This operation guide is intended to provide assistance and instruction for the operation of hosted IMPEX systems. The document gives general and specific information regarding the operation of stations and the ICC. This document does not describe the system or application structure which is described in a separate document. This documentation will not explain troubleshooting of a station which is in a separate document.
| Word | Definition |
|---|---|
| ICC | IMPEX Control Center |
| Station | IMPEX scanning kiosk |
| Repo | Update service, included in ICC or a separate server |
Customers with a valid support contract can send support emails to
support@sysctl.se
IMPEX is a system for scanning data on USB-devices in a kiosk solution, the stations are managed from a central ICC server. The stations scan files from USB-devices and can deny the content by using different rules and technologies. The stations initiate all communications to the ICC server on port TCP/443 and use TLS1.2 for encryption during transit. The stations will get the current time and the configuration from the ICC. The stations will push logs and operation results from scans and other actions to the ICC server. The stations will get AV-signatures updates, operatingsystem patches and application upgrades from the Repo server, the Repo server can be installed on the ICC server or on a separate server called Repo server.
The ICC server exposes a REST API that requires authentication. The stations will use the REST API but it is also possible to use the interface for other types of integrations. The Repo will sync AV-singatures and updates from updates.sysctl.se on port TCP/443 over TLS and expose them to the stations.
All systems(Stations, ICC and Repo) use CentOS 7 as the base OS. The stations are not supposed to be logged in to and remote access is not possible, all configuration is created as configuration cards on the ICC server. The ICC and Repo server use local accounts by default, but can be connected to Active Directory, Redhat Identity Manager, FreeIPA or other LDAP service when using central accounts. Administrators can log in to the Repo and ICC server with SSH or from the console. The application on the ICC has local accounts and the only configuration that can be done is related to the stations. System owners can use the web interface to manage the stations and to analyze the results from the stations.
+-------------------+ +--------------+
| updates.sysctl.se | | Lets Encrypt |
+---^---------------+ +---^----------+
| |
Internet | |
| +----------------+
| |
+------------------------------------------------------------+
| |
DMZ +---+-----+---+
| Firewall <------+
+-------------+ |
|
+-----+----+
+-------------> Proxy |
| | if used |
| +----------+
|
+----+----+
| |
| Repo |
| |
+----+----+
|
|
+------------------------------------------------------------+
|
Internal network |
|
+----+----+
| |
| ICC <-------------------+
| | |
+-------^-+ +----^----+
| | Proxy |
| | if used |
| +----+----+
| |
+------------------------+---------------------+-------------+
| |
Peripheral Network | |
| |
| |
| |
+----+----------+ +-------+-------+
| IMPEX STATION | | IMPEX STATION |
+---------------+ +---------------+
The table explains the normal interactions used by the system, but it may differ depending on the actual installation if other integrations are used, like Active Directory.
| Data | Delivers to | Receives from | Tool | Protocol/ Port | Short Description |
|---|---|---|---|---|---|
| smtp.tld | ICC | Mail Relay | SMTP TCP/25 | Information from ICC to end users | |
| Time | ICC | ntp.tld | NTP | NTP UDP/123 | Time source to ICC |
| Time | Repo | ntp.tld | NTP | NTP UDP/123 | Time source to Repo |
| DNS | ICC | resolver.dns | DNS resolver | DNS UDP/53 | DNS lookup for ICC |
| DNS | Repo | resolver.dns | DNS resolver | DNS UDP/53 | DNS lookup for Repo |
| Logs | syslog.tld | ICC | Syslog | Syslog UDP/514 | Sending syslog to log collector |
| Logs | syslog.tld | Repo | Syslog | Syslog UDP/514 | Sending syslog to log collector |
| Updates | Station | Repo | Patches/ Signatures | HTTPS TCP/443 | Gets updates from Repo |
| Updates | ICC | Repo | Patches/ Signatures | HTTPS TCP/443 | Gets updates from Repo |
| Updates | Repo | updates. sysctl.se | Patches/ Signatures | HTTPS TCP/443 | Sync updates from sysctl |
| Cert | ICC | letsencrypt. org | Certificate renew | ACME TCP/443 | Get certificate from letsencrypt |
| Cert | letsencrypt. org | ICC | Certificate renew | ACME TCP/80 | Get certificate challenge from ICC |
Software needed to manage the systems.
A modern version with one of the following browsers.
SSH client software to access the ICC or Repo.
Description of different tasks that may be needed for administrative tasks.
The stations are self maintained and no operations is needed. The stations will check for new updates on daily basis and regulary check for signature updates several times every day. The station will reboot every night.
If the letsencrypt module is not installed and used the certificate need to be renewed on the servers before the certificate expires. With an expired certificate the station will not get new updates. No other tasks is needed for the day to day work.
sudo -i
cd /opt/sysctl/impex-server/django-app
sudo -u impex-server ./manage.sh changepassword <username>
Login to the system can be done on the server console or remote using SSH.
The servers have one root account with a password set during the initial installation. The password is created during the installation by the system owner. The password is not known by sysctl. No other accounts besides the root account can be used to log in to the system after installation. SSH with root account is not allowed and login is only possible from the console. Personal accounts are recommended to use for remote login with SSH, and tasks can be performed from a user account with privilege escalations. Personal account can exist in a LDAP server like Active Directory.
Use the following command to get root permissions from a personal account.
sudo -i
systemctl stop impex-server
systemctl start impex-server
systemctl poweroff
systemctl reboot
The servers will check for updates and update the system automatically every day at 01:00 with a random delay of 1 hour. The servers will reboot if needed.
Certificates is only needed on the ICC server and Repo server if a separate server is used.
Renewing certificates depends on the current installation.
Certificate renewal is automatic if the letsencrypt module is installed. If it is not installed the certificate must be renewed by the administrator before it expires.
When the ICC use a certificate from an internal CA or use a certificate from an external vendor must the certificate be renewed manually. A new CSR must be created and signed by the CA. The following paths are used for certificates.
Snapshots of the servers can be done to create backups. With every update of the ICC software the update will create a local backup of the database.
The repo server can always resync all the data from sysctl. There is no need to backup any repository data or signature data.
The ICC store all application data in a SQLite database.
/opt/sysctl/impex-server/django-app/db/db.sqlite3
To backup the database, the following command can be used.
sqlite3 /opt/sysctl/impex-server/django-app/db/db.sqlite3 .dump > new_backup_file
If YARA rules are used one might want to backup any custom rules uploaded. They are stored as plain files under
/opt/sysctl/impex-server/django-app/upload/yara/custom
Since these were files uploaded by an ICC admin they might already be backed up depending on where they came from.
The ICC can enable Station online monitoring and send email if a station is offline.
The following should be monitored by an external system on the ICC and Repo.
The ICC will generate a syslog message when a station has uploaded a scan report that contains malware. The following format is used for the message
Dec 24 15:00:00 icc journal: ICC WARNING [ICC:14] \
Station detected malware (https://icc.domain.tld/v/operations?byId=2)
The message includes a link to the actual scan report on the ICC. It will not include any sensitive information about the data.