Installing Cortex on Ubuntu

A Step-by-Step Guide to Installing Cortex on Ubuntu 22.04

In the world of cybersecurity, speed and efficiency are paramount. Security Operations Center (SOC) analysts are often inundated with alerts, and the ability to quickly analyze observables like IP addresses, domains, and file hashes is crucial for effective incident response. This is where Cortex, a powerful observable analysis engine, comes into play.

Cortex automates the analysis process by integrating with a vast library of tools, called “analyzers,” allowing you to enrich threat intelligence with a single click. When paired with TheHive, it creates a formidable platform for incident response management.

This guide provides a comprehensive walkthrough for installing and configuring Cortex on an Ubuntu 22.04 LTS server.

Prerequisites: What You’ll Need

Before we begin the installation, ensure your system meets the following requirements:

  • An Ubuntu Server 22.04 LTS instance: A fresh, minimal installation is recommended.
  • Root or sudo access: You will need administrative privileges to install packages and modify configuration files.
  • A static IP address: This is essential for reliable access to the Cortex web interface.
  • Minimum 4GB of RAM and 2 CPU cores: Cortex and its dependencies, particularly Elasticsearch, can be resource-intensive.

Step 1: System Preparation and Updates

First, let’s ensure your system is up-to-date. Connect to your server via SSH and run the following commands to update the package lists and upgrade existing packages:

sudo apt update && sudo apt upgrade -y

Next, install a few essential utilities that will be needed during the process:

sudo apt install -y apt-transport-https curl gnupg

Step 2: Install Java Development Kit (JDK)

Cortex and Elasticsearch are built on Java, so the Java Development Kit is a critical dependency. We will install OpenJDK 11, which is a stable and recommended version.

sudo apt install -y openjdk-11-jdk

After the installation completes, you can verify that Java is correctly installed by checking its version:

java -version

You should see output confirming that OpenJDK version 11 is active.

Step 3: Install and Configure Elasticsearch

Elasticsearch is the database engine that Cortex uses to store its data. It’s vital to install and configure it correctly for Cortex to function.

First, import the Elasticsearch GPG key to authenticate the package repository:

curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg

Next, add the Elasticsearch repository to your system’s sources list:

echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

Now, update your package lists again and install Elasticsearch:

sudo apt update
sudo apt install -y elasticsearch

Once installed, we need to make a small but important configuration change. Open the main Elasticsearch configuration file:

sudo nano /etc/elasticsearch/elasticsearch.yml

Find the cluster.name and network.host lines. Uncomment them (remove the # at the beginning) and set the values as follows. Using a unique cluster name is highly recommended.

cluster.name: cortex
network.host: 127.0.0.1

This configuration ensures Elasticsearch listens only on the loopback interface, so the database cannot be reached from other hosts; Cortex, running on the same machine, is the only client that needs it. Save the file and exit the editor (Ctrl+X, then Y, then Enter).

Finally, start and enable the Elasticsearch service so it runs automatically on boot:

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch

Give it a minute to start up, then check its status to confirm it’s running correctly:

sudo systemctl status elasticsearch

Step 4: Install Cortex

With the dependencies in place, we can now install Cortex. Similar to Elasticsearch, we’ll add the official Cortex repository first.

Add the GPG key for the Cortex repository:

curl -fsSL https://get.strangebee.com/GPG-KEY-STRANGEBEE | sudo gpg --dearmor -o /usr/share/keyrings/strangebee-keyring.gpg

Add the repository to your system’s sources:

echo 'deb [signed-by=/usr/share/keyrings/strangebee-keyring.gpg] https://get.strangebee.com/cortex/ aneto main' | sudo tee -a /etc/apt/sources.list.d/strangebee.list

Now, update the package lists and install Cortex:

sudo apt update
sudo apt install -y cortex

Step 5: Configure Cortex

The primary Cortex configuration file is located at /etc/cortex/application.conf. We need to edit this file to set a secret key and connect it to our Elasticsearch instance.

Open the file for editing:

sudo nano /etc/cortex/application.conf

First, and most importantly, you must generate a secret key. This key is used to secure authentication cookies. Cortex will not start without it. You can generate a random string using the following command:

openssl rand -base64 32

Copy the output of this command.

Inside the application.conf file, find the line play.http.secret.key and paste your generated key between the double quotes.

It should look like this (but with your unique key):
play.http.secret.key = "YourVeryLongAndRandomSecretKeyHere"

Next, scroll down to the Elasticsearch configuration section. Because the values set in Step 3 (cluster.name: cortex and network.host: 127.0.0.1) match the defaults Cortex ships with, the section should work as-is. Still, verify it: the search.cluster value must match the cluster.name you set in elasticsearch.yml, and the URI must point at the loopback address Elasticsearch is bound to.

# Elasticsearch configuration
search {
  # Name of the ES cluster (must match cluster.name in elasticsearch.yml)
  cluster = "cortex"
  # List of ES hosts
  uris = ["http://127.0.0.1:9200"]
}

Save the file and exit the editor.

Now, start and enable the Cortex service:

sudo systemctl daemon-reload
sudo systemctl enable cortex
sudo systemctl start cortex

You can check its status to ensure it has started without errors:

sudo systemctl status cortex
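
Before moving on, it is worth confirming that the edits from Steps 3 and 5 are consistent with each other. The script below is an added example, not part of the original guide or the Cortex project: it checks that Elasticsearch is bound to 127.0.0.1, that cluster.name and search.cluster agree, and that play.http.secret.key is set to something other than the placeholder. The file paths default to the ones used in this guide and can be overridden to test against copies.

```bash
#!/usr/bin/env bash
# Post-install consistency check for the Elasticsearch and Cortex settings
# edited in Steps 3 and 5. Added example; not from the original guide.
set -u

# Return 0 if elasticsearch.yml has an active (uncommented) network.host: 127.0.0.1 line.
es_listens_on_loopback() {
  local yml="${1:-/etc/elasticsearch/elasticsearch.yml}"
  grep -Eq '^[[:space:]]*network\.host:[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$yml"
}

# Print the active cluster.name value from elasticsearch.yml (empty if only commented out).
es_cluster_name() {
  local yml="${1:-/etc/elasticsearch/elasticsearch.yml}"
  sed -nE 's/^[[:space:]]*cluster\.name:[[:space:]]*"?([^"[:space:]]+)"?.*/\1/p' "$yml" | head -n1
}

# Print the search { cluster = "..." } value from application.conf (empty if unset).
cortex_cluster_name() {
  local conf="${1:-/etc/cortex/application.conf}"
  sed -nE 's/^[[:space:]]*cluster[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/p' "$conf" | head -n1
}

# Return 0 if play.http.secret.key is non-empty, not the guide's placeholder,
# and at least 32 characters (the length of the openssl rand -base64 32 output is 44).
cortex_secret_is_set() {
  local conf="${1:-/etc/cortex/application.conf}"
  local key
  key=$(sed -nE 's/^[[:space:]]*play\.http\.secret\.key[[:space:]]*=[[:space:]]*"([^"]*)".*/\1/p' "$conf" | head -n1)
  [ -n "$key" ] || return 1
  [ "$key" != "YourVeryLongAndRandomSecretKeyHere" ] || return 1
  [ "${#key}" -ge 32 ]
}

# Run every check against the two files; print each failure and return the failure count.
check_cortex_install() {
  local yml="$1" conf="$2" failures=0
  es_listens_on_loopback "$yml" \
    || { echo "FAIL: network.host is not 127.0.0.1 in $yml"; failures=$((failures + 1)); }
  [ -n "$(es_cluster_name "$yml")" ] && [ "$(es_cluster_name "$yml")" = "$(cortex_cluster_name "$conf")" ] \
    || { echo "FAIL: cluster.name and search.cluster do not match"; failures=$((failures + 1)); }
  cortex_secret_is_set "$conf" \
    || { echo "FAIL: play.http.secret.key is missing, the placeholder, or too short"; failures=$((failures + 1)); }
  return "$failures"
}
```

Source the script and run `check_cortex_install /etc/elasticsearch/elasticsearch.yml /etc/cortex/application.conf` as root (the Cortex config is not world-readable); a zero exit status means all three checks passed.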

Step 6: Finalize the Setup and Access the Web UI

Cortex is now running. You can access its web interface by navigating to http://<your-server-ip>:9001 in your web browser.

Upon your first visit, Cortex will prompt you to create an administrator account. This is a one-time operation, so store these credentials securely.

  1. Click Update database to initialize the database schema.
  2. Once complete, you will see a form to Create administrator account. Fill in your desired username (login) and password.
  3. After creating the admin account, you will be prompted to create an organization. Enter a name for your organization (e.g., “SOC-Main”).
  4. Finally, create the first user account for that organization. This can be the same as your admin login or a new user dedicated to analysis tasks.

You have now successfully installed and configured Cortex!

Essential Security Best Practices

A default installation is a great start, but for a production environment, you should implement additional security measures:

  • Configure a Reverse Proxy with SSL/TLS: Never expose Cortex directly to the internet over HTTP. Use a web server like Nginx or Apache as a reverse proxy to enable HTTPS, encrypting all traffic between your users and the server.
  • Firewall Rules: Ensure your server’s firewall (like UFW) is configured to only allow traffic on necessary ports (e.g., 22 for SSH, 443 for HTTPS). Block direct access to ports 9001 and 9200 from the internet.
  • Regular Backups: Regularly back up your Elasticsearch data and Cortex configuration files to prevent data loss.
  • Keep Software Updated: Periodically run sudo apt update && sudo apt upgrade to ensure Cortex, Elasticsearch, and all underlying system components are patched against security vulnerabilities.

Source: https://kifarunix.com/install-cortex-on-ubuntu/