IMPEX Operation Guide

This operation guide provides assistance and instructions for operating hosted IMPEX systems. It gives general and specific information on operating the stations and the ICC. The system and application structure is described in a separate document, as is troubleshooting of a station.

Definitions

Word      Definition
ICC       IMPEX Control Center
Station   IMPEX scanning kiosk
Repo      Update service, included in ICC or a separate server

Contacts

Customers with a valid support contract can send support emails to

support@sysctl.se

System overview

IMPEX is a system for scanning data on USB devices in a kiosk solution; the stations are managed from a central ICC server. The stations scan files from USB devices and can deny content based on different rules and technologies. The stations initiate all communication to the ICC server on port TCP/443 and use TLS 1.2 for encryption in transit. The stations get the current time and their configuration from the ICC, and push logs and operation results from scans and other actions to the ICC server. The stations get AV signature updates, operating system patches and application upgrades from the Repo server, which can be installed on the ICC server or on a separate server called the Repo server.

The ICC server exposes a REST API that requires authentication. The stations use the REST API, but the interface can also be used for other types of integrations. The Repo syncs AV signatures and updates from updates.sysctl.se on port TCP/443 over TLS and exposes them to the stations.

All systems (Stations, ICC and Repo) use CentOS 7 as the base OS. The stations are not meant to be logged in to and remote access is not possible; all configuration is created as configuration cards on the ICC server. The ICC and Repo servers use local accounts by default, but can be connected to Active Directory, Red Hat Identity Manager, FreeIPA or another LDAP service when central accounts are used. Administrators can log in to the Repo and ICC servers with SSH or from the console. The application on the ICC has its own local accounts, and the only configuration that can be done there is related to the stations. System owners use the web interface to manage the stations and to analyze the results from the stations.

System drawing

                     +-------------------+  +--------------+
                     | updates.sysctl.se |  | Lets Encrypt |
                     +---^---------------+  +---^----------+
                         |                      |
    Internet             |                      |
                         |     +----------------+
                         |     |
+------------------------------------------------------------+
                         |     |
    DMZ              +---+-----+---+
                     |  Firewall   <------+
                     +-------------+      |
                                          |
                                    +-----+----+
                      +------------->  Proxy   |
                      |             | if used  |
                      |             +----------+
                      |
                 +----+----+
                 |         |
                 |  Repo   |
                 |         |
                 +----+----+
                      |
                      |
+------------------------------------------------------------+
                      |
    Internal network  |
                      |
                 +----+----+
                 |         |
                 |   ICC   <-------------------+
                 |         |                   |
                 +-------^-+              +----^----+
                         |                | Proxy   |
                         |                | if used |
                         |                +----+----+
                         |                     |
+------------------------+---------------------+-------------+
                         |                     |
    Peripheral Network   |                     |
                         |                     |
                         |                     |
                         |                     |
                    +----+----------+  +-------+-------+
                    | IMPEX STATION |  | IMPEX STATION |
                    +---------------+  +---------------+

Interactions with other systems

The table lists the normal interactions used by the system; they may differ in an actual installation if other integrations, such as Active Directory, are used.

Data     Delivers to      Receives from      Tool                Protocol/Port   Short Description
Mail     smtp.tld         ICC                Mail Relay          SMTP TCP/25     Information from ICC to end users
Time     ICC              ntp.tld            NTP                 NTP UDP/123     Time source to ICC
Time     Repo             ntp.tld            NTP                 NTP UDP/123     Time source to Repo
DNS      ICC              resolver.dns       DNS resolver        DNS UDP/53      DNS lookup for ICC
DNS      Repo             resolver.dns       DNS resolver        DNS UDP/53      DNS lookup for Repo
Logs     syslog.tld       ICC                Syslog              Syslog UDP/514  Sending syslog to log collector
Logs     syslog.tld       Repo               Syslog              Syslog UDP/514  Sending syslog to log collector
Updates  Station          Repo               Patches/Signatures  HTTPS TCP/443   Gets updates from Repo
Updates  ICC              Repo               Patches/Signatures  HTTPS TCP/443   Gets updates from Repo
Updates  Repo             updates.sysctl.se  Patches/Signatures  HTTPS TCP/443   Sync updates from sysctl
Cert     ICC              letsencrypt.org    Certificate renew   ACME TCP/443    Get certificate from letsencrypt
Cert     letsencrypt.org  ICC                Certificate renew   ACME TCP/80     Get certificate challenge from ICC

Client software requirements

Software needed to manage the systems.

Using the ICC application

A modern version of one of the following browsers.

Administrative tasks

SSH client software to access the ICC or Repo.

Operation description

Description of the tasks that may be needed for administration.

Station

The stations are self-maintained and no operation is needed. The stations check for new updates daily and check for signature updates several times a day. The station reboots every night.

ICC and Repo servers

If the letsencrypt module is not installed and used, the certificate needs to be renewed on the servers before it expires. With an expired certificate the stations will not get new updates. No other tasks are needed for day-to-day work.

Reset user password in application

sudo -i
cd /opt/sysctl/impex-server/django-app
sudo -u impex-server ./manage.sh changepassword <username>

Administrative login

Login to the system can be done on the server console or remotely using SSH.

Service accounts

The servers have one root account with a password set during the initial installation. The password is created during the installation by the system owner and is not known by sysctl. No accounts other than root can be used to log in to the system after installation. SSH with the root account is not allowed; root login is only possible from the console. Personal accounts are recommended for remote login with SSH, and tasks can be performed from a user account with privilege escalation. Personal accounts can exist in an LDAP server such as Active Directory.

Use the following command to get root permissions from a personal account.

sudo -i

Termination procedures

Application shutdown

systemctl stop impex-server

Application start

systemctl start impex-server

System shutdown

systemctl poweroff

Server reboot

systemctl reboot

Service window

The servers will check for updates and update the system automatically every day at 01:00 with a random delay of 1 hour. The servers will reboot if needed.

Renew of Certificates

Certificates are only needed on the ICC server, and on the Repo server if a separate server is used.

Renewing certificates depends on the current installation.

By using letsencrypt

Certificate renewal is automatic if the letsencrypt module is installed. If it is not installed the certificate must be renewed by the administrator before it expires.

By using an internal CA

When the ICC uses a certificate from an internal CA or from an external vendor, the certificate must be renewed manually. A new CSR must be created and signed by the CA. The following paths are used for certificates.

Backup

Snapshots of the servers can be taken to create backups. Every update of the ICC software creates a local backup of the database.

Repo

The Repo server can always resync all data from sysctl, so there is no need to back up any repository data or signature data.

ICC

The ICC stores all application data in a SQLite database.

/opt/sysctl/impex-server/django-app/db/db.sqlite3

To back up the database, the following command can be used.

sqlite3 /opt/sysctl/impex-server/django-app/db/db.sqlite3 .dump > new_backup_file

If YARA rules are used, one might want to back up any custom rules that have been uploaded. They are stored as plain files under

/opt/sysctl/impex-server/django-app/upload/yara/custom

Since these files were uploaded by an ICC admin, they might already be backed up elsewhere, depending on where they came from.
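As an added example (not part of this guide or of the IMPEX software), the following Python script performs the same backup as the sqlite3 .dump command above and copies the custom YARA rules, then replays the dump into a throwaway database to confirm the backup is actually restorable. The two paths are the ones named above; the functions take paths as arguments, and demo() runs the whole round trip on a constructed stand-in database in a temporary directory so it can be tried without access to an ICC.

```python
import shutil
import sqlite3
import tempfile
import time
from pathlib import Path

# Paths named in the guide; the functions take paths as arguments so the
# same code can run against the live ICC or against a test copy.
ICC_DB_PATH = Path("/opt/sysctl/impex-server/django-app/db/db.sqlite3")
YARA_CUSTOM_DIR = Path("/opt/sysctl/impex-server/django-app/upload/yara/custom")


def backup_icc(db_path, yara_dir, dest_dir):
    """Write a SQL text dump of the database (equivalent to `sqlite3 ... .dump`)
    and copy the custom YARA rules into dest_dir. Returns (dump_path, yara_copy)."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    dump_path = dest_dir / f"db-{stamp}.sql"

    # Open read-only (SQLite URI mode) so the backup can never modify the live DB.
    conn = sqlite3.connect(f"file:{Path(db_path)}?mode=ro", uri=True)
    try:
        with open(dump_path, "w", encoding="utf-8") as fh:
            for statement in conn.iterdump():
                fh.write(statement + "\n")
    finally:
        conn.close()

    yara_copy = None
    if Path(yara_dir).is_dir():
        yara_copy = dest_dir / f"yara-custom-{stamp}"
        shutil.copytree(yara_dir, yara_copy)
    return dump_path, yara_copy


def restore_and_count(dump_path, table):
    """Replay the dump into an in-memory database and return the row count of
    `table`, or -1 if the table is missing. A dump that cannot be replayed is
    not a backup, so this is the check to run after every backup."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(Path(dump_path).read_text(encoding="utf-8"))
        exists = conn.execute(
            "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
        ).fetchone()
        if exists is None:
            return -1
        return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
    finally:
        conn.close()


def make_sample_db(path):
    """Constructed stand-in for the ICC database (not the real ICC schema)."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE station (id INTEGER PRIMARY KEY, name TEXT)")
        conn.executemany("INSERT INTO station (name) VALUES (?)",
                         [("kiosk-01",), ("kiosk-02",)])
    conn.close()


def demo():
    """Full backup-and-verify round trip on constructed data in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        db = tmp / "db.sqlite3"
        yara = tmp / "yara" / "custom"
        yara.mkdir(parents=True)
        (yara / "example.yar").write_text("rule constructed_example { condition: false }\n")
        make_sample_db(db)

        dump, yara_copy = backup_icc(db, yara, tmp / "backup")
        return {
            "station_rows": restore_and_count(dump, "station"),
            "yara_files": sorted(p.name for p in yara_copy.iterdir()),
        }


if __name__ == "__main__":
    print(demo())
    # On the ICC itself (destination directory is an assumption):
    # backup_icc(ICC_DB_PATH, YARA_CUSTOM_DIR, "/var/backups/impex")
```

The read-only URI open matters on a live ICC: the application may be writing to the database while the backup runs, and opening with mode=ro guarantees the backup job itself cannot change it. Replaying the dump is the part most backup routines skip; a dump that fails to replay is discovered here rather than during an actual restore.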

Monitoring

The ICC can enable station online monitoring and send an email if a station is offline.

The following should be monitored by an external system on the ICC and Repo.

Syslog

The ICC generates a syslog message when a station has uploaded a scan report that contains malware. The following format is used for the message:

Dec 24 15:00:00 icc journal: ICC WARNING [ICC:14] \
Station detected malware (https://icc.domain.tld/v/operations?byId=2)

The message includes a link to the scan report on the ICC. It does not include any sensitive information about the scanned data.
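As an added example (not part of this guide), here is Python detection logic that an external log collector could run over ICC syslog lines to pick out the malware message in the format above and extract the report id and link. The log lines are constructed for the example: the WARNING lines are written in the documented format on a single line, the icc.domain.tld host name is the one used above, and the sshd and systemd lines are ordinary CentOS journal noise that must not trigger.

```python
import re
from collections import Counter

# Constructed sample of what the log collector receives from the ICC. The two
# WARNING lines follow the format documented in the guide; the others are
# ordinary journal noise that must not match.
SAMPLE_LOG = """\
Dec 24 14:59:58 icc systemd: Started impex-server.
Dec 24 15:00:00 icc journal: ICC WARNING [ICC:14] Station detected malware (https://icc.domain.tld/v/operations?byId=2)
Dec 24 15:00:05 icc sshd[1234]: Accepted publickey for operator from 10.0.0.5 port 51234 ssh2
Dec 24 15:03:12 icc journal: ICC WARNING [ICC:14] Station detected malware (https://icc.domain.tld/v/operations?byId=7)
"""

# Matches only the documented malware message. The syslog timestamp, host,
# message tag, report URL and numeric report id are captured separately so a
# collector can key alerts on the report id instead of on free text.
MALWARE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) journal: ICC WARNING \[(?P<tag>ICC:\d+)\] "
    r"Station detected malware \((?P<url>https://[^)\s]+[?&]byId=(?P<report_id>\d+))\)$"
)


def parse_malware_events(log_text):
    """Return one dict per line that matches the documented malware message."""
    events = []
    for line in log_text.splitlines():
        m = MALWARE_RE.match(line)
        if m is None:
            continue
        events.append({
            "timestamp": m["ts"],
            "host": m["host"],
            "tag": m["tag"],
            "report_id": int(m["report_id"]),
            "report_url": m["url"],
        })
    return events


def detections_per_host(events):
    """Count malware reports per ICC host, e.g. for a dashboard or a threshold alert."""
    return dict(Counter(e["host"] for e in events))


def format_alert(event):
    """Short ticket/alert text. The URL is the ICC's own report link, which the
    guide says carries no sensitive data about the scanned files, so it is safe
    to forward to an operator."""
    return (f"{event['timestamp']} {event['host']}: malware in scan report "
            f"#{event['report_id']} -> {event['report_url']}")


if __name__ == "__main__":
    found = parse_malware_events(SAMPLE_LOG)
    for ev in found:
        print(format_alert(ev))
    print(detections_per_host(found))
```

The pattern is anchored at both ends and requires the literal "journal: ICC WARNING [ICC:n]" prefix, so a free-text match on "malware" elsewhere in the journal (for example in an sshd or systemd line) cannot raise a false alert. If the syslog forwarder on the ICC rewrites the timestamp or hostname format, the first group of the pattern is the only part that needs adjusting.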