Installation manual
Content
- 1 Content
- 2 Installation requirements
- 3 Installation of application
- 4 First start
- 5 Basic settings
- 6 Update of application
- 7 Installation of the CDR module (optional)
- 8 Installation of antivirus engines (optional)
- 8.1 Avast
- 8.2 BitDefender
- 8.3 ClamAV
- 8.4 ESET
- 8.5 FortiClient
- 8.6 Kaspersky
- 8.7 Sophos
- 8.8 Trellix
- 9 Custom SSL CA (optional)
- 10 Memory Shortage Diagnostics
Installation requirements
Supported operating systems
RHEL 7/CentOS 7
RHEL 8/CentOS 8 Stream/Rocky Linux 8
RHEL 9/CentOS 9 Stream/Rocky Linux 9
Only a fresh installation of the operating system without any additional applications is supported. For AWS Marketplace deployments the recommended system version is already pre-installed.
System requirements
Minimal
1 CPU
2 GiB RAM
1 GiB disk for the application + additional storage for files sent via the application.
Recommended
2 CPU
4 GiB RAM
1 GiB disk for the application + additional storage for files sent via the application.
Clarification
The requirements cover the SOFiE application only, for an average installation of up to 100 users. For larger installations we recommend doubling these values.
Additionally installed components may have their own requirements (for example, for ClamAV we recommend another 1 GiB RAM and 1 CPU on top).
Default communication ports
Inbound:
http (80/tcp) - for Let’s Encrypt certificates
https (443/tcp) - for main application web interface
Outbound:
smtp (25/tcp) - for sending out e-mails, can be limited to smtp relay server’s address
http (80/tcp), https (443/tcp) - for downloading updates and license
ldap (389/tcp, 636/tcp) - for integration with Active Directory, can be limited to AD’s address
diagnostics (2222/tcp) - for allowing remote diagnostics, can be limited to recon.sonpo.io address
When installing and running behind an SSL inspection proxy (optional)
Copy the inspection proxy's certificate authority (for example CA.crt) into /etc/pki/ca-trust/source/anchors and run:
update-ca-trust extract
Installation of application
When deploying from AWS Marketplace, skip this chapter and continue with First start below.
Install required packages:
RHEL/CentOS 7 (deprecated):
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y curl tar ansible libsemanage-python policycoreutils-python
RHEL/CentOS/Rocky 8:
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install -y curl tar ansible python3-libsemanage python3-policycoreutils
RHEL/CentOS/Rocky 9 (recommended):
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
dnf install -y curl tar ansible python3-libsemanage python3-policycoreutils
Download and run the installation script. If your policy does not allow executing a script fetched straight from the network, download it first, review it and run the local copy instead of piping it into sh:
sh -c "$(curl -sL https://install.sofie.cloud/latest/sofie-install.sh)"
After running the installation script you will be asked to fill these parameters:
FQDN - This value is required. It is the server's fully qualified domain name. The application will be licensed to this FQDN and all application links will point to it.
Let's Encrypt status - If enabled, a Let’s Encrypt certificate is created for the entered FQDN (this requires port 80/tcp to be reachable from the Internet, see the port list above).
After starting the installation with option 4, the script installs the required packages, then creates and starts the application services. Once the services are running, the application is available in the user and administrator sections. If you chose the installation without a Let's Encrypt certificate, you must configure a different certificate for the https connection (see Basic settings), otherwise the application will not be accessible: HSTS is enabled by default, so a browser that has already seen the site refuses an https connection with an untrusted certificate and offers no way to bypass the warning.
External PostgreSQL database (optional)
Installation script automatically installs and configures local PostgreSQL instance that is dedicated to SOFiE application and is accessible only from local host.
External PostgreSQL instance can also be used, under following conditions:
PostgreSQL version 11 - 16
dedicated user and database for SOFiE are created manually (creation of external database and user is not supported by installation script)
pgcrypto extension is installed in SOFiE database
dedicated user is owner of SOFiE database
The connection properties must be configured manually in two files:
/etc/sofie/production.properties (for database migrations, section “JDBC connection properties”)
/etc/sofie/META-INF/microprofile-config.properties (for the SOFiE application, section “JDBC configuration”)
The syntax of the JDBC URL with all possible parameters is described on the PostgreSQL JDBC driver page:
https://jdbc.postgresql.org/documentation/use/#connecting-to-the-database
Because the database now lives on another host, request a TLS-authenticated connection in the URL (the driver's sslmode=verify-full together with sslrootcert pointing at the CA that issued the server certificate) and keep both files readable only by the account the application runs as, since they contain the database password.
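Before copying a JDBC URL into the two files it is worth checking that the external connection is actually authenticated. The helper below is an added example, not part of SOFiE: written for POSIX sh, it reads the driver's sslmode, sslrootcert and password parameters out of the URL and rejects anything weaker than verify-full (the only pgjdbc mode that validates both the server's certificate chain and its host name; require and prefer only encrypt). The function names, the sample host db.example.com and the database name sofie are this example's assumptions; the parameter names are the driver's.

```shell
#!/bin/sh
# Added example (not SOFiE code): check a PostgreSQL JDBC URL before it goes into
# /etc/sofie/production.properties and microprofile-config.properties.
# Parameter names (sslmode, sslrootcert, password) are the pgjdbc driver's own;
# the helpers and the policy they enforce are this example's.

# Prints the value of query parameter $2 from URL $1 (nothing if absent).
jdbc_param() {
    url=$1; name=$2
    query=${url#*\?}
    [ "$query" != "$url" ] || return 0      # no query string at all
    oldifs=$IFS; IFS='&'
    set -f                                   # no globbing while splitting
    set -- $query
    set +f
    IFS=$oldifs
    for kv in "$@"; do
        case "$kv" in
            "$name"=*) echo "${kv#*=}"; return 0 ;;
        esac
    done
    return 0
}

# Returns 0 if the URL is acceptable for an external database, 1 otherwise
# (reason on stderr). verify-full is the only pgjdbc mode that checks both the
# server's certificate chain and its host name; require/prefer only encrypt.
check_jdbc_url() {
    url=$1
    case "$url" in
        jdbc:postgresql://*) ;;
        *) echo "not a PostgreSQL JDBC URL: $url" >&2; return 1 ;;
    esac
    mode=$(jdbc_param "$url" sslmode)
    if [ "$mode" != verify-full ]; then
        echo "sslmode is '${mode:-unset}', expected verify-full" >&2
        return 1
    fi
    if [ -n "$(jdbc_param "$url" password)" ]; then
        echo "password embedded in the URL (it would appear wherever the URL is logged)" >&2
        return 1
    fi
    cert=$(jdbc_param "$url" sslrootcert)
    if [ -n "$cert" ] && [ ! -r "$cert" ]; then
        echo "sslrootcert is not readable: $cert" >&2
        return 1
    fi
    return 0
}

# Usage:
#   check_jdbc_url 'jdbc:postgresql://db.example.com:5432/sofie?sslmode=verify-full&sslrootcert=/etc/sofie/db-ca.crt'
```

Run it as the account that will own the properties files, so the readability test on sslrootcert reflects what the application itself will see.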
Restricting access to the admin interface (optional)
Optionally, since version 2.4, access to the admin interface (/admin) can be restricted not only at the application level but also at the nginx web server level, by editing the configuration file “/etc/nginx/sofie.d/http_admin-restriction.conf”:
# Limit access to admin gui
#
# Example:
#
# allow 10.10.10.0/24;
# allow 1.1.1.1/32;
# allow 8.8.8.8/32;
# deny all;
allow all;
deny all;
Nginx evaluates allow and deny directives in order and stops at the first match, so the shipped default (allow all followed by deny all) permits every client; the trailing deny all only takes effect once the allow all line is replaced by your own networks. If the server sits behind a load balancer or reverse proxy, nginx sees the proxy's address as the client address; configure the real IP module for that proxy (set_real_ip_from and real_ip_header) before relying on these rules, otherwise they will block everyone or allow everyone. Test the configuration with nginx -t and reload nginx after each change.
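One way to produce the restriction file from an allow-list, as an added example that is not part of the SOFiE installer or its nginx configuration: a POSIX sh helper that validates each IPv4 CIDR, emits one allow line per network and always terminates the file with deny all, so the ordering pitfall described above cannot occur. The file path is the one from the manual; the helper names and the validation logic are this example's own.

```shell
#!/bin/sh
# Added example (not part of the SOFiE installer or its nginx configuration):
# generate /etc/nginx/sofie.d/http_admin-restriction.conf from an allow-list.
# Nginx evaluates allow/deny in order and stops at the first match, so every
# network goes in as its own "allow" line and "deny all;" must come last.

# Returns 0 if $1 is a plain IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32).
valid_ipv4_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    plen=${1#*/}
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    case "$ip" in
        .*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Prints the nginx snippet for the given CIDRs; returns 1 (printing nothing)
# on the first bad CIDR, so a typo cannot leave a half-written rule set behind.
admin_restriction_conf() {
    for c in "$@"; do
        valid_ipv4_cidr "$c" || { echo "invalid CIDR: $c" >&2; return 1; }
    done
    echo "# Limit access to admin gui (generated)"
    for c in "$@"; do
        echo "allow $c;"
    done
    echo "deny all;"
}

# Usage (as root), then test the configuration and reload nginx:
#   admin_restriction_conf 10.10.10.0/24 192.0.2.10/32 \
#     > /etc/nginx/sofie.d/http_admin-restriction.conf && nginx -t && systemctl reload nginx
```

The generator refuses the whole list on the first bad entry rather than skipping it, because a silently dropped allow line locks out the administrators it was meant to admit while a silently accepted malformed one would make nginx fail to reload.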
First start
The application is started automatically after the installation. When deploying from AWS Marketplace the application is already pre-installed and is started right after deployment. Once the application is running, the user and administrator interfaces are available from a web browser at the following addresses:
User section | https://<FQDN> |
Administrator section | https://<FQDN>/admin |
Before the administrator can log in to the web interface, the basic settings described below must be completed, including setting the administrator's password.
Basic settings
The following steps are performed on the command line of the running application server.
A working https certificate is required to access the web interface. If there is none, or when deploying from the AWS Marketplace, run the following commands:
# To set the correct FQDN of the server and the application:
sofie set-fqdn <fqdn>
# To prepare certificates for this new FQDN:
sofie recreate-cert [--le | --selfsigned | --current]
# To apply the changes, nginx and the sofie application need to be restarted:
systemctl restart nginx
sofie restart
(optional) You can install your own certificate by overwriting the files of the generated self-signed certificate. Copy the certificate file (with any intermediate certificates appended after it) to “/etc/nginx/cert/certificate.crt” and the private key file to “/etc/nginx/cert/private.key”; these are the paths nginx is configured with:
# Certificate file
ssl_certificate /etc/nginx/cert/certificate.crt;
# Private key file
ssl_certificate_key /etc/nginx/cert/private.key;
Keep the private key file readable only by root (the nginx master process reads it at start-up), then restart nginx.
(up to version 2.2.7) The default administrator account is “admin” with the password “sofieadmin”. Change this password immediately after the first login (Settings/Administrators). The administrator has to log in to the admin section (/admin), not the user section.
(since version 2.2.8 + AWS) The default administrator account is “admin” with a randomly generated password. The administrator has to log in to the admin section (/admin), not the user section. Before the first login the password must be reset to a new random one, which is shown once in the console, using the following command:
/opt/sofie-root/bin/sofie reset-admin-password
For the application to work correctly, you must also configure the SMTP server. This is done in the administrator’s web interface in Settings/Configuration/E-mail.
For further settings and a correct setup of the application, the administrator should read and become familiar with the Administrator manual.
Update of application
To be performed according to the instructions here: Upgrade notes (Instructions for upgrading to a new version)
Installation of the CDR module (optional)
Since version 2.3 the SOFiE application supports an optional internal module, “Content Disarm and Reconstruction (CDR)”. The module converts supported file types (typically Office documents) into a safe format, namely a PDF without active content. Before it can be used, the module must be installed by performing the following steps:
# install and run the docker
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
dnf install docker-ce docker-ce-cli containerd.io uuid
systemctl start docker
systemctl enable docker
# activation of new necessary services
systemctl enable sofie-cdr
systemctl start sofie-cdr
After the installation the administrator can activate and configure the CDR module using the web interface, in the section Settings - Detection settings.
Installation of antivirus engines (optional)
The paths to the antivirus engines are configured in “/etc/sofie/META-INF/microprofile-config.properties”, section “# AV”:
scanner.bitdefender.exec=/opt/bitdefender-security-tools/bin/bduitool
scanner.clamav.exec=/usr/bin/clamdscan
scanner.eset.exec=/opt/eset/efs/sbin/cls/cls
scanner.kaspersky.exec=/usr/bin/kesl-control
scanner.sophos.exec=/opt/sophos-av/bin/savscan
Avast
Supported version: Avast Business Antivirus for Linux
(https://www.avast.com/business/products/linux-antivirus#pc)
Manual: https://repo.avcdn.net/linux-av/doc/avast-techdoc.pdf
Add Avast repository:
echo '[avast]
name=Avast
baseurl=https://repo.avcdn.net/linux-av/rpm/el$releasever/release
enabled=1
gpgcheck=1
' > /etc/yum.repos.d/avast.repo
Import Avast GPG key:
rpm --import https://repo.avcdn.net/linux-av/doc/avast-gpg-key.asc
Install Avast packages:
dnf install avast avast-license
Download license file:
avastlic -o license.avastlic -c <activation code>
Copy license file to /etc/avast/license.avastlic:
cp ./license.avastlic /etc/avast/license.avastlic
If needed modify configuration in /etc/avast/*
Enable and start Avast service:
systemctl enable avast
systemctl start avast
BitDefender
Supported version: Bitdefender Endpoint Security Tools 7.x (https://www.bitdefender.com/business/support/en/77209-157515-bitdefender-endpoint-security-tools-for-linux-quick-start-guide.html)
Create a new package in the GravityZone portal under Network/Installation packages with these settings:
Modules: only AntiMalware
Additional Settings: turn off "Remove Competitors"
Scan mode / Custom / For computers: Local Scan
Scan mode / Custom / For virtual machines: Local Scan
Settings: turn everything off
Download package as “Kit (Intel, AMD x86 64-bit)”
Extract and run installation:
tar -xvf fullKit_unix64_7.4.0.200181.tar
chmod +x installer
./installer
Run a test scan:
/opt/bitdefender-security-tools/bin/bduitool scan -s custom /opt/bitdefender-security-tools/bin/bduitool
Create a server policy in the GravityZone portal under Policies with these settings:
Antimalware / On-Access: turn everything off
Antimalware / On-Execute: turn everything off
Antimalware / On-Demand: turn everything off
Antimalware / On-Demand / Contextual Scan / Miscellaneous: turn on - Scan for rootkits, Scan for keyloggers, Scan network shares, Scan only new and changed files, Scan for Potentially Unwanted Applications (PUA)
Antimalware / On-Demand / Contextual Scan / Actions: change everything to ignore
Antimalware / On-Demand / External Device Scan: set up the same as Contextual Scan
Antimalware / Anti-Tampering: turn everything off
Antimalware / Advanced Anti-Exploit: turn everything off
Antimalware / Settings: turn everything off
Assign created policy to the server in GravityZone portal/Network.
ClamAV
Install ClamAV from the EPEL repository and fetch the initial signature database. freshclam and the clamav-freshclam service come from the updater package (clamav-update, provided by clamav-freshclam in newer EPEL builds); install it as well if dnf does not pull it in as a dependency:
dnf install -y clamav clamd
/usr/bin/freshclam
Change configuration in “/etc/clamd.d/scan.conf” :
# comment out
#Example
# set up socket
LocalSocket /var/run/clamd.scan/clamd.sock
# change to your liking
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
Modify the systemd unit so that clamd starts with scan.conf (the packaged clamd@.service is a template that expects an instance name):
mv /usr/lib/systemd/system/clamd@.service /usr/lib/systemd/system/clamd.service
sed -i 's/^\(ExecStart = \/usr\/sbin\/clamd -c\)\(.*\)/\1 \/etc\/clamd.d\/scan.conf/' /usr/lib/systemd/system/clamd.service
Note that files under /usr/lib/systemd/system are replaced on package updates, so this rename is lost on the next clamd upgrade. The packaged template can instead be used unchanged by enabling the instance named after the configuration file, clamd@scan, which starts clamd with /etc/clamd.d/scan.conf; in that case enable and start clamd@scan below instead of clamd.
Run the ClamAV service :
systemctl enable clamd clamav-freshclam
systemctl start clamd clamav-freshclam
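A post-install check that the daemon really reports a known test file, as an added example that is not part of SOFiE or of the ClamAV packages: it writes the standard EICAR test string to a temporary file and scans it through clamdscan against the scan.conf configured above, passing --fdpass so that clamd does not need read access to the file (the situation the application is in when it hands over uploaded files). The helper names are this example's; the configuration path and the scanner path are those from the manual.

```shell
#!/bin/sh
# Added example (not SOFiE code): verify that clamd reachable through
# /etc/clamd.d/scan.conf detects the EICAR test file.

# Writes the 68-byte EICAR test string (no trailing newline) and prints the path.
write_eicar() {
    f=$(mktemp /tmp/eicar.XXXXXX) || return 1
    # Single quotes matter: the string contains "$E" and "$H", which a
    # double-quoted string would expand to nothing.
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$f"
    echo "$f"
}

# Maps clamdscan's documented exit codes to a word: 0 clean, 1 infected, 2 error
# (a daemon that is down, or a socket it cannot open, shows up as "error").
clamdscan_result() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Runs the check and prints the result word. Exit status 0 only when the daemon
# reports the test file, so the function can gate a post-install script.
clamd_selftest() {
    f=$(write_eicar) || return 2
    /usr/bin/clamdscan --config-file=/etc/clamd.d/scan.conf --fdpass --no-summary "$f" >/dev/null 2>&1
    rc=$?
    rm -f "$f"
    res=$(clamdscan_result "$rc")
    echo "$res"
    [ "$res" = infected ]
}

# Usage: clamd_selftest || echo "clamd is not detecting the test file; check the socket and signatures"
```

A result of "clean" means clamd answered but the signature database is missing or stale (run freshclam and check the clamav-freshclam service); "error" means clamdscan could not reach the socket named in scan.conf at all.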
ESET
Supported version: ESET Server Security for Linux 11
Download: https://www.eset.com/int/business/file-security-linux/download/ (download the CentOS/RedHat version). Manual: https://help.eset.com/essl/11.1/en-US/. In short:
# these packages are required before installing ESET
dnf install glibc.i686 ed tar
# download and install ESET antivirus
wget https://download.eset.com/com/eset/apps/business/efs/linux/latest/efs.x86_64.bin
sh efs.x86_64.bin
# import licence key
/opt/eset/efs/sbin/lic -k XXXX-XXXX...
Download the configuration file and import it:
# import configuration
wget https://wikisonpo.atlassian.net/wiki/download/attachments/887423004/efs-config6
/opt/eset/efs/sbin/cfg --import-xml=efs-config6
# restart efs daemon
systemctl restart efs
FortiClient
FortiClient Endpoint Management Server (FortiClient EMS) must already be installed.
Download the headless Linux build of FortiClient 7.x, for example forticlient_server_7.4.1.1697_x86_64.rpm.
Install FortiClient:
dnf install forticlient_server_7.4.1.1697_x86_64.rpm
Register FortiClient to EMS:
/opt/forticlient/forticlient-cli epctrl register <address of EMS server>
Check registration and licence:
/opt/forticlient/forticlient-cli epctrl detail
In the FortiClient EMS administration make these changes:
“Endpoints/Workgroups”: create a group for the registered server.
“Endpoints/Group Assignment Rules”: assign the registered server to the created group.
“Endpoint Profiles/Manage Profiles”: create a profile for the registered server. The profile should contain these settings:
“Endpoint Policy and Components”: create a policy for the group containing the registered server and assign the created profile.
Kaspersky
Supported version: Kaspersky Endpoint Security 12 for Linux
Download: https://support.kaspersky.com/kes-for-linux/12.0 . Download RPM (x64). For example:
wget https://products.s.kaspersky-labs.com/endpoints/keslinux10/12.0.0.6672/multilanguage-12.0.0.6672/3739343633347c44454c7c31/kesl-12.0.0-6672.x86_64.rpm
Install kaspersky antivirus:
dnf install kesl-12.0.0-6672.x86_64.rpm
Run configuration:
dnf install -y perl-File-Copy
/opt/kaspersky/kesl/bin/kesl-setup.pl
After the installation turn off the resident (on-access) protection:
kesl-control --stop-task File_Threat_Protection
kesl-control --stop-task Device_Control
kesl-control --stop-task Behavior_Detection
Change default scan options:
kesl-control --set-settings Scan_File ScanMailBases=Yes ScanPlainMail=Yes
Import your license:
kesl-control -L --add-active-key <activation code/key file>
Sophos
! WARNING ! - Sophos cannot be installed on the same server as BitDefender.
Download: https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx .
Install sophos antivirus:
tar -xzvf sav-linux-free-9.tgz
chmod +x install.sh
./install.sh
Answer the installer's questions as follows:
Do you want to enable on-access scanning? Yes(Y)/No(N) [Y]
> N
Which type of auto-updating do you want? From Sophos(s)/From own server(o)/None(n) [s]
> s
Do you wish to install the Free (f) or Supported (s) version of SAV for Linux? [s]
> f
Turn off email notifications:
/opt/sophos-av/bin/savconfig set SendErrorEmail false
/opt/sophos-av/bin/savconfig set SendThreatEmail false
/opt/sophos-av/bin/savconfig set EmailDemandSummaryIfThreat false
/opt/sophos-av/bin/savconfig set EmailNotifier false
Trellix
Supported version: Trellix Command Line Scanner for Linux
(https://kcm.trellix.com/corporate/index?page=content&id=KB94726)
The license is part of the product “Trellix Protect Standard”. Download the product after filling in the license grant number and email address at https://www.trellix.com/en-us/downloads/my-products.html . Download “Command Line Scanner” / “Command Line Scanner for Linux 64-bit Version 7.0.3”.
Copy the downloaded file “cls-l64-703-l.tar.gz” to the server.
Extract the file and run the installer:
dnf install -y unzip
mkdir trellix
tar -xzvf cls-l64-703-l.tar.gz --directory ./trellix
cd trellix
# All install options leave at default values
./install-uvscan /opt/trellix/uvscan
Download the DAT files from https://update.nai.com/products/commonupdater/current/vscandat1000/dat/0000/ and extract them (the number after “avvdat-” must be replaced by the current one):
cd /opt/trellix/uvscan
wget https://update.nai.com/products/commonupdater/current/vscandat1000/dat/0000/avvdat-10733.zip
unzip -u avvdat-10733.zip
Download the update script (review it before scheduling it, since the cron job below runs it as root):
cd /opt/trellix/uvscan
wget https://wikisonpo.atlassian.net/wiki/download/attachments/887423004/dat-update
chmod +x dat-update
Create cron job for update script
echo 'SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
5 * * * * root /opt/trellix/uvscan/dat-update >> /opt/trellix/uvscan/dat-update.log 2>&1' > /etc/cron.d/trellix-update
Custom SSL CA (optional)
Add a certificate authority to the system trust store (for example the CA of an SSL inspection proxy):
RHEL (stores the certificate under /etc/pki/ca-trust/source and regenerates the trust bundles, the same result as the anchors directory plus update-ca-trust extract described above):
trust anchor Fortinet_CA_SSL.crt
Windows (Java keystore; the default password of cacerts is “changeit”):
cd C:\Program Files\Java\jdk8u192-b12\jre\lib\security
..\..\bin\keytool.exe -import -trustcacerts -file y:\ca1.cer -keystore cacerts -alias NAME
Memory Shortage Diagnostics
In some situations, a memory shortage may occur, which manifests as malfunctioning package processing and the following error in the application log of the worker (/opt/sofie-worker-distribution/logs/sofie.log):
java.lang.OutOfMemoryError: GC overhead limit exceeded
If such a situation arises, the service is automatically terminated and restarted.
The cause is usually a maximum file size limit set too high in one of the internal detection tools (DLP, Encrypted Content Detection, MIME). If reducing the maximum file size does not help and the situation recurs, heap dumping can be enabled for diagnostics by creating the file:
/opt/sofie-worker-distribution/bin/setenv.local.sh
with the following content:
JAVA_OPTS="$JAVA_OPTS -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/sofie/data/"
The setting above saves a memory dump (heap dump) to disk at the given path when the worker runs out of memory. The target directory needs enough free space, at least the size of the server's memory. If there is not enough space under /var/sofie/data/, change the path in the HeapDumpPath parameter. A heap dump contains everything the worker held in memory at that moment, including the contents of the files it was processing; store it in a directory other users cannot read, hand it over only through an encrypted channel, and delete it once the diagnostics are finished.
To reflect the configuration change, the worker needs to be restarted:
systemctl restart sofie-worker
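An added example that is not part of SOFiE: a POSIX sh pre-flight check to run before enabling the heap dump. It verifies that the dump directory has at least MemTotal of free space (the manual's rule of thumb) and warns when the directory is accessible to other users, since the dump will contain whatever the worker held in memory. The function names are this example's own; the default path /var/sofie/data/ is the one from the manual, and the permission check uses GNU stat as shipped on RHEL.

```shell
#!/bin/sh
# Added example (not SOFiE code): pre-flight check for -XX:HeapDumpPath.
# A heap dump can be as large as the JVM heap; the manual's rule of thumb is
# the size of the server's RAM, which is what this enforces.

# Pure comparison, kept separate so it can be tested: free_kb needed_kb.
space_sufficient() {
    [ "$1" -ge "$2" ]
}

# Total RAM in kB from /proc/meminfo (Linux only).
mem_total_kb() {
    awk '/^MemTotal:/ { print $2 }' /proc/meminfo
}

# Free space in kB on the filesystem holding the given path (POSIX df output).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Returns 0 when the directory exists and can hold a dump the size of RAM.
# Warns when other users can reach the directory: the dump holds whatever the
# worker had in memory, including the contents of files being processed.
heapdump_dir_ok() {
    dir=${1:-/var/sofie/data/}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    need=$(mem_total_kb)
    have=$(free_kb "$dir")
    if ! space_sufficient "$have" "$need"; then
        echo "$dir: $have kB free, $need kB needed for a full heap dump" >&2
        return 1
    fi
    # GNU stat: octal mode, last digit = permissions for "other".
    case $(stat -c %a "$dir") in
        *[1-7]) echo "warning: $dir is accessible to other users (chmod o-rwx recommended)" >&2 ;;
    esac
    return 0
}

# Usage: heapdump_dir_ok /var/sofie/data/ && echo "ok to enable heap dumps"
```

Run it once before creating setenv.local.sh and again after changing HeapDumpPath; a directory that passes the space check but draws the permission warning should be tightened before the first dump lands in it.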