Before you start CentOS#
Review these system requirements before proceeding to install EclecticIQ Intelligence Center from a rpm package.
Conventions#
Command and code examples#
Some examples require you to run terminal commands as root.
# Grant the currently logged in user root-level access
sudo -i
# Grant root-level access to a different user
sudo -i -u ${user_name}
# Run a command as a different user, with root-level access
sudo -i -u ${user_name} ${command} ${options}\
Placeholder variables#
Example commands may describe placeholder variables using bash parameter substitution like this:
${placeholder_variable_name}
In this case, the example usually asks you to set the
value of placeholder_variable_name
beforehand.
You can also substitute it in the command yourself:
# Example given:
ssh ${username}@${domain}
# After substitution
ssh [email protected]
Software downloaders and package managers#
When the documentation includes code snippets to provide examples of how to retrieve a product to install, most code examples use wget or curl.
If these products are not installed on your system, download and install them.
Otherwise, feel free to use any other viable alternative that enables retrieving assets and resources from the Internet.
yum and rpm are standard package managers for both CentOS and RHEL.
Your system should also be able to pin/lock specific versions of Intelligence Center dependencies after installing them.
To do this, you can use yum-versionlock
:
# Pin/Lock a package to the currently installed version
yum-versionlock ${package_name}
# Unpin/Unlock all packages, for example before an upgrade
yum-versionlock clear
Warning
If you need to troubleshoot the intelligence Center, do not use debuggers in production environments.
Debuggers can enable arbitrary code execution. This is a security risk.
About EclecticIQ Intelligence Center#
EclecticIQ Intelligence Center is powered by STIX and TAXII open standards.
It enables ingesting, consolidating, analyzing, integrating, and collaborating on cyber threat intelligence from multiple sources in a broad range of formats.
Feature |
Description |
---|---|
Feed management |
Manage multiple cyber threat intelligence feeds from any source, in many different formats. |
Enrichment |
Enrich existing intelligence with external data sources providing more context, and refine it with de-duplication and pattern recognition. |
Sharing |
Share threat intelligence together with partners to participate in a collaborative information ecosystem. |
Collaboration |
Analyze and author intelligence in together with other teams and departments. |
Insights |
Generate insight thanks to a high-fidelity, normalized view into your intelligence. |
Integration |
Understand how cyber threat intelligence relates to and how it can affect your organization and your environment. |
Hardware requirements#
Hardware requirements for EclecticIQ Intelligence Center can vary, depending on the target system and the environment you plan to install EclecticIQ Intelligence Center to. The requirements outlined in this section are general guidelines that work in most cases, but they are not tailored to any specific situation or use case.
Single box#
Hardware requirement guidelines for EclecticIQ intelligence Center and related dependencies installation on a single system/machine.
Hardware |
Minimum |
Recommended |
Notes |
---|---|---|---|
CPUs |
4 |
8 |
Core count includes HT. |
CPU speed |
2.5 GHz |
2.5 GHz or faster |
|
Memory |
32 GB |
64 GB or more |
|
Storage |
SATA, 100 IOPS |
SSD, 200-500 IOPS |
|
Drives |
5 |
10 |
10 drives enable setting up 5 sets of mirrored drives (RAID 1). |
Drive sizes (GB) |
10, 10, 25, 50, 200 |
20, 20, 50, 75, 300 |
Each Intelligence Center database should be allocated to a dedicated drive for data storage. |
Drive allocation (GB) |
10 |
20 |
Root (EclecticIQ Intelligence Center + Redis). |
10 |
20 |
Log data storage. |
|
25 |
50 |
Neo4j, graph database. |
|
100 |
150 |
Elasticsearch, searching and indexing. On average, allocate Elasticsearch about half the amount of space you assign to PostgreSQL. |
|
200 |
300 |
PostgreSQL, main data storage. |
|
Network |
2 network interfaces |
2 network interfaces |
One interface for production, the other for system management. |
Install size |
~240 GB |
~240 GB |
Full install, based on the VM image size. |
Scaling out#
The easiest approach to scaling out involves allocating dedicated machines to the databases. In this scenario, you install each of the following components on a separate machine:
EclecticIQ Intelligence Center
PostgreSQL
Redis
Elasticsearch
Neo4j Enterprise Edition
(This version implements multi-clustering. It is available after purchasing a license.)
To optimize read-write operations and to ensure that the storage drives are fast, set up dedicated drives per partition.
The SYSTEMD_SERVICES
list in the platform_settings.py
settings file stores a list of systemd services that EclecticIQ Intelligence Center should monitor.
Note
EclecticIQ Intelligence Center can only monitor local systemd services.
If Intelligence Center services are distributed across several virtual or physical machines, remove those remote services from the SYSTEMD_SERVICES
list to stop EclecticIQ Intelligence Center from attempting to contact them.
Software requirements#
Credentials and host name#
To correctly configure the system after installing the required dependencies and third-party products, ensure you have the following information available:
Fully qualified domain name of the host machine you are going to use to access EclecticIQ Intelligence Center.
SSL certificate and key for the web server.
EclecticIQ Intelligence Center login credentials.
User name and password#
During the installation, you are prompted to assign the administrator account a user name and a password.
By default, when performing a Intelligence Center installation you are prompted to create only an administrator account, because at any given time EclecticIQ Intelligence Center requires at least one active administrator user profile.
Follow these guidelines to define a strong password:
It should be between 10 and 64 characters long.
It should contain at least one uppercase alphabetic character.
It should contain at least one special character
It should contain at least one number.
It should not reuse a previous password.
User password history logs the previous 100 passwords.
It should not be on NBP, the NIST Bad Passwords list.
It should not include the user name it is associated with.
For more information, see the NIST digital identity guidelines.
Operating systems#
Supported operating systems#
The following operating systems are supported:
CentOS 7 latest release – currently CentOS 7.9 (2009)
Red Hat Enterprise Linux 7 latest release – currently Red Hat Enterprise Linux 7.9
Deprecated operating systems#
As of release 2.9.0, support for the following operating systems is deprecated:
CentOS 7.8 (2003)
CentOS 7.7 (1908)
CentOS 7.6 (1810)
Red Hat Enterprise Linux 7.8
Red Hat Enterprise Linux 7.7
Red Hat Enterprise Linux 7.6
Ubuntu Server 16.04 Xenial Xerus
CentOS 7.6 (1810), 7.7 (1908), and 7.8 (2003), and Red Hat Enterprise Linux 7.6, 7.7, and 7.8 are compatible with release 2.9.x. However, they are not supported.
Ubuntu Server is no longer supported.
Access permissions#
The installation procedure requires a umask value of 0022 to allow creating and modifying files and directories on the target system.
Encoding#
EclecticIQ Intelligence Center uses and expects text data in UTF-8.
Dependencies and components that exchange data with EclecticIQ Intelligence Center must use the same encoding.
The LANG environment variable must be set to en_US.UTF-8. Example: LANG=en_US.UTF-8
Locale#
The system locale must be en_US.UTF-8.
To check and, if necessary, set the system locale to en_US.UTF-8:
if [ "$LANG" != "en_US.UTF-8" ]; then localectl set-locale LANG=en_US.UTF-8; fi
Time zone#
The global time zone configuration must be UTC.
While you can set a local or a custom time zone value to display local time on EclecticIQ Intelligence Center, the host system time zone must be consistently on UTC time.
This includes OS, databases, as well as any other products or components that enable setting a time zone, and that interact/interoperate with EclecticIQ Intelligence Center.
To set the system time zone to UTC:
timedatectl set-timezone UTC
Data mount points#
When installing and configuring Intelligence Center components such as PostgreSQL, Redis, Elasticsearch, and Neo4j specify dedicated locations where these products store their data.
These are the recommended mount point paths for each data store:
Component |
Mount point |
Min. size (GB) |
Reccommended size (GB) |
---|---|---|---|
Logs |
|
10 |
20 |
Elasticsearch |
|
100 |
150 |
Neo4j |
|
25 |
50 |
PostgreSQL |
|
200 |
300 |
-Redis |
|
10 |
20 |
Note
About Redis
In a single box installation scenario, Redis is installed to the root partition where EclecticIQ Intelligence Center is installed to.
During the configuration step, you can set the Redis data location in the redis.conf configuration file.
The recommended target directory for Redis data is /media/redis
.
This is not a mount point on a separate partition, it is a subdirectory in the root partition.
Databases and network binding#
On a single machine installation, network interface bindings for services are set
to 127.0.0.1
by default, except for PostgreSQL which has a different configuration.
Instructions may have asked you to change this to a more permissive
binding in multi-machine installations, or you may be
using an older installation where defaults were set to 0.0.0.0
.
The table below shows a list of configuration files where network interface bindings are set for each service.
You may want to change these bindings to suit your environment.
Service name |
File path(s) |
Parameters |
Notes |
---|---|---|---|
Elasticsearch |
/etc/systemd/system/elasticsearch.service.d/20-eclecticiq.conf
|
[Service]
Environment=BINDING_ADDRESS=127.0.0.1
|
For more information, see Elasticsearch’s documentation. |
Neo4j |
/etc/eclecticiq-neo4j/neo4j.conf
|
dbms.connector.bolt.listen_address=:7687
dbms.connector.http.listen_address=:7474
dbms.connector.https.listen_address=:7473
|
For more information, see Configure connectors and dbms.connectors.default_listen_address. |
PostgreSQL |
/etc/eclecticiq-postgres/pg_hba.conf
|
TYPE DATABASE USER ADDRESS METHOD
local all postgres trust
host all all samenet md5
host all all 0.0.0.0/0 password
|
For more information, see The pg_hba.conf File. |
Redis |
/etc/eclecticiq-redis/redis.conf
|
bind 127.0.0.1
|
For more information, see Redis security and redis.conf. |
Web browsers#
EclecticIQ Intelligence Center web interface supports the following browsers.
Fully supported (latest versions of):
Google Chrome
Functionally supported (latest versions of):
Microsoft Edge
Mozilla Firefox
Microsoft Internet Explorer 11
Opera
Apple Safari
Updating products at OS level#
We recommend that you review all operating system (OS) package updates when updating EclecticIQ Intelligence Center host.
To retrieve a list of libraries and the packages that make them available, start a terminal session, and then run the following command:
libraries_used=$(find /opt/eclecticiq-platform-backend/lib/python3.6/site-packages/ -name "*.so" | xargs ldd | sed -r '/^\s/!d' | awk '{print $1}' | sort -u); providing_packages=$(echo $libraries_used | xargs yum provides | sed -r '/^(Provides\s*:|Filename\s*:|Repo\s*:|Matched from\s*:).*$/d' | sort -u | grep -Ev "^(\s+|Loaded|Loading)"); echo -e "\nLibraries used:\n\n$libraries_used\n\n\nPackages that provide them:\n$providing_packages"
Example response output:
# Example output list of libraries and packages
# whose changelogs you should review
# for possible breaking changes
# before proceeding with updating them
Libraries used:
/lib64/ld-linux-x86-64.so.2
libcom_err-beb60336.so.2.1
libcom_err.so.2
libcrypto-c1fa9491.so.1.0.2q
libcrypto.so.10
libcrypt.so.1
libc.so.6
libdl.so.2
libffi-806b1a9d.so.6.0.4
libfreebl3.so
libgssapi_krb5-174f8956.so.2.2
libgssapi_krb5.so.2
libk5crypto-622ef25b.so.3.1
libk5crypto.so.3
libkeyutils-1-ff31573b.2.so
libkeyutils.so.1
libkrb5-fb0d2caa.so.3.3
libkrb5.so.3
libkrb5support-d7ce89d4.so.0.1
libkrb5support.so.0
liblber-2.4.so.2
liblber-2-d7edd0dc.4.so.2.10.7
libldap_r-2.4.so.2
libldap_r-2-9270213a.4.so.2.10.7
libmaxminddb.so.0
libm.so.6
libnspr4.so
libnss3.so
libnssutil3.so
libpcre.so.1
libplc4.so
libplds4.so
libpq-bd31fe2b.so.5.11
libpthread.so.0
libpython3.6m.so.1.0
libresolv.so.2
librt.so.1
libsasl2-e96a0dbf.so.2.0.22
libsasl2.so.3
libselinux-cf8f9094.so.1
libselinux.so.1
libsepol-b4f5b513.so.1
libsmime3.so
libssl3.so
libssl-c0c2ede4.so.1.0.2q
libssl.so.10
libutil.so.1
libyaml-0.so.2
libz-a147dcb0.so.1.2.3
libz.so.1
linux-vdso.so.1
Packages that provide them:
1:openssl-libs-1.0.2k-19.el7.i686 : A general purpose cryptography library with
cyrus-sasl-lib-2.1.26-23.el7.i686 : Shared libraries needed by applications
glibc-2.17-292.el7.i686 : The GNU libc libraries
glibc-2.17-292.el7.x86_64 : The GNU libc libraries
keyutils-libs-1.5.8-3.el7.i686 : Key utilities library
krb5-libs-1.15.1-37.el7_6.i686 : The non-admin shared libraries used by Kerberos
krb5-libs-1.15.1-37.el7_7.2.i686 : The non-admin shared libraries used by
libcom_err-1.42.9-16.el7.i686 : Common error description library
libmaxminddb-1.2.0-6.el7.i686 : C library for the MaxMind DB file format
libselinux-2.5-14.1.el7.i686 : SELinux library and simple utilities
libyaml-0.1.4-11.el7_0.i686 : YAML 1.1 parser and emitter written in C
nspr-4.21.0-1.el7.i686 : Netscape Portable Runtime
nss-3.44.0-4.el7.i686 : Network Security Services
nss-3.44.0-7.el7_7.i686 : Network Security Services
nss-softokn-freebl-3.44.0-5.el7.i686 : Freebl library for the Network Security
nss-softokn-freebl-3.44.0-8.el7_7.i686 : Freebl library for the Network Security
nss-util-3.44.0-3.el7.i686 : Network Security Services Utilities Library
nss-util-3.44.0-4.el7_7.i686 : Network Security Services Utilities Library
openldap-2.4.44-21.el7_6.i686 : LDAP support libraries
pcre-8.32-17.el7.i686 : Perl-compatible regular expression library
python3-libs-3.6.8-10.el7.i686 : Python runtime libraries
zlib-1.2.7-18.el7.i686 : The compression and decompression library
Third-party products#
EclecticIQ Intelligence Center is bundled with the following third-party packages:
eclecticiq-statsite |
6.0.0 |
Metrics aggregator for the dashboard based on Statsite. |
elasticsearch |
7.16.3 |
Elasticsearch database. |
jdk |
11 |
OpenJDK Java Platform. |
kibana |
7.16.3 |
Kibana. |
logstash |
7.16.3 |
Logstash. |
neo4j |
3.5 Community |
Neo4j graph database. |
nginx |
1.16.1 |
Nginx web server. |
poppler-utils |
0.26.5 |
poppler-utils download page. |
postfix |
2.10.1 |
Postfix email server. |
postgresql11 |
11.5 |
PostgreSQL database. |
python38 |
3.8.12 |
Python 3.8. |
redis |
5.0.6 |
Redis database. |
unrar |
5.3.0 |
unrar enables creating and extracting compressed archive files in .rar format. |
xmlsec1 |
1.2.20 |
xmlsec1 enables signing, verifying, encrypting, and decrypting XML documents. |
Note
About Elasticsearch
During complex index upgrades and reindexing operations, Elasticsearch may require additional disk space to store temporary working files and temporary copies of the existing indices.
Monitor your Elasticsearch partition usage.
Before it reaches 50% of the available space in the partition extend it, so that the new partition size is at least twice as large as the sum of the existing Elasticsearch indices.
Example
If Elasticsearch currently uses 43 GB of disk space, extend the partition where Elasticsearch lives to at least 86 GB.
Bundled third-party software#
EclecticIQ Platform is bundled with the following third-party software. Each product on the list abides by its own terms and conditions and its own license.
package.json (source from EIQ platform-ui)
Frontend third-party dependencies
"dependencies": {
"@currents/cli": "^2.0.0",
"@headlessui/react": "^0.2.0",
"@popperjs/core": "^2.9.2",
"@sentry/browser": "^5.12.1",
"@tinymce/tinymce-react": "^3.12.6",
"@types/flux": "^3.1.11",
"axios": "^0.27.2",
"classnames": "^2.2.6",
"clipboard-copy": "^3.1.0",
"cypress-real-events": "^1.7.0",
"debug": "^2.6.3",
"dompurify": "2.2.3",
"draft-convert": "^2.1.4",
"draft-js": "^0.11.7",
"escape-string-regexp": "^1.0.5",
"filesize": "^3.5.6",
"flux": "4.0.3",
"he": "^1.1.1",
"history": "^4.6.1",
"image-size": "^0.5.0",
"immutability-helper": "^2.4.0",
"immutable": "3.8.1",
"json-stable-stringify": "^1.0.1",
"jwt-decode": "^2.2.0",
"keycode": "^2.2.0",
"keylines": "file:./src/vendor/keylines",
"keymirror": "~0.1.0",
"lodash": "^4.17.21",
"markdown-it": "^12.3.2",
"markdown-it-regexp": "^0.4.0",
"microdata": "^1.1.3",
"moment": "^2.24.0",
"moment-timezone": "0.5.3",
"pluralize": "^8.0.0",
"postinstall-postinstall": "^2.1.0",
"qrcode": "^1.4.4",
"qs": "^6.10.1",
"raw-loader": "^0.5.1",
"react": "^17.0.2",
"react-addons-shallow-compare": "^15.6.2",
"react-click-outside": "^2.1.0",
"react-dates": "17.0.0",
"react-dnd": "^11.1.3",
"react-dnd-html5-backend": "^11.1.3",
"react-dom": "^17.0.2",
"react-dropzone": "^3.3.2",
"react-filtered-multiselect": "^0.4.2",
"react-hook-form": "^7.20.2",
"react-immutable-proptypes": "^1.5.0",
"react-pdf": "^4.0.0",
"react-popper": "^2.2.5",
"react-query": "^3.16.0",
"react-redux": "^7.2.5",
"react-resize-detector": "^5.2.0",
"react-router": "^5.2.0",
"react-router-dom": "^5.2.0",
"react-select": "1.0.1",
"react-split": "^2.0.9",
"react-string-replace": "^0.3.2",
"react-tether": "^1.0.4",
"react-time-picker": "^1.1.0",
"react-treeview": "^0.4.2",
"react-use": "^17.2.3",
"redux": "^4.0.0",
"redux-devtools-extension": "^2.13.8",
"reselect": "^3.0.1",
"scrollbar-width": "^3.1.1",
"superagent": "^3.8.1",
"superagent-promise": "^1.1.0",
"superagent-throttle": "1.0.0",
"tcomb-form": "0.9.20",
"transit-immutable-js": "^0.5.2",
"transit-js": "^0.8.846",
"typed-immutable": "0.0.7",
"word-wrap": "^1.2.3",
"zeroday": "git+ssh://[email protected]:engineering/zeroday.git#^3.x.x"
},
requirements-prod.txt (sourced from EIQ platform-backend)
Backend third-party dependencies
aiohttp==3.8.1
# via geoip2
aiosignal==1.2.0
# via aiohttp
alembic==1.7.4
# via -r requirements/requirements-prod.in
amqp==5.0.9
# via kombu
antlr4-python3-runtime==4.8
# via stix2-patterns
apispec[yaml]==3.3.0
# via
# -r requirements/requirements-prod.in
# apispec-webframeworks
apispec-webframeworks==0.5.0
# via -r requirements/requirements-prod.in
appdirs==1.4.4
# via urlextract
async-timeout==4.0.2
# via aiohttp
attrs==21.4.0
# via
# -r requirements/requirements-prod.in
# aiohttp
# cattrs
# jsonschema
# quuz
authlib==0.14.3
# via flask-azure-oauth
backcall==0.2.0
# via ipython
bcrypt==3.1.7
# via paramiko
beautifulsoup4==4.7.1
# via -r requirements/requirements-prod.in
billiard==3.6.4.0
# via celery
blinker==1.4
# via
# -r requirements/requirements-prod.in
# opentaxii
# quuz
boto3==1.20.24
# via -r requirements/requirements-prod.in
botocore==1.23.24
# via
# boto3
# s3transfer
cabby==0.1.23
# via -r requirements/requirements-prod.in
cachetools==3.1.0
# via -r requirements/requirements-prod.in
cairocffi==1.2.0
# via
# cairosvg
# weasyprint
cairosvg==2.5.2
# via weasyprint
cattrs==1.0.0
# via -r requirements/requirements-prod.in
celery==5.2.3
# via -r requirements/requirements-prod.in
certifi==2020.4.5.2
# via
# elasticsearch
# elasticsearch-curator
# requests
# sentry-sdk
cffi==1.14.0
# via
# bcrypt
# cairocffi
# cryptography
# pynacl
# weasyprint
chardet==4.0.0
# via requests
charset-normalizer==2.0.12
# via aiohttp
click==8.0.3
# via
# -r requirements/requirements-prod.in
# celery
# click-didyoumean
# click-plugins
# click-repl
# flask
# objectivistix
# quuz
click-didyoumean==0.0.3
# via celery
click-plugins==1.1.1
# via celery
click-repl==0.2.0
# via celery
colorama==0.3.9
# via -r requirements/requirements-prod.in
colorlog==4.1.0
# via cabby
cryptography==3.4.7
# via
# -r requirements/requirements-prod.in
# authlib
# msal
# paramiko
# pyjwt
# pyopenssl
# pysaml2
cssselect2==0.3.0
# via
# cairosvg
# weasyprint
datauri==1.0.0
# via -r requirements/requirements-prod.in
dateparser==0.7.4
# via -r requirements/requirements-prod.in
decorator==4.4.2
# via
# ipdb
# ipython
# traitlets
# validators
defusedxml==0.6.0
# via
# cairosvg
# pysaml2
deprecated==1.2.12
# via pymisp
elasticsearch==7.17.0
# via
# -r requirements/requirements-prod.in
# elasticsearch-curator
elasticsearch-curator==5.8.6.656971
# via -r requirements/requirements-prod.in
elementpath==2.2.1
# via xmlschema
exif==1.2.2
# via -r requirements/requirements-prod.in
fancycompleter==0.9.1
# via pdbpp
feedparser==6.0.8
# via -r requirements/requirements-prod.in
flask==1.1.2
# via
# -r requirements/requirements-prod.in
# flask-azure-oauth
# flask-classful
# flask-jwt
# flask-redis
# flask-sqlalchemy
# opentaxii
flask-azure-oauth==0.5.0
# via -r requirements/requirements-prod.in
flask-classful==0.14.2
# via -r requirements/requirements-prod.in
flask-jwt==0.2.0
# via -r requirements/requirements-prod.in
flask-redis==0.3.0
# via -r requirements/requirements-prod.in
flask-sqlalchemy==2.5.1
# via -r requirements/requirements-prod.in
frozenlist==1.3.0
# via
# aiohttp
# aiosignal
furl==2.0.0
# via
# -r requirements/requirements-prod.in
# cabby
geoip2==4.5.0
# via -r requirements/requirements-prod.in
greenlet==1.1.2
# via sqlalchemy
gunicorn==20.1.0
# via -r requirements/requirements-prod.in
html5lib==1.1
# via weasyprint
idna==2.10
# via
# requests
# urlextract
# yarl
importlib-metadata==4.8.1
# via alembic
importlib-resources==5.1.2
# via
# alembic
# pysaml2
inflect==5.0.2
# via -r requirements/requirements-prod.in
ipdb==0.13.9
# via -r requirements/requirements-prod.in
ipython==7.31.1
# via
# -r requirements/requirements-prod.in
# ipdb
ipython-genutils==0.2.0
# via traitlets
iso3166==1.0.1
# via -r requirements/requirements-prod.in
itsdangerous==1.1.0
# via
# flask
# flask-jwt
jedi==0.17.0
# via ipython
jinja2==2.11.3
# via
# -r requirements/requirements-prod.in
# flask
jmespath==0.10.0
# via
# boto3
# botocore
jsonlines==1.2.0
# via -r requirements/requirements-prod.in
jsonschema==3.0.2
# via
# -r requirements/requirements-prod.in
# pymisp
kombu==5.2.3
# via celery
libtaxii==1.1.118
# via
# cabby
# opentaxii
lief==0.11.5
# via pymisp
lxml==4.9.1
# via
# -r requirements/requirements-prod.in
# libtaxii
# mixbox
# objectivistix
# opentaxii
# stix-validator
mako==1.2.2
# via alembic
markupsafe==1.1.1
# via
# -r requirements/requirements-prod.in
# jinja2
# mako
marshmallow==3.10.0
# via
# -r requirements/requirements-prod.in
# opentaxii
matplotlib-inline==0.1.3
# via ipython
maxminddb==2.2.0
# via geoip2
mixbox==1.0.5
# via stix-validator
msal==1.17.0
# via -r requirements/requirements-prod.in
multidict==6.0.2
# via
# aiohttp
# yarl
mypy-extensions==0.4.3
# via opentaxii
objectivistix==1.2.2
# via -r requirements/requirements-prod.in
opentaxii==0.9.3
# via -r requirements/requirements-prod.in
ordered-set==4.0.1
# via mixbox
ordereddict==1.1
# via stix-validator
orderedmultidict==1.0.1
# via furl
paramiko==2.10.1
# via -r requirements/requirements-prod.in
parso==0.7.0
# via jedi
pdbpp==0.9.5
# via -r requirements/requirements-prod.in
pexpect==4.8.0
# via ipython
pickleshare==0.7.5
# via ipython
pillow==9.0.1
# via
# cairosvg
# weasyprint
plum-py==0.3.1
# via exif
ply==3.11
# via plyara
plyara==2.0.3
# via -r requirements/requirements-prod.in
prompt-toolkit==2.0.10
# via
# click-repl
# ipython
psutil==5.6.7
# via -r requirements/requirements-prod.in
psycopg2-binary==2.8.5
# via -r requirements/requirements-prod.in
ptyprocess==0.6.0
# via pexpect
punq==0.4.1
# via -r requirements/requirements-prod.in
py-spy==0.3.10
# via -r requirements/requirements-prod.in
pyasn1==0.4.8
# via
# pyasn1-modules
# python-ldap
pyasn1-modules==0.2.8
# via python-ldap
pycparser==2.20
# via cffi
pygments==2.7.4
# via
# ipython
# pdbpp
pyjwt[crypto]==2.4.0
# via
# -r requirements/requirements-prod.in
# msal
# opentaxii
pymisp==2.4.121
# via -r requirements/requirements-prod.in
pynacl==1.4.0
# via paramiko
pyopenssl==19.1.0
# via pysaml2
pyotp==2.3.0
# via -r requirements/requirements-prod.in
pyphen==0.9.5
# via weasyprint
pyrepl==0.9.0
# via fancycompleter
pyrsistent==0.16.0
# via jsonschema
pysaml2==6.5.1
# via -r requirements/requirements-prod.in
python-dateutil==2.8.2
# via
# -r requirements/requirements-prod.in
# botocore
# dateparser
# libtaxii
# mixbox
# pymisp
# pysaml2
# stix-validator
python-gnupg==0.4.4
# via -r requirements/requirements-prod.in
python-ldap==3.4.0
# via -r requirements/requirements-prod.in
python-magic==0.4.25
# via -r requirements/requirements-prod.in
python-slugify==3.0.3
# via -r requirements/requirements-prod.in
pytz==2021.3
# via
# -r requirements/requirements-prod.in
# cabby
# celery
# dateparser
# opentaxii
# pysaml2
# stix2
# taxii2-client
# tzlocal
pyyaml==5.4
# via
# -r requirements/requirements-prod.in
# apispec
# elasticsearch-curator
# objectivistix
# opentaxii
quuz==9.0.1
# via -r requirements/requirements-prod.in
rarfile==4.0
# via -r requirements/requirements-prod.in
redis==3.5.3
# via
# -r requirements/requirements-prod.in
# flask-redis
regex==2020.6.8
# via dateparser
requests==2.25.1
# via
# -r requirements/requirements-prod.in
# cabby
# elasticsearch-curator
# flask-azure-oauth
# geoip2
# msal
# pymisp
# pysaml2
# stix2
# taxii2-client
retrying==1.3.3
# via -r requirements/requirements-prod.in
rfc3986==1.2.0
# via -r requirements/requirements-prod.in
s3transfer==0.5.0
# via boto3
sanest==0.1.0
# via -r requirements/requirements-prod.in
sentry-sdk==1.4.3
# via
# -r requirements/requirements-prod.in
# structlog-sentry
sgmllib3k==1.0.0
# via feedparser
simplejson==3.17.0
# via stix2
six==1.15.0
# via
# bcrypt
# cabby
# click-repl
# elasticsearch-curator
# furl
# html5lib
# jsonlines
# jsonschema
# libtaxii
# opentaxii
# orderedmultidict
# paramiko
# prompt-toolkit
# pymisp
# pynacl
# pyopenssl
# pyrsistent
# pysaml2
# python-dateutil
# retrying
# stix2-patterns
# structlog
# taxii2-client
# tld
# traitlets
# validators
soupsieve==2.0.1
# via beautifulsoup4
sqlalchemy==1.4.25
# via
# -r requirements/requirements-prod.in
# alembic
# flask-sqlalchemy
# opentaxii
# quuz
statsd==3.3.0
# via -r requirements/requirements-prod.in
stix-validator==2.5.1
# via -r requirements/requirements-prod.in
stix2[taxii]==3.0.1
# via
# -r requirements/requirements-prod.in
# opentaxii
stix2-patterns==1.3.2
# via
# -r requirements/requirements-prod.in
# stix2
structlog==20.1.0
# via
# -r requirements/requirements-prod.in
# opentaxii
# quuz
structlog-sentry==1.4.0
# via -r requirements/requirements-prod.in
tabulate==0.8.5
# via -r requirements/requirements-prod.in
taxii2-client==2.3.0
# via
# -r requirements/requirements-prod.in
# stix2
text-unidecode==1.2
# via python-slugify
tinycss2==1.0.2
# via
# cairosvg
# cssselect2
# weasyprint
tld==0.7.9
# via -r requirements/requirements-prod.in
toml==0.10.2
# via ipdb
traitlets==4.3.3
# via
# ipython
# matplotlib-inline
typing-extensions==3.10.0.1
# via quuz
tzlocal==2.1
# via dateparser
uritools==3.0.0
# via urlextract
urlextract==0.13.0
# via -r requirements/requirements-prod.in
urllib3==1.26.11
# via
# botocore
# elasticsearch
# elasticsearch-curator
# geoip2
# requests
# sentry-sdk
validators==0.15.0
# via -r requirements/requirements-prod.in
vine==5.0.0
# via
# amqp
# celery
# kombu
voluptuous==0.12.0
# via elasticsearch-curator
wcwidth==0.2.4
# via prompt-toolkit
weakrefmethod==1.0.3
# via mixbox
weasyprint==52.5
# via -r requirements/requirements-prod.in
webencodings==0.5.1
# via
# cssselect2
# html5lib
# tinycss2
werkzeug==1.0.1
# via
# -r requirements/requirements-prod.in
# flask
wmctrl==0.3
# via pdbpp
wrapt==1.12.1
# via deprecated
xlrd==1.2.0
# via stix-validator
xmlschema==1.5.3
# via pysaml2
xmltodict==0.11.0
# via -r requirements/requirements-prod.in
yarl==1.7.2
# via aiohttp
zipp==3.6.0
# via importlib-metadata
zxcvbn==4.4.27
# via -r requirements/requirements-prod.in
SELinux#
EclecticIQ Platform supports SELinux.
If you are using or plan to use SELinux in the environment where the platform is installed, you should carry out this check.
If you are not using SELinux and are not planning to implement it in the environment where the platform is installed, you do not need to do anything and you can safely disregard this section.
Check SELinux status#
If SELinux is installed, check if it is enabled or disabled by running the following command:
sestatus -v
If SELinux is disabled, the response includes the following line:
SELinux status: disabled
Check SELinux mode#
You can check which SELinux mode is currently active by running the following command:
getenforce
The allowed modes are:
enforcing
permissive
disabled
The active mode may not be the same as the SELINUX
value defined in the
SELinux global configuration file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
This can occur after changing and saving SELinux global configuration file, and before executing a system reboot for the changes to become effective.
Set SELinux to permissive mode#
The recommended SELinux mode to offload complexity during installation and configuration is permissive.
To set SELinux to work permissively run the following command:
setenforce permissive
Post-installation check#
If SELinux is installed and it is enabled, run the following command:
# Enforce SELinux to the platform backend files semanage fcontext -a -t etc_t "/opt/eclecticiq-platform-backend(/.*)?" # Enforce SELinux to Nginx web server files semanage fcontext -a -t httpd_config_t "/opt/eclecticiq-platform-backend/etc/nginx(/.*)?" semanage fcontext -a -t httpd_config_t "/opt/eclecticiq-platform-backend/etc/eclecticiq-nginx(/.*)?" # Enforce SELinux to Redis files # Replace '${path_to_redis_data_dir}' with the actual path to the the Redis data dir semanage fcontext -a -t redis_var_lib_t "${path_to_redis_data_dir}/redis(/.*)?" # By default, newly created files and directories inherit the SELinux type # of the corresponding parents, so that log files have the correct type. # However, we do not want to relabel existing logs. semanage fcontext -a -t var_log_t -f d "/var/log"
If SELinux policy-related errors occur, the command returns a response that can be similar to this example:
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version. SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.31: No such file or directory /sbin/load_policy: Can't load policy: No such file or directory libsemanage.semanage_reload_policy: load_policy returned error code 2.
The response provides more context about the affected files and the reasons why it was not possible to set the security labels.
SELinux is not installed#
If SELinux is not installed on the target system, do the following:
After completing the platform installation, install and enable SELinux.
To set the correct security contexts, execute the following script:
BASE_PATH="/opt/eclecticiq-platform-backend" if [ -x "$(command -v semanage)" ]; then SELINUX_MODE=$(getenforce) if ! [ $SELINUX_MODE == "Disabled" ]; then semanage fcontext -a -t etc_t "$BASE_PATH(/.*)?" # Enforce SELinux to the platform backend files semanage fcontext -a -t etc_t "$BASE_PATH(/.*)?" # Enforce SELinux to Nginx web server files semanage fcontext -a -t httpd_config_t "$BASE_PATH/etc/nginx(/.*)?" semanage fcontext -a -t httpd_config_t "$BASE_PATH/etc/eclecticiq-nginx(/.*)?" # Enforce SELinux to Redis files # Replace '${path_to_redis_data_dir}' with the actual path to the the Redis data dir semanage fcontext -a -t redis_var_lib_t "${path_to_redis_data_dir}/redis(/.*)?" # By default, newly created files and directories inherit the SELinux type # of the corresponding parents, so that log files have the correct type. # However, we do not want to relabel existing logs. semanage fcontext -a -t var_log_t -f d "/var/log" restorecon -RF $BASE_PATH echo "SELinux security labels configured." else echo "SELinux is not enabled. Security labels won't be configured." fi else echo "SELinux is not installed. Security labels won't be configured." fi
You may need to reboot the system for the changes to become effective.
SELinux is installed but it is not enabled#
If SELinux is installed on the target system but it is not enabled, do the following:
Enable SELinux, either by editing its configuration file, and then by rebooting the system, or by running one of the following commands:
# Set SELinux to permissive mode $ setenforce 0 # Set SELinux to enforcing mode $ setenforce 1 # Create the following bash script: BASE_PATH="/opt/eclecticiq-platform-backend" if [ -x "$(command -v semanage)" ]; then SELINUX_MODE=$(getenforce) if ! [ $SELINUX_MODE == "Disabled" ]; then semanage fcontext -a -t etc_t "$BASE_PATH(/.*)?" # Enforce SELinux to the platform backend files semanage fcontext -a -t etc_t "$BASE_PATH(/.*)?" # Enforce SELinux to Nginx web server files semanage fcontext -a -t httpd_config_t "$BASE_PATH/etc/nginx(/.*)?" semanage fcontext -a -t httpd_config_t "$BASE_PATH/etc/eclecticiq-nginx(/.*)?" # Enforce SELinux to Redis files # Replace '${path_to_redis_data_dir}' with the actual path to the the Redis data dir semanage fcontext -a -t redis_var_lib_t "${path_to_redis_data_dir}/redis(/.*)?" # By default, newly created files and directories inherit the SELinux type # of the corresponding parents, so that log files have the correct type. # However, we do not want to relabel existing logs. semanage fcontext -a -t var_log_t -f d "/var/log" restorecon -RF $BASE_PATH echo "SELinux security labels configured." else echo "SELinux is not enabled. Security labels won't be configured." fi else echo "SELinux is not installed. Security labels won't be configured." fi
Save it, make it executable, and then run it.
You may need to reboot the system for the changes to become effective.