Separate installation of Kaspersky CyberTrace Service and Feed Utility (Linux)
February 27, 2024
ID 171559
You can install Kaspersky CyberTrace Service and Feed Utility on separate computers. This allows you to isolate the computer, on which event data is matched against feeds, from the internet.
Do not delete the dmz directory from the distribution kit of Kaspersky CyberTrace, even if you are not going to use Kaspersky CyberTrace Service and Feed Utility on separate computers.
You can install Feed Utility on a Windows computer. For this you must have the distribution package for Windows, which also contains instructions on how to perform the installation.
How Kaspersky CyberTrace Service and Feed Utility work in the DMZ
The following diagram describes how Kaspersky CyberTrace Service and Feed Utility work in the DMZ.
Workflow when Kaspersky CyberTrace Service and Feed Utility are installed on separate computers
CyberTrace limitations when operating in an isolated environment
Since CyberTrace will be running on a host without direct internet access, the following CyberTrace operation limitations will apply:
- No possibility of graph enrichment from third-party sources on the CyberTrace local host.
- For adding feeds, the CyberTrace settings should be transferred from the local host to the DMZ host, changed, and then moved back to the local host. For more information, see section "Changing feed settings after installing Kaspersky CyberTrace Service and Feed Utility on separate computers".
Installing Kaspersky CyberTrace Service and Feed Utility on separate computers
The following procedure describes how to configure the DMZ host and the local host for installing Kaspersky CyberTrace Service on one computer (in this section, referred to as local) and Feed Utility on another computer (in this section, referred to as DMZ).
Configuring a DMZ host
To configure a DMZ host, do the following:
- Install CyberTrace on the DMZ host, for easy configuration of the feeds that are supposed to be loaded to CyberTrace in an isolated environment.
- In the Initial Setup Wizard, specify the required SIEM settings (name, connection details).
These settings will be used for the local host.
Also, add the PEM-formatted certificate for configuring Kaspersky feeds that will be used. It is not necessary to add the Kaspersky CyberTrace license key on the DMZ host, since the Community edition allows the configuration of all supported feed types. Adding a license key is obligatory on the local host.
- If necessary, add or additionally configure the feeds on the Settings > Feeds page after specifying the settings in the Initial Setup Wizard.
Ensure that the feeds are configured correctly by running a feeds update in CyberTrace at least once.
- Export the settings from CyberTrace by clicking the Export configuration files button on the Settings > Service page.
If custom feeds were previously configured in Kaspersky CyberTrace, also save the httpsrv/etc/custom_feed_list.conf file for further use.
- Copy the %service_dir%/dmz directory to a location other than the %service_dir% directory (for example, to the /opt or /usr/local/etc directory).
Hereafter, the path to this directory will be referred to as %dmz_fu%.
- Remove CyberTrace.
If you have to add new feeds, install CyberTrace on the DMZ host again.
- Move sections Settings > Feeds and Settings > ProxySettings from the exported kl_feed_util.conf file (see Step 4) to the %dmz_fu%/kl_feed_util.conf file (if the section is present in the target configuration file, replace this section).
Do not remove the instance of the kl_feed_util.conf file exported from CyberTrace, as well as the kl_feed_service.conf file. These files will be used on the local host.
- Specify accepted in the Settings > EULA tag of the %dmz_fu%/kl_feed_util.conf file.
- Specify <WorkDir>tmp_download</WorkDir> in the Settings/WorkDir of the %dmz_fu%/kl_feed_util.conf file.
- Add %dmz_fu%/cron_dmz.sh to the list of the cron tasks.
The cron_dmz.sh script enables downloading feeds on the DMZ host.
For example, specify the following line in the cron configuration file:
*/30 * * * * %dmz_fu%/cron_dmz.sh
In the example above, the cron_dmz.sh script runs once every 30 minutes. You can set your own schedule to run the script.
Make sure that the cron user has permission to run the %dmz_fu%/cron_dmz.sh file.
Configuring a local host
To configure a local host, do the following:
- Check if the DMZ host is accessible for the local host, by using the RSync utility (to do this, perform the steps from section "Synchronizing directories that contain feeds").
- On the local host, install the same version of CyberTrace that was previously installed on the DMZ host.
- Stop CyberTrace after installation by running the systemctl stop cybertrace.service command.
- Remove the %service_dir%/bin/.need_run_wizard file.
This action disables the initial configuration wizard, since configuration was previously completed on the DMZ host.
- Replace the %service_dir%/etc/kl_feed_util.conf and %service_dir%/etc/kl_feed_service.conf files with the files that were obtained in Step 4 of section "Configuring a DMZ host".
If custom feeds were previously configured in Kaspersky CyberTrace, replace or add (if the file was not present) the httpsrv/etc/custom_feed_list.conf file.
- Open the %service_dir%/etc/kl_feed_util.conf file, and then specify the following parameters:
<NotifyKTFS path="../bin">true</NotifyKTFS>
<WorkDir>output</WorkDir>
<FeedsDir>../feeds/download</FeedsDir>
- Configure the following in the %service_dir%/etc/kl_feed_service.conf file:
  - Specify settings in:
    Configuration > InputSettings > ConnectionString
    Configuration > GUISettings > HTTPServer > ConnectionString
    Configuration > GUISettings > HTTPServer > ResourcesIP
  - Set 0 in the update_frequency attribute.
    This customization is applied, since the feeds files loaded on the DMZ host will be periodically synchronized by CRON, not CyberTrace.
- (Recommended) Rename the %service_dir%/dmz/feeds.pem file to feeds.pem.0 to avoid incorrect feeds updating when clicking the Launch update now button.
- Open the %service_dir%/scripts/cron_cybertrace.sh file, and then specify the following:
  - RSYNC_USER (user name on the DMZ host for authorization).
  - RSYNC_HOST (host name/IP address of the DMZ host).
  - PATH_TO_FEEDS (path to the %dmz_fu%/download directory on the DMZ host).
  - DOWNLOAD_DIR ("output").
  - SSH_KEY (make sure that you specified the same RSA key file path as described in Step 1 of section "Synchronizing directories that contain feeds").
- Add %service_dir%/scripts/cron_cybertrace.sh to the list of the cron tasks.
The cron_cybertrace.sh script starts synchronizing the feeds files from the DMZ host. The example below shows that the cron_cybertrace.sh file is launched once every 30 minutes and is started with a five-minute delay relative to the cron_dmz.sh script on the DMZ host:
5-59/30 * * * * /opt/kaspersky/ktfs/scripts/cron_cybertrace.sh
You can set your own schedule to run the script.
Make sure that the cron user has permission to run the %service_dir%/scripts/cron_cybertrace.sh file.
- Start CyberTrace.
Run the systemctl start cybertrace.service command.
- Open CyberTrace Web in a browser, by using the details specified in Step 7 in Configuration > GUISettings > HTTPServer > ConnectionString.
- Make sure that the settings for the feeds on the Settings > Feeds page are similar to the settings on the DMZ host.
- On the Settings > Feeds page, set Never for the Update frequency parameter.
- On the Settings > Licensing page, add a license key.
- Configure other settings that are not related to feeds updating.
Changing feed settings after installing Kaspersky CyberTrace Service and Feed Utility on separate computers
Since the DMZ host is only for feeds downloading, you can configure the below settings for the previously enabled feeds in CyberTrace on the local host. You can change the following feeds parameters:
- Feed confidence value (except for Kaspersky feeds)
- Limit number of feed entries being processed
- Retention period (except for Kaspersky feeds)
- Available fields for a feed
- Filtering rules
- Actionable fields
You can also disable any feed that was previously enabled (in this case, the disabled feeds will continue to be downloaded on the DMZ host and transferred to the local host, until you disable them in %dmz_fu%/kl_feed_util.conf).
You can configure the proxy server settings directly in the %dmz_fu%/kl_feed_util.conf file on the DMZ host.
If necessary, you can add a new feed as described below.
If any feed was previously disabled on the local host, the actions below will stop the download of this feed on the DMZ host.
To add a new feed, do the following:
- On the local host:
  - Export the current settings from CyberTrace by clicking the Export configuration files button on the Settings > Service page.
    If custom feeds were previously configured in Kaspersky CyberTrace, also save the httpsrv/etc/custom_feed_list.conf file for further use.
  - Stop the CyberTrace service.
    Run the systemctl stop cybertrace.service command.
- On the DMZ host:
  - Install the same CyberTrace version as on the local host.
    If you did not remove CyberTrace on the DMZ host during initial setup, skip this step.
  - Stop the CyberTrace service.
    Run the systemctl stop cybertrace.service command.
  - Remove the %service_dir%/bin/.need_run_wizard file.
    If you did not remove CyberTrace on the DMZ host during initial setup, skip this step.
  - Replace the %service_dir%/etc/kl_feed_service.conf and %service_dir%/etc/kl_feed_util.conf files with the files exported from the local host in Step 1 above.
    If custom feeds were previously configured in Kaspersky CyberTrace, also replace or add (if the file was not present) the httpsrv/etc/custom_feed_list.conf file.
    Specify the proper Configuration > GUISettings > HTTPServer > ConnectionString to open CyberTrace Web in a browser.
  - Start the CyberTrace service.
    Run the systemctl start cybertrace.service command.
  - Add and configure new feeds using CyberTrace Web at the address specified in Configuration/GUISettings/HTTPServer/ConnectionString of the %service_dir%/etc/kl_feed_service.conf file.
    Ensure that the feed is configured correctly by running a feeds update in CyberTrace at least once.
  - Export the updated settings from CyberTrace by clicking the Export configuration files button on the Settings > Service page.
    If custom feeds were previously configured in Kaspersky CyberTrace, also save the httpsrv/etc/custom_feed_list.conf file for further use.
  - Remove CyberTrace.
  - Move (replace) the sections Settings > Feeds and Settings > ProxySettings from the exported kl_feed_util.conf file to the %dmz_fu%/kl_feed_util.conf file.
    Do not remove the instance of the kl_feed_util.conf file exported from CyberTrace, as well as the kl_feed_service.conf file. These files will also be used on the local host.
- On the local host:
  - Replace the %service_dir%/etc/kl_feed_service.conf and %service_dir%/etc/kl_feed_util.conf files with the files exported from the DMZ host.
    If custom feeds were previously configured in Kaspersky CyberTrace, also replace or add (if the file was not present) the httpsrv/etc/custom_feed_list.conf file.
    Specify a proper Configuration > GUISettings > HTTPServer > ConnectionString to open CyberTrace Web in a browser.
  - Start the CyberTrace service.
    Run the systemctl start cybertrace.service command.
  - Using the address specified in Configuration > GUISettings > HTTPServer > ConnectionString, open CyberTrace Web and make sure that the Settings > Feeds page contains the new feed, and its settings are similar to settings on the DMZ host. Also, make sure that all other feeds are configured correctly.
  - On the Settings > Feeds page, set Never in the Update frequency parameter.
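The section move in Steps 7 to 9 of "Configuring a DMZ host", repeated in the last DMZ step of the procedure for adding a new feed, can be scripted. The following Python code is an added example, not part of the Kaspersky distribution kit. It assumes that kl_feed_util.conf is XML with a Settings root element and Feeds, ProxySettings, EULA and WorkDir as its direct children; the sample documents and the function names are constructed for illustration.

```python
import copy
import xml.etree.ElementTree as ET

MOVED_SECTIONS = ("Feeds", "ProxySettings")  # sections the page says to move

# Constructed samples: only the element names mentioned on the page are real;
# the Feed and Host child elements and their values are placeholders.
EXPORTED = """<Settings><EULA>accepted</EULA><WorkDir>output</WorkDir>
<Feeds><Feed name="constructed_feed_a"/><Feed name="constructed_feed_b"/></Feeds>
<ProxySettings><Host>proxy.example</Host></ProxySettings></Settings>"""
DMZ = """<Settings><EULA>not_accepted</EULA>
<Feeds><Feed name="constructed_old_feed"/></Feeds></Settings>"""


def _replace_section(root, section):
    """Put section into root, replacing an existing child with the same tag."""
    old = root.find(section.tag)
    if old is None:
        root.append(section)
    else:
        index = list(root).index(old)
        root.remove(old)
        root.insert(index, section)


def _set_text(root, tag, text):
    """Set the text of root's child <tag>, creating the child if needed."""
    element = root.find(tag)
    if element is None:
        element = ET.SubElement(root, tag)
    element.text = text


def merge_for_dmz(exported_xml, dmz_xml, initial_setup=True):
    """Return new %dmz_fu%/kl_feed_util.conf text; the inputs are not modified."""
    exported, dmz = ET.fromstring(exported_xml), ET.fromstring(dmz_xml)
    for root in (exported, dmz):
        if root.tag != "Settings":  # assumed root element name
            raise ValueError(f"unexpected root element <{root.tag}>")
    if exported.find("Feeds") is None:
        raise ValueError("exported file has no Settings > Feeds section")
    for tag in MOVED_SECTIONS:
        section = exported.find(tag)
        if section is not None:  # absent from the export: keep the DMZ copy
            _replace_section(dmz, copy.deepcopy(section))
    if initial_setup:  # initial DMZ setup: EULA and WorkDir values from the page
        _set_text(dmz, "EULA", "accepted")
        _set_text(dmz, "WorkDir", "tmp_download")
    return ET.tostring(dmz, encoding="unicode")
```

ElementTree discards XML comments and the XML declaration when it serializes, so write the result to a new file and keep the original %dmz_fu%/kl_feed_util.conf as a backup.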
Synchronizing directories that contain feeds
For synchronizing feeds on both the local and DMZ hosts, you can use the RSync utility.
If the DMZ host is a Windows computer, the RSync utility can be run by using Cygwin. See how to install Cygwin in section "Separate installation of Kaspersky CyberTrace Service and Feed Utility (Windows)".
To configure synchronization on the DMZ host:
- On the DMZ host, configure the OpenSSH components as follows:
  - Run the following command as root:
    ssh-host-config
    You can answer "Yes" every time. The main point is to run the sshd daemon as a service.
  - Run the following command:
    net start sshd
The sshd daemon will start automatically.
To configure synchronization on the local host:
- Create a private key and a corresponding public key.
For this purpose, run the following command on the local host:
ssh-keygen -t rsa -q -N '' -f /home/<user>/.ssh/dmz_rsa_key
Specify the user login instead of <user>. The keys will be created without a password.
- Copy the public key from the local host to the DMZ host by running the following command:
ssh-copy-id -i /home/<user>/.ssh/dmz_rsa_key <DMZ_user>@<DMZ_host>
When you run this command, you will be asked for the password to <DMZ_user>@<DMZ_host>.
- Test the synchronization of the contents of directories that contain feeds by running the following command on the local host:
rsync -a --delete-before --delay-updates -e "ssh -i /home/<user>/.ssh/dmz_rsa_key" <DMZ_user>@<DMZ_host>:/<Path_to_feeds>/ /<Path_to_feeds_on_Local>/
In this command, <Path_to_feeds_on_Local> is the path to the directory containing feeds on the local host (namely, %service_dir%/feeds), and <Path_to_feeds> is the path to the directory in which updated feeds are stored on the DMZ host.
To pass the synchronization test, the contents of the <Path_to_feeds_on_Local> directory on the local host must be the same as the contents of the <Path_to_feeds> directory on the DMZ host.
Upgrading CyberTrace from a previous version
To upgrade CyberTrace and Feed Utility to newer versions, do the following:
- On the local host, upgrade CyberTrace as described in section "Upgrading automatically on Linux".
- From the %service_dir%/dmz directory on the local host, move the kl_feed_util file to %dmz_fu% on the DMZ host.