Installation on Linux systems

This section describes the process of installing Kaspersky CyberTrace on Linux systems.

Installation methods

On Linux systems, you can install Kaspersky CyberTrace by one of three methods: RPM installation, DEB installation, or TGZ installation. Each method is described below.

RPM installation

Kaspersky CyberTrace is installed in the /opt/kaspersky/ktfs directory. This directory is called %service_dir% in this document.

The user account that performs the RPM installation must have root privileges.

To perform the RPM installation of Kaspersky CyberTrace:

  1. Unpack the distribution kit contents to any directory on your system. In the following command, substitute %temp_dir% with this directory and %SIEM% with the name of your SIEM solution (Splunk, RSA, ArcSight, QRadar, Log_Scanner). If your SIEM solution is not in the list of SIEM solutions above, use the Log_Scanner value.

    tar -C %temp_dir% -xvzf Kaspersky_CyberTrace_for_%SIEM%_Linux-architecture-version-Release.rpm.tar.gz --no-same-owner

    The RPM package, installation script, and documentation will be unpacked to this directory.

    The archive can have a different name, for example, %SIEM%-rpm.tar.gz. You can either use the existing name or rename the archive by using the mv command.

  2. Run the installation script:

    run.sh install

    The installation script will install the RPM package and add Feed Service to the list of services by using chkconfig. Feed Service will start automatically on system boot.

    After the RPM package is installed, the installation script automatically runs the configurator.

  3. In the configurator, configure Feed Service, Feed Utility, and Log Scanner.

    For more information about using the configurator, see subsection "Interactive setup with configurator" below.

    If you interrupt the process of configuration, you can resume it by running the following command: /opt/kaspersky/ktfs/bin/configure -i -s %SIEM%. In this command, replace %SIEM% with the name of your SIEM solution (Splunk, RSA, ArcSight, QRadar, Log_Scanner).

  4. (Recommended) Configure Kaspersky CyberTrace further through its Web UI. Perform actions described in section "Configuring Kaspersky CyberTrace using the web interface" below.

DEB installation

Kaspersky CyberTrace is installed in the /opt/kaspersky/ktfs directory. This directory is called %service_dir% in this document.

The user account that performs the DEB installation must have root privileges.

To perform the DEB installation of Kaspersky CyberTrace:

  1. Unpack the distribution kit contents to any directory on your system. In the following command, substitute %temp_dir% with this directory and %SIEM% with the name of your SIEM solution (Splunk, RSA, ArcSight, QRadar, Log_Scanner). If your SIEM solution is not in the list of SIEM solutions above, use the Log_Scanner value.

    tar -C %temp_dir% -xvzf Kaspersky_CyberTrace_for_%SIEM%_Linux-architecture-version-Release.deb.tar.gz --no-same-owner

    The DEB package, installation script, and documentation will be unpacked to this directory.

    The archive can have a different name, for example, %SIEM%-deb.tar.gz. You can either use the existing name or rename the archive by using the mv command.

  2. Run the installation script:

    run.sh install

    The installation script will install the DEB package and add Feed Service to the list of services by using systemd. Feed Service will start automatically on system boot.

    After the DEB package is installed, the installation script automatically runs the configurator.

  3. In the configurator, configure Feed Service, Feed Utility, and Log Scanner.

    For more information about using the configurator, see subsection "Interactive setup with configurator" below.

    If you interrupt the process of configuration, you can resume it by running the following command: /opt/kaspersky/ktfs/bin/configure -i -s %SIEM%. In this command, replace %SIEM% with the name of your SIEM solution (Splunk, RSA, ArcSight, QRadar, Log_Scanner).

  4. (Recommended) Configure Kaspersky CyberTrace further through its Web UI. Perform actions described in section "Configuring Kaspersky CyberTrace using the web interface" below.

TGZ installation

To perform the TGZ installation of Kaspersky CyberTrace:

  1. Create the /opt/kaspersky/ktfs directory. This directory is called %service_dir% in this document.
  2. Unpack the distribution kit contents to the /opt/kaspersky/ktfs directory.

    tar -C /opt/kaspersky/ktfs -xvzf Kaspersky_CyberTrace_for_%SIEM%_Linux-architecture-version-Release.tar.gz --strip-components 1

    You must unpack the distribution kit contents to the /opt/kaspersky/ktfs directory. Do not use other directories, because the configurator configures Feed Service, Feed Utility, and Log Scanner to use this directory.

  3. Use the ln utility to create symbolic links (symlinks) for configuration files and startup scripts:

    ln -s /opt/kaspersky/ktfs/etc/init.d/kl_feed_service /etc/init.d/kl_feed_service

    ln -s /opt/kaspersky/ktfs/etc/kl_feed_service.conf /etc/kl_feed_service.conf

  4. Use the chkconfig utility to add Feed Service to the list of system services in Red Hat-based distributions:

    chkconfig --add kl_feed_service

    Use the update-rc.d utility to add Feed Service to the list of system services in Debian-based distributions:

    update-rc.d kl_feed_service defaults

  5. Run the configurator:

    /opt/kaspersky/ktfs/bin/configure -i -s %SIEM%

    In the command above, substitute %SIEM% with one of the following values, depending on the SIEM solution used: Splunk, RSA, ArcSight, QRadar, or Log_Scanner. If your SIEM solution is not in the list of SIEM solutions, use the Log_Scanner value.

    For more information about running the configurator, see subsection "Configurator command-line parameters" below.

  6. In the configurator, configure Feed Service, Feed Utility, and Log Scanner.

    For more information about using the configurator, see subsection "Interactive setup with configurator" below.

  7. (Recommended) Configure Kaspersky CyberTrace further through its Web UI. Perform actions described in section "Configuring Kaspersky CyberTrace using the web interface" below.
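The TGZ steps above, collected into one idempotent script with the pre-flight checks an administrator would want (root check, archive present, symlink targets verified, %SIEM% value validated before the configurator runs). This is an added example, not Kaspersky's own installer. The ROOT prefix variable and the script name install_tgz.sh are assumptions introduced here: leaving ROOT empty installs to the real paths, while setting it to a scratch directory lets you rehearse the steps without root.

```shell
#!/bin/sh
# Added example (not Kaspersky's installer): the documented TGZ installation
# steps with checks. ROOT (hypothetical, default empty) prefixes every path so
# the steps can be rehearsed against a scratch directory.
set -eu

ROOT="${ROOT:-}"
SERVICE_DIR="$ROOT/opt/kaspersky/ktfs"
SIEM_VALUES="Splunk RSA ArcSight QRadar Log_Scanner"

# Steps 1 and 2: create %service_dir% and unpack the kit into it.
unpack_kit() {
    archive="$1"
    [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }
    mkdir -p "$SERVICE_DIR"
    tar -C "$SERVICE_DIR" -xzf "$archive" --strip-components 1
}

# Step 3: symlink the init script and config file. ln -sfn makes re-runs safe;
# readlink confirms each link points into %service_dir% and nowhere else.
link_service_files() {
    mkdir -p "$ROOT/etc/init.d"
    for pair in \
        "$SERVICE_DIR/etc/init.d/kl_feed_service:$ROOT/etc/init.d/kl_feed_service" \
        "$SERVICE_DIR/etc/kl_feed_service.conf:$ROOT/etc/kl_feed_service.conf"
    do
        src="${pair%%:*}"
        dst="${pair#*:}"
        [ -e "$src" ] || { echo "missing from kit: $src" >&2; return 1; }
        ln -sfn "$src" "$dst"
        [ "$(readlink "$dst")" = "$src" ] || { echo "bad link: $dst" >&2; return 1; }
    done
}

# Step 4: register the service with whichever tool the distribution provides.
service_tool() {
    if command -v chkconfig >/dev/null 2>&1; then echo chkconfig
    elif command -v update-rc.d >/dev/null 2>&1; then echo update-rc.d
    else echo none
    fi
}

register_service() {
    case "$(service_tool)" in
        chkconfig)   chkconfig --add kl_feed_service ;;
        update-rc.d) update-rc.d kl_feed_service defaults ;;
        *) echo "neither chkconfig nor update-rc.d found; register kl_feed_service by hand" >&2; return 1 ;;
    esac
}

# Step 5: accept only the documented %SIEM% values before invoking the configurator.
valid_siem() {
    for v in $SIEM_VALUES; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

run_configurator() {
    valid_siem "$1" || { echo "unknown SIEM '$1'; use Log_Scanner for unlisted SIEMs" >&2; return 1; }
    "$SERVICE_DIR/bin/configure" -i -s "$1"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    unpack_kit "$1"
    link_service_files
    register_service
    run_configurator "$2"
}

# Usage: ./install_tgz.sh <Kaspersky_CyberTrace_for_%SIEM%_Linux-...-Release.tar.gz> <SIEM>
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Steps 6 and 7 (the interactive configurator session and the Web UI) are not scripted; the configurator is started with the same -i -s flags the procedure documents and then takes over the terminal.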

Interactive setup with configurator

The configurator setup has the following steps:

  1. Accepting the End User License Agreement.

    Use the PAGE UP and PAGE DOWN keys to navigate. Type q to quit.

    To accept the End User License Agreement, type Yes.

  2. Specifying proxy server settings.

    Follow the instructions and specify proxy server settings. The specified proxy credentials will be stored in encrypted form.

    You can always stop using a proxy through CyberTrace Web. For more information, see section "Service settings".

  3. Specifying connection parameters.

    The configurator automatically checks that the specified connection parameters are correct. For example, it checks that a SIEM solution is listening at the address and port specified for outbound events.

    The IP addresses must consist of four decimal octets, separated by a dot. For example, 192.0.2.254 is a valid IP address.

    Depending on the specific SIEM solution name, connection parameters may include:

    • IP address and port for incoming events

      Feed Service listens for incoming events on the specified address and port or UNIX domain socket.

    • SIEM solution connection string

      Feed Service sends outbound events to the specified IP address and port or UNIX domain socket.
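The syntactic checks described above, as an added example in shell; this is not the configurator's own code, which is a binary. The functions accept either a UNIX domain socket path or an IPv4 address and port, enforce the four-decimal-octet rule, and flag an inbound listener bound to every interface, which exposes Feed Service to the whole network segment instead of only the SIEM host. The function names and the sample socket path are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not the configurator's code): pre-checks for Feed Service
# connection parameters so a typo is caught before the service binds to it.
set -eu

# Four decimal octets 0-255 separated by dots. Leading zeros are rejected
# because some resolvers read "010" as octal, so "192.168.010.1" would not
# mean what it looks like.
valid_ipv4() {
    addr="$1"
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"
    IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# TCP port: an integer 1-65535 with no leading zeros.
valid_port() {
    case "$1" in ''|*[!0-9]*|0*) return 1 ;; esac
    [ "${#1}" -le 5 ] || return 1
    [ "$1" -le 65535 ] || return 1
    return 0
}

# A connection parameter is a UNIX domain socket path (absolute) or IPv4:port.
# Prints "unix" or "inet" and returns 0 when well-formed, otherwise returns 1.
check_connection() {
    spec="$1"
    case "$spec" in
        /*) echo unix; return 0 ;;
        *:*)
            host="${spec%:*}"
            port="${spec##*:}"
            if valid_ipv4 "$host" && valid_port "$port"; then
                echo inet
                return 0
            fi ;;
    esac
    echo "bad connection parameter: $spec" >&2
    return 1
}

# For the inbound listener only: 0.0.0.0 accepts events from every interface,
# loopback reaches local senders only, anything else is one chosen address.
listener_scope() {
    case "${1%:*}" in
        0.0.0.0) echo all-interfaces ;;
        127.*)   echo loopback ;;
        *)       echo specific ;;
    esac
}

# Example check of an inbound listener (constructed values):
#   check_connection 192.0.2.254:9999 && listener_scope 192.0.2.254:9999
```

Run check_connection on both the inbound address and the SIEM connection string before starting Feed Service; when listener_scope reports all-interfaces, confirm that a host firewall restricts the port to the event sources you expect.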

After that, Kaspersky CyberTrace will be launched. Two links will be displayed:

Configuring Kaspersky CyberTrace using the web interface

To configure Kaspersky CyberTrace using the web interface:

  1. Open Kaspersky CyberTrace Web in your browser at https://127.0.0.1.
  2. Specify IP addresses and ports (or Windows named pipes) that Feed Service will use for incoming and outgoing events by means of the Settings > Service tab.
  3. If you want to use Log Scanner, specify the IP address and port (or the Windows named pipe) that the utility will use to interact with Feed Service in the Connection element of the Log Scanner configuration file.

    The Log Scanner configuration file is located at %service_dir%/log_scanner/log_scanner.conf.

  4. If you want to use normalizing rules to process the events sent by various sources or if you want to use custom regular expressions, configure them on the Matching tab.
  5. If you want Feed Utility to access Kaspersky servers through a proxy server, specify proxy settings on the Settings > Service tab.
  6. If you have a commercial license key, you can add it to Kaspersky CyberTrace by means of the Licensing tab.
  7. If you have a commercial certificate for downloading feeds, you can import it by using the Feeds update period section.
  8. In the Filtering rules for feeds section of CyberTrace Web, select the feeds that must be downloaded and processed by Feed Utility.

Configurator command-line parameters

The configurator is a binary file that configures Feed Service, Feed Utility, and Log Scanner.

The file has the following command-line syntax:

configure -s SIEM [options]

The following positional arguments are available:

The following options are available:
