docker-compose
==============

Quickstart
----------

A full docker-compose setup is included that can start neo4j, dynamodb, telegraph and seizu (with its workers), and that provides a quick way of running cartography to load your neo4j database with data.

First clone the seizu repo::

    $> git clone https://github.com/mappedsky/seizu
    $> cd seizu

Note that Chrome will not allow you to use websockets without SSL on localhost, so it is necessary to generate an SSL certificate for the docker-compose setup to use.

A script is included that generates a CA and a localhost certificate and prints the commands for adding the CA to your trust root; run the command for your platform afterwards::

    $> make add_ssl
    localhost certificate is missing; adding it...
    Creating a minica CA, and a localhost certificate...
    Add the minica CA to the system keychain trust:
    (OSX) sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.minica/minica.pem
    (Ubuntu) sudo cp ~/.minica/minica.pem /usr/local/share/ca-certificates/minica.crt; sudo update-ca-certificates
    To remove the CA:
    (OSX) sudo security remove-trusted-cert -d ~/.minica/minica.pem
    (Ubuntu) sudo rm /usr/local/share/ca-certificates/minica.crt; sudo update-ca-certificates
    $> sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.minica/minica.pem
    Enter PIN for 'Certificate For PIV Authentication (Yubico PIV Authentication)':

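
Trusting a CA system-wide means trusting every certificate it signs, so it is worth inspecting the files before running the trust-root command above. Below is an added example, not seizu's or minica's code: a POSIX shell check that the CA file really is a CA certificate, that the server certificate chains to it for the name localhost, and that the leaf is not itself a CA. It assumes openssl is installed; file paths are arguments (in practice ~/.minica/minica.pem and the localhost cert that make add_ssl produced) and the fixture generator builds throwaway certificates so the check can be tried without the stack.

```shell
#!/bin/sh
# Added example (not seizu/minica code): sanity-check a local CA and its
# localhost server cert before adding the CA to the system trust root.
set -eu

# check_local_ca CA_PEM LEAF_PEM -> exit 0 if safe to trust, 1 otherwise.
check_local_ca() {
    ca=$1; leaf=$2
    # The file going into the trust root must actually be a CA certificate.
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' \
        || { echo "refusing: $ca is not a CA certificate" >&2; return 1; }
    # The server cert must not carry CA:TRUE (a leaf that can sign is a red flag).
    if openssl x509 -in "$leaf" -noout -text | grep -q 'CA:TRUE'; then
        echo "refusing: $leaf is itself a CA certificate" >&2; return 1
    fi
    # The leaf must chain to this CA and be valid for the name "localhost".
    openssl verify -CAfile "$ca" -verify_hostname localhost "$leaf" >/dev/null 2>&1 \
        || { echo "refusing: $leaf does not chain to $ca for localhost" >&2; return 1; }
    echo "ok: $leaf is issued by $ca for localhost"
}

# Constructed fixtures standing in for ~/.minica/minica.pem and the localhost
# cert: a throwaway CA and leaf in a temp dir; the dir path is the result.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = constructed test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:localhost\n' > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj '/CN=localhost' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    echo "$dir"
}
```

Run it as `d=$(make_fixtures); check_local_ca "$d/ca.pem" "$d/leaf.pem"`, or point it at your own CA and leaf files; a swapped or reused file is refused with a reason on stderr.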
After adding the SSL certificate, you can start seizu using docker-compose::

    $> export NEO4J_PASSWORD=<some_value>
    $> make up -d
    $> make logs seizu-node

Once fully started, the UI is accessible at: https://localhost:8443/

The UI is also served directly by nodejs, which recompiles the UI on changes to the source; this is useful for development. This version of the UI is accessible at: https://localhost:8443/

It’s necessary to install the node modules prior to using the nodejs UI::

    $> make bun install

Loading CVE data
----------------

(temporary) build cartography’s docker image
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. note::

   Cartography recently added the CVE module, which isn’t yet tagged into a release. Also, cartography is currently working on adding a docker image to a public registry. Until then, it’s necessary to first build cartography’s image locally.

::

    $> git clone https://github.com/lyft/cartography
    $> cd cartography
    $> docker build -t ghcr.io/lyft/cartography .

Run the make target
~~~~~~~~~~~~~~~~~~~

The quickstart configuration provided by the docker-compose setup is based around the NIST CVE data, which can be loaded via a make target::

    $> make sync_cve

Seeding reports
---------------

Report and dashboard configurations are stored in DynamoDB Local. After starting the stack for the first time, seed the example reports from the YAML config::

    $> make seed_dashboard

This reads .config/dev/seizu/reporting-dashboard.yaml, creates each report in DynamoDB, and sets the dashboard pointer. After resetting the DynamoDB volume, re-run ``make seed_dashboard`` to repopulate.

To reset the DynamoDB data volume::

    $> docker compose down
    $> docker volume rm seizu_dynamodb_data
    $> docker compose up
    $> make seed_dashboard

Updating configuration
----------------------

Before running docker-compose, the ``up`` make target copies a number of default configuration files into a ``.compose`` directory that is ignored by both git and docker. Once these initial files are copied in, they won’t be overwritten or modified. If you need to change the YAML configuration (queries, scheduled queries), update .compose/seizu/reporting-dashboard.yaml. Report and dashboard configurations are managed via the API or the seizu CLI (``make seed_dashboard``).