Perforce Helix Threat Detection OVA Deployment Guide
1 Introduction
For a Perforce Helix Threat Analytics solution there are two servers to install: an analytics server (Analytics, Hadoop, Spark) and a reporting server (Helix reporting). After importing the OVA you will choose one of two profiles for the machine:
1. Analytics Server
2. Reporting Server

1.1 Server Hardware Setup
Make sure you have the appropriate hardware allocated for each kind of server, then open the OVA file in your virtual machine manager to create the VM.
2 System Setup: Analytics Server
The analytics server runs HDFS, HBase, Spark, and Analytics.
Minimum requirements: 8 CPU cores, 16 GB RAM, 100 GB HDD
Recommended requirements: 16 CPU cores, 32 GB RAM, 100 GB HDD

2.1 Startup
Start the virtual machine after importing the OVA; it should reboot once on its own. If you see a message relating to intel_rapl, simply press Enter to skip it. Log in with the following default credentials:
user: interset
password: qwer1234
These credentials are identical on every copy of the OVA. Change the password with passwd once the setup below is finished, and until then keep the VM reachable only from your management network.

2.1.1 Setup
Find the IP address of the server by running:
ifconfig
In the home directory run:
./setup.sh
Follow the on-screen prompts to perform an installation of an Endpoint Analytics server. When it asks for the server type, input: 3
Note: The script will initially need the IP address of the Analytics server and the heap sizes from you, so have that information available.
A message will be displayed when the installation is complete.
2.2 Required Configuration

2.2.1 Configure Server Connection
On the first server (usually the analytics server) create an SSH key pair, entering report as the file name when prompted:
ssh-keygen
Leave the passphrase empty; a passphrase-protected key would stop the automated transfer at a prompt. Then copy the public key to the other server:
ssh-copy-id -i report interset@<hostname>
Ensure that you can ssh from each server to the other without entering a password (i.e. ssh <server> gives you a remote shell without a password prompt). This allows the analytics server to send its findings to the reporting server automatically. If ssh still prompts for a password, remember that report is not one of the default key names ssh tries; add an IdentityFile entry for it in ~/.ssh/config for the remote host.

2.2.2 Ingest
Configure the interset.conf configuration file:
cd /opt/interset/analytics/conf
vi interset.conf
Set scmtype to the desired log type and repoformat to match it. Set ingestfolder, ingestingfolder and ingestedfolder to the desired locations; the defaults work if these are left unaltered. Set reportservers to the complete list of all your Reporting servers.
Running jps will now show the Ingest process as running. If you restart the server you will need to restart the service manually (but do not do it right now!):
/opt/interset/analytics/bin/ingest.sh /opt/interset/analytics/conf/interset.conf
The ingest log can be followed with:
tail -f /opt/interset/analytics/logs/ingest.0.log
NOTE: The settings in the conf file can be modified on the fly without restarting the process/service; changing the ingest folder location(s) changes where the system looks (i.e. ingest, ingested, ingesting and ingesterror) to pick files up.
You have now completed the setup of the Analytics server and the server is ready to ingest logs.
2.3 Optional Configuration
Further configure your installation and learn how to check the status of the various processes by following the steps below.

2.3.1 HDFS
A good check is to load the HDFS web UI. By default it can be found at:
http://hostname:50070
where hostname is the namenode running HDFS.

2.3.2 HBase
The HBase web UI is also available at:
http://hostname:60010
By default these Hadoop web UIs require no authentication, so keep ports 50070 and 60010 reachable only from your management network.

2.3.3 Spark
As a quick check for HDFS, HBase, and Spark, enter the jps command; the output should list the following processes (the PIDs will differ):
28352 HMaster
28258 HQuorumPeer
29140 Worker
28538 HRegionServer
27723 DataNode
28957 Master
29422 Jps
27567 NameNode
As a quick test, run one of the examples that came with Spark:
/opt/interset/spark/bin/run-example SparkPi 10
It will output a lot of information and a line approximating the value of Pi.
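As an added example (not part of the Perforce guide or the Interset software), the following bash script automates two of the checks above: that ssh to the other server works without a password (2.2.1), and that jps shows the HDFS, HBase and Spark processes listed in 2.3.3 plus the Ingest process from 2.2.2. It assumes the interset account, that jps is on PATH, and that the process names are exactly as in the sample output; the Ingest class name is taken from the guide's wording and may differ on a real installation.

```shell
#!/usr/bin/env bash
# Added example for this guide, not part of the Perforce/Interset distribution:
# post-install checks for the Analytics server covering the passwordless-ssh
# requirement in 2.2.1 and the jps process list in 2.3.3.
# Assumptions: the 'interset' account from the guide, jps on PATH, and the
# process names exactly as printed in the guide's sample jps output.

# The seven JVM processes the guide's sample jps output shows (Jps itself excluded).
REQUIRED_JPS="NameNode DataNode HQuorumPeer HMaster HRegionServer Master Worker"

# check_jps_output <jps output> [<space-separated required names>]
# jps prints one "<pid> <MainClass>" line per JVM. Each required name must match
# the whole class name, so "Master" does not match "HMaster".
# Prints the missing names one per line; returns 1 if anything is missing.
check_jps_output() {
    local output="$1" required="${2:-$REQUIRED_JPS}" name missing=""
    for name in $required; do
        if ! printf '%s\n' "$output" | grep -Eq "^[0-9]+[[:space:]]+${name}[[:space:]]*\$"; then
            missing="${missing}${name} "
        fi
    done
    for name in $missing; do printf '%s\n' "$name"; done
    [ -z "$missing" ]
}

# check_ssh_passwordless <host> [<user>]
# BatchMode=yes makes ssh fail instead of prompting, so a missing or
# passphrase-protected key shows up as a non-zero exit rather than a hang.
check_ssh_passwordless() {
    local host="$1" user="${2:-interset}"
    ssh -o BatchMode=yes -o ConnectTimeout=5 "${user}@${host}" true 2>/dev/null
}

# main <peer-host>: run the checks against the live system.
main() {
    local peer="$1" rc=0 missing
    if check_ssh_passwordless "$peer"; then
        echo "ok: passwordless ssh to ${peer}"
    else
        echo "FAIL: ssh to ${peer} needs a password or is unreachable (see 2.2.1)"; rc=1
    fi
    if missing=$(check_jps_output "$(jps)"); then
        echo "ok: all HDFS/HBase/Spark processes present"
    else
        echo "FAIL: missing processes:"; echo "$missing"; rc=1
    fi
    # Assumption: the ingest JVM shows up in jps as "Ingest", as 2.2.2 implies.
    if check_jps_output "$(jps)" "Ingest" >/dev/null; then
        echo "ok: Ingest process running"
    else
        echo "WARN: no Ingest process in jps (start it as in 2.2.2 once interset.conf is configured)"
    fi
    return $rc
}

# Usage: ./analytics_check.sh <reporting-server-host>
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it on the analytics server as the interset user, passing the reporting server's host name; a non-zero exit means one of the required checks failed and the reason is printed.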
3 Reporting Server Setup
The reporting server runs Reporting.
Minimum requirements: 8 CPU cores, 16 GB RAM, 100 GB HDD
Recommended requirements: 16 CPU cores, 32 GB RAM, 100 GB HDD

3.1 Startup
Start the virtual machine after importing the OVA; it should reboot once on its own. If you see a message relating to intel_rapl, simply press Enter to skip it. Log in with the following default credentials:
user: interset
password: qwer1234
As on the analytics server, change this password with passwd once setup is finished.

3.2 Setup
Find the IP address of the server by running:
ifconfig
In the home directory run:
./setup.sh
Follow the on-screen prompts to perform an installation of a Reporting server. When it asks for the server type, input: 4
Note: The script will initially need the IP address of the Analytics server and the heap sizes from you, so have that information available. When entering the memory heap size, enter only the number.
A message will be displayed when the installation is complete.
3.3 Optional Configuration
Further configure your installation and learn how to check the status of the various processes by following the steps below.

3.3.1 Reporting
The default accounts are:
User name: user, password: password
User name: admin, password: password
These defaults are the same on every installation; change both passwords before the reporting web UI is made available to users.
Reporting will now start automatically at system startup. Use the service command to start, stop and restart the reporting service as shown below:
sudo service reporting restart
There is a log file for the Reporting server that you may wish to monitor:
tail -f /opt/interset/reporting/logs/reporting.log
The reporting web UI is available at:
http://<reporting>/
You have now completed the setup of the Reporting server and it is ready to display the results of the Analytics. You can log in with the accounts user / password and admin / password.
4 Configure Kerberos
For Kerberos to function properly, the hostname and DNS must be configured correctly. All servers and clients must be resolvable by their Active Directory names. There are two options for setting up the server: using the supplied script on a domain controller, or making the changes manually as described in appendix sections 5.3 and 5.4. The keytab file uploaded below (filetrekkey) is produced by the ktpass step in 5.4, so complete that appendix first.

Upload keytab files to the API server
1. Open a browser and point it to https://$analytics/webadmin. You will be prompted for a user name and password.
2. The default values are: admin / qwer1234. Change this password as well; it guards the keytab upload.
3. Select Kerberos Details.
4. Select Browse, then select filetrekkey from C:\. Select Upload key.
5. Select Generate keytab.
6. The following should be displayed: Key generated on the following hosts $ANALYTICS.
The keytab is equivalent to the service account's password: copy it to the workstation over a protected channel and delete the local copy once the upload has succeeded.
5 Appendix

5.1 Assign Static IP Address
By default the VM is configured to obtain an IP address from a DHCP server. You can assign a static IP address by running the static_ip.py script.
Note: run the script from the server console. If run over a remote session (i.e. SSH) you will lose the connection when the IP address changes.
Run the script:
cd /opt/interset/flow/tools
sudo ./static_ip.py
Enter the following information when prompted:
Enter IP Address, example: 192.198.1.10: the static IP address you want to assign
Enter Subnet Mask, example: 255.255.255.0: the subnet mask
Enter Gateway IP Address, example: 192.168.1.254: the default gateway
Enter DNS Server IP Address, example: 192.168.1.2: the DNS server's IP address. Multiple DNS servers can be separated by spaces
Enter Domain Name, example: mydomain.com: the Windows Active Directory domain
Review the information you have provided; if everything is OK press Enter, otherwise Ctrl-C.
Try to ping the default gateway; you should get a reply. To verify the IP address and routing table, run ifconfig and route -n. Check /etc/hosts and verify that the only name on the 127.0.0.1 line is localhost: if the server's own host name is mapped to a loopback address there, the name resolution Kerberos depends on (see 5.3) will return loopback instead of the DNS entry.
Reboot the API server now:
sudo reboot now

5.2 Change the Host Name of the Server
Changing the server's name is optional. The default host name for the VM is ft-server-<random four digit number>. Edit the following configuration file:
sudo editor /etc/hostname
Change the host name, then reboot the server:
sudo reboot now
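The /etc/hosts check at the end of 5.1 is easy to get wrong by eye, so here is an added bash example (not from the guide) that does it mechanically and also confirms the server's own name does not resolve to loopback. It goes slightly beyond the guide's wording: any 127.x.x.x line naming something other than localhost is flagged, because a Debian/Ubuntu-style "127.0.1.1 <hostname>" entry causes the same problem as a wrong 127.0.0.1 line. The file path, the use of getent, and the hosts file contents in the usage below are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the guide: automates the /etc/hosts check at the end
# of 5.1. Assumption (broader than the guide's wording): any 127.x.x.x line that
# names something other than localhost is flagged, because a Debian/Ubuntu-style
# "127.0.1.1 <hostname>" entry also makes the server resolve its own name to
# loopback, which breaks the reverse lookup Kerberos needs (5.3).

# check_hosts_file [<path>]
# Prints each offending line; returns 1 if any were found, 0 otherwise.
check_hosts_file() {
    local file="${1:-/etc/hosts}" bad
    bad=$(awk '
        /^[[:space:]]*#/ { next }                 # comment lines
        NF == 0          { next }                 # blank lines
        $1 ~ /^127\./ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break              # an inline comment ends the names
                if ($i != "localhost" && $i != "localhost.localdomain") { print; break }
            }
        }' "$file")
    [ -n "$bad" ] && printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# check_self_resolution
# hostname -f must give the fully qualified name, and that name must not
# resolve to a loopback address (nsswitch consults /etc/hosts before DNS,
# which is why the hosts file check comes first).
check_self_resolution() {
    local fqdn addr
    fqdn=$(hostname -f 2>/dev/null) || { echo "FAIL: hostname -f failed"; return 1; }
    case "$fqdn" in
        *.*) ;;
        *) echo "FAIL: host name '$fqdn' is not fully qualified"; return 1 ;;
    esac
    addr=$(getent ahostsv4 "$fqdn" | awk 'NR==1 {print $1}')
    case "$addr" in
        "")    echo "FAIL: $fqdn does not resolve"; return 1 ;;
        127.*) echo "FAIL: $fqdn resolves to loopback ($addr)"; return 1 ;;
    esac
    echo "ok: $fqdn -> $addr"
}

# Usage: ./hosts_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_hosts_file && check_self_resolution
fi
```

Any line the first function prints should be edited so that only localhost remains on the loopback entry; the second function then confirms the box resolves its own name to the static address assigned in 5.1.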
5.3 Setting up DNS
Kerberos relies on the presence of both forward and reverse lookup entries in DNS. Check that the host name of the FileTrek server can be resolved to its IP address, and that its IP address can be resolved back to its host name. DNS aliasing is allowed, but must be done with CNAME records.
To create an A record for the server:
1. Log in to the DNS server and go to Start > All Programs > Administrative Tools > DNS.
2. Expand Forward Lookup Zones and select your domain name.
3. From the Action menu, select New Host (A or AAAA). This opens a new window.
4. Type the host name of the server in Name, and its IP address in IP address.
5. Select Create associated pointer (PTR) record and select Add Host.
6. You should see a message similar to: "The host record server.mydomain.com was successfully created."
7. Click OK and Done.

5.4 Create user and keytab files in Domain Controller
Log in to the domain controller and follow the instructions below.

5.4.1 Create an Active Directory account
1. Go to Start > All Programs > Administrative Tools > Active Directory Users and Computers.
2. Expand the Active Directory domain name, right-click Users, and then select New User. (The user can be a member of any organizational unit.)
3. First name: enter a display name.
4. User logon name: this name is used in the setspn and ktpass commands. The API server will use this account to communicate with AD.
5. Click Next, and enter and confirm a password.
6. Check User cannot change password and Password never expires, and then select Next.
7. Click Finish to create the user.
Because the password never expires and its key will be stored in the keytab, use a long random password and leave the account with no group memberships or privileges beyond an ordinary domain user.

5.4.2 Create Keytab file
A Kerberos keytab file contains a list of keys that are equivalent to user passwords, and must be protected like them.
Note: https://$analytics/webadmin/kerberossetup offers a form that tests the DNS and user accounts that have been set up for the FileTrek server to use, and then generates the commands that need to be run on the domain controller.
On the domain controller, open a command prompt and type the following command:
ktpass -out C:\filetrekkey -princ HTTP/$ANALYTICS.mydomain.com@MYDOMAIN.COM -mapuser username@mydomain.com -mapop set -pass password -setupn -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
Update the following:
$ANALYTICS.mydomain.com - the full DNS name of the server
MYDOMAIN.COM - your domain name. This must be upper case
username@mydomain.com - the user that was created in the previous step
password - the user's password
Notes:
ktpass does not validate that the password is correct.
When you change the user's password, you must recreate the keytab file and repeat the setup procedure.
Values are case sensitive.
RC4-HMAC-NT is a legacy encryption type. If the analytics server's Kerberos libraries support AES, prefer -crypto AES256-SHA1 (available from Windows Server 2008 onwards); keep RC4-HMAC-NT only if the AES keytab fails to authenticate.

5.4.3 Map Service Principal Name (SPN) to the User
On the domain controller, open a command prompt and type:
setspn -s HTTP/$ANALYTICS.mydomain.com username
setspn -s HTTP/$ANALYTICS username
Update the following:
$ANALYTICS.mydomain.com - the full DNS name of the API server
username - the user that was created in the previous step
Notes:
When issuing the setspn command you may see the message "Duplicate SPN found, aborting operation!". This normally means ktpass has already registered the SPN on this same account and can be ignored, but confirm with setspn -l (below) that the SPN is listed on the intended account and not on another one: an SPN registered on two accounts breaks Kerberos authentication for that service.
Values are case sensitive.
setspn.exe and ktpass.exe are not installed by default on Windows Server 2003; they are included in the Microsoft Windows Server 2003 Support Tools. To install them, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.
To verify that the SPN is registered, type:
setspn -l username
A list of registered SPNs will be displayed. To confirm that no other account holds the same SPN, query the forest for it (Windows Server 2008 and later):
setspn -Q HTTP/$ANALYTICS.mydomain.com
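The checks in 5.3 and 5.4 are done on Windows, but the analytics server is where they have to hold, so here is an added bash example (not from the guide) that verifies them from the Linux side: forward and reverse DNS agree for the server's name, the -princ value has the exact HTTP/<fqdn>@<REALM> form the guide requires (upper-case realm, case-sensitive host part), and the keytab both contains that principal and actually authenticates against the KDC. It assumes MIT Kerberos client tools (klist, kinit, kdestroy) are installed, that the keytab has been copied to the server as ./filetrekkey, and that ktpass -setupn made the principal the account's UPN so kinit can log in as it.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: Linux-side checks for the Kerberos
# prerequisites in 5.3 (forward and reverse DNS) and the principal/keytab
# produced by the ktpass and setspn steps in 5.4. Assumptions: MIT Kerberos
# client tools (klist, kinit, kdestroy) on the analytics server, and the keytab
# copied there as ./filetrekkey (the file name used in the guide).

# check_dns_roundtrip <fqdn>
# The A record must resolve, and the PTR for that address must give back the
# same name. A CNAME alias is fine for the forward step only if the canonical
# name is what the PTR returns.
check_dns_roundtrip() {
    local fqdn="$1" addr back
    addr=$(getent ahostsv4 "$fqdn" | awk 'NR==1 {print $1}')
    [ -n "$addr" ] || { echo "FAIL: no address for $fqdn"; return 1; }
    back=$(getent hosts "$addr" | awk '{print $2}')
    [ "$back" = "$fqdn" ] || { echo "FAIL: $fqdn -> $addr -> ${back:-<no PTR>}"; return 1; }
    echo "ok: $fqdn <-> $addr"
}

# validate_principal <principal> <fqdn> <REALM>
# The -princ value must be exactly HTTP/<fqdn>@<REALM>: the service is HTTP,
# the host part is the same string the browser will resolve (case matters),
# and the realm is the AD domain in upper case.
validate_principal() {
    local p="$1" fqdn="$2" realm="$3" svc host got_realm
    case "$p" in
        */*@*) ;;
        *) echo "FAIL: '$p' is not of the form SERVICE/host@REALM"; return 1 ;;
    esac
    svc=${p%%/*}; got_realm=${p##*@}; host=${p#*/}; host=${host%@*}
    [ "$svc" = "HTTP" ] || { echo "FAIL: service must be HTTP, got $svc"; return 1; }
    [ "$host" = "$fqdn" ] || { echo "FAIL: host part '$host' differs from '$fqdn'"; return 1; }
    [ "$got_realm" = "$realm" ] || { echo "FAIL: realm '$got_realm' differs from '$realm'"; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "FAIL: realm must be upper case: $realm"; return 1; }
    return 0
}

# listing_has_principal <klist -kt output> <principal>
# klist -kt prints one "KVNO Timestamp Principal" row per key; the principal is
# the last field and is compared as a whole string, so no regex escaping is needed.
listing_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# check_keytab <keytab> <principal>
# Lists the keytab, then proves the key really works against the KDC with
# kinit -kt, which is the validation ktpass itself never performs.
check_keytab() {
    local keytab="$1" principal="$2" listing
    listing=$(klist -kt "$keytab" 2>&1) || { echo "FAIL: $listing"; return 1; }
    listing_has_principal "$listing" "$principal" \
        || { echo "FAIL: $principal not found in $keytab"; return 1; }
    kinit -kt "$keytab" "$principal" || { echo "FAIL: KDC rejected the keytab"; return 1; }
    kdestroy 2>/dev/null
    echo "ok: keytab authenticates as $principal"
}

# Usage: ./kerberos_check.sh analytics.mydomain.com MYDOMAIN.COM [keytab]
if [ $# -ge 2 ]; then
    fqdn="$1"; realm="$2"; keytab="${3:-./filetrekkey}"
    principal="HTTP/${fqdn}@${realm}"
    check_dns_roundtrip "$fqdn" && validate_principal "$principal" "$fqdn" "$realm" \
        && check_keytab "$keytab" "$principal"
fi
```

A failure in the first step points back to 5.3 (A or PTR record), in the second to a mistyped -princ value, and in the third to a stale keytab (for example after a password change) or to an SPN that exists on more than one account.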