Before you start RHEL#

Review these system requirements before proceeding to install EclecticIQ Intelligence Center from an RPM package.

Conventions#

Command and code examples#

Some examples require you to run terminal commands as root.

# Open a root login shell for the currently logged-in user
sudo -i
 
# Open a login shell as a different user
sudo -i -u ${user_name}
 
# Run a single command as a different user, in that user's login environment
sudo -i -u ${user_name} ${command} ${options}

Placeholder variables#

Example commands may describe placeholder variables using bash parameter substitution like this:

${placeholder_variable_name}

In this case, the example usually asks you to set the value of placeholder_variable_name beforehand. You can also substitute it in the command yourself; for example, with username=admin and domain=example.com:

# Example given:
ssh ${username}@${domain}

# After substitution
ssh admin@example.com

Software downloaders and package managers#

When the documentation includes code snippets to provide examples of how to retrieve a product to install, most code examples use wget or curl.

If these products are not installed on your system, download and install them.

Otherwise, feel free to use any other viable alternative that enables retrieving assets and resources from the Internet.

yum and rpm are standard package managers for both CentOS and RHEL.

You should also be able to pin (lock) specific versions of Intelligence Center dependencies after installing them, so that a routine yum update does not move them past the versions the release was tested with.

To do this, use the yum versionlock plugin (package yum-plugin-versionlock), which adds a versionlock subcommand to yum:

# Pin/Lock a package to the currently installed version
yum versionlock add ${package_name}
 
# Unpin/Unlock all packages, for example before an upgrade
yum versionlock clear

Warning

If you need to troubleshoot the Intelligence Center, do not use debuggers in production environments.

Debuggers can enable arbitrary code execution. This is a security risk.

About EclecticIQ Intelligence Center#

EclecticIQ Intelligence Center is powered by STIX and TAXII open standards.

It enables ingesting, consolidating, analyzing, integrating, and collaborating on cyber threat intelligence from multiple sources in a broad range of formats.

  • Feed management: manage multiple cyber threat intelligence feeds from any source, in many different formats.

  • Enrichment: enrich existing intelligence with external data sources that provide more context, and refine it with de-duplication and pattern recognition.

  • Sharing: share threat intelligence with partners to participate in a collaborative information ecosystem.

  • Collaboration: analyze and author intelligence together with other teams and departments.

  • Insights: generate insight thanks to a high-fidelity, normalized view into your intelligence.

  • Integration: understand how cyber threat intelligence relates to, and can affect, your organization and your environment.

Hardware requirements#

Hardware requirements for EclecticIQ Intelligence Center can vary, depending on the target system and the environment you plan to install EclecticIQ Intelligence Center to. The requirements outlined in this section are general guidelines that work in most cases, but they are not tailored to any specific situation or use case.

Single box#

Hardware requirement guidelines for installing EclecticIQ Intelligence Center and its dependencies on a single system/machine.

Hardware: minimum / recommended, followed by notes.

  • CPUs: 4 / 8.

    Core count includes hyper-threaded (HT) logical cores.

  • CPU speed: 2.5 GHz / 2.5 GHz or faster.

  • Memory: 32 GB / 64 GB or more.

    A production environment should feature at least 64 GB memory. Consider increasing it to 96 GB when dealing with, for example, large data corpora ingestion or data-intensive graph visualizations.

    Redis requires at least 4 GB memory (maxmemory 4gb in /etc/eclecticiq-redis/redis.conf). Consider 8 GB or more to process very long queues (millions of queued items).

    Operations and tasks carried out through the web-based GUI may be memory-intensive; the web browser may occasionally use ~1 GB or more.

    Monitor system memory usage to determine whether your system needs more memory to operate smoothly.

  • Storage: SATA, 100 IOPS / SSD, 200-500 IOPS.

    Local attached storage is preferable to SAN or NAS, because Intelligence Center operations are write-intensive.

  • Drives: 5 / 10.

    10 drives enable setting up 5 sets of mirrored drives (RAID 1).

  • Drive allocation (GB): each Intelligence Center database should be allocated a dedicated drive for data storage.

    10 / 20: root (EclecticIQ Intelligence Center + Redis).

    10 / 20: log data storage.

    25 / 50: Neo4j, graph database.

    100 / 150: Elasticsearch, searching and indexing. On average, allocate Elasticsearch about half the space you assign to PostgreSQL.

    200 / 300: PostgreSQL, main data storage.

  • Network: 2 network interfaces / 2 network interfaces.

    One interface for production, the other for system management.

  • Install size: ~240 GB / ~240 GB.

    Full install, based on the VM image size.

Scaling out#

The easiest approach to scaling out involves allocating dedicated machines to the databases. In this scenario, you install each of the following components on a separate machine:

  • EclecticIQ Intelligence Center

  • PostgreSQL

  • Redis

  • Elasticsearch

  • Neo4j Enterprise Edition

    (This edition supports clustering across multiple machines; it requires a purchased license.)

To optimize read-write operations and to ensure that the storage drives are fast, set up dedicated drives per partition.

The SYSTEMD_SERVICES list in the platform_settings.py settings file stores a list of systemd services that EclecticIQ Intelligence Center should monitor.

Note

EclecticIQ Intelligence Center can only monitor local systemd services.

If Intelligence Center services are distributed across several virtual or physical machines, remove those remote services from the SYSTEMD_SERVICES list to stop EclecticIQ Intelligence Center from attempting to contact them.

Software requirements#

Credentials and host name#

To correctly configure the system after installing the required dependencies and third-party products, ensure you have the following information available:

  • Fully qualified domain name of the host machine you are going to use to access EclecticIQ Intelligence Center.

  • SSL certificate and key for the web server.

  • EclecticIQ Intelligence Center login credentials.

User name and password#

During the installation, you are prompted to assign the administrator account a user name and a password.

By default, an Intelligence Center installation prompts you to create only an administrator account, because EclecticIQ Intelligence Center requires at least one active administrator user profile at any given time.

Follow these guidelines to define a strong password:

  • It should be between 10 and 64 characters long.

  • It should contain at least one uppercase alphabetic character.

  • It should contain at least one special character.

  • It should contain at least one number.

  • It should not reuse a previous password. The user password history keeps the previous 100 passwords.

  • It should not be on NBP, the NIST Bad Passwords list.

  • It should not include the user name it is associated with.

For more information, see the NIST digital identity guidelines (SP 800-63B).
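The guidelines above map directly onto a validator. The following is an added example written in Python (the language of the product backend); it is not EclecticIQ's own password-policy code. The function names, the short stand-in for the NIST Bad Passwords list and the sample password history are constructed for this example.

```python
"""Added example (not EclecticIQ code): a validator for the administrator
password guidelines listed above. The function names, the short stand-in for
the NIST Bad Passwords list and the sample history are constructed here."""
import re
from typing import List, Sequence, Set

MIN_LEN, MAX_LEN = 10, 64
HISTORY_DEPTH = 100  # the page states that the previous 100 passwords are kept
SPECIAL = re.compile(r"[^A-Za-z0-9]")  # anything that is not a letter or digit

# Constructed stand-in for NBP; load the full published list in a real deployment.
SAMPLE_BAD_PASSWORDS: Set[str] = {"password", "123456", "qwerty", "letmein", "welcome1"}


def password_violations(candidate: str, username: str,
                        history: Sequence[str] = (),
                        bad_passwords: Set[str] = SAMPLE_BAD_PASSWORDS) -> List[str]:
    """Return every guideline the candidate breaks; an empty list means accepted.

    `history` is ordered oldest to newest. A real deployment stores hashes rather
    than plaintext and compares by verifying the candidate against each hash.
    """
    problems: List[str] = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("missing an uppercase character")
    if not SPECIAL.search(candidate):
        problems.append("missing a special character")
    if not any(c.isdigit() for c in candidate):
        problems.append("missing a digit")
    if candidate in history[-HISTORY_DEPTH:]:  # only the last 100 entries count
        problems.append("reuses one of the previous 100 passwords")
    if candidate.lower() in bad_passwords:
        problems.append("appears on the bad-password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the user name")
    return problems


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&Strong", "Admin#2024pass", "Passw0rd!!"):
        verdict = password_violations(pw, "admin", history=["Passw0rd!!"])
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The validator reports every broken rule at once rather than stopping at the first, which is what an operator setting the administrator password wants to see. Note that the bad-password comparison is case-insensitive, and that the history window is enforced by slicing the last 100 entries, so a password older than that is accepted again.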

Operating systems#

Supported operating systems#

The following operating systems are supported:

Deprecated operating systems#

As of release 2.9.0, support for the following operating systems is deprecated:

  • CentOS 7.8 (2003)

  • CentOS 7.7 (1908)

  • CentOS 7.6 (1810)

  • Red Hat Enterprise Linux 7.8

  • Red Hat Enterprise Linux 7.7

  • Red Hat Enterprise Linux 7.6

  • Ubuntu Server 16.04 Xenial Xerus

CentOS 7.6 (1810), 7.7 (1908), and 7.8 (2003), and Red Hat Enterprise Linux 7.6, 7.7, and 7.8 remain compatible with release 2.9.x, but they are no longer supported.

Ubuntu Server is no longer supported.

Access permissions#

The installation procedure requires a umask value of 0022 to allow creating and modifying files and directories on the target system.

Encoding#

EclecticIQ Intelligence Center uses and expects text data in UTF-8.

Dependencies and components that exchange data with EclecticIQ Intelligence Center must use the same encoding.

The LANG environment variable must be set to en_US.UTF-8. Example: LANG=en_US.UTF-8

Locale#

The system locale must be en_US.UTF-8.

To check and, if necessary, set the system locale to en_US.UTF-8:

if [ "$LANG" != "en_US.UTF-8" ]; then localectl set-locale LANG=en_US.UTF-8; fi

localectl writes the setting to /etc/locale.conf, which applies to new login sessions; the current shell keeps its old LANG value until you export the new one or log in again.

Time zone#

The global time zone configuration must be UTC.

While you can set a local or a custom time zone value to display local time on EclecticIQ Intelligence Center, the host system time zone must be consistently on UTC time.

This includes OS, databases, as well as any other products or components that enable setting a time zone, and that interact/interoperate with EclecticIQ Intelligence Center.

To set the system time zone to UTC:

timedatectl set-timezone UTC
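The umask, encoding, locale and time zone requirements above are easy to verify in one pass before starting the installation. The following is an added example in Python, not part of this page or of the product: the check functions take their inputs as arguments so they can be tested offline, and the collectors at the bottom read the live values. Resolving the zone name through the /etc/localtime symlink is an assumption that matches what timedatectl writes on RHEL/CentOS 7.

```python
"""Added example (not EclecticIQ code): one pre-install check for the host
settings required above (umask 0022, LANG=en_US.UTF-8, system time zone UTC).
Reading the zone from the /etc/localtime symlink is an assumption that matches
what timedatectl writes on RHEL/CentOS 7."""
import os
import time
from typing import Dict, List, Optional

REQUIRED_UMASK = 0o022
REQUIRED_LANG = "en_US.UTF-8"
UTC_NAMES = ("UTC", "Etc/UTC")


def check_umask(mask: int) -> Optional[str]:
    """None when the mask is 0022, otherwise a description of the problem."""
    return None if mask == REQUIRED_UMASK else f"umask is {mask:04o}, expected 0022"


def check_lang(env: Dict[str, str]) -> Optional[str]:
    lang = env.get("LANG", "")
    return None if lang == REQUIRED_LANG else f"LANG is {lang!r}, expected {REQUIRED_LANG}"


def check_timezone(zone: str) -> Optional[str]:
    return None if zone in UTC_NAMES else f"time zone is {zone!r}, expected UTC"


def evaluate(mask: int, env: Dict[str, str], zone: str) -> List[str]:
    """Run every check and return all failures, so they can be fixed in one pass."""
    results = (check_umask(mask), check_lang(env), check_timezone(zone))
    return [problem for problem in results if problem]


def current_umask() -> int:
    # os.umask() installs a new mask and returns the previous one: set, then restore.
    previous = os.umask(0)
    os.umask(previous)
    return previous


def current_zone() -> str:
    try:
        # timedatectl set-timezone UTC makes this a link such as ../usr/share/zoneinfo/UTC
        target = os.readlink("/etc/localtime")
        return target.split("zoneinfo/", 1)[1]
    except (OSError, IndexError):
        return time.tzname[0]  # not a symlink: fall back to what libc reports


if __name__ == "__main__":
    failures = evaluate(current_umask(), dict(os.environ), current_zone())
    for failure in failures:
        print("FAIL:", failure)
    if not failures:
        print("OK: umask, LANG and time zone match the requirements")
    raise SystemExit(1 if failures else 0)
```

Run it as the user that will perform the installation, since umask and LANG are per-session values; a non-zero exit status makes it usable as a gate in a provisioning script.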

Data mount points#

When installing and configuring Intelligence Center components such as PostgreSQL, Redis, Elasticsearch, and Neo4j, specify dedicated locations where these products store their data.

These are the recommended mount point paths for each data store:

Component: mount point, minimum size (GB) / recommended size (GB)

  • Logs: /var/log, 10 / 20

  • Elasticsearch: /media/elasticsearch, 100 / 150

  • Neo4j: /media/neo4j, 25 / 50

  • PostgreSQL: /media/pgsql, 200 / 300

  • Redis: /media/redis, 10 / 20

Note

About Redis

In a single box installation scenario, Redis is installed on the root partition, together with EclecticIQ Intelligence Center.

During the configuration step, you can set the Redis data location in the redis.conf configuration file (the dir directive).

The recommended target directory for Redis data is /media/redis.

This is not a mount point on a separate partition; it is a subdirectory in the root partition.

Databases and network binding#

On a single machine installation, network interface bindings for services are set to 127.0.0.1 by default, except for PostgreSQL, whose network access is controlled by the host-based authentication rules in pg_hba.conf shown below.

Instructions may have asked you to change this to a more permissive binding in multi-machine installations, or you may be using an older installation where defaults were set to 0.0.0.0.

The table below shows a list of configuration files where network interface bindings are set for each service.

You may want to change these bindings to suit your environment.

For each service: file path(s), parameters, and notes.

  • Elasticsearch

    /etc/systemd/system/elasticsearch.service.d/20-eclecticiq.conf

    [Service]
    Environment=BINDING_ADDRESS=127.0.0.1

    For more information, see Elasticsearch's documentation.

  • Neo4j

    /etc/eclecticiq-neo4j/neo4j.conf

    dbms.connector.bolt.listen_address=:7687
    dbms.connector.http.listen_address=:7474
    dbms.connector.https.listen_address=:7473

    dbms.connectors.default_listen_address is left unset and defaults to 127.0.0.1. A listen_address with an empty host part, such as :7687, takes its host from that default, so all three connectors bind to loopback.

    For more information, see Configure connectors and dbms.connectors.default_listen_address.

  • PostgreSQL

    /etc/eclecticiq-postgres/pg_hba.conf

    TYPE    DATABASE        USER            ADDRESS                 METHOD
    local   all             postgres                                trust
    host    all             all             samenet                 md5
    host    all             all             0.0.0.0/0               password

    Rules are matched top to bottom. The 0.0.0.0/0 rule matches every IPv4 client, and the password method sends the password in clear text unless the connection uses TLS; narrow the address to the subnets of the hosts that actually need access.

    For more information, see The pg_hba.conf File.

  • Redis

    /etc/eclecticiq-redis/redis.conf

    bind 127.0.0.1

    For more information, see Redis security and redis.conf.
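Because the four settings above live in four different file formats, it is easy to loosen one during a multi-machine setup and forget it. The following is an added example in Python, not EclecticIQ code: it parses each file's documented syntax and reports anything reachable beyond the loopback interface. The sample configuration text is constructed for this example; the pg_hba sample reproduces the rules quoted above, with the column header turned into a comment as it is in the real file.

```python
"""Added example (not EclecticIQ code): audit the binding settings listed
above and report anything reachable beyond the loopback interface. The sample
configuration text is constructed; the parsing follows the documented syntax
of redis.conf, neo4j.conf, pg_hba.conf and systemd drop-in files."""
import ipaddress
import re
from typing import Dict, List


def _lines(text: str) -> List[str]:
    """Non-empty lines with comments and surrounding whitespace removed."""
    lines = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            lines.append(line)
    return lines


def _is_loopback(host: str) -> bool:
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def audit_redis(conf: str) -> List[str]:
    """Redis listens on every interface when no 'bind' directive is present."""
    findings = []
    binds = [line.split()[1:] for line in _lines(conf) if line.split()[0] == "bind"]
    if not binds:
        findings.append("redis: no 'bind' directive; Redis listens on all interfaces")
    for addr in (a for addrs in binds for a in addrs):
        if not _is_loopback(addr):
            findings.append(f"redis: bound to non-loopback address {addr}")
    return findings


def audit_neo4j(conf: str) -> List[str]:
    """A listen_address with an empty host part (':7687') inherits the default."""
    findings = []
    settings: Dict[str, str] = {}
    for line in _lines(conf):
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    default = settings.get("dbms.connectors.default_listen_address", "127.0.0.1")  # unset -> loopback
    if not _is_loopback(default):
        findings.append(f"neo4j: default_listen_address is {default}")
    for key, value in settings.items():
        match = re.fullmatch(r"dbms\.connector\.(\w+)\.listen_address", key)
        if match:
            host = value.rsplit(":", 1)[0] if ":" in value else value
            host = host or default
            if not _is_loopback(host):
                findings.append(f"neo4j: {match.group(1)} connector listens on {host}")
    return findings


def audit_pg_hba(conf: str) -> List[str]:
    """Flag network rules that match every client, skip auth, or send cleartext."""
    findings = []
    for line in _lines(conf):
        fields = line.split()
        if fields[0] == "local" or len(fields) < 5:
            continue  # Unix-socket rules are not reachable over the network
        rtype, database, user, address, method = fields[:5]
        try:
            any_client = ipaddress.ip_network(address, strict=False).prefixlen == 0
        except ValueError:
            any_client = address == "all"  # 'samenet', 'samehost' or a host name
        if any_client:
            findings.append(f"pg_hba: {rtype} rule for {user}@{database} matches every client ({address})")
        if method == "trust":
            findings.append(f"pg_hba: {rtype} rule {address} uses 'trust' (no authentication)")
        if method == "password":
            findings.append(f"pg_hba: {rtype} rule {address} uses 'password' (cleartext unless TLS is enforced)")
    return findings


def audit_elasticsearch_dropin(conf: str) -> List[str]:
    """The systemd drop-in above passes the bind address as an environment variable."""
    for line in _lines(conf):
        match = re.fullmatch(r"Environment=BINDING_ADDRESS=(\S+)", line)
        if match and not _is_loopback(match.group(1)):
            return [f"elasticsearch: BINDING_ADDRESS is {match.group(1)}"]
    return []


# Constructed sample: the pg_hba.conf rules quoted on this page.
PAGE_PG_HBA = """
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                trust
host    all             all             samenet                 md5
host    all             all             0.0.0.0/0               password
"""

if __name__ == "__main__":
    for finding in (audit_redis("# bind 127.0.0.1\nport 6379\n")
                    + audit_neo4j("dbms.connectors.default_listen_address=0.0.0.0\n"
                                  "dbms.connector.bolt.listen_address=:7687\n")
                    + audit_pg_hba(PAGE_PG_HBA)
                    + audit_elasticsearch_dropin("[Service]\nEnvironment=BINDING_ADDRESS=0.0.0.0\n")):
        print(finding)
```

Point the functions at the real files (for example `audit_redis(open("/etc/eclecticiq-redis/redis.conf").read())`) on each host after a multi-machine change. The local `trust` rule is deliberately not flagged: it is only reachable through the Unix socket, although it does let any local OS account connect as postgres.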

Web browsers#

EclecticIQ Intelligence Center web interface supports the following browsers.

Fully supported (latest versions of):

  • Google Chrome

Functionally supported (latest versions of):

  • Microsoft Edge

  • Mozilla Firefox

  • Microsoft Internet Explorer 11

  • Opera

  • Apple Safari

Updating products at OS level#

We recommend that you review all operating system (OS) package updates when updating the EclecticIQ Intelligence Center host.

To list the shared libraries that the backend's native Python extensions link against, and the OS packages that provide them, start a terminal session and run the following commands. Adjust the python3.x directory to the Python version bundled with your release:

# Shared libraries used by the native extensions in the backend's site-packages
libraries_used=$(find /opt/eclecticiq-platform-backend/lib/python3.6/site-packages/ -name "*.so" \
  | xargs ldd \
  | sed -r '/^\s/!d' \
  | awk '{print $1}' \
  | sort -u)

# OS packages that provide those libraries, with the 'yum provides' noise lines removed
providing_packages=$(echo $libraries_used \
  | xargs yum provides \
  | sed -r '/^(Provides\s*:|Filename\s*:|Repo\s*:|Matched from\s*:).*$/d' \
  | sort -u \
  | grep -Ev "^(\s+|Loaded|Loading)")

echo -e "\nLibraries used:\n\n$libraries_used\n\n\nPackages that provide them:\n$providing_packages"

Example response output:

# Example output list of libraries and packages
# whose changelogs you should review
# for possible breaking changes
# before proceeding with updating them
 
 
Libraries used:
 
/lib64/ld-linux-x86-64.so.2
libcom_err-beb60336.so.2.1
libcom_err.so.2
libcrypto-c1fa9491.so.1.0.2q
libcrypto.so.10
libcrypt.so.1
libc.so.6
libdl.so.2
libffi-806b1a9d.so.6.0.4
libfreebl3.so
libgssapi_krb5-174f8956.so.2.2
libgssapi_krb5.so.2
libk5crypto-622ef25b.so.3.1
libk5crypto.so.3
libkeyutils-1-ff31573b.2.so
libkeyutils.so.1
libkrb5-fb0d2caa.so.3.3
libkrb5.so.3
libkrb5support-d7ce89d4.so.0.1
libkrb5support.so.0
liblber-2.4.so.2
liblber-2-d7edd0dc.4.so.2.10.7
libldap_r-2.4.so.2
libldap_r-2-9270213a.4.so.2.10.7
libmaxminddb.so.0
libm.so.6
libnspr4.so
libnss3.so
libnssutil3.so
libpcre.so.1
libplc4.so
libplds4.so
libpq-bd31fe2b.so.5.11
libpthread.so.0
libpython3.6m.so.1.0
libresolv.so.2
librt.so.1
libsasl2-e96a0dbf.so.2.0.22
libsasl2.so.3
libselinux-cf8f9094.so.1
libselinux.so.1
libsepol-b4f5b513.so.1
libsmime3.so
libssl3.so
libssl-c0c2ede4.so.1.0.2q
libssl.so.10
libutil.so.1
libyaml-0.so.2
libz-a147dcb0.so.1.2.3
libz.so.1
linux-vdso.so.1
 
 
Packages that provide them:
 
1:openssl-libs-1.0.2k-19.el7.i686 : A general purpose cryptography library with
cyrus-sasl-lib-2.1.26-23.el7.i686 : Shared libraries needed by applications
glibc-2.17-292.el7.i686 : The GNU libc libraries
glibc-2.17-292.el7.x86_64 : The GNU libc libraries
keyutils-libs-1.5.8-3.el7.i686 : Key utilities library
krb5-libs-1.15.1-37.el7_6.i686 : The non-admin shared libraries used by Kerberos
krb5-libs-1.15.1-37.el7_7.2.i686 : The non-admin shared libraries used by
libcom_err-1.42.9-16.el7.i686 : Common error description library
libmaxminddb-1.2.0-6.el7.i686 : C library for the MaxMind DB file format
libselinux-2.5-14.1.el7.i686 : SELinux library and simple utilities
libyaml-0.1.4-11.el7_0.i686 : YAML 1.1 parser and emitter written in C
nspr-4.21.0-1.el7.i686 : Netscape Portable Runtime
nss-3.44.0-4.el7.i686 : Network Security Services
nss-3.44.0-7.el7_7.i686 : Network Security Services
nss-softokn-freebl-3.44.0-5.el7.i686 : Freebl library for the Network Security
nss-softokn-freebl-3.44.0-8.el7_7.i686 : Freebl library for the Network Security
nss-util-3.44.0-3.el7.i686 : Network Security Services Utilities Library
nss-util-3.44.0-4.el7_7.i686 : Network Security Services Utilities Library
openldap-2.4.44-21.el7_6.i686 : LDAP support libraries
pcre-8.32-17.el7.i686 : Perl-compatible regular expression library
python3-libs-3.6.8-10.el7.i686 : Python runtime libraries
zlib-1.2.7-18.el7.i686 : The compression and decompression library
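The output above mixes two kinds of library. Names such as libcrypto.so.10 come from OS packages that yum updates; names with an eight-hex-digit tag, such as libcrypto-c1fa9491.so.1.0.2q or libpq-bd31fe2b.so.5.11, are copies bundled inside manylinux Python wheels (psycopg2-binary ships its own libpq and OpenSSL), and `yum update` never touches them. They change only when the wheel, and therefore the product release, is upgraded, so they need to be tracked separately. The following is an added example in Python, not EclecticIQ code, that parses ldd output offline and splits the two groups. The ldd transcript is constructed for this example, and the .libs directory names in it are assumptions modelled on the site-packages path used in the command above.

```python
"""Added example (not EclecticIQ code): parse ldd output offline and separate
the libraries that yum maintains from copies bundled inside Python wheels.
The ldd transcript and its .libs directory names are constructed."""
import re
from typing import Dict, Set

# auditwheel (manylinux) renames bundled libraries with an 8-hex-digit tag,
# e.g. libcrypto-c1fa9491.so.1.0.2q or libkeyutils-1-ff31573b.2.so.
VENDORED_TAG = re.compile(r"-[0-9a-f]{8}\.")
VIRTUAL = {"linux-vdso.so.1", "linux-gate.so.1"}  # mapped in by the kernel, not files


def parse_ldd(output: str) -> Dict[str, str]:
    """Map each needed soname to its resolved path ('' for virtual objects)."""
    deps: Dict[str, str] = {}
    for raw in output.splitlines():
        if not raw[:1].isspace():
            continue  # header line naming the object being inspected
        line = raw.strip()
        if " => " in line:
            name, rest = line.split(" => ", 1)
            path = rest.split(" (", 1)[0].strip()
        else:  # the dynamic loader is listed by path only
            name = path = line.split(" (", 1)[0]
        deps[name] = path
    return deps


def classify(deps: Dict[str, str]) -> Dict[str, Set[str]]:
    """Split sonames into system, vendored (wheel-bundled), virtual and missing."""
    groups: Dict[str, Set[str]] = {"system": set(), "vendored": set(), "virtual": set(), "missing": set()}
    for name, path in deps.items():
        if path == "not found":
            groups["missing"].add(name)
        elif name in VIRTUAL:
            groups["virtual"].add(name)
        elif VENDORED_TAG.search(name) or "/site-packages/" in path:
            groups["vendored"].add(name)
        else:
            groups["system"].add(name)
    return groups


# Constructed ldd transcript for two native extensions; paths are illustrative.
SAMPLE_LDD = """\
/opt/eclecticiq-platform-backend/lib/python3.6/site-packages/psycopg2/_psycopg.cpython-36m-x86_64-linux-gnu.so:
\tlinux-vdso.so.1 =>  (0x00007ffd8a5f1000)
\tlibpq-bd31fe2b.so.5.11 => /opt/eclecticiq-platform-backend/lib/python3.6/site-packages/psycopg2/.libs/libpq-bd31fe2b.so.5.11 (0x00007f3c2f1a0000)
\tlibcrypto-c1fa9491.so.1.0.2q => /opt/eclecticiq-platform-backend/lib/python3.6/site-packages/psycopg2/.libs/libcrypto-c1fa9491.so.1.0.2q (0x00007f3c2ed00000)
\tlibpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3c2eae4000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f3c2e716000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f3c2f600000)
/opt/eclecticiq-platform-backend/lib/python3.6/site-packages/_cffi_backend.cpython-36m-x86_64-linux-gnu.so:
\tlinux-vdso.so.1 =>  (0x00007ffe1c3d9000)
\tlibffi-806b1a9d.so.6.0.4 => /opt/eclecticiq-platform-backend/lib/python3.6/site-packages/.libs_cffi_backend/libffi-806b1a9d.so.6.0.4 (0x00007f9e0d4b0000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f9e0d0e2000)
\tlibmissing.so.1 => not found
\t/lib64/ld-linux-x86-64.so.2 (0x00007f9e0d8c0000)
"""

if __name__ == "__main__":
    for group, names in classify(parse_ldd(SAMPLE_LDD)).items():
        print(f"{group} ({len(names)}):")
        for name in sorted(names):
            print("   ", name)
```

Feed it real output with `classify(parse_ldd(subprocess.run(["ldd", *so_files], capture_output=True, text=True).stdout))`. Only the "system" group is worth passing to `yum provides`; the "vendored" group is the list to compare against the release notes of the next product version, and anything in "missing" means an extension will fail to import.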

Third-party products#

EclecticIQ Intelligence Center is bundled with the following third-party packages (package, version, description):

  • eclecticiq-statsite 6.0.0: metrics aggregator for the dashboard, based on Statsite.

  • elasticsearch 7.16.3: Elasticsearch database.

  • jdk 11: OpenJDK Java platform.

  • kibana 7.16.3: Kibana.

  • logstash 7.16.3: Logstash.

  • neo4j 3.5 Community: Neo4j graph database.

  • nginx 1.16.1: Nginx web server.

  • poppler-utils 0.26.5: Poppler PDF command-line utilities.

  • postfix 2.10.1: Postfix email server.

  • postgresql11 11.5: PostgreSQL database.

  • python38 3.8.12: Python 3.8.

  • redis 5.0.6: Redis database.

  • unrar 5.3.0: extracts compressed archive files in .rar format.

  • xmlsec1 1.2.20: signs, verifies, encrypts, and decrypts XML documents.

Note

About Elasticsearch

During complex index upgrades and reindexing operations, Elasticsearch may require additional disk space to store temporary working files and temporary copies of the existing indices.

Monitor your Elasticsearch partition usage.

Before usage reaches 50% of the available space in the partition, extend the partition so that its new size is at least twice the combined size of the existing Elasticsearch indices.

Example

If Elasticsearch currently uses 43 GB of disk space, extend the partition where Elasticsearch lives to at least 86 GB.

Bundled third-party software#

EclecticIQ Platform is bundled with the following third-party software. Each product on the list abides by its own terms and conditions and its own license.

package.json (sourced from the EIQ platform-ui repository)

Frontend third-party dependencies

  "dependencies": {
    "@currents/cli": "^2.0.0",
    "@headlessui/react": "^0.2.0",
    "@popperjs/core": "^2.9.2",
    "@sentry/browser": "^5.12.1",
    "@tinymce/tinymce-react": "^3.12.6",
    "@types/flux": "^3.1.11",
    "axios": "^0.27.2",
    "classnames": "^2.2.6",
    "clipboard-copy": "^3.1.0",
    "cypress-real-events": "^1.7.0",
    "debug": "^2.6.3",
    "dompurify": "2.2.3",
    "draft-convert": "^2.1.4",
    "draft-js": "^0.11.7",
    "escape-string-regexp": "^1.0.5",
    "filesize": "^3.5.6",
    "flux": "4.0.3",
    "he": "^1.1.1",
    "history": "^4.6.1",
    "image-size": "^0.5.0",
    "immutability-helper": "^2.4.0",
    "immutable": "3.8.1",
    "json-stable-stringify": "^1.0.1",
    "jwt-decode": "^2.2.0",
    "keycode": "^2.2.0",
    "keylines": "file:./src/vendor/keylines",
    "keymirror": "~0.1.0",
    "lodash": "^4.17.21",
    "markdown-it": "^12.3.2",
    "markdown-it-regexp": "^0.4.0",
    "microdata": "^1.1.3",
    "moment": "^2.24.0",
    "moment-timezone": "0.5.3",
    "pluralize": "^8.0.0",
    "postinstall-postinstall": "^2.1.0",
    "qrcode": "^1.4.4",
    "qs": "^6.10.1",
    "raw-loader": "^0.5.1",
    "react": "^17.0.2",
    "react-addons-shallow-compare": "^15.6.2",
    "react-click-outside": "^2.1.0",
    "react-dates": "17.0.0",
    "react-dnd": "^11.1.3",
    "react-dnd-html5-backend": "^11.1.3",
    "react-dom": "^17.0.2",
    "react-dropzone": "^3.3.2",
    "react-filtered-multiselect": "^0.4.2",
    "react-hook-form": "^7.20.2",
    "react-immutable-proptypes": "^1.5.0",
    "react-pdf": "^4.0.0",
    "react-popper": "^2.2.5",
    "react-query": "^3.16.0",
    "react-redux": "^7.2.5",
    "react-resize-detector": "^5.2.0",
    "react-router": "^5.2.0",
    "react-router-dom": "^5.2.0",
    "react-select": "1.0.1",
    "react-split": "^2.0.9",
    "react-string-replace": "^0.3.2",
    "react-tether": "^1.0.4",
    "react-time-picker": "^1.1.0",
    "react-treeview": "^0.4.2",
    "react-use": "^17.2.3",
    "redux": "^4.0.0",
    "redux-devtools-extension": "^2.13.8",
    "reselect": "^3.0.1",
    "scrollbar-width": "^3.1.1",
    "superagent": "^3.8.1",
    "superagent-promise": "^1.1.0",
    "superagent-throttle": "1.0.0",
    "tcomb-form": "0.9.20",
    "transit-immutable-js": "^0.5.2",
    "transit-js": "^0.8.846",
    "typed-immutable": "0.0.7",
    "word-wrap": "^1.2.3",
    "zeroday": "git+ssh://[email protected]:engineering/zeroday.git#^3.x.x"
  },

requirements-prod.txt (sourced from EIQ platform-backend)

Backend third-party dependencies

aiohttp==3.8.1
    # via geoip2
aiosignal==1.2.0
    # via aiohttp
alembic==1.7.4
    # via -r requirements/requirements-prod.in
amqp==5.0.9
    # via kombu
antlr4-python3-runtime==4.8
    # via stix2-patterns
apispec[yaml]==3.3.0
    # via
    #   -r requirements/requirements-prod.in
    #   apispec-webframeworks
apispec-webframeworks==0.5.0
    # via -r requirements/requirements-prod.in
appdirs==1.4.4
    # via urlextract
async-timeout==4.0.2
    # via aiohttp
attrs==21.4.0
    # via
    #   -r requirements/requirements-prod.in
    #   aiohttp
    #   cattrs
    #   jsonschema
    #   quuz
authlib==0.14.3
    # via flask-azure-oauth
backcall==0.2.0
    # via ipython
bcrypt==3.1.7
    # via paramiko
beautifulsoup4==4.7.1
    # via -r requirements/requirements-prod.in
billiard==3.6.4.0
    # via celery
blinker==1.4
    # via
    #   -r requirements/requirements-prod.in
    #   opentaxii
    #   quuz
boto3==1.20.24
    # via -r requirements/requirements-prod.in
botocore==1.23.24
    # via
    #   boto3
    #   s3transfer
cabby==0.1.23
    # via -r requirements/requirements-prod.in
cachetools==3.1.0
    # via -r requirements/requirements-prod.in
cairocffi==1.2.0
    # via
    #   cairosvg
    #   weasyprint
cairosvg==2.5.2
    # via weasyprint
cattrs==1.0.0
    # via -r requirements/requirements-prod.in
celery==5.2.3
    # via -r requirements/requirements-prod.in
certifi==2020.4.5.2
    # via
    #   elasticsearch
    #   elasticsearch-curator
    #   requests
    #   sentry-sdk
cffi==1.14.0
    # via
    #   bcrypt
    #   cairocffi
    #   cryptography
    #   pynacl
    #   weasyprint
chardet==4.0.0
    # via requests
charset-normalizer==2.0.12
    # via aiohttp
click==8.0.3
    # via
    #   -r requirements/requirements-prod.in
    #   celery
    #   click-didyoumean
    #   click-plugins
    #   click-repl
    #   flask
    #   objectivistix
    #   quuz
click-didyoumean==0.0.3
    # via celery
click-plugins==1.1.1
    # via celery
click-repl==0.2.0
    # via celery
colorama==0.3.9
    # via -r requirements/requirements-prod.in
colorlog==4.1.0
    # via cabby
cryptography==3.4.7
    # via
    #   -r requirements/requirements-prod.in
    #   authlib
    #   msal
    #   paramiko
    #   pyjwt
    #   pyopenssl
    #   pysaml2
cssselect2==0.3.0
    # via
    #   cairosvg
    #   weasyprint
datauri==1.0.0
    # via -r requirements/requirements-prod.in
dateparser==0.7.4
    # via -r requirements/requirements-prod.in
decorator==4.4.2
    # via
    #   ipdb
    #   ipython
    #   traitlets
    #   validators
defusedxml==0.6.0
    # via
    #   cairosvg
    #   pysaml2
deprecated==1.2.12
    # via pymisp
elasticsearch==7.17.0
    # via
    #   -r requirements/requirements-prod.in
    #   elasticsearch-curator
elasticsearch-curator==5.8.6.656971
    # via -r requirements/requirements-prod.in
elementpath==2.2.1
    # via xmlschema
exif==1.2.2
    # via -r requirements/requirements-prod.in
fancycompleter==0.9.1
    # via pdbpp
feedparser==6.0.8
    # via -r requirements/requirements-prod.in
flask==1.1.2
    # via
    #   -r requirements/requirements-prod.in
    #   flask-azure-oauth
    #   flask-classful
    #   flask-jwt
    #   flask-redis
    #   flask-sqlalchemy
    #   opentaxii
flask-azure-oauth==0.5.0
    # via -r requirements/requirements-prod.in
flask-classful==0.14.2
    # via -r requirements/requirements-prod.in
flask-jwt==0.2.0
    # via -r requirements/requirements-prod.in
flask-redis==0.3.0
    # via -r requirements/requirements-prod.in
flask-sqlalchemy==2.5.1
    # via -r requirements/requirements-prod.in
frozenlist==1.3.0
    # via
    #   aiohttp
    #   aiosignal
furl==2.0.0
    # via
    #   -r requirements/requirements-prod.in
    #   cabby
geoip2==4.5.0
    # via -r requirements/requirements-prod.in
greenlet==1.1.2
    # via sqlalchemy
gunicorn==20.1.0
    # via -r requirements/requirements-prod.in
html5lib==1.1
    # via weasyprint
idna==2.10
    # via
    #   requests
    #   urlextract
    #   yarl
importlib-metadata==4.8.1
    # via alembic
importlib-resources==5.1.2
    # via
    #   alembic
    #   pysaml2
inflect==5.0.2
    # via -r requirements/requirements-prod.in
ipdb==0.13.9
    # via -r requirements/requirements-prod.in
ipython==7.31.1
    # via
    #   -r requirements/requirements-prod.in
    #   ipdb
ipython-genutils==0.2.0
    # via traitlets
iso3166==1.0.1
    # via -r requirements/requirements-prod.in
itsdangerous==1.1.0
    # via
    #   flask
    #   flask-jwt
jedi==0.17.0
    # via ipython
jinja2==2.11.3
    # via
    #   -r requirements/requirements-prod.in
    #   flask
jmespath==0.10.0
    # via
    #   boto3
    #   botocore
jsonlines==1.2.0
    # via -r requirements/requirements-prod.in
jsonschema==3.0.2
    # via
    #   -r requirements/requirements-prod.in
    #   pymisp
kombu==5.2.3
    # via celery
libtaxii==1.1.118
    # via
    #   cabby
    #   opentaxii
lief==0.11.5
    # via pymisp
lxml==4.9.1
    # via
    #   -r requirements/requirements-prod.in
    #   libtaxii
    #   mixbox
    #   objectivistix
    #   opentaxii
    #   stix-validator
mako==1.2.2
    # via alembic
markupsafe==1.1.1
    # via
    #   -r requirements/requirements-prod.in
    #   jinja2
    #   mako
marshmallow==3.10.0
    # via
    #   -r requirements/requirements-prod.in
    #   opentaxii
matplotlib-inline==0.1.3
    # via ipython
maxminddb==2.2.0
    # via geoip2
mixbox==1.0.5
    # via stix-validator
msal==1.17.0
    # via -r requirements/requirements-prod.in
multidict==6.0.2
    # via
    #   aiohttp
    #   yarl
mypy-extensions==0.4.3
    # via opentaxii
objectivistix==1.2.2
    # via -r requirements/requirements-prod.in
opentaxii==0.9.3
    # via -r requirements/requirements-prod.in
ordered-set==4.0.1
    # via mixbox
ordereddict==1.1
    # via stix-validator
orderedmultidict==1.0.1
    # via furl
paramiko==2.10.1
    # via -r requirements/requirements-prod.in
parso==0.7.0
    # via jedi
pdbpp==0.9.5
    # via -r requirements/requirements-prod.in
pexpect==4.8.0
    # via ipython
pickleshare==0.7.5
    # via ipython
pillow==9.0.1
    # via
    #   cairosvg
    #   weasyprint
plum-py==0.3.1
    # via exif
ply==3.11
    # via plyara
plyara==2.0.3
    # via -r requirements/requirements-prod.in
prompt-toolkit==2.0.10
    # via
    #   click-repl
    #   ipython
psutil==5.6.7
    # via -r requirements/requirements-prod.in
psycopg2-binary==2.8.5
    # via -r requirements/requirements-prod.in
ptyprocess==0.6.0
    # via pexpect
punq==0.4.1
    # via -r requirements/requirements-prod.in
py-spy==0.3.10
    # via -r requirements/requirements-prod.in
pyasn1==0.4.8
    # via
    #   pyasn1-modules
    #   python-ldap
pyasn1-modules==0.2.8
    # via python-ldap
pycparser==2.20
    # via cffi
pygments==2.7.4
    # via
    #   ipython
    #   pdbpp
pyjwt[crypto]==2.4.0
    # via
    #   -r requirements/requirements-prod.in
    #   msal
    #   opentaxii
pymisp==2.4.121
    # via -r requirements/requirements-prod.in
pynacl==1.4.0
    # via paramiko
pyopenssl==19.1.0
    # via pysaml2
pyotp==2.3.0
    # via -r requirements/requirements-prod.in
pyphen==0.9.5
    # via weasyprint
pyrepl==0.9.0
    # via fancycompleter
pyrsistent==0.16.0
    # via jsonschema
pysaml2==6.5.1
    # via -r requirements/requirements-prod.in
python-dateutil==2.8.2
    # via
    #   -r requirements/requirements-prod.in
    #   botocore
    #   dateparser
    #   libtaxii
    #   mixbox
    #   pymisp
    #   pysaml2
    #   stix-validator
python-gnupg==0.4.4
    # via -r requirements/requirements-prod.in
python-ldap==3.4.0
    # via -r requirements/requirements-prod.in
python-magic==0.4.25
    # via -r requirements/requirements-prod.in
python-slugify==3.0.3
    # via -r requirements/requirements-prod.in
pytz==2021.3
    # via
    #   -r requirements/requirements-prod.in
    #   cabby
    #   celery
    #   dateparser
    #   opentaxii
    #   pysaml2
    #   stix2
    #   taxii2-client
    #   tzlocal
pyyaml==5.4
    # via
    #   -r requirements/requirements-prod.in
    #   apispec
    #   elasticsearch-curator
    #   objectivistix
    #   opentaxii
quuz==9.0.1
    # via -r requirements/requirements-prod.in
rarfile==4.0
    # via -r requirements/requirements-prod.in
redis==3.5.3
    # via
    #   -r requirements/requirements-prod.in
    #   flask-redis
regex==2020.6.8
    # via dateparser
requests==2.25.1
    # via
    #   -r requirements/requirements-prod.in
    #   cabby
    #   elasticsearch-curator
    #   flask-azure-oauth
    #   geoip2
    #   msal
    #   pymisp
    #   pysaml2
    #   stix2
    #   taxii2-client
retrying==1.3.3
    # via -r requirements/requirements-prod.in
rfc3986==1.2.0
    # via -r requirements/requirements-prod.in
s3transfer==0.5.0
    # via boto3
sanest==0.1.0
    # via -r requirements/requirements-prod.in
sentry-sdk==1.4.3
    # via
    #   -r requirements/requirements-prod.in
    #   structlog-sentry
sgmllib3k==1.0.0
    # via feedparser
simplejson==3.17.0
    # via stix2
six==1.15.0
    # via
    #   bcrypt
    #   cabby
    #   click-repl
    #   elasticsearch-curator
    #   furl
    #   html5lib
    #   jsonlines
    #   jsonschema
    #   libtaxii
    #   opentaxii
    #   orderedmultidict
    #   paramiko
    #   prompt-toolkit
    #   pymisp
    #   pynacl
    #   pyopenssl
    #   pyrsistent
    #   pysaml2
    #   python-dateutil
    #   retrying
    #   stix2-patterns
    #   structlog
    #   taxii2-client
    #   tld
    #   traitlets
    #   validators
soupsieve==2.0.1
    # via beautifulsoup4
sqlalchemy==1.4.25
    # via
    #   -r requirements/requirements-prod.in
    #   alembic
    #   flask-sqlalchemy
    #   opentaxii
    #   quuz
statsd==3.3.0
    # via -r requirements/requirements-prod.in
stix-validator==2.5.1
    # via -r requirements/requirements-prod.in
stix2[taxii]==3.0.1
    # via
    #   -r requirements/requirements-prod.in
    #   opentaxii
stix2-patterns==1.3.2
    # via
    #   -r requirements/requirements-prod.in
    #   stix2
structlog==20.1.0
    # via
    #   -r requirements/requirements-prod.in
    #   opentaxii
    #   quuz
structlog-sentry==1.4.0
    # via -r requirements/requirements-prod.in
tabulate==0.8.5
    # via -r requirements/requirements-prod.in
taxii2-client==2.3.0
    # via
    #   -r requirements/requirements-prod.in
    #   stix2
text-unidecode==1.2
    # via python-slugify
tinycss2==1.0.2
    # via
    #   cairosvg
    #   cssselect2
    #   weasyprint
tld==0.7.9
    # via -r requirements/requirements-prod.in
toml==0.10.2
    # via ipdb
traitlets==4.3.3
    # via
    #   ipython
    #   matplotlib-inline
typing-extensions==3.10.0.1
    # via quuz
tzlocal==2.1
    # via dateparser
uritools==3.0.0
    # via urlextract
urlextract==0.13.0
    # via -r requirements/requirements-prod.in
urllib3==1.26.11
    # via
    #   botocore
    #   elasticsearch
    #   elasticsearch-curator
    #   geoip2
    #   requests
    #   sentry-sdk
validators==0.15.0
    # via -r requirements/requirements-prod.in
vine==5.0.0
    # via
    #   amqp
    #   celery
    #   kombu
voluptuous==0.12.0
    # via elasticsearch-curator
wcwidth==0.2.4
    # via prompt-toolkit
weakrefmethod==1.0.3
    # via mixbox
weasyprint==52.5
    # via -r requirements/requirements-prod.in
webencodings==0.5.1
    # via
    #   cssselect2
    #   html5lib
    #   tinycss2
werkzeug==1.0.1
    # via
    #   -r requirements/requirements-prod.in
    #   flask
wmctrl==0.3
    # via pdbpp
wrapt==1.12.1
    # via deprecated
xlrd==1.2.0
    # via stix-validator
xmlschema==1.5.3
    # via pysaml2
xmltodict==0.11.0
    # via -r requirements/requirements-prod.in
yarl==1.7.2
    # via aiohttp
zipp==3.6.0
    # via importlib-metadata
zxcvbn==4.4.27
    # via -r requirements/requirements-prod.in

SELinux#

EclecticIQ Platform supports SELinux.

  • If you are using or plan to use SELinux in the environment where the platform is installed, you should carry out this check.

  • If you are not using SELinux and are not planning to implement it in the environment where the platform is installed, you do not need to do anything and you can safely disregard this section.

Check SELinux status#

If SELinux is installed, check if it is enabled or disabled by running the following command:

sestatus -v

If SELinux is disabled, the response includes the following line:

SELinux status: disabled

Check SELinux mode#

You can check which SELinux mode is currently active by running the following command:

getenforce

The allowed modes are:

  • enforcing

  • permissive

  • disabled

The active mode may not be the same as the SELINUX value defined in the SELinux global configuration file, /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

This happens after you change and save the SELinux global configuration file but before the reboot that makes the change effective, and also after running setenforce, which changes only the running mode and leaves the file untouched.

Set SELinux to permissive mode#

Permissive mode is recommended while you install and configure the platform: SELinux still records every denial in the audit log, but does not block the operation, so policy gaps do not interrupt the installation and can be reviewed afterwards. Permissive mode does not protect the system, so switch back to enforcing mode once the post-installation check has been completed and the audit log shows no denials for the platform.

To set the running system to permissive mode, run the following command as root:

setenforce permissive

This changes only the running mode. On reboot, SELinux returns to the SELINUX value in the global configuration file.

Post-installation check#

  • If SELinux is installed and enabled, record the file-context rules for the platform and apply them by running the following commands as root:

    # Label the platform backend files
    semanage fcontext -a -t etc_t "/opt/eclecticiq-platform-backend(/.*)?"
      
    # Label the Nginx web server configuration files
    semanage fcontext -a -t httpd_config_t "/opt/eclecticiq-platform-backend/etc/nginx(/.*)?"
    semanage fcontext -a -t httpd_config_t "/opt/eclecticiq-platform-backend/etc/eclecticiq-nginx(/.*)?"
      
    # Label the Redis data files
    # Replace '${path_to_redis_data_dir}' with the actual path to the Redis data dir
    semanage fcontext -a -t redis_var_lib_t "${path_to_redis_data_dir}/redis(/.*)?"
      
    # By default, newly created files and directories inherit the SELinux type
    # of the corresponding parents, so that log files have the correct type.
    # However, we do not want to relabel existing logs, so only the directory
    # itself is labeled (-f d).
    semanage fcontext -a -t var_log_t -f d "/var/log"

    # semanage fcontext only records the rules in the local policy; restorecon
    # applies them to the files that already exist on disk
    restorecon -RF /opt/eclecticiq-platform-backend

    Each semanage fcontext -a call fails with "already defined" if a rule for that path already exists, for example when the commands are run a second time. Use semanage fcontext -m to change an existing rule instead.
    
  • If a SELinux policy-related error occurs, the command output is similar to this example:

    SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
    SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.31:  No such file or directory
    /sbin/load_policy:  Can't load policy: No such file or directory libsemanage.semanage_reload_policy: load_policy returned error code 2.
    

    The output names the affected policy files and states why the security labels could not be set.

SELinux is not installed#

If SELinux is not installed on the target system, do the following:

  • After completing the platform installation, install SELinux, enable it in the global configuration file and reboot so that the system comes up with SELinux enabled.

  • To set the correct security contexts, set path_to_redis_data_dir to the Redis data directory and execute the following script as root:

    BASE_PATH="/opt/eclecticiq-platform-backend"
    # Replace '${path_to_redis_data_dir}' with the actual path to the Redis data dir
    : "${path_to_redis_data_dir:?set path_to_redis_data_dir to the Redis data directory}"
      
    if [ -x "$(command -v semanage)" ]; then
        SELINUX_MODE=$(getenforce)
      
        if [ "$SELINUX_MODE" != "Disabled" ]; then
            # Label the platform backend files
            semanage fcontext -a -t etc_t "${BASE_PATH}(/.*)?"
      
            # Label the Nginx web server configuration files
            semanage fcontext -a -t httpd_config_t "${BASE_PATH}/etc/nginx(/.*)?"
            semanage fcontext -a -t httpd_config_t "${BASE_PATH}/etc/eclecticiq-nginx(/.*)?"
      
            # Label the Redis data files
            semanage fcontext -a -t redis_var_lib_t "${path_to_redis_data_dir}/redis(/.*)?"
      
            # By default, newly created files and directories inherit the SELinux type
            # of the corresponding parents, so that log files have the correct type.
            # However, we do not want to relabel existing logs, so only the directory
            # itself is labeled (-f d).
            semanage fcontext -a -t var_log_t -f d "/var/log"
      
            # semanage only records the rules; restorecon applies them to the files on disk
            restorecon -RF "$BASE_PATH" "${path_to_redis_data_dir}/redis"
      
            echo "SELinux security labels configured."
        else
            echo "SELinux is not enabled. Security labels won't be configured."
        fi
    else
        echo "SELinux is not installed. Security labels won't be configured."
    fi
    

    Labels applied by restorecon take effect immediately. A reboot is only needed to apply a change to the SELINUX value in the global configuration file.

SELinux is installed but it is not enabled#

If SELinux is installed on the target system but it is not enabled, do the following:

  • Check the current state with getenforce. If it prints Disabled, SELinux was switched off at boot and setenforce cannot turn it on: set SELINUX=permissive in the global configuration file and reboot the system. Because the file system was not labeled while SELinux was disabled, request a full relabel before that reboot (for example by creating /.autorelabel) and only switch to enforcing mode once the system runs cleanly in permissive mode. If getenforce prints Permissive or Enforcing, SELinux is already running and you can switch between the two modes without a reboot:

    # Set SELinux to permissive mode
    setenforce 0
      
    # Set SELinux to enforcing mode
    setenforce 1

  • Set path_to_redis_data_dir to the Redis data directory and create the following bash script:

    BASE_PATH="/opt/eclecticiq-platform-backend"
    # Replace '${path_to_redis_data_dir}' with the actual path to the Redis data dir
    : "${path_to_redis_data_dir:?set path_to_redis_data_dir to the Redis data directory}"
      
    if [ -x "$(command -v semanage)" ]; then
        SELINUX_MODE=$(getenforce)
      
        if [ "$SELINUX_MODE" != "Disabled" ]; then
            # Label the platform backend files
            semanage fcontext -a -t etc_t "${BASE_PATH}(/.*)?"
      
            # Label the Nginx web server configuration files
            semanage fcontext -a -t httpd_config_t "${BASE_PATH}/etc/nginx(/.*)?"
            semanage fcontext -a -t httpd_config_t "${BASE_PATH}/etc/eclecticiq-nginx(/.*)?"
      
            # Label the Redis data files
            semanage fcontext -a -t redis_var_lib_t "${path_to_redis_data_dir}/redis(/.*)?"
      
            # By default, newly created files and directories inherit the SELinux type
            # of the corresponding parents, so that log files have the correct type.
            # However, we do not want to relabel existing logs, so only the directory
            # itself is labeled (-f d).
            semanage fcontext -a -t var_log_t -f d "/var/log"
      
            # semanage only records the rules; restorecon applies them to the files on disk
            restorecon -RF "$BASE_PATH" "${path_to_redis_data_dir}/redis"
      
            echo "SELinux security labels configured."
        else
            echo "SELinux is not enabled. Security labels won't be configured."
        fi
    else
        echo "SELinux is not installed. Security labels won't be configured."
    fi
    
  • Save it, make it executable, and then run it as root.

  • Labels applied by restorecon take effect immediately. A reboot is only needed to apply a change to the SELINUX value in the global configuration file.
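The post-installation check and the two scripts above all record the same set of file-context rules, and all three share two weaknesses: a second run fails on `semanage fcontext -a` with "already defined", and nothing verifies that the labels were actually applied. The following script is an added example, not EclecticIQ's own code, that performs the same labelling as one idempotent pass: it picks -a or -m per rule from the current local customizations, warns when the running mode differs from the configured one, applies the rules with restorecon and then uses restorecon -n to check that nothing under the backend directory is still mislabeled. The backend path /opt/eclecticiq-platform-backend comes from this page; /var/lib/redis is only a stand-in for the Redis data directory, and the function names and the DRY_RUN and EIQ_SELINUX_APPLY variables are this example's own.

```shell
#!/bin/sh
# Added example (not EclecticIQ's script): idempotent SELinux labelling for the
# platform backend. Assumption: /var/lib/redis stands in for the Redis data dir.
BASE_PATH="${BASE_PATH:-/opt/eclecticiq-platform-backend}"
REDIS_DATA_DIR="${REDIS_DATA_DIR:-/var/lib/redis}"
SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# config_mode [FILE]: the SELINUX= value in the global configuration file, i.e.
# the mode the system comes up with after a reboot. Comment lines are ignored.
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-$SELINUX_CONFIG}" | tail -n 1
}

# running_mode: the mode in effect now, lower-cased; "disabled" when getenforce
# is missing or SELinux was switched off at boot.
running_mode() {
    getenforce 2>/dev/null | tr '[:upper:]' '[:lower:]' | grep . || echo disabled
}

# fcontext_action PATTERN: reads a `semanage fcontext -l -C` listing (local
# customizations) on stdin and prints "-m" if a rule for PATTERN exists, else
# "-a". Re-adding an existing rule fails with "already defined", so this is what
# makes repeated runs safe. Simplification: matched on the path spec only.
fcontext_action() {
    if P="$1" awk '$1 == ENVIRON["P"] { found = 1 } END { exit found ? 0 : 1 }'; then
        printf '%s\n' "-m"
    else
        printf '%s\n' "-a"
    fi
}

# apply_fcontext TYPE PATTERN [-f FTYPE]: record (or update) one rule.
apply_fcontext() {
    setype="$1"; pattern="$2"; shift 2
    action=$( { semanage fcontext -l -C 2>/dev/null || true; } | fcontext_action "$pattern")
    run semanage fcontext "$action" -t "$setype" "$@" "$pattern"
}

# label_platform: the whole procedure. Returns 1 if SELinux is disabled, 2 if
# files under BASE_PATH still carry the wrong label after restorecon.
label_platform() {
    mode=$(running_mode)
    if [ "$mode" = "disabled" ]; then
        echo "SELinux is disabled; set SELINUX=permissive in $SELINUX_CONFIG and reboot first." >&2
        return 1
    fi
    if [ "$mode" != "$(config_mode)" ]; then
        echo "warning: running mode '$mode' differs from $SELINUX_CONFIG; it changes on reboot." >&2
    fi

    apply_fcontext etc_t           "${BASE_PATH}(/.*)?"
    apply_fcontext httpd_config_t  "${BASE_PATH}/etc/nginx(/.*)?"
    apply_fcontext httpd_config_t  "${BASE_PATH}/etc/eclecticiq-nginx(/.*)?"
    apply_fcontext redis_var_lib_t "${REDIS_DATA_DIR}/redis(/.*)?"
    apply_fcontext var_log_t       "/var/log" -f d   # directory only; existing logs keep their labels

    # semanage only records rules; restorecon relabels what is already on disk.
    run restorecon -RF "$BASE_PATH" "${REDIS_DATA_DIR}/redis"

    # Verify: with -n restorecon changes nothing and with -v it prints every file
    # whose label still differs from the rules, so empty output means success.
    if [ "${DRY_RUN:-0}" != "1" ]; then
        pending=$(restorecon -Rnv "$BASE_PATH" | wc -l)
        if [ "$pending" -ne 0 ]; then
            echo "$pending path(s) under $BASE_PATH still mislabeled" >&2
            return 2
        fi
    fi
    echo "SELinux security labels configured (mode: $mode)."
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${EIQ_SELINUX_APPLY:-0}" = "1" ]; then
    label_platform
fi
```

Run `DRY_RUN=1 EIQ_SELINUX_APPLY=1 sh label-eiq.sh` first to see the exact semanage and restorecon commands it would issue, then `sudo EIQ_SELINUX_APPLY=1 sh label-eiq.sh` to apply them; a non-zero exit means either SELinux is still disabled or restorecon left mislabeled files, which is the case to investigate before switching to enforcing mode.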