Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 71 Current »

Content

Installation requirements

Supported operating systems

  • RHEL 7/CentOS 7

  • RHEL 8/CentOS 8 Stream/Rocky Linux 8

  • RHEL 9/CentOS 9 Stream/Rocky Linux 9

Only new installation of operating system without any additional applications is supported. For AWS Marketplace deployments the recommended system version is already pre-installed.

System requirements

Minimal

  • 1 CPU

  • 2 GiB RAM

  • 1 GiB HDD for application + additional storage for files sent by the application.

  • 2 CPU

  • 4 GiB RAM

  • 1 GiB HDD for application + additional storage for files sent by the application.

Clarification

The requirements are for the SOFiE application only, for an average installation of up to a 100 users. For larger installations we recommend to double these values.

Additional installed components might have additional requirements (for example for ClamAV we recommend another + 1 GiB RAM and 1 CPU).

Default communication ports

  • Inbound:

    • http (80/tcp) - for Let’s Encrypt certificates

    • https (443/tcp) - for main application web interface

  • Outbound:

    • smtp (25/tcp) - for sending out e-mails, can be limited to smtp relay server’s address

    • http (80/tcp), https (443/tcp) - for downloading updates and license

    • ldap (389/tcp, 636/tcp) - for integration with Active Directory, can be limited to AD’s address

    • diagnostics (2222/tcp) - for allowing remote diagnostics, can be limited to recon.sonpo.io address

When installing and running behind an SSL inspection proxy (optional)

Copy the inspection’s certificate authority, for example CA.crt, into /etc/pki/ca-trust/source/anchors and run:

update-ca-trust extract

Installation of application

  • When deploying from AWS Marketplace, skip this chapter and continue with First start below.

  • Install required packages:

RHEL/CentOS 7 (deprecated):

yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y curl tar ansible libsemanage-python policycoreutils-python

RHEL/CentOS/Rocky 8:

dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install -y curl tar ansible python3-libsemanage python3-policycoreutils

RHEL/CentOS/Rocky 9 (recommended):

dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
dnf install -y curl tar ansible python3-libsemanage python3-policycoreutils

  • Download and run installation script:

sh -c "$(curl -sL https://install.sofie.cloud/latest/sofie-install.sh)"

  • After running the installation script you will be asked to fill these parameters:

FQDN - This value is required. It is server's fully qualified domain name. Application will be licensed to this FQDN and all applications links will be directed to this FQDN.
Let's Encrypt status - If enabled, it will create Let’s Encrypt certificate for the entered FQDN.

  • After starting the installation with option 4, the script will install required packages and it will create and run application services. When the services are running, application will be available in user and administrator sections. If you chose installation without Let's Encrypt certificate, you will have to set up usage of different certificate for https connection(see Basic settings), or else the application will not be accessible, because it has HSTS enabled by default, only allowing access by https with a valid certificate.

External PostgreSQL database (optional)

Installation script automatically installs and configures local PostgreSQL instance that is dedicated to SOFiE application and is accessible only from local host.

External PostgreSQL instance can also be used, under following conditions:

  • PostgreSQL version 11 - 16

  • dedicated user and database for SOFiE are created manually (creation of external database and user is not supported by installation script)

  • pgcrypto extension is installed in SOFiE database

  • dedicated user is owner of SOFiE database

Connection properties must be manually configured in two files:

  • /etc/sofie/production.properties (for database migrations - in section “JDBC connection properties”)

  • /etc/sofie/META-INF/microprofile-config.properties (for SOFiE application - in section “JDBC configuration”)

Syntax of JDBC URL with all possible parameters is described at PostgreSQL JDBC driver page:

https://jdbc.postgresql.org/documentation/use/#connecting-to-the-database

First start

The application is started automatically after the installation. When deploying from AWS Marketplace the application is already pre-installed and is started right after deployment. After the application is started the user’s and administrator’s interface is available using web browser at the following addresses:

User section

https://<FQDN>

Administrator section

https://<FQDN>/admin

For the administrator to be able to log in to the web interface, he should proceed after the start with basic settings as described bellow, including setting administrator’s password.

Basic settings

  • The following steps need to be performed in the command line of the running application server.

  • To access the web interface there must be a working https certificate set up. If it is not working or we are deploying from the AWS Marketplace, run the following commands:

    # To set the correct FQDN of the serveru and the application:
sofie set-fqdn <fqdn>

# To prepare certificates for this new FQDN:
sofie recreate-cert [--le | --selfsigned | --current]

# To apply the changes, nginx and sofie application need to be restarted:
systemctl restart nginx
sofie restart

  • (optional) You can install your own certificate by overwriting files of generated self-signed certificate. Copy certificate file to “/etc/nginx/cert/certificate.crt” and private key file to “/etc/nginx/cert/private.key”:

    # Certificate file
ssl_certificate /etc/nginx/cert/certificate.crt;

# Private key file
ssl_certificate_key /etc/nginx/cert/private.key;

    Then restart nginx.

  • (up to version 2.2.7) Default administrator account is “admin” with password “sofieadmin”. We recommend changing this password after first login (Settings/Administrators). The administrator has to login to the admin section (/admin), not the user section.

  • (since version 2.2.8 + AWS) Default administrator account is “admin” with a random generated password. The administrator has to login to the admin section (/admin), not the user section. The password must be reset before a first login to a new random one, that will be shown once in the console, using the following command:

    /opt/sofie-root/bin/sofie reset-admin-password

  • For the application to work correctly, you must also configure the SMTP server. This is done in the administrator’s web interface in Settings/Configuration/E-mail.

  • For further settings and correct setup of the application the administrator should read and make himself familiar with the https://wikisonpo.atlassian.net/wiki/spaces/SPEN/pages/1069940737/Administrator+manual.

Update of application

To be performed according to the instructions here: https://wikisonpo.atlassian.net/wiki/spaces/SPEN/pages/2955509761

Installation of the CDR module (optional)

Since version 2.3 the SOFiE application supports an optional internal module “Content Disarm and Reconstruction (CDR)“. The module enables conversion of supported file types (typically Office documents) into a safe format, specifically a PDF without active content. To be able to use the module, it must be installed first by performing the following steps:

# install and run the docker
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
dnf install docker-ce docker-ce-cli containerd.io uuid
systemctl start docker
systemctl enable docker

# download and run the neccessary docker container
docker run -d --name libreoffice -p 8100:8100 hdejager/libreoffice-api

After the installation the administrator can activate and configure the CDR module using the web interface, in the section Settings - Detection settings.

Installation of antivirus engines (optional)

  • You can configure paths to antivirus engines in “/etc/sofie/META-INF/microprofile-config.properties” section “# AV”

scanner.bitdefender.exec=/opt/bitdefender-security-tools/bin/bduitool
scanner.clamav.exec=/usr/bin/clamdscan
scanner.eset.exec=/opt/eset/efs/sbin/cls/cls
scanner.kaspersky.exec=/usr/bin/kesl-control
scanner.sophos.exec=/opt/sophos-av/bin/savscan

Avast

echo '[avast]
name=Avast
baseurl=https://repo.avcdn.net/linux-av/rpm/el$releasever/release
enabled=1
gpgcheck=1
' > /etc/yum.repos.d/avast.repo

  • Import Avast GPG key:

rpm --import https://repo.avcdn.net/linux-av/doc/avast-gpg-key.asc

  • Install Avast packages:

dnf install avast avast-license

  • Download license file:

avastlic -o license.avastlic -c <activation code>

  • Copy license file to /etc/avast/license.avastlic:

cp ./license.avastlic /etc/avast/license.avastlic

  • If needed modify configuration in /etc/avast/*

  • Enable and start Avast service:

systemctl enable avast
systemctl start avast

BitDefender

Modules: only AntiMalware
Scan mode / Custom / For computers: Local Scan
Scan mode / Custom / For virtual machines: Local Scan
Settings: turn everything off

  • Download package as Linux kit (64-bit)

  • Extract and run installation:

tar -xvf fullKit_unix64_7.0.3.1927.tar
chmod +x installer
./installer

  • Run a test scan:

/opt/bitdefender-security-tools/bin/bduitool scan -s custom /opt/bitdefender-security-tools/bin/bduitool

  • Create a server policy in GravityZone portal with settings:

Antimalware / On-Access: turn everything off
Antimalware / On-Execute: turn everything off
Antimalware / On-Demand: turn everything off
Antimalware / On-Demand / Contextual Scan / Miscellaneous: turn on - Scan for rootkits, Scan for keyloggers, Scan network shares, Scan only new and changed files, Scan for Potentially Unwanted Applications (PUA)
Antimalware / On-Demand / Contextual Scan / Actions: change everything to ignore
Antimalware / On-Demand / External Device Scan: set up the same as Contextual Scan
Antimalware / Advanced Anti-Exploit: turn everything off
Antimalware / Settings: turn everything off

  • Assign created policy to the server in GravityZone portal.

ClamAV

  • Install ClamAV from epel repository

yum install -y clamav clamd

/usr/bin/freshclam

  • Change configuration in “/etc/clamd.d/scan.conf” :

# comment out
#Example
 
# set up socket
LocalSocket /var/run/clamd.scan/clamd.sock
 
# change to your liking
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000

  • Modify systemd file:

mv /usr/lib/systemd/system/clamd@.service /usr/lib/systemd/system/clamd.service

sed -i 's/^\(ExecStart = \/usr\/sbin\/clamd -c\)\(.*\)/\1 \/etc\/clamd.d\/scan.conf/' /usr/lib/systemd/system/clamd.service

  • Run the ClamAV service :

systemctl enable clamd clamav-freshclam

systemctl start clamd clamav-freshclam

ESET

# these packages are required before installing ESET
yum install glibc.i686 ed tar
 
# download and install ESET antivirus
wget https://download.eset.com/com/eset/apps/business/efs/linux/latest/efs.x86_64.bin
sh efs.x86_64.bin
 
# import licence key
/opt/eset/efs/sbin/lic -k XXXX-XXXX...

  • Download file with configuration and import:

# import configuration
wget https://wikisonpo.atlassian.net/wiki/download/attachments/887423004/efs-config6
/opt/eset/efs/sbin/cfg --import-xml=efs-config6

# restart efs daemon
systemctl restart efs

FortiClient

  • FortiClient Endpoint Management Server (FortiClient EMS) should already be installed.

  • Download FortiClient 7.x version. We download a headless linux version: forticlient_server_7.0.2.0063_x86_64.rpm

  • Install FortiClient:

yum install forticlient_server_7.0.2.0063_x86_64.rpm

  • Register FortiClient to EMS:

/opt/forticlient/epctrl -r <address of EMS server>

  • Check registration and licence:

/opt/forticlient/epctrl -d

  • In FortiClient EMS administration make these changes:

    • “Endpoints/Workgroups” create group for registered server.

    • “Endpoints/Group Assignment Rules” assign registered server to created group.

    • “Endpoint Profiles/Manage Profiles” create profile for registered server. Profile should contain these settings:

    • “Endpoint Policy and Components“ create policy for group containing registered server and assign created profile.

Kaspersky

wget https://products.s.kaspersky-labs.com/endpoints/keslinux10/12.0.0.6672/multilanguage-12.0.0.6672/3739343633347c44454c7c31/kesl-12.0.0-6672.x86_64.rpm

  • Install kaspersky antivirus:

yum install kesl-12.0.0-6672.x86_64.rpm

  • Run configuration:

yum install -y perl-File-Copy

/opt/kaspersky/kesl/bin/kesl-setup.pl

  • After installation turn off resident protection:

kesl-control --stop-task File_Threat_Protection
kesl-control --stop-task Device_Control
kesl-control --stop-task Behavior_Detection

  • Change default scan options:

kesl-control --set-settings Scan_File ScanMailBases=Yes ScanPlainMail=Yes

  • Import your license:

kesl-control -L --add-active-key <activation code/key file>

Sophos

tar -xzvf sav-linux-free-9.tgz
chmod +x install.sh
./install.sh

  • Set up during installation:

Do you want to enable on-access scanning? Yes(Y)/No(N) [Y]
> N
Which type of auto-updating do you want? From Sophos(s)/From own server(o)/None(n) [s]
> s
Do you wish to install the Free (f) or Supported (s) version of SAV for Linux? [s]
> f

  • Turn off email notifications:

/opt/sophos-av/bin/savconfig set SendErrorEmail false
/opt/sophos-av/bin/savconfig set SendThreatEmail false
/opt/sophos-av/bin/savconfig set EmailDemandSummaryIfThreat false
/opt/sophos-av/bin/savconfig set EmailNotifier false

Trellix

dnf install -y unzip

mkdir trellix

tar -xzvf cls-l64-703-l.tar.gz --directory ./trellix

cd trellix

# All install options leave at default values
./install-uvscan /opt/trellix/uvscan
cd /opt/trellix/uvscan

wget https://update.nai.com/products/commonupdater/current/vscandat1000/dat/0000/avvdat-10733.zip

unzip -u avvdat-10733.zip

  • Download update script

cd /opt/trellix/uvscan

wget https://wikisonpo.atlassian.net/wiki/download/attachments/887423004/dat-update

chmod +x dat-update

  • Create cron job for update script

echo 'SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
5 * * * * root /opt/trellix/uvscan/dat-update >> /opt/trellix/uvscan/dat-update.log 2>&1' > /etc/cron.d/trellix-update

Custom SSL CA (optional)

Add a certificate authority to the system

RHEL:

trust anchor Fortinet_CA_SSL.crt

Windows:

cd C:\Program Files\Java\jdk8u192-b12\jre\lib\security
..\..\bin\keytool.exe -import -trustcacerts -file y:\ca1.cer -keystore cacerts -alias NAZEV

Memory Shortage Diagnostics

In some situations, a memory shortage may occur, which manifests as malfunctioning package processing and the following error in the application log of the worker (/opt/sofie-worker-distribution/logs/sofie.log):

java.lang.OutOfMemoryError: GC overhead limit exceeded

If such a situation arises, the service is automatically terminated and restarted.

The cause is usually a too high limit on the maximum file size in one of the internal detection tools (DLP, Encrypted Content Detection, MIME). If reducing the maximum file size does not help and the situation occurs repeatedly, it is possible to activate memory content (heap) dumping for diagnostics. This can be achieved by creating a file:

/opt/sofie-worker-distribution/bin/setenv.local.sh

with the following content:

JAVA_OPTS="$JAVA_OPTS -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/sofie/data/"

The settings mentioned above activate saving a memory dump (heap dump) to disk at the specified path when memory is low. The target directory needs to have enough space, at least the size of the server's memory. If there is not enough space in the path /var/sofie/data/, it is possible to change the path to another in the HeapDumpPath parameter.

To reflect the configuration change, the worker needs to be restarted:

systemctl restart sofie-worker
  • No labels