This operation guide is intended to provide assistance and instruction for the operation of hosted IMPEX systems. The document gives general and specific information regarding the operation of stations, ICC and Repo server. This document does not describe the system or application structure which is described in a separate document. This documentation will not explain troubleshooting of USB Protect or DataLock which is described in a separate document.
| Word | Definition |
|---|---|
| IMPEX | The family name of USB Protect, ICC, Repo and DataLock |
| Stations | The family name of USB Protect and DataLock |
| ICC | The server which control the Stations |
| USB Protect | The kiosk computer used to scan mass storage devices |
| Repo | The server that has the updates and definitions |
| DataLock | Server used for network flows that will scan files before transferring them onwards |
| Network flows | This is the description of data being scanned and transferred through the Data Lock to a remote destination. A Data Lock can have multiple remote destinations configured |
| Operators | The users who will use the administrative interface on the ICC server |
Customers with a valid support contract can send support emails to
support@sysctl.se
USB Protect is a system for scanning data on USB-devices in a kiosk solution, the stations are managed from a central ICC server. USB Protect scan files from USB-devices and can deny the content by using different rules and technologies. USB Protect initiates all communications to the ICC server on port TCP/443 and uses TLS1.2 for encryption during transit. USB Protect will get the current time and the configuration from the ICC. USB Protect will push logs and operation results from scans and other actions to the ICC server. USB Protect will get engine definitions updates, operating system patches and application upgrades from the Repo server, the Repo server can be installed on the ICC server or on a separate server called Repo server.
The DataLock is just like an USB Protect station but it uses SFTP over the network instead of USB devices and it scans and sends files in different flows.
The ICC server exposes a REST API that requires authentication. The stations will use the REST API but it is also possible to use the interface for other types of integrations. The Repo will sync engine definitions and updates from updates.sysctl.se on port TCP/443 over TLS and expose them to the stations.
All systems(USB Protect, DataLock, ICC and Repo) use CentOS 7 as the base OS. USB Protect and DataLock are not supposed to be logged in to and remote access is not possible, all configuration is created as configuration cards on the ICC server. The ICC and Repo server use local accounts by default, but can be connected to Active Directory, Red Hat Identity Manager, FreeIPA or other LDAP service when using central accounts. Administrators can log in to the Repo and ICC server with SSH or from the console. The application on the ICC has local accounts and the configuration that can be done is mail relay, DNS, NTP and syslog, other configurations are related to the USB Protect and DataLock. System owners can use the web interface to manage the USB Protect and DataLock. It is also possible to analyze the results from the nodes.
The impex solution is built to be in architectures based on IEC62443 and similiar zone concept solution as well as other network designs. These are a few examples of how an IMPEX solution can fit in a network. The ICC and the Repo can exist on the same machine and do not need to be separated servers. The solution supports proxies but a proxy is not required.
+-------------------+ +--------------+
| updates.sysctl.se | | Lets Encrypt |
+------^------------+ +-----^--------+
Internet | |
| +----------------+
| |
+------------------------------------------------------------+
| |
DMZ +---+-----+---+
| Firewall <------+
+-------------+ |
|
+-----+----+
+-------------> Proxy |
| | if used |
| +----------+
|
|
+----+--------------------+
| |
| ICC and optional Repo <------+
| | |
+-------^-----------------+ +----^----+
| | Proxy |
| | if used |
| +-+-------+
| |
+------------------------+---------------------+-------------+
| |
Peripheral Network | |
| |
+------+-------+ +-------+------+
| USB Protect | | USB Protect |
+--------------+ +--------------+
+-------------------+ +--------------+
| updates.sysctl.se | | Lets Encrypt |
+------^------------+ +-----^--------+
Internet | |
| +----------------+
| |
+------------------------------------------------------------+
| |
DMZ +---+-----+---+
| Firewall <------+
+-------------+ |
|
+-----+----+
+------------------> Proxy |
| | if used |
| +----------+
+----+-------------+
| |
| Repo, if used |
| |
+----+-------------+
|
+------------------------------------------------------------+
|
Internal network |
|
+----+--------------------+
| |
| ICC and optional Repo <------+
| | |
+-------^-----------------+ +----^----+
| | Proxy |
| | if used |
| +-+-------+
| |
+------------------------+---------------------+-------------+
| |
Peripheral Network | |
| |
+------+-------+ +-------+------+
| USB Protect | | USB Protect |
+--------------+ +--------------+
+-------------------+ +--------------+
| updates.sysctl.se | | Lets Encrypt |
+------^------------+ +-----^--------+
Internet | |
| +----------------+
| |
+---------------------------------------------------------------------+
| |
DMZ +---+-----+---+
| Firewall <------+
+-------------+ |
|
+-----+----+
+-------------> Proxy |
| | if used |
| +----------+
|
|
+----+--------------------+
| |
| ICC and optional Repo <------+
| | |
+-------^-----------------+ +----^----+
| | Proxy |
| | if used |
| +-+-------+
| |
+------------------------+---------------------+-----------------------+
| |
Office Network | |
| |
| |
+--------+ +----+-----+ +-----+----+ +--------+
| Sender |-------> DataLock | | DataLock <------| Sender |
+--------+ +----------+ +----------+ +--------+
| |
| |
+------------------------+---------------------+------------------------+
| |
Protected Network | |
+-----v----+ +----v-----+
| Receiver | | Receiver |
+----------+ +----------+
The table explains the normal interactions used by the system, but it may differ depending on the actual installation if other integrations are used, like Active Directory.
| Data | Delivers to | Receives from | Tool | Protocol/ Port | Short Description |
|---|---|---|---|---|---|
| smtp.tld | ICC | Mail Relay | SMTP TCP/25 | Information from ICC to end users | |
| Time | ICC | ntp.tld | NTP | NTP UDP/123 | Time source to ICC |
| Time | Repo | ntp.tld | NTP | NTP UDP/123 | Time source to Repo |
| DNS | ICC | resolver.dns | DNS resolver | DNS UDP/53 | DNS lookup for ICC |
| DNS | ICC | resolver.dns | DNS resolver | DNS TCP/53 | DNS lookup for ICC |
| DNS | Repo | resolver.dns | DNS resolver | DNS UDP/53 | DNS lookup for Repo |
| DNS | Repo | resolver.dns | DNS resolver | DNS TCP/53 | DNS lookup for Repo |
| Logs | syslog.tld | ICC | Syslog | Syslog UDP/514 | Sending syslog to log collector |
| Logs | syslog.tld | Repo | Syslog | Syslog UDP/514 | Sending syslog to log collector |
| Updates | USB Protect | Repo | Patches/ Signatures | HTTPS TCP/443 | Gets updates from Repo |
| Updates | DataLock | Repo | Patches/ Signatures | HTTPS TCP/443 | Gets updates from Repo |
| Updates | ICC | Repo | Patches/ Signatures | HTTPS TCP/443 | Gets updates from Repo |
| Updates | Repo | updates. sysctl.se | Patches/ Signatures | HTTPS TCP/443 | Sync updates from sysctl |
| Cert | ICC | letsencrypt. org | Certificate renew | ACME TCP/443 | Get certificate from letsencrypt |
| Cert | letsencrypt. org | ICC | Certificate renew | ACME TCP/80 | Get certificate challenge from ICC |
Software needed to manage the systems.
A modern version with one of the following browsers.
SSH client software to access the ICC or Repo.
Description of different tasks that may be needed for administrative changes.
The systems are self maintained and no operations are needed. The systems will check for new updates on a daily basis and regularly check for definition updates several times every day. The systems will reboot every week.
USB Protect and DataLock will check for new definitions every hour with a random delay of maximum 30 minutes.
If the letsencrypt module is not installed and used the certificate needs to be renewed on the servers before the certificate expires. With an expired certificate the USB Protect and DataLock will not get new updates. No other tasks are needed for the day to day work.
Sysctl will fetch new definitions and publish them every hour with exception for ClamAV and F-Secure which have rate limiting and those definitions will be fetched every third hour.
Repo will search for new definitions published at updates.sysctl.se every hour with a random delay of maximum 60 minutes.
The USB Protect and DataLock use a random root password generated during the installation
The root password is rotated on a daily basis and only accessible from the ICC
The ICC server has two passwords configured after the installation
root password for the underlying operating system
The root password is created manually during the installation by the owner of the system
admin password for the application
The admin password is randomly generated during installation and saved in the file /root/icc_admin which only can be read by the root user.
The admin password should be changed before the service is in production
The Repo server has one password configured manually during the installation
root password for the underlying operating systemThe password for the root user must be set during installation. SYSCTL has no knowledge of the passwords.
The password for the admin user is created by the system with a random string and stored in /root/icc_admin. SYSCTL recommends that the password is changed during installation.
USB Protect rotates the root password on a daily basis DataLock rotates the root password on a daily basis
SSH or console access is required to reset the application password. To reset a user’s password the following commands must be used.
sudo -i
cd /opt/sysctl/impex-server/django-app
sudo -u impex-server ./manage.sh changepassword <username>
Login to the system can be done on the server console or remote by using SSH.
By default no other interactive user than root exists in the system. If users are added to the system they can only use the sudo command with the root password. If the user’s password should be used for sudo, /etc/sudoers.d/users needs to be modified.
The servers have one root account with a password set during the initial installation. The password is created during the installation by the system owner. The password is not known by Sysctl. No other accounts besides the root account can be used to log in to the system after installation. SSH with root account is not allowed and login is only possible from the console. Personal accounts are recommended to use for remote login with SSH, and tasks can be performed from a user account with privilege escalations. Personal accounts can exist in a LDAP server like Active Directory.
Use the following command to get root permissions from a personal account.
sudo -i
systemctl stop impex-server
systemctl start impex-server
systemctl poweroff
systemctl reboot
The servers will check for updates and update the system automatically every day at 01:00, with a random delay of 1 hour. The servers will reboot if needed.
Certificates are only required for the ICC server and the Repo server (if a separate Repo server is used).
The installation and renewal of certificates depend on the customer’s PKI policies.
Certificate installation and renewal is automatic when the letsencrypt module is installed.
Proxy configuration of the Let’s Encrypt module can be done in /etc/sysconfig/impex-letsencrypt
When the ICC uses a certificate from an internal CA or uses a certificate from an external vendor must the certificate be renewed manually.
If the certificate is created outside the ICC or Repo installation, it must be imported into the servers, including the full chain. The files must be stored correctly according to the Certificate path instructions.
If the certificate is created on the ICC or Repo server, some helper scripts can be used after the initial configuration has been completed.
Copy the certificate configuration file
Modify the configuration file and ensure the the section [ v3_req ] have the following content:
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = host1.domain.tld
Run the script bash /opt/sysctl/impex-server/tools/cert.sh and answer the certificate questions, the script requires that the server has a correct hostname. The script will save the private key(hostname.key), and the certificate request(hostname.csr) in the directory /root/pki/timestamp_in_epoch/
The cert.sh also include helper commands if the signed certificate needs to be converted from der or pkcs7 format.
To renew a certificate request the following command can be used: openssl req -new -key “_path_to_private_key” -out “_path_to_new_csr” -config /root/openssl.conf
When a new certificate is signed by the CA, save the cert and chain in the correct directories according to Certificate paths
The paths used for certificates is defined in:
/opt/sysctl/impex-server/etc/apache/conf.d/cert.d/cert.conf
and has by default the following content
Other filenames can be used if configured in the cert.conf file, the FQDN is normally used for the file names.
The certificate chain file must include the root CA and all intermediate issuing certificates ordered by root CA down to the issuer certificate.
Snapshots of the servers can be done to create backups. With every upgrade of the ICC software the update will create a local backup (snapshot) of the database.
The repo server can always resync all the data from Sysctl. There is no need to backup any repository data or signature data.
The ICC stores all application data in a SQLite database.
/opt/sysctl/impex-server/django-app/db/db.sqlite3
To backup the database, the following command can be used.
sqlite3 /opt/sysctl/impex-server/django-app/db/db.sqlite3 .dump > new_backup_file
If YARA rules are used one might want to backup any custom rules uploaded. They are stored as plain files under
/opt/sysctl/impex-server/django-app/upload/yara/custom
Since these were files uploaded by an ICC admin they might already be backed up depending on where they came from.
The ICC can enable USB Protect and DataLock online monitoring and send email if any is offline.
The following should be monitored by an external system on the ICC and Repo.
The ICC will generate a syslog message when USB Protect or DataLock has uploaded a scan report that contains malware. The following format is used for the message
Dec 24 15:00:00 icc journal: ICC WARNING [ICC:14] \
Station detected malware (https://icc.domain.tld/v/operations?byId=2)
The message includes a link to the actual scan report on the ICC. It will not include any sensitive information about the data.
ICC application has support for configuring remote syslog and is documented in the ICC manual.
Remote syslog configuration in the Repo server needs to be configured from the console.
Create the file /etc/rsyslog.d/remote.conf and add the below configuration example to send syslog to a remote server.
local6.* action(type="omfwd"
queue.type="linkedlist"
queue.filename="icc_remote_queue"
action.resumeRetryCount="-1"
queue.saveOnShutdown="on"
target="IP_ADRESS_OR_FQDN" port="514" protocol="tcp"
)
The value for target must be changed to a real value and the value for protocol can be either tcp or udp
Before changing any other values please consult with sysctl support.
systemctl restart rsyslog