http datasources console command and documentation refactoring

Author: codeyourweb

README.md

@@ -1,12 +1,14 @@
 ![Sentinel Kit](docs/img/sentinel-kit_logo.png)
 # 🛡️ Sentinel Kit: The Simplified Platform for Incident Response (SOC & DFIR)
 
-## WARNING: This project is currently in an early stage of development. Not all components have been ported to this repository, and the features are not yet stable enough for production use. 
+$\color{red}{\textsf{**WARNING**: This project is currently in an early stage of development. Not all components have been ported to this repository, and the features are not yet stable enough for production use.}}$
+
+The features already available online are documented [here](docs/index.md).
 ---
 
 **Sentinel Kit** is a comprehensive Docker stack designed to provide **Digital Forensics and Incident Response (DFIR)** and **Security Operations Center (SOC)** capabilities with unparalleled deployment simplicity.
 
-Ideal for **situational monitoring** or **rapid security incident response**, this integrated platform enables collection, analysis, detection, and immediate response to threats.
+Ideal for **situational monitoring** or **small-scale security incident response**, this integrated platform enables collection, analysis, detection, and immediate response to threats.
 
 ---
 
@@ -91,33 +93,34 @@ All of this can be edited in `.env` file
 
 ## 🛠️ Technical Architecture (via `docker-compose.yml`)
 
-The architecture is modular and relies on the interconnection of several services via the **sentinel-kit-network** network.
+The architecture is modular and relies on the interconnection of several services
 ![Sentinel-Kit architecture](docs/img/sentinel-kit_network_flow.png)
 
 ## ⚙️ Configuration
 
 Main configurations are located in the `config/` folder: (edit these elements only if you know what you are doing 😊)
 
-* `config/caddy_server`: Reverse proxy that serve front and back-end web applications
-* `config/certificates`: Contains TLS certification chains for elasticstack, caddy and backend JWT
+* `config/caddy_server`: Reverse proxy that serve front and back-end web applications.
 * `config/docker-config`: Server stack configuration (dockerfile, entrypoints...).
+* `config/elasticsearch`: Configuration of the Elasticsearch certification chain and nodes cluster.
 * `config/fluentbit_server`: Fluent Bit configuration files (inputs, filters, outputs to Elasticsearch).
 * `config/grafana`: Grafana initial setup (datasources and dashboards).
-* `config/prometheus/prometheus.yml`: Prometheus monitoring targets configuration.
+* `config/prometheus`: Prometheus monitoring targets configuration.
 * `config/sigma_ruleset`: sigma rules used on elasticsearch ingested logs
 * `config/yara_ruleset`: yara rules used on `data/yara_triage_data` folder or by *sentinel-kit_datamonitor* agent
 
 ## 📖 Data
 
 Persistent data are located in the `data/` folder:
 
-* `data/caddy_logs`: Store the caddy server access & error logs
-* `data/ftp_data`: Store file uploaded on the SFTP server
-* `data/grafana`: Contains a persistence of your grafana profile if you want to make your own dashboard and customizations
-* `data/kibana`: Kibana user customizations
-* `data/log_ingest_data`: Is designed to forward logs if you don't want to use fluentbit HTTP forwarder
-* `data/mysql_data`: Constains a persistence of the web backend database
-* `data/yara_triage_data`: is used to automatically scan any file placed in this folder  
+* `data/caddy_logs`: Store the caddy server access & error logs.
+* `data/fluentbit_db`: fluentbit ingest database (to avoid indexing same data several times).
+* `data/ftp_data`: Store file uploaded on the SFTP server.
+* `data/grafana`: Contains a persistence of your grafana profile if you want to make your own dashboard and customizations.
+* `data/kibana`: Kibana user customizations (dashboard, config...).
+* `data/log_ingest_data`: Is designed to forward logs if you don't want to use fluentbit HTTP forwarder.
+* `data/mysql_data`: Constains a persistence of the web backend database.
+* `data/yara_triage_data`: is used to automatically scan any file placed in this folder.  
 
 ---
 
@@ -129,11 +132,7 @@ To stop and remove the containers, networks, and volumes created by Docker Compo
 docker-compose down -v
 ```
 
-If you want to erase all user data:
-* remove the __content__ of every folder inside `data/`
-* remove the __content__ of `config/certificates/` in caddy_server, elasticsearch and jwt
-* remove the __content__ of `config/grafana`
-* finally, rebuild the stack with the following command:
+If you want to erase all user data, and start from a fresh and clean installation, there is a `clean-user-data` sh or powershell (depending on your OS) to help you erasing all personal data. Then, you can rebuild the whole stack with: 
 
 ```bash
 docker-compose up --build --force-recreate

docs/01-start-sentinel-kit.md

@@ -0,0 +1,75 @@
+# Sentinel-Kit quick start
+
+## ⚠️ Security warning
+Although the code in this stack is designed to be secure in terms of authentication and client/server exchanges (strong identification, certificates, JWT, etc.), it is your responsibility to limit the server's exposure (flow filtering, whitelisting, etc.). No filtering mechanism is provided in the project, so configure your flows to limit exposure as follows:
+
+![Sentinel Kit architecture and network flow](img/sentinel-kit_network_flow.png)
+
+**Exposed services:**
+| **Web API** | Used for clients<->server communications and admin actions over the web interface | 
+| **SFTP Server** | Secure file/evidence upload | 
+
+optional - for interoperability purpose with a forwarder like logstash / winlogbeat / fluentbit etc... It could also be done over Web API (see documentation)
+| **Syslog forwarder** | Fluentbit log forwarder to elasticsearch 
+
+**Admin access** 
+| **Web front end** | Access to the admin application (agents control, log analysis...) |
+
+**Admin extended features**
+| **PhpMyAdmin** | MySQL database management | 
+| **Grafana** | Monitoring dashboards (fluentbit forwarder logs / elasticsearch ingestion / stack health)
+| **Kibana** | Kibana complete access (for advanced usage only. Standard features are directly implemented in the admin web interface) 
+
+## Prerequisites
+This project is designed to be deployed in minutes using Docker Compose.
+* **Docker**
+* **Docker Compose** (or Docker Engine including Compose)
+* Minimum **8 GB of RAM** (essential for Elasticsearch)
+
+## 🚀 Let's start Sentinel-Kit
+Everything comes as a full docker-compose stack to avoid configuration and depencies and simplify the deployment. 
+
+First, clone sentinel kit repository 
+```bash
+git clone 
+cd sentinel-kit
+```
+
+Then, in a local environment, you need to define the following DNS entries: 
+```bash
+# OS `hosts` file
+127.0.0.1   sentinel-kit.local
+127.0.0.1   backend.sentinel-kit.local
+127.0.0.1   phpmyadmin.sentinel-kit.local
+127.0.0.1   kibana.sentinel-kit.local
+127.0.0.1   grafana.sentinel-kit.local
+```
+
+On advanced configuration, you can configure `config/caddy_server/Caddyfile` if you want to set your own nameserver. If so, you will also need to set your hostname, replacing the original ones in `.env` file. You can find details about advanced configuration [here](02-customize-stack.md).
+
+When your DNS configuration is ok. Start the stack with: 
+```bash
+    docker-compose up -d
+```
+Initial startup could be long as elastic configure two nodes and kibana. 
+
+Caddy server will generate a complete certification chain for the exposed services (frontend, backend, phpmyadmin, kibana, grafana). If you don't want to always accept untrusted certification chains, add root and intermediate CA to your browser certificates. They are located in ./config/certificates/caddy_server
+
+[https://sentinel-kit.local]https://sentinel-kit.local should return the following page:
+![Sentinel Kit Homepage](img/sentinel-kit_homepage.png)
+
+And, that's all, you are good to go!
+
+## 🛑 Stopping and Cleaning the Stack
+
+To stop and remove the containers, networks, and volumes created by Docker Compose:
+
+```bash
+docker-compose down -v
+```
+
+If you want to erase all user data, and start from a fresh and clean installation, there is a `clean-user-data` sh or powershell (depending on your OS) to help you erasing all personal data. Then, you can rebuild the whole stack with: 
+
+```bash
+docker-compose up --build --force-recreate
+```

docs/02-customize-stack.md

@@ -0,0 +1,88 @@
+# 🛠️ Environment Configuration
+
+Most of the parameters for this stack are defined in the **`.env`** file located at the root directory. These settings are loaded **before the stack starts**. If the stack is already running, you must **restart it** for any changes to take effect.
+
+---
+
+## ⚙️ Services and Profiles
+
+The following configuration block defines the active services using Docker Compose profiles and sets the Elasticsearch cluster mode.
+
+```bash
+COMPOSE_PROFILES=sftp,es-secondary-node,phpmyadmin,kibana,internal-monitoring
+ELASTICSEARCH_CLUSTER_MODE=multi-node
+``` 
+## Profile Customization
+
+You can remove certain services if you don't need them. Simply remove the corresponding profile from the `COMPOSE_PROFILES` list:
+
+* Remove internal-monitoring to disable access to Grafana features.
+* Remove phpmyadmin to disable direct access to the MySQL database.
+* Remove sftp if no external file upload functionality is required.
+
+## Elasticsearch Configuration
+
+By default, Elasticsearch is configured as a two-node cluster (multi-node). For environments with limited resources, you can switch to a single-node setup by removing the `es-secondary-node` profile and updating `ELASTICSEARCH_CLUSTER_MODE` as shown below:
+
+```bash
+COMPOSE_PROFILES=sftp,phpmyadmin,kibana,internal-monitoring
+ELASTICSEARCH_CLUSTER_MODE=single-node
+```
+
+**__Note:__** Switching between single-node and multi-node can be done at any point during the stack's lifecycle without requiring a complete reinstallation or data loss.
+
+### Elasticsearch Memory Limit
+To limit the memory allocated to the Elasticsearch cluster, modify the following variable (default is 4GB):
+```bash
+ELASTICSEARCH_MEMORY_LIMIT=4294967296
+```
+
+
+🌐 Domain Names
+The hostnames for the exposed services are customizable here. It is mandatory to map these hostnames to the stack's IP address either in your DNS configuration or in your local hosts file (for isolated local installations).
+| Service | Environment Variable | Default Hostname | 
+| Frontend | SENTINELKIT_FRONTEND_HOSTNAME | sentinel-kit.local | 
+| Backend API | SENTINELKIT_BACKEND_HOSTNAME | backend.sentinel-kit.local | 
+| phpMyAdmin | SENTINELKIT_PMA_HOSTNAME | phpmyadmin.sentinel-kit.local | 
+| Kibana | SENTINELKIT_KIBANA_HOSTNAME | kibana.sentinel-kit.local | 
+| Grafana | SENTINELKIT_GRAFANA_HOSTNAME | grafana.sentinel-kit.local | 
+
+🔒 Secrets and Credentials
+
+For production usage, you can change any of the default credentials below.
+
+⚠️ **__Important:__** Once the stack is initialized, changing certain secrets (like database or Elasticsearch credentials) can destabilize services. It is strongly recommended to modify these values only before the initial launch of the stack.
+
+```bash
+SENTINELKIT_DATAMONITOR_SERVER_TOKEN=9561ffd1b6de615286b9e52a9d5bc3226970449700c9461bdbe4225730b47b20
+BACKEND_JWT_PASSPHRASE=f164cfc913d2faf65a1b7bc8ccd4aa8b11b5958bce7c20c8cf159a576f8a75f7
+MYSQL_ROOT_PASSWORD=sentinel-kit_r00tp4ssw0rd
+MYSQL_USER=sentinel-kit_user
+MYSQL_PASSWORD=sentinel-kit_passwd
+MYSQL_DATABASE=sentinel-kit_db
+GF_SECURITY_ADMIN_USER=sentinel-kit_grafana_admin
+GF_SECURITY_ADMIN_PASSWORD=sentinel-kit_grafana_password
+SFTP_USER=sentinel-kit_sftp_user
+SFTP_PASSWORD=sentinel-kit_sftp_passwd
+ELASTICSEARCH_CLUSTER_NAME=sentinel-kit-elasticsearch-cluster
+ELASTICSEARCH_PASSWORD=sentinelkit_elastic_passwd
+```
+
+## 🛑 Stopping and Cleaning the Stack
+
+To only stop the stack, without removing existing data, just do the following command:
+```bash
+docker compose down
+```
+
+To stop __and remove the containers, networks, and volumes__ created by Docker Compose:
+
+```bash
+docker-compose down -v
+```
+
+If you want to erase all user data, and start from a fresh and clean installation, there is a `clean-user-data` sh or powershell (depending on your OS) to help you erasing all personal data. Then, you can rebuild the whole stack with: 
+
+```bash
+docker-compose up --build --force-recreate
+```

docs/03-create-admin-user.md

@@ -0,0 +1,66 @@
+# Create Sentinel Kit admin users
+
+Once installed and operational, the Sentinel Kit administration interface is accessible by default at https://sentinel-kit.local. No web recording functionality is implemented, separating the functions of the platform administrator and the analyst who operates it.
+![Sentinel-Kit login page](sentinel-kit_login.png)
+
+## Users management
+
+Every user management operations are done inside the backend container. You can connect to it like this:
+```bash
+docker exec -it sentinel-kit-app-backend /bin/bash
+```
+
+a console utility can be called with `php bin/console`. If you want to create a new user, just type the following command:
+
+```bash
+# app:users:create <email> <password>
+backend:/var/www/html# php bin/console app:users:create [email protected] MyPassword!
+
+ [OK] User successfully created                                                                                         
+                                                                                                                        
+==============================
+email: [email protected]
+OTP authenticator URL: https://backend.sentinel-kit.local/qrcode/b3RwYXV0aDovL3RvdHAvRGF0YU1vbml0b3IlMjBzZXJ2ZXIlM0FkZXYuanAuZ2FybmllciU0MGdtYWlsLmNvbSU0MERhdGFNb25pdG9yP2lzc3Vlcj1EYXRhTW9uaXRvciUyMHNlcnZlciZzZWNyZXQ9SzQzVVlIR1NTQlNETVlHU1hTQVNKN0ZDM0FVSTdFQTM3SExaN1c3QkhZUkZPNzM3VE9WUQ==    
+==============================
+```
+OTP is directly available if the admin wants to store it. You don't need to comunicate it to the end user, he will access it on the first successful login on the platform.
+![Login OTP form](img/sentinel-kit_login_otp.png)
+
+## Listing users
+Existing user accounts can be listed like this
+
+```bash
+backend:/var/www/html# php bin/console app:users:list
+User ID: 1 | Email: [email protected]
+```
+
+## Remove users
+You can delete an user providing its ID or email like this
+```bash
+backend:/var/www/html# php bin/console app:users:delete 1
+
+ [OK] User deleted successfully.                                                                                        
+                                                                                                                        
+```
+
+## Users secrets reset
+Password resetting could be done
+```bash
+backend:/var/www/html# php bin/console app:users:renew-password [email protected] MyNewPa$$w0rd
+
+ [OK] User password reset successful.                                                                                   
+```                                                                                                                        
+
+And you can also reset user OTP:
+```bash
+backend:/var/www/html# php bin/console app:users:renew-otp [email protected]
+
+ [OK] User OTP reset successful.                                                                                        
+                                                                                                                      
+==============================
+email: [email protected]
+OTP authenticator URL: https://localhost/qrcode/b3RwYXV0aDovL3RvdHAvRGF0YU1vbml0b3IlMjBzZXJ2ZXIlM0FkZW1vJTQwZXhhbXBsZS5jb20lNDBEYXRhTW9uaXRvcj9pc3N1ZXI9RGF0YU1vbml0b3IlMjBzZXJ2ZXImc2VjcmV0PVgzT1M3QVdDQ1Q3SUZISktCQ0JUUlczVjRWQlgzWDZCN1hLQ1I2NU5JRUZQTDVBNVVPR0E=
+```
+
+Your users can now login on the platform 
+![Sentinel-Kit Homepage](img/sentinel-kit_server_features.png)