Installation Steps

First, you need to clone the repository:

git clone https://github.com/yevonnaelandrew/t-guard

Move to the directory and execute the installation script:

cd t-guard
chmod +x setup.sh
./setup.sh

To install the main T-Guard components, run steps 1 through 8 of the script. Step 9 is only needed for simulation and proof of concept (POC).

In step 1 (system update and prerequisite installation), a popup may appear; just click OK.

In step 2, after Docker has been installed, confirm that the Docker service is running with:

systemctl status docker

Green status text means the Docker service is running. You can then proceed to the next step, installing Wazuh, which serves as the SIEM. This step takes quite a long time, depending on the speed of the internet connection.

Once the installation has finished (the containers have started), open the Wazuh web interface at https://<your ip>.

The browser will warn that the certificate is invalid. This is expected, because no CA-signed SSL certificate has been installed yet (one is recommended for production). For now, click through to proceed.

The default credentials for T-Guard (change them before exposing any of these interfaces beyond the lab host):

Service     Web Interface        Username           Password
---------   ------------------   ----------------   ----------------------
Wazuh       https://<ip>         admin              SecretPassword
DFIR-IRIS   https://<ip>:8443    administrator      MySuperAdminPassword!
Shuffle     http://<ip>:3001     administrator      MySuperAdminPassword!
MISP        https://<ip>:1443    admin@admin.test   admin

Now return to the installation script and run Step 4, Step 5 and Step 6, which install Shuffle, DFIR-IRIS and MISP respectively.

After the component installation is done, the first integration to set up is Wazuh with IRIS. Before running the script step, open the IRIS web interface and log in with the default credentials.

Then go to My settings and take note of the API Key; it is needed for the integration.

In the Linux console, edit the file t-guard/wazuh/config/wazuh_cluster/wazuh_manager.conf with a text editor (e.g. nano), find the <api_key>APIKEY</api_key> element and replace APIKEY with the key obtained from the IRIS web interface.

Save the changes, then run the setup.sh script again and select Step 7.
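As an added example (not part of the T-Guard project), a small POSIX shell helper for the API key edit above: it checks that the <api_key>APIKEY</api_key> placeholder occurs exactly once, rejects keys containing characters that would break the XML element or the sed expression, keeps a backup, and verifies the result before step 7 is run. The function names, the sample key and the constructed sample config file are assumptions; the real file is the wazuh_manager.conf path named above.

```shell
# Added example, not T-Guard's own code. set_iris_api_key fills the IRIS key into
# the <api_key>APIKEY</api_key> placeholder of a Wazuh manager config and checks
# its own work, so a typo does not silently break step 7.
set_iris_api_key() {
    conf="$1"
    key="$2"
    placeholder='<api_key>APIKEY</api_key>'
    [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 1; }

    # Allow only characters that are safe inside the XML element and the sed
    # replacement (no '&', '|', '<', '>' or backslash).
    case "$key" in
        ''|*[!A-Za-z0-9._+/=-]*)
            echo "refusing key: empty or contains unexpected characters" >&2
            return 1 ;;
    esac

    # The placeholder must occur exactly once; a second run (or an already
    # edited file) is an error rather than a silent no-op.
    count=$(grep -c -F "$placeholder" "$conf" 2>/dev/null || true)
    [ "${count:-0}" -eq 1 ] || { echo "expected one placeholder, found ${count:-0}" >&2; return 1; }

    # Keep a backup with the original mode, then write the edited copy back
    # over the original so ownership and permissions stay as they were.
    cp -p "$conf" "$conf.bak" || return 1
    sed "s|$placeholder|<api_key>$key</api_key>|" "$conf.bak" > "$conf" || return 1

    # Verify: placeholder gone and the key present exactly once.
    if grep -q -F "$placeholder" "$conf" ||
       [ "$(grep -c -F "<api_key>$key</api_key>" "$conf")" -ne 1 ]; then
        echo "replacement failed, restoring backup" >&2
        cp -p "$conf.bak" "$conf"
        return 1
    fi
}

# Constructed stand-in for t-guard/wazuh/config/wazuh_cluster/wazuh_manager.conf
# (a minimal Wazuh <integration> block; the real file has much more in it).
make_sample_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<ossec_config>
  <integration>
    <name>custom-iris</name>
    <api_key>APIKEY</api_key>
  </integration>
</ossec_config>
EOF
    echo "$tmp"
}
```

Usage: `set_iris_api_key t-guard/wazuh/config/wazuh_cluster/wazuh_manager.conf "$IRIS_API_KEY"`, then run setup.sh and select Step 7.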

Now, go to the IRIS web interface, then select Alerts in the Investigation section.

You should now see the alerts received from Wazuh in IRIS. You can adjust the threshold that determines which Wazuh alerts are forwarded to IRIS.
