Before you start CentOS
Contents
Review these system requirements before proceeding to install the Intelligence Center from a rpm package.
Conventions
Command and code examples
Some examples require you to run terminal commands as root.
# Grant the currently logged in user root-level accesssudo -i # Grant root-level access to a different usersudo -i -u ${user_name} # Run a command as a different user, with root-level accesssudo -i -u ${user_name} ${command} ${options}\Placeholder variables
Example commands may describe placeholder variables using bash parameter substitution like this:
${placeholder_variable_name}In this case, the example usually asks you to set the value of placeholder_variable_name beforehand. You can also substitute it in the command yourself:
Software downloaders and package managers
When the documentation includes code snippets to provide examples of how to retrieve a product to install, most code examples use wget or curl.
If these products are not installed on your system, download and install them.
Otherwise, feel free to use any other viable alternative that enables retrieving assets and resources from the Internet.
yum and rpm are standard package managers for both CentOS and RHEL.
Your system should also be able to pin/lock specific versions of Intelligence Center dependencies after installing them.
To do this, you can use yum-versionlock:
# Pin/Lock a package to the currently installed versionyum-versionlock ${package_name} # Unpin/Unlock all packages, for example before an upgradeyum-versionlock clearIf you need to troubleshoot the intelligence Center, do not use debuggers in production environments.
Debuggers can enable arbitrary code execution. This is a security risk.
About EclecticIQ Intelligence Center
EclecticIQ Intelligence Center is powered by STIX and TAXII open standards.
It enables ingesting, consolidating, analyzing, integrating, and collaborating on cyber threat intelligence from multiple sources in a broad range of formats.
|
Feature |
Description |
|
Feed management |
Manage multiple cyber threat intelligence feeds from any source, in many different formats. |
|
Enrichment |
Enrich existing intelligence with external data sources providing more context, and refine it with de-duplication and pattern recognition. |
|
Sharing |
Share threat intelligence together with partners to participate in a collaborative information ecosystem. |
|
Collaboration |
Analyze and author intelligence in together with other teams and departments. |
|
Insights |
Generate insight thanks to a high-fidelity, normalized view into your intelligence. |
|
Integration |
Understand how cyber threat intelligence relates to and how it can affect your organization and your environment. |
Hardware requirements
Hardware requirements for EclecticIQ Intelligence Center can vary, depending on the target system and the environment you plan to install the Intelligence Center to. The requirements outlined in this section are general guidelines that work in most cases, but they are not tailored to any specific situation or use case.
Single box
Hardware requirement guidelines for EclecticIQ intelligence Center and related dependencies installation on a single system/machine.
|
Hardware |
Minimum |
Recommended |
Notes |
|
CPUs |
4 |
8 |
Core count includes HT. |
|
CPU speed |
2.5 GHz |
2.5 GHz or faster |
|
|
Memory |
32 GB |
64 GB or more |
|
|
Storage |
SATA, 100 IOPS |
SSD, 200-500 IOPS |
|
|
Drives |
5 |
10 |
10 drives enable setting up 5 sets of mirrored drives (RAID 1). |
|
Drive sizes (GB) |
10, 10, 25, 50, 200 |
20, 20, 50, 75, 300 |
Each Intelligence Center database should be allocated to a dedicated drive for data storage. |
|
Drive allocation (GB) |
10 |
20 |
Root (EclecticIQ Intelligence Center + Redis). |
|
|
10 |
20 |
Log data storage. |
|
|
25 |
50 |
Neo4j, graph database. |
|
|
100 |
150 |
Elasticsearch, searching and indexing. On average, allocate Elasticsearch about half the amount of space you assign to PostgreSQL. |
|
|
200 |
300 |
PostgreSQL, main data storage. |
|
Network |
2 network interfaces |
2 network interfaces |
One interface for production, the other for system management. |
|
Install size |
~240 GB |
~240 GB |
Full install, based on the VM image size. |
Scaling out
The easiest approach to scaling out involves allocating dedicated machines to the databases. In this scenario, you install each of the following components on a separate machine:
EclecticIQ Intelligence Center
PostgreSQL
Redis
Elasticsearch
Neo4j Enterprise Edition
(This version implements multi-clustering. It is available after purchasing a license.)
To optimize read-write operations and to ensure that the storage drives are fast, set up dedicated drives per partition.
The SYSTEMD_SERVICES list in the platform_settings.py settings file stores a list of systemd services that the Intelligence Center should monitor.
The Intelligence Center can only monitor local systemd services.
If Intelligence Center services are distributed across several virtual or physical machines, remove those remote services from the SYSTEMD_SERVICES list to stop the Intelligence Center from attempting to contact them.
Software requirements
Credentials and host name
To correctly configure the system after installing the required dependencies and third-party products, ensure you have the following information available:
Fully qualified domain name of the host machine you are going to use to access the Intelligence Center.
SSL certificate and key for the web server.
EclecticIQ Intelligence Center login credentials.
User name and password
During the installation, you are prompted to assign the administrator account a user name and a password. By default, when performing a Intelligence Center installation you are prompted to create only an administrator account, because at any given time the Intelligence Center requires at least one active administrator user profile.
Follow these guidelines to define a strong password:
It should be between 10 and 64 characters long.
It should contain at least one uppercase alphabetic character.
It should contain at least one special character
It should contain at least one number.
It should not reuse a previous password.
User password history logs the previous 100 passwords.
It should not be on NBP, the NIST Bad Passwords list.
It should not include the user name it is associated with.
For more information, see the NIST digital identity guidelines.
Operating systems
Supported operating systems
The following operating systems are supported:
CentOS 7 latest release – currently CentOS 7.9 (2009)
Red Hat Enterprise Linux 7 latest release – currently Red Hat Enterprise Linux 7.9
Deprecated operating systems
As of release 2.9.0, support for the following operating systems is deprecated:
CentOS 7.8 (2003)
CentOS 7.7 (1908)
CentOS 7.6 (1810)
Red Hat Enterprise Linux 7.8
Red Hat Enterprise Linux 7.7
Red Hat Enterprise Linux 7.6
Ubuntu Server 16.04 Xenial Xerus
CentOS 7.6 (1810), 7.7 (1908), and 7.8 (2003), and Red Hat Enterprise Linux 7.6, 7.7, and 7.8 are compatible with release 2.9.x. However, they are not supported.
Ubuntu Server is no longer supported.
Access permissions
The installation procedure requires a umask value of 0022 to allow creating and modifying files and directories on the target system.
Encoding
The Intelligence Center uses and expects text data in UTF-8.
Dependencies and components that exchange data with the Intelligence Center must use the same encoding.
The LANG environment variable must be set to en_US.UTF-8. Example: LANG=en_US.UTF-8
Locale
The system locale must be en_US.UTF-8.
To check and, if necessary, set the system locale to en_US.UTF-8:
if [ "$LANG" != "en_US.UTF-8" ]; then localectl set-locale LANG=en_US.UTF-8; fiTime zone
The global time zone configuration must be UTC.
While you can set a local or a custom time zone value to display local time on the Intelligence Center, the host system time zone must be consistently on UTC time.
This includes OS, databases, as well as any other products or components that enable setting a time zone, and that interact/interoperate with the Intelligence Center.
To set the system time zone to UTC:
timedatectl set-timezone UTCData mount points
When installing and configuring Intelligence Center components such as PostgreSQL, Redis, Elasticsearch, and Neo4j specify dedicated locations where these products store their data.
These are the recommended mount point paths for each data store:
|
Component |
Mount point |
Min. size (GB) |
Reccommended size (GB) |
|
Logs |
/var/log |
10 |
20 |
|
Elasticsearch |
/media/elasticsearch |
100 |
150 |
|
Neo4j |
/media/neo4j |
25 |
50 |
|
PostgreSQL |
/media/pgsql |
200 |
300 |
|
-Redis |
/media/redis |
10 |
20 |
About Redis
In a single box installation scenario, Redis is installed to the root partition where the Intelligence Center is installed to.
During the configuration step, you can set the Redis data location in the redis.conf configuration file.
The recommended target directory for Redis data is /media/redis.
This is not a mount point on a separate partition, it is a subdirectory in the root partition.
Databases and network binding
On a single machine installation, network interface bindings for services are set to 127.0.0.1 by default, except for PostgreSQL which has a different configuration.
Instructions may have asked you to change this to a more permissive binding in multi-machine installations, or you may be using an older installation where defaults were set to 0.0.0.0.
The table below shows a list of configuration files where network interface bindings are set for each service.
You may want to change these bindings to suit your environment.
|
Service name |
File path(s) |
Parameters |
Notes |
|
Elasticsearch |
/etc/systemd/system/elasticsearch.service.d/20-eclecticiq.conf |
[Service]Environment=BINDING_ADDRESS=127.0.0.1 |
For more information, see Elasticsearch’s documentation. |
|
Neo4j |
/etc/eclecticiq-neo4j/neo4j.conf |
dbms.connector.bolt.listen_address=:7687dbms.connector.http.listen_address=:7474dbms.connector.https.listen_address=:7473dbms.connectors.default_listen_address is left unset, and defaults to 127.0.0.1. |
For more information, see Configure connectors and dbms.connectors.default_listen_address. |
|
PostgreSQL |
/etc/eclecticiq-postgres/pg_hba.conf |
TYPE DATABASE USER ADDRESS METHODlocal all postgres trusthost all all samenet md5host all all 0.0.0.0/0 password |
For more information, see The pg_hba.conf File. |
|
Redis |
/etc/eclecticiq-redis/redis.conf |
bind 127.0.0.1 |
For more information, see Redis security and redis.conf. |
Web browsers
The Intelligence Center web interface supports the following browsers.
Fully supported (latest versions of):
Google Chrome
Functionally supported (latest versions of):
Microsoft Edge
Mozilla Firefox
Microsoft Internet Explorer 11
Opera
Apple Safari
Updating products at OS level
We recommend that you review all operating system (OS) package updates when updating the Intelligence Center host.
To retrieve a list of libraries and the packages that make them available, start a terminal session, and then run the following command:
libraries_used=$(find /opt/eclecticiq-platform-backend/lib/python3.6/site-packages/ -name "*.so" | xargs ldd | sed -r '/^\s/!d' | awk '{print $1}' | sort -u); providing_packages=$(echo $libraries_used | xargs yum provides | sed -r '/^(Provides\s*:|Filename\s*:|Repo\s*:|Matched from\s*:).*$/d' | sort -u | grep -Ev "^(\s+|Loaded|Loading)"); echo -e "\nLibraries used:\n\n$libraries_used\n\n\nPackages that provide them:\n$providing_packages"Example response output:
# Example output list of libraries and packages# whose changelogs you should review# for possible breaking changes# before proceeding with updating them Libraries used: /lib64/ld-linux-x86-64.so.2libcom_err-beb60336.so.2.1libcom_err.so.2libcrypto-c1fa9491.so.1.0.2qlibcrypto.so.10libcrypt.so.1libc.so.6libdl.so.2libffi-806b1a9d.so.6.0.4libfreebl3.solibgssapi_krb5-174f8956.so.2.2libgssapi_krb5.so.2libk5crypto-622ef25b.so.3.1libk5crypto.so.3libkeyutils-1-ff31573b.2.solibkeyutils.so.1libkrb5-fb0d2caa.so.3.3libkrb5.so.3libkrb5support-d7ce89d4.so.0.1libkrb5support.so.0liblber-2.4.so.2liblber-2-d7edd0dc.4.so.2.10.7libldap_r-2.4.so.2libldap_r-2-9270213a.4.so.2.10.7libmaxminddb.so.0libm.so.6libnspr4.solibnss3.solibnssutil3.solibpcre.so.1libplc4.solibplds4.solibpq-bd31fe2b.so.5.11libpthread.so.0libpython3.6m.so.1.0libresolv.so.2librt.so.1libsasl2-e96a0dbf.so.2.0.22libsasl2.so.3libselinux-cf8f9094.so.1libselinux.so.1libsepol-b4f5b513.so.1libsmime3.solibssl3.solibssl-c0c2ede4.so.1.0.2qlibssl.so.10libutil.so.1libyaml-0.so.2libz-a147dcb0.so.1.2.3libz.so.1linux-vdso.so.1 Packages that provide them: 1:openssl-libs-1.0.2k-19.el7.i686 : A general purpose cryptography library withcyrus-sasl-lib-2.1.26-23.el7.i686 : Shared libraries needed by applicationsglibc-2.17-292.el7.i686 : The GNU libc librariesglibc-2.17-292.el7.x86_64 : The GNU libc librarieskeyutils-libs-1.5.8-3.el7.i686 : Key utilities librarykrb5-libs-1.15.1-37.el7_6.i686 : The non-admin shared libraries used by Kerberoskrb5-libs-1.15.1-37.el7_7.2.i686 : The non-admin shared libraries used bylibcom_err-1.42.9-16.el7.i686 : Common error description librarylibmaxminddb-1.2.0-6.el7.i686 : C library for the MaxMind DB file formatlibselinux-2.5-14.1.el7.i686 : SELinux library and simple utilitieslibyaml-0.1.4-11.el7_0.i686 : YAML 1.1 parser and emitter written in Cnspr-4.21.0-1.el7.i686 : Netscape Portable Runtimenss-3.44.0-4.el7.i686 : Network Security Servicesnss-3.44.0-7.el7_7.i686 : Network Security Servicesnss-softokn-freebl-3.44.0-5.el7.i686 : Freebl library for the Network Securitynss-softokn-freebl-3.44.0-8.el7_7.i686 : Freebl library for the Network Securitynss-util-3.44.0-3.el7.i686 : Network Security Services Utilities Librarynss-util-3.44.0-4.el7_7.i686 : Network Security Services Utilities Libraryopenldap-2.4.44-21.el7_6.i686 : LDAP support librariespcre-8.32-17.el7.i686 : Perl-compatible regular expression librarypython3-libs-3.6.8-10.el7.i686 : Python runtime librarieszlib-1.2.7-18.el7.i686 : The compression and decompression libraryThird-party products
Third-party software includes required dependencies for EclecticIQ Platform to operate correctly.
Make sure that the following software products are already installed on the target system before installing the platform.
During installation, the platform checks for the dependencies.
If they are missing, the installation procedure aborts.
|
eclecticiq-statsite |
5.0.1 |
Metrics aggregator for the dashboard based on Statsite. |
|
elasticsearch |
7.16.3 |
Elasticsearch database. |
|
jdk |
11 |
OpenJDK Java Platform. |
|
kibana |
7.16.3 |
Kibana reference documentation. |
|
logstash |
7.16.3 |
Logstash reference documentation. |
|
neo4j |
3.5 Community |
Neo4j graph database. |
|
nginx |
1.16.1 |
Nginx web server. |
|
poppler-utils |
0.26.5 |
poppler-utils download page. |
|
postfix |
2.10.1 |
Postfix email server. |
|
postgresql11 |
11.5 |
PostgreSQL database. |
|
python38 |
3.8.12 |
Python 3.8. |
|
redis |
5.0.6 |
Redis database. |
|
unrar |
5.3.0 |
unrar enables creating and extracting compressed archive files in .rar format. |
|
xmlsec1 |
1.2.20 |
xmlsec1 enables signing, verifying, encrypting, and decrypting XML documents. |
About Elasticsearch
During complex index upgrades and reindexing operations, Elasticsearch may require additional disk space to store temporary working files and temporary copies of the existing indices.
Monitor your Elasticsearch partition usage.
Before it reaches 50% of the available space in the partition extend it, so that the new partition size is at least twice as large as the sum of the existing Elasticsearch indices.
Example
If Elasticsearch currently uses 43 GB of disk space, extend the partition where Elasticsearch lives to at least 86 GB.
Bundled third-party software
EclecticIQ Platform is bundled with the following third-party software. Each product on the list abides by its own terms and conditions and its own license.
SELinux
EclecticIQ Platform supports SELinux.
If you are using or plan to use SELinux in the environment where the platform is installed, you should carry out this check.
If you are not using SELinux and are not planning to implement it in the environment where the platform is installed, you do not need to do anything and you can safely disregard this section.
Check SELinux status
If SELinux is installed, check if it is enabled or disabled by running the following command:
sestatus -vIf SELinux is disabled, the response includes the following line:
SELinux status: disabledCheck SELinux mode
You can check which SELinux mode is currently active by running the following command:
getenforceThe allowed modes are:
enforcing
permissive
disabled
The active mode may not be the same as the SELINUX value defined in the SELinux global configuration file:
# This file controls the state of SELinux on the system.# SELINUX= can take one of these three values:# enforcing - SELinux security policy is enforced.# permissive - SELinux prints warnings instead of enforcing.# disabled - No SELinux policy is loaded.SELINUX=permissive# SELINUXTYPE= can take one of three two values:# targeted - Targeted processes are protected,# minimum - Modification of targeted policy. Only selected processes are protected.# mls - Multi Level Security protection.SELINUXTYPE=targetedThis can occur after changing and saving SELinux global configuration file, and before executing a system reboot for the changes to become effective.
Set SELinux to permissive mode
The recommended SELinux mode to offload complexity during installation and configuration is permissive.
To set SELinux to work permissively run the following command:
setenforce permissivePost-installation check
If SELinux is installed and it is enabled, run the following command:
# Enforce SELinux to the platform backend filessemanage fcontext-a-t etc_t"/opt/eclecticiq-platform-backend(/.*)?"# Enforce SELinux to Nginx web server filessemanage fcontext-a-t httpd_config_t"/opt/eclecticiq-platform-backend/etc/nginx(/.*)?"semanage fcontext-a-t httpd_config_t"/opt/eclecticiq-platform-backend/etc/eclecticiq-nginx(/.*)?"# Enforce SELinux to Redis files# Replace '${path_to_redis_data_dir}' with the actual path to the the Redis data dirsemanage fcontext-a-t redis_var_lib_t"${path_to_redis_data_dir}/redis(/.*)?"# By default, newly created files and directories inherit the SELinux type# of the corresponding parents, so that log files have the correct type.# However, we do not want to relabel existing logs.semanage fcontext-a-t var_log_t-f d"/var/log"If SELinux policy-related errors occur, the command returns a response that can be similar to this example:
SELinux: Couldnotdowngrade policyfile/etc/selinux/targeted/policy/policy.31, searchingforan older version.SELinux: Couldnotopenpolicyfile<=/etc/selinux/targeted/policy/policy.31: No suchfileordirectory/sbin/load_policy: Can't load policy: No suchfileordirectory libsemanage.semanage_reload_policy: load_policy returned error code2.The response provides more context about the affected files and the reasons why it was not possible to set the security labels.
SELinux is not installed
If SELinux is not installed on the target system, do the following:
After completing the platform installation, install and enable SELinux.
To set the correct security contexts, execute the following script:
BASE_PATH="/opt/eclecticiq-platform-backend"if[-x"$(command -v semanage)"]; then SELINUX_MODE=$(getenforce)if! [ $SELINUX_MODE=="Disabled"]; then semanage fcontext-a-t etc_t"$BASE_PATH(/.*)?"# Enforce SELinux to the platform backend filessemanage fcontext-a-t etc_t"$BASE_PATH(/.*)?"# Enforce SELinux to Nginx web server filessemanage fcontext-a-t httpd_config_t"$BASE_PATH/etc/nginx(/.*)?"semanage fcontext-a-t httpd_config_t"$BASE_PATH/etc/eclecticiq-nginx(/.*)?"# Enforce SELinux to Redis files# Replace '${path_to_redis_data_dir}' with the actual path to the the Redis data dirsemanage fcontext-a-t redis_var_lib_t"${path_to_redis_data_dir}/redis(/.*)?"# By default, newly created files and directories inherit the SELinux type# of the corresponding parents, so that log files have the correct type.# However, we do not want to relabel existing logs.semanage fcontext-a-t var_log_t-f d"/var/log"restorecon-RF $BASE_PATHecho"SELinux security labels configured."elseecho"SELinux is not enabled. Security labels won't be configured."fielseecho"SELinux is not installed. Security labels won't be configured."fiYou may need to reboot the system for the changes to become effective.
SELinux is installed but it is not enabled
If SELinux is installed on the target system but it is not enabled, do the following:
Enable SELinux, either by editing its configuration file, and then by rebooting the system, or by running one of the following commands:
# Set SELinux to permissive mode$ setenforce0# Set SELinux to enforcing mode$ setenforce1# Create the following bash script:BASE_PATH="/opt/eclecticiq-platform-backend"if[-x"$(command -v semanage)"]; then SELINUX_MODE=$(getenforce)if! [ $SELINUX_MODE=="Disabled"]; then semanage fcontext-a-t etc_t"$BASE_PATH(/.*)?"# Enforce SELinux to the platform backend filessemanage fcontext-a-t etc_t"$BASE_PATH(/.*)?"# Enforce SELinux to Nginx web server filessemanage fcontext-a-t httpd_config_t"$BASE_PATH/etc/nginx(/.*)?"semanage fcontext-a-t httpd_config_t"$BASE_PATH/etc/eclecticiq-nginx(/.*)?"# Enforce SELinux to Redis files# Replace '${path_to_redis_data_dir}' with the actual path to the the Redis data dirsemanage fcontext-a-t redis_var_lib_t"${path_to_redis_data_dir}/redis(/.*)?"# By default, newly created files and directories inherit the SELinux type# of the corresponding parents, so that log files have the correct type.# However, we do not want to relabel existing logs.semanage fcontext-a-t var_log_t-f d"/var/log"restorecon-RF $BASE_PATHecho"SELinux security labels configured."elseecho"SELinux is not enabled. Security labels won't be configured."fielseecho"SELinux is not installed. Security labels won't be configured."fiSave it, make it executable, and then run it.
You may need to reboot the system for the changes to become effective.