/golang-backports
sudo apt-get install golang-go
# node 16 LTS
curl -fsSL https://deb.nodesource.com/setup_16.x | sudo -E bash -
sudo apt-get install -y nodejs
# yarn
curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt-get update && sudo apt-get install yarn
# docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
usermod -aG docker "$USER"
newgrp dockerSetup an environment configuration:
cp .env.template .envDocker images stored in vxcontrol docker hub account.
This scenario requires .env and docker-compose.yml files.
docker compose pulldocker compose up -ddocker compose --profile obs up -ddocker compose downdocker compose down -vSOLDR require prepared DB schema and additional data stored in S3 for proper initialization. Pull dependencies and start MySQL and Minio servers for simplicity using docker.
docker compose pull
docker compose up -d mysql minioWait until MySQL and Minio starts (approx. 30 seconds for the first run), and seed required data:
make db-init
make s3-initGenerate certificates and other crypto materials:
Attention: Regeneration of crypto configuration will lead to communication breakage for already stored modules and running agents after rebuild the server components.
make generate-allBuild services and a Web UI:
make build-allIn case of some issues you can use build with prepared environment in docker image:
make build-backend-vxbuildUpload agent binary into binary storage and register it:
make s3-upload-vxagent
Configure web UI proxy:
make setup-web-proxyStart a web UI:
make run-webAn API Server:
make run-apiAn Agent Server:
make run-serverAn Agent instance:
make run-agentAnd finally, upload SOLDR modules to local storage:
docker compose up -d modulesOpen http://localhost in a browser. Follow the login process and use default credentials: admin / admin.
Click on Modules tab in the top menu bar, then open module creation wizard using Create a module button.
Name your first module and select Basic template, rest leave as is.
Click on Create button, which will lead you to a Module editor. Now, when a module is created, let's assign it to a policy.
Open Groups of agents tab in the top menu bar, then click Create a group button and give some name to a new group.
To assign an Agent to a new group, open Agents tab in the top menu, select All agents filter group, then click on an agent name in the list and on the Move to group button in the top right corner of the interface. Finally, select the group that you have just created and finish the process using button Move.
Now we need to create a policy that will contain our new module and assign it to that group. To create a policy, open Policies tab in the top menu bar, then click on Create a policy button, name your first policy and proceed with Create button.
Using Link to groups button in the top right corner of the interface, create a link between a group and a policy - click on a link icon in the list right near the name of the group that you want to link.
Let's then add the first created module to the policy - Being in the Policices tab, you should see Modules section with Available to be added group being selected by default. Click on Install button to the right of the module name in the list.
As a final step, let's validate that the module has been installed on the Agent according to assigned policy and that this module can successfully communicate with other parts of the system. Open Agents tab, then get into a module by clicking on its name. In the Modules section you will find one module being installed on an agent and information that this module is configured by a policy. Using the gear-looking button to the right of the module name to get into the interactive interface of the module.
Then click on Send data button and check the log right below - it should contain following log lines which tells that test data was sent to the agent part of the module and as a result some data was returned:
2:04:20 PM.152 SEND DATA: {"type":"hs_browser","data":"test test test"}
2:04:20 PM.166 RECV DATA: {"data":"pong","type":"hs_server"}
Congratulations! The setup of the SOLDR project is done, it is fully functioning and ready for you to dig into the wilderness of the Endpoint Detection and Response!
Check the configuration in the .env file and in web/proxy.conf.json to understand the service's configuration, so you can start them using your preferred installation topology.
For the regular start-up of the services, just start an API server, an Agent server and a Web UI.
- Install EnvFile plugin, which will add ability to include file in Run configuration.
- Open
Edit configuratons->Go build, selectRun Kind-Package. Add package path, for examplesoldr/cmd/api - Open EnvFile tab, enable it and add
.envfile to file paths. - Run
Use .vscode/launch.json
Launch on of the available debug tasks:
- launch vxapi
- launch vxserver
- launch vxagent
- launch web ui
Observability stack collect metrics, traces, logs from SOLDR components. Stack consist of:
Grafana- querying and visualizing observability dataVictoriaMetrics- datastore for server and SOLDR components metricsnode-exporterandelasticsearch-exporter- scraping metricsJaeger- storing and querying tracesElasticsearch- datastore forJaegerOpenTelemetry collector- single entry point to receive, process and export all observability data
For more information about collector, visit
https://opentelemetry.io/docs/collector.
Run observability stack components and then open Grafana in a browser https://localhost:3000. Default credentials: admin/admin. After default password for admin user changed, you can check provisioned SOLDR dashboards by click Dashboards icon on menu bar. On this SOLDR dashboards you can view server, agents and modules resource utilization, events statistics etc.
For checking traces, you need to click Explore icon on menu bar, then choose Jaeger data source from dropdown in the top left. Now you can query and filter traces by Service Name, Operation Name, Tags, duration and Time ranges.
Full observability stack requires more resources compare to clean SOLDR.
Remove all build files and other security keys:
Attention: Removing of crypto configuration and keys will lead to communication breakage for already stored modules and running agents after rebuild the server components.
make clean-allOnly artefacts from build directory (golang services binaries):
make clean-buildOnly artefacts from web directory (node-modules and result of building frontend):
make clean-webDangerous step to remove security files (use it in edge case):
make clean-sec