RHEL 7/CentOS 7
RHEL 8/CentOS 8 Stream/Rocky Linux 8
RHEL 9/CentOS 9 Stream/Rocky Linux 9
Only new installation of operating system without any additional applications is supported. For AWS Marketplace deployments the recommended system version is already pre-installed.
1 CPU
2 GiB RAM
1 GiB HDD for application + additional storage for files sent by the application.
2 CPU
4 GiB RAM
1 GiB HDD for application + additional storage for files sent by the application.
The requirements are for the SOFiE application only, for an average installation of up to a 100 users. For larger installations we recommend to double these values.
Additional installed components might have additional requirements (for example for ClamAV we recommend another + 1 GiB RAM and 1 CPU).
Inbound:
http (80/tcp) - for Let’s Encrypt certificates
https (443/tcp) - for main application web interface
Outbound:
smtp (25/tcp) - for sending out e-mails, can be limited to smtp relay server’s address
http (80/tcp), https (443/tcp) - for downloading updates and license
ldap (389/tcp, 636/tcp) - for integration with Active Directory, can be limited to AD’s address
diagnostics (2222/tcp) - for allowing remote diagnostics, can be limited to recon.sonpo.io address
Copy the inspection’s certificate authority, for example CA.crt, into /etc/pki/ca-trust/source/anchors and run:
update-ca-trust extract |
When deploying from AWS Marketplace, skip this chapter and continue with First start below.
Install required packages:
RHEL/CentOS 7 (deprecated):
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm yum install -y curl tar ansible libsemanage-python policycoreutils-python |
RHEL/CentOS/Rocky 8:
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm dnf install -y curl tar ansible python3-libsemanage python3-policycoreutils |
RHEL/CentOS/Rocky 9 (recommended):
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm dnf install -y curl tar ansible python3-libsemanage python3-policycoreutils |
Download and run installation script:
sh -c "$(curl -sL https://install.sofie.cloud/latest/sofie-install.sh)" |
After running the installation script you will be asked to fill these parameters:
FQDN - This value is required. It is server's fully qualified domain name. Application will be licensed to this FQDN and all applications links will be directed to this FQDN. Let's Encrypt status - If enabled, it will create Let’s Encrypt certificate for the entered FQDN. |
After starting the installation with option 4, the script will install required packages and it will create and run application services. When the services are running, application will be available in user and administrator sections. If you chose installation without Let's Encrypt certificate, you will have to set up usage of different certificate for https connection(see Basic settings), or else the application will not be accessible, because it has HSTS enabled by default, only allowing access by https with a valid certificate.
Installation script automatically installs and configures local PostgreSQL instance that is dedicated to SOFiE application and is accessible only from local host.
External PostgreSQL instance can also be used, under following conditions:
PostgreSQL version 11 - 16
dedicated user and database for SOFiE are created manually (creation of external database and user is not supported by installation script)
pgcrypto extension is installed in SOFiE database
dedicated user is owner of SOFiE database
Connection properties must be manually configured in two files:
/etc/sofie/production.properties
(for database migrations - in section “JDBC connection properties”)
/etc/sofie/META-INF/microprofile-config.properties
(for SOFiE application - in section “JDBC configuration”)
Syntax of JDBC URL with all possible parameters is described at PostgreSQL JDBC driver page:
https://jdbc.postgresql.org/documentation/use/#connecting-to-the-database
The application is started automatically after the installation. When deploying from AWS Marketplace the application is already pre-installed and is started right after deployment. After the application is started the user’s and administrator’s interface is available using web browser at the following addresses:
User section | https://<FQDN> |
Administrator section | https://<FQDN>/admin |
For the administrator to be able to log in to the web interface, he should proceed after the start with basic settings as described bellow, including setting administrator’s password.
The following steps need to be performed in the command line of the running application server.
To access the web interface there must be a working https certificate set up. If it is not working or we are deploying from the AWS Marketplace, run the following commands:
# To set the correct FQDN of the serveru and the application: sofie set-fqdn <fqdn> # To prepare certificates for this new FQDN: sofie recreate-cert [--le | --selfsigned | --current] # To apply the changes, nginx and sofie application need to be restarted: systemctl restart nginx sofie restart |
(optional) You can install your own certificate by overwriting files of generated self-signed certificate. Copy certificate file to “/etc/nginx/cert/certificate.crt” and private key file to “/etc/nginx/cert/private.key”:
# Certificate file ssl_certificate /etc/nginx/cert/certificate.crt; # Private key file ssl_certificate_key /etc/nginx/cert/private.key; |
Then restart nginx.
(up to version 2.2.7) Default administrator account is “admin” with password “sofieadmin”. We recommend changing this password after first login (Settings/Administrators). The administrator has to login to the admin section (/admin), not the user section.
(since version 2.2.8 + AWS) Default administrator account is “admin” with a random generated password. The administrator has to login to the admin section (/admin), not the user section. The password must be reset before a first login to a new random one, that will be shown once in the console, using the following command:
/opt/sofie-root/bin/sofie reset-admin-password |
For the application to work correctly, you must also configure the SMTP server. This is done in the administrator’s web interface in Settings/Configuration/E-mail.
For further settings and correct setup of the application the administrator should read and make himself familiar with the https://wikisonpo.atlassian.net/wiki/spaces/SPEN/pages/1069940737/Administrator+manual.
To be performed according to the instructions here: https://wikisonpo.atlassian.net/wiki/spaces/SPEN/pages/2955509761
Since version 2.3 the SOFiE application supports an optional internal module “Content Disarm and Reconstruction (CDR)“. The module enables conversion of supported file types (typically Office documents) into a safe format, specifically a PDF without active content. To be able to use the module, it must be installed first by performing the following steps:
# install and run the docker dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo dnf install docker-ce docker-ce-cli containerd.io uuid systemctl start docker systemctl enable docker # download and run the neccessary docker container docker run -d --name libreoffice -p 8100:8100 hdejager/libreoffice-api |
After the installation the administrator can activate and configure the CDR module using the web interface, in the section Settings - Detection settings.
You can configure paths to antivirus engines in “/etc/sofie/META-INF/microprofile-config.properties” section “# AV”
scanner.bitdefender.exec=/opt/bitdefender-security-tools/bin/bduitool scanner.clamav.exec=/usr/bin/clamdscan scanner.eset.exec=/opt/eset/efs/sbin/cls/cls scanner.kaspersky.exec=/usr/bin/kesl-control scanner.sophos.exec=/opt/sophos-av/bin/savscan |
Supported version: Avast Business Antivirus for Linux
(https://www.avast.com/business/products/linux-antivirus#pc)
Manuál: https://repo.avcdn.net/linux-av/doc/avast-techdoc.pdf
Add Avast repository:
echo '[avast] name=Avast baseurl=https://repo.avcdn.net/linux-av/rpm/el$releasever/release enabled=1 gpgcheck=1 ' > /etc/yum.repos.d/avast.repo |
Import Avast GPG key:
rpm --import https://repo.avcdn.net/linux-av/doc/avast-gpg-key.asc |
Install Avast packages:
dnf install avast avast-license |
Download license file:
avastlic -o license.avastlic -c <activation code> |
Copy license file to /etc/avast/license.avastlic:
cp ./license.avastlic /etc/avast/license.avastlic |
If needed modify configuration in /etc/avast/*
Enable and start Avast service:
systemctl enable avast systemctl start avast |
Supported version: Bitdefender Endpoint Security Tools 7.x (https://www.bitdefender.com/business/support/en/77209-157515-bitdefender-endpoint-security-tools-for-linux-quick-start-guide.html)
Create a new package in GravityZone portal with settings:
Modules: only AntiMalware Scan mode / Custom / For computers: Local Scan Scan mode / Custom / For virtual machines: Local Scan Settings: turn everything off |
Download package as Linux kit (64-bit)
Extract and run installation:
tar -xvf fullKit_unix64_7.0.3.1927.tar chmod +x installer ./installer |
Run a test scan:
/opt/bitdefender-security-tools/bin/bduitool scan -s custom /opt/bitdefender-security-tools/bin/bduitool |
Create a server policy in GravityZone portal with settings:
Antimalware / On-Access: turn everything off Antimalware / On-Execute: turn everything off Antimalware / On-Demand: turn everything off Antimalware / On-Demand / Contextual Scan / Miscellaneous: turn on - Scan for rootkits, Scan for keyloggers, Scan network shares, Scan only new and changed files, Scan for Potentially Unwanted Applications (PUA) Antimalware / On-Demand / Contextual Scan / Actions: change everything to ignore Antimalware / On-Demand / External Device Scan: set up the same as Contextual Scan Antimalware / Advanced Anti-Exploit: turn everything off Antimalware / Settings: turn everything off |
Assign created policy to the server in GravityZone portal.
Install ClamAV from epel repository
yum install -y clamav clamd /usr/bin/freshclam |
Change configuration in “/etc/clamd.d/scan.conf” :
# comment out #Example # set up socket LocalSocket /var/run/clamd.scan/clamd.sock # change to your liking MaxScanSize 100M MaxFileSize 25M MaxRecursion 16 MaxFiles 10000 |
Modify systemd file:
mv /usr/lib/systemd/system/clamd@.service /usr/lib/systemd/system/clamd.service sed -i 's/^\(ExecStart = \/usr\/sbin\/clamd -c\)\(.*\)/\1 \/etc\/clamd.d\/scan.conf/' /usr/lib/systemd/system/clamd.service |
Run the ClamAV service :
systemctl enable clamd clamav-freshclam systemctl start clamd clamav-freshclam |
Supported version: ESET File Security pro Linux 10
Download: https://www.eset.com/int/business/file-security-linux/download/ (Download CentOS/RedHat version.) Manual: https://help.eset.com/essl/10.2/en-US/, TL;DR:
# these packages are required before installing ESET yum install glibc.i686 ed tar # download and install ESET antivirus wget https://download.eset.com/com/eset/apps/business/efs/linux/latest/efs.x86_64.bin sh efs.x86_64.bin # import licence key /opt/eset/efs/sbin/lic -k XXXX-XXXX... |
Download file with configuration and import:
# import configuration wget https://wikisonpo.atlassian.net/wiki/download/attachments/887423004/efs-config6 /opt/eset/efs/sbin/cfg --import-xml=efs-config6 # restart efs daemon systemctl restart efs |
FortiClient Endpoint Management Server (FortiClient EMS) should already be installed.
Download FortiClient 7.x version. We download a headless linux version: forticlient_server_7.0.2.0063_x86_64.rpm
Install FortiClient:
yum install forticlient_server_7.0.2.0063_x86_64.rpm |
Register FortiClient to EMS:
/opt/forticlient/epctrl -r <address of EMS server> |
Check registration and licence:
/opt/forticlient/epctrl -d |
In FortiClient EMS administration make these changes:
“Endpoints/Workgroups” create group for registered server.
“Endpoints/Group Assignment Rules” assign registered server to created group.
“Endpoint Profiles/Manage Profiles” create profile for registered server. Profile should contain these settings:
“Endpoint Policy and Components“ create policy for group containing registered server and assign created profile.
Supported version: Kaspersky Endpoint Security 12 for Linux
Download: https://support.kaspersky.com/kes-for-linux/12.0 . Download RPM (x64). For example:
wget https://products.s.kaspersky-labs.com/endpoints/keslinux10/12.0.0.6672/multilanguage-12.0.0.6672/3739343633347c44454c7c31/kesl-12.0.0-6672.x86_64.rpm |
Install kaspersky antivirus:
yum install kesl-12.0.0-6672.x86_64.rpm |
Run configuration:
yum install -y perl-File-Copy /opt/kaspersky/kesl/bin/kesl-setup.pl |
After installation turn off resident protection:
kesl-control --stop-task File_Threat_Protection kesl-control --stop-task Device_Control kesl-control --stop-task Behavior_Detection |
Change default scan options:
kesl-control --set-settings Scan_File ScanMailBases=Yes ScanPlainMail=Yes |
Import your license:
kesl-control -L --add-active-key <activation code/key file> |
! WARNING ! - Sophos cannot be installed on the same server as BitDefender.
Download: https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx .
Install sophos antivirus:
tar -xzvf sav-linux-free-9.tgz chmod +x install.sh ./install.sh |
Set up during installation:
Do you want to enable on-access scanning? Yes(Y)/No(N) [Y] > N Which type of auto-updating do you want? From Sophos(s)/From own server(o)/None(n) [s] > s Do you wish to install the Free (f) or Supported (s) version of SAV for Linux? [s] > f |
Turn off email notifications:
/opt/sophos-av/bin/savconfig set SendErrorEmail false /opt/sophos-av/bin/savconfig set SendThreatEmail false /opt/sophos-av/bin/savconfig set EmailDemandSummaryIfThreat false /opt/sophos-av/bin/savconfig set EmailNotifier false |
Supported version: Trellix Command Line Scanner for Linux
(https://kcm.trellix.com/corporate/index?page=content&id=KB94726)
License is part of product “Trellix Protect Standard”
Download product after filling license grant number and email address at https://www.trellix.com/en-us/downloads/my-products.html . Download “Command Line Scanner”/”Command Line Scanner for Linux 64-bit Version 7.0.3”
Downloaded file “cls-l64-703-l.tar.gz” copy to the server.
Extract the file and run the installer:
dnf install -y unzip mkdir trellix tar -xzvf cls-l64-703-l.tar.gz --directory ./trellix cd trellix # All install options leave at default values ./install-uvscan /opt/trellix/uvscan |
Download DAT files from https://update.nai.com/products/commonupdater/current/vscandat1000/dat/0000/ and extract them (number after “avvdat-” must be replaced by current one)
cd /opt/trellix/uvscan wget https://update.nai.com/products/commonupdater/current/vscandat1000/dat/0000/avvdat-10733.zip unzip -u avvdat-10733.zip |
Download update script
cd /opt/trellix/uvscan wget https://wikisonpo.atlassian.net/wiki/download/attachments/887423004/dat-update chmod +x dat-update |
Create cron job for update script
echo 'SHELL=/bin/bash PATH=/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root 5 * * * * root /opt/trellix/uvscan/dat-update >> /opt/trellix/uvscan/dat-update.log 2>&1' > /etc/cron.d/trellix-update |
RHEL:
trust anchor Fortinet_CA_SSL.crt |
Windows:
cd C:\Program Files\Java\jdk8u192-b12\jre\lib\security ..\..\bin\keytool.exe -import -trustcacerts -file y:\ca1.cer -keystore cacerts -alias NAZEV |
In some situations, a memory shortage may occur, which manifests as malfunctioning package processing and the following error in the application log of the worker (/opt/sofie-worker-distribution/logs/sofie.log):
java.lang.OutOfMemoryError: GC overhead limit exceeded |
If such a situation arises, the service is automatically terminated and restarted.
The cause is usually a too high limit on the maximum file size in one of the internal detection tools (DLP, Encrypted Content Detection, MIME). If reducing the maximum file size does not help and the situation occurs repeatedly, it is possible to activate memory content (heap) dumping for diagnostics. This can be achieved by creating a file:
/opt/sofie-worker-distribution/bin/setenv.local.sh |
with the following content:
JAVA_OPTS="$JAVA_OPTS -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/sofie/data/" |
The settings mentioned above activate saving a memory dump (heap dump) to disk at the specified path when memory is low. The target directory needs to have enough space, at least the size of the server's memory. If there is not enough space in the path /var/sofie/data/, it is possible to change the path to another in the HeapDumpPath parameter.
To reflect the configuration change, the worker needs to be restarted:
systemctl restart sofie-worker |