AlienVault. Unified Security Management 4.4-5.x Offline Update and Software Restoration Procedures

AlienVault Unified Security Management 4.4-5.x Offline Update and Software Restoration Procedures

USM 4.4-5.x Offline Update and Software Restoration Procedures Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM, and OSSIM are trademarks or service marks of AlienVault, Inc. All other registered trademarks, trademarks or service marks are the property of their respective owners. November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 2 of 19

Contents Contents Introduction... 4 Requirements... 4 Burning ISO Images... 4 Burning to a USM Flash Drive... 4 Linux... 4 Mac OS X... 5 Windows... 6 Burning to a CD... 7 Updating USM Offline... 7 Restoring Software on a USM... 10 Changing the BIOS Setup... 10 Restoring an appliance from a USB Flash Drive... 14 November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 3 of 19

Burning to a USM Flash Drive Introduction This procedure describes the required process to update an AlienVault appliance when there is not an Internet connection available. It also describes how to restore the software of an AlienVault appliance. Requirements These are the requirements to update the AlienVault appliances: USM version 4.4 or greater. ISO image provided by AlienVault, see Downloading the AlienVault USM ISO for Offline Update USB flash drive or external USB CD/DVD R/RW drive. Burning ISO Images Burning to a USM Flash Drive Important: This process deletes all files stored in the USB. Linux To burn an ISO Image using a USB Flash Drive from Linux 1. Insert your USB flash drive into the USB port. It is recommended to copy the ISO image in a temporary directory, for example /tmp. 2. Execute the following command to copy the ISO image: sudo dd if=<usb_image.iso> of=<usb_device> bs=4m <USB_image.iso>, replace this by the ISO image file path. Note that it is necessary to write the whole path where the file is located. <USB_device> refers to the USB device name. For example, having a file called image.iso and with the USB device name /dev/sdb, the command to write will be: November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 4 of 19

Burning to a USM Flash Drive sudo dd if=/home/user/temp/image.iso of=/dev/sdb bs=4m Mac OS X To burn an ISO Image using a USB Flash Drive from Mac OS X 1. Insert your USB flash drive into the USB port. Copy the image in a temporary directory or in your own user directory. 2. Run the following comand to identify the USB device name: diskutil list Figure 1. Burning ISO image using MAC OS X: example of a diskutil command According to Figure 1, the name of the USB device is /dev/disk1. 3. Unmount your USB device before burning the image: diskutil unmountdisk <USB_device> <USB_device> refers to your USB device name. For example: diskutil unmountdisk /dev/disk1 4. Copy the image: sudo dd if=<usb_image.iso> of=<usb_device> bs=1m <USB_image.iso>, replace it by the ISO image file path. Note that it is necessary to write the whole path where the file is located. <USB_device> refers to your USB device name. For example, having a file called image.iso and being /dev/disk1 the USB device name, the command to write will be the following: sudo dd if=/home/user/temp/image.iso of=/dev/disk1 bs=1m 5. Eject the device: diskutil eject <USB_device> November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 5 of 19

Burning to a USM Flash Drive <USB_device> refers to your USB device name. Windows To burn an ISO Image using a USB Flash Drive from Windows 1. Connect your USB flash drive. 2. List the devices connected to the Windows platform using dd.exe 1, similar to the dd command on Linux, so you can identify where your USB flash drive has been mounted: C:\Users\myuser\Desktop>dd.exe --list rawwrite dd for windows version 0.6beta3. Written by John Newbigin <jn@it.swin.edu.au> This program is covered by terms of the GPL Version 2. Win32 Available Volume Information \\.\Volume{93c9c543-7952-11e3-8953-806e6f6e6963} \ link to \\?\Device\HarddiskVolume1 fixed media Mounted on \\.\c: \\.\Volume{a7bddb16-7b9e-11e4-b358-6003089d6c19}\ link to \\?\Device\HarddiskVolume2 removeable media Mounted on \\.\e: \\.\Volume{93c9c547-7952-11e3-8953-806e6f6e6963}\ link to \\?\Device\Floppy0 1 dd.exe is a Windows version of the "dd" command used in Linux/Mac. The tool site is http://www.chrysocome.net/dd. November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 6 of 19

Burning to a CD removeable media Mounted on \\.\a: 3. Once you identify where your USB flash drive has been mounted, execute the following command to burn the ISO image file onto the device: C:\Users\myuser\Desktop>dd bs=4m if=alienvault_usm_update-for-64bits_xxxxx.iso of=\\.\e: --progress rawwrite dd for windows version 0.6beta3. Written by John Newbigin <jn@it.swin.edu.au> This program is covered by terms of the GPL Version 2. 794M 198+1 records in 198+1 records out 4. Eject securely the device from the computer. Note: In case you are asked for formatting the unit during the process, please, do no accept the operation. The device should not be formatted. Burning to a CD Burn the ISO image file by using any CD burning software. The method you use will depend on which CD writing software package you have available on your Operating System. Once the ISO file is burned as an image, the resulting CD is bootable, but it is a clone of the original file, so it contains the same folders, files, and properties as the original ISO. Updating USM Offline To update a USM offline 1. Insert a USB drive or connect a CD/DVD drive. 2. Open a console terminal and write the following command: ssh root@ip_address IP_address refers to the default IP of your appliance. November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 7 of 19

Burning to a CD 3. The AlienVault Setup main menu appears: Figure 2. AlienVault Setup Main Menu 4. Move to System Preferences. 5. Press Enter to accept the selection (<OK>). Figure 3. System Preferences Menu 6. Move to Update AlienVault System. 7. Press Enter to accept the selection (<OK>). November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 8 of 19

Burning to a CD Figure 4. Update AlienVault System Menu 8. Move to Update (Offline). 9. Press Enter to accept the selection (<OK>). Figure 5. Update (Offline) option 10. If you did not do it in the first step, connect your USB to the appliance you want to upgrade. 11. Click OK. When the process ends the following message appears. November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 9 of 19

Changing the BIOS Setup Figure 6. AlienVault Setup: system updated successfully 12. Press Enter to accept the selection (<OK>). The System Updates menu appears. 13. Press Tab to move from <OK> to <Back>. 14. Remove your USB device. Restoring Software on a USM Changing the BIOS Setup Sometimes you may want to restore the software on a USM to its factory status. In order to do this, you must Burn the corresponding ISO image on a USB flash drive, see Burning ISO Images. Change the BIOS Setup so that it boots from the USB. Note: If the BIOS is already configured to boot up from a USB, go to Restoring an appliance from a USB Flash Drive. To change the BIOS Setup 1. Reboot your appliance, press Del in the initial screen and go to BIOS Setup. 2. Move to Boot Settings. November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 10 of 19

Changing the BIOS Setup Figure 7. BIOS Setup Utility: Boot Settings 3. Select Boot Device Priority through cursor arrow keys. 4. Press Enter: November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 11 of 19

Changing the BIOS Setup Figure 8. BIOS Setup Utility: Boot Device Priority 5. Move to 1 st Boot Device by using the arrow keys. 6. Select your USB device by using + and keys. 7. Press ESC key. 8. Move to the Exit and select Save Changes and Exit. November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 12 of 19

Changing the BIOS Setup Figure 9. BIOS Setup Utility: Exit Options 9. Press Enter. November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 13 of 19

Restoring USM from a USB Flash Drive Figure 10. BIOS Setup Utility: Save Configuration Changes 10. Press Enter to accept the selection (<OK>). 11. Reboot your appliance. Restoring USM from a USB Flash Drive Before starting the restore process, you need a USB flash drive containing the ISO image for the USM version you d like to restore. See Burning ISO Images. Note: Make sure your USB flash drive is connected to the USB port before rebooting the appliance. To restore USM from a USB Flash Drive 1. Reboot the system. The following screen displays: November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 14 of 19

Restoring USM from a USB Flash Drive Figure 11. USB restore initial screen 2. Select Restore AlienVault <your-appliance-type> to restore your appliance. Select Local operating system in hard drive (if available) to cancel the data restoration process. Important: The restore process deletes all the data stored in your USM. After selecting the data restoration option, the system will ask for a confirmation: November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 15 of 19

Restoring USM from a USB Flash Drive Figure 12. Data Restoration: confirmation of the process 3. Press y and Enter to confirm to continue with the restore process. A progress screen displays. November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 16 of 19

Restoring USM from a USB Flash Drive Figure 13. Data Restoration: progress screen When the process finishes, the system reboots automatically. Note: Remove your USB before the system reboots. If you forget to remove it, the system will continue to boot from your USB. November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 17 of 19

Restoring USM from a USB Flash Drive Figure 14. Data Restoration: process finished A reboot may take several minutes. After that, the initial user login prompt appears in the console: November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 18 of 19

Restoring USM from a USB Flash Drive Figure 15. Data Restoration: initial login screen This screen displays the root username and a randomly generated password for you to enter. 4. In the login: field, enter root. 5. In the password field, enter the displayed randomly generated password, then press Enter. 6. When prompted whether you would like to change your password, click Yes. 7. Reboot again for finishing the data restoration. After this second reboot, the appliance will be ready. Note: For further information about how to deploy the appliance, see the AlienVault document Initial Setup Guide. November 2, 2015 USM 4.4-5.x Offline Update and Software Restoration Procedures Page 19 of 19