Separate installation of Kaspersky CyberTrace Service and Feed Utility (Linux)

February 27, 2024

ID 171559

You can install Kaspersky CyberTrace Service and Feed Utility on separate computers. This allows you to isolate the computer, on which event data is matched against feeds, from the internet.

Do not delete the dmz directory from the distribution kit of Kaspersky CyberTrace, even if you are not going to use Kaspersky CyberTrace Service and Feed Utility on separate computers.

You can install Feed Utility on a Windows computer. For this you must have the distribution package for Windows, which also contains instructions on how to perform the installation.

How Kaspersky CyberTrace Service and Feed Utility work in the DMZ

The following diagram describes how Kaspersky CyberTrace Service and Feed Utility work in the DMZ.

Diagram of workflow when Feed Service and Feed Utility are installed on separate computers.

Workflow when Kaspersky CyberTrace Service and Feed Utility are installed on separate computers

CyberTrace limitations when operating in an isolated environment

Since CyberTrace will be running on a host without direct internet access, the following CyberTrace operation limitations will apply:

  • No possibility of graph enrichment from third-party sources on the CyberTrace local host.
  • For adding feeds, the CyberTrace settings should be transferred from the local host to the DMZ host, changed, and then moved back to the local host. For more information, see section "Changing feed settings after installing Kaspersky CyberTrace Service and Feed Utility on separate computers".

Installing Kaspersky CyberTrace Service and Feed Utility on separate computers

The following procedure describes how to configure the DMZ host and the local host for installing Kaspersky CyberTrace Service on one computer (in this section, referred to as local) and Feed Utility on another computer (in this section, referred to as DMZ).

Configuring a DMZ host

To configure a DMZ host, do the following:

  1. Install CyberTrace on the DMZ host, for easy configuration of the feeds that are supposed to be loaded to CyberTrace in an isolated environment.
  2. In the Initial Setup Wizard, specify the required SIEM settings (name, connection details).

    These settings will be used for the local host.

    Also, add the PEM-formatted certificate for configuring Kaspersky feeds that will be used. It is not necessary to add the Kaspersky CyberTrace license key on the DMZ host, since the Community edition allows the configuration of all supported feed types. Adding a license key is obligatory on the local host.

  3. If necessary, add or additionally configure the feeds on the Settings > Feeds page after specifying the settings in the Initial Setup Wizard.

    Ensure that the feeds are configured correctly by running a feeds update in CyberTrace at least once.

  4. Export the settings from CyberTrace by clicking the Export configuration files button on the Settings > Service page.

    If custom feeds were previously configured in Kaspersky CyberTrace, also save the httpsrv/etc/custom_feed_list.conf file for further use.

  5. Copy the %service_dir%/dmz directory to a location other than the %service_dir% directory (for example, to the /opt or /usr/local/etc directory).

    Hereafter, the path to this directory will be referred as %dmz_fu%.

  6. Remove CyberTrace.

    If you have to add new feeds, install CyberTrace on the DMZ host again.

  7. Move sections Settings>Feeds and Settings>ProxySettings from the exported kl_feed_util.conf file (see Step 4) to the %dmz_fu%/kl_feed_util.conf file (if the section is present in the target configuration file, replace this section).

    Do not remove the instance of the kl_feed_util.conf file exported from CyberTrace, as well as the kl_feed_service.conf. These files will be used on local host.

  8. Specify accepted in the Settings>EULA tag of the %dmz_fu%/kl_feed_util.conf file.
  9. Specify <WorkDir>tmp_download</WorkDir> in the Settings/WorkDir of the %dmz_fu%/kl_feed_util.conf file.
  10. Add %dmz_fu%/cron_dmz.sh to the list of the cron tasks.

    The cron_dmz.sh script enables downloading feeds on the DMZ host.

    For example, specify the following line in the cron configuration file:

    */30 * * * * %dmz_fu%/cron_dmz.sh

    In the example above, the cron_dmz.sh script runs once in 30 minutes. You can set your own schedule to run the script.

    Make sure that a cron user has access for running the %dmz_fu%/cron_dmz.sh file.

Configuring a local host

To configure a local host, do the following:

  1. Check if the DMZ host is accessible for the local host, by using the RSync utility (to do this, perform the steps from section "Synchronizing directories that contain feeds").
  2. On the local host, install the same version as CyberTrace that was previously installed on the DMZ host.
  3. Stop CyberTrace after installation by running the systemctl stop cybertrace.service command.
  4. Remove the %service_dir%/bin/.need_run_wizard file.

    This action disables the initial configuration wizard, since configuration was previously completed on the DMZ host.

  5. Replace the %service_dir%/etc/kl_feed_util.conf and %service_dir%/etc/kl_feed_service.conf files with the files that were obtained in Step 4 of section "Configuring a DMZ host".

    If custom feeds were previously configured in Kaspersky CyberTrace, replace or add (if the file was not present) the httpsrv/etc/custom_feed_list.conf file.

  6. Open the %service_dir%/etc/kl_feed_util.conf file, and then specify the following parameters:
    • <NotifyKTFS path="../bin">true</NotifyKTFS>
    • <WorkDir>output</WorkDir>
    • <FeedsDir>../feeds/download</FeedsDir>
  7. Configure the following in the %service_dir%/etc/kl_feed_service.conf file:
    • Specify settings in:
    • Set 0 in the update_frequency attribute.

      This customization is applied, since the feeds files loaded on the DMZ host will be periodically synchronized by CRON, not CyberTrace.

  8. (Recommended) Rename the %service_dir%/dmz/feeds.pem file to feeds.pem.0 to avoid incorrect feeds updating when clicking the Launch update now button.
  9. Open the %service_dir%/scripts/cron_cybertrace.sh file, and then specify the following:
    • RSYNC_USER (user name on the DMZ host for authorization).
    • RSYNC_HOST (host name/IP address of the DMZ host).
    • PATH_TO_FEEDS (path to the %dmz_fu%/download directory on the DMZ host).
    • DOWNLOAD_DIR ("output").
    • SSH_KEY (make sure that you specified the same RSA key file path as described in Step 1 of section "Synchronizing directories that contain feeds").
  10. Add %service_dir%/scripts/cron_cybertrace.sh to the list of the cron tasks.

    The cron_cybertrace.sh script starts synchronizing the feeds files from the DMZ host. The example below shows that the cron_cybertrace.sh file is launched once in 30 minutes and is started with five-minute delay relative to the cron_dmz.sh script on the DMZ host:

    5-59/30 * * * * /opt/kaspersky/ktfs/scripts/cron_cybertrace.sh

    You can set your own schedule to run the script.

    Make sure that the cron user has access for running the %service_dir%/scripts/cron_cybertrace.sh file.

  11. Start CyberTrace.

    Run the systemctl start cybertrace.service command.

  12. Open CyberTrace Web in a browser, by using the details specified in Step 7 in Configuration>GUISettings>HTTPServer>ConnectionString.
  13. Make sure that the settings for the feeds on the Settings>Feeds page are similar to the settings on the DMZ host.
  14. On the Settings>Feeds page, set Never for the Update frequency parameter.
  15. On the Settings>Licensing page, add a license key.
  16. Configure other settings that are not related to feeds updating.

Changing feed settings after installing Kaspersky CyberTrace Service and Feed Utility on separate computers

Since the DMZ host is only for feeds downloading, you can configure the below settings for the previously enabled feeds in CyberTrace on the local host. You can change the following feeds parameters:

  • Feed confidence value (except for Kaspersky feeds)
  • Limit number of feed entries being processed
  • Retention period (except for Kaspersky feeds)
  • Available fields for a feed
  • Filtering rules
  • Actionable fields

You can also disable any feed that was previously enabled (in this case, the disabled feeds will continue to be downloaded on the DMZ host and transferred to the local host, until you disable them in %dmz_fu%/kl_feed_util.conf).

You can configure the proxy server settings directly in the %dmz_fu%/kl_feed_util.conf file on the DMZ host.

If necessary, you can add a new feed as described below.

If any feed was previously disabled on the local host, the actions below will stop the download of this feed on the DMZ host.

To add a new feed, do the following:

  1. On the local host:
    1. Export the current settings from CyberTrace by clicking the Export configuration files button on the Settings>Service page.

      If custom feeds were previously configured in Kaspersky CyberTrace, also save the httpsrv/etc/custom_feed_list.conf file for further use.

    2. Stop the CyberTrace service.

      Run the systemctl stop cybertrace.service command.

  2. On the DMZ host:
    1. Install the same CyberTrace version as on the local host.

      If you did not remove CyberTrace on the DMZ host during initial setup, skip this step.

    2. Stop the CyberTrace service.

      Run the systemctl stop cybertrace.service command.

    3. Remove the %service_dir%/bin/.need_run_wizard file.

      If you did not remove CyberTrace on the DMZ host during initial setup, skip this step.

    4. Replace the %service_dir%/etc/kl_feed_service.conf and %service_dir%/etc/kl_feed_util.conf files with the files exported from the local host in Step 1 above.

      If custom feeds were previously configured in Kaspersky CyberTrace, also replace or add (if the file was not present) the httpsrv/etc/custom_feed_list.conf file.

      Specify the proper Configuration>GUISettings>HTTPServer>ConnectionString to open CyberTrace Web in a browser.

    5. Start the CyberTrace service.

      Run the systemctl start cybertrace.service command.

    6. Add and configure new feeds using CyberTrace Web at the address specified in Configuration/GUISettings/HTTPServer/ConnectionString of the %service_dir%/etc/kl_feed_service.conf file.

      Ensure that the feed is configured correctly by running a feeds update in CyberTrace at least once.

    7. Export the updated settings from CyberTrace by clicking the Export configuration files button on the Settings>Service page.

      If custom feeds were previously configured in Kaspersky CyberTrace, also save the httpsrv/etc/custom_feed_list.conf file for further use.

    8. Remove CyberTrace.
    9. Move (replace) the sections Settings>Feeds and Settings>ProxySettings from the kl_feed_util.conf exported file to the %dmz_fu%/kl_feed_util.conf file.

      Do not remove the instance of the kl_feed_util.conf file exported from CyberTrace, as well as the kl_feed_service.conf. These files will be also used on the local host.

  3. On the local host:
    1. Replace the %service_dir%/etc/kl_feed_service.conf and %service_dir%/etc/kl_feed_util.conf files with the files exported from the DMZ host.

      If custom feeds were previously configured in Kaspersky CyberTrace, also replace or add (if the file was not present) the httpsrv/etc/custom_feed_list.conf file.

      Specify a proper Configuration>GUISettings>HTTPServer>ConnectionString to open CyberTrace Web in browser.

    2. Start the CyberTrace service.

      Run the systemctl start cybertrace.service command.

    3. Using the address specified in Configuration>GUISettings>HTTPServer>ConnectionString, open CyberTrace Web and make sure that the Settings>Feeds page contains the new feed, and its settings are similar to settings on the DMZ host. Also, make sure that all other feeds are configured correctly.
    4. On the Settings>Feeds page, set Never in the Update frequency parameter.

Synchronizing directories that contain feeds

For synchronizing feeds on both the local and DMZ hosts, you can use the RSync utility.

If the DMZ host is a Windows computer, the RSync utility can be run by using Cygwin. See how to install Cygwin in section "Separate installation of Kaspersky CyberTrace Service and Feed Utility (Windows)".

To configure synchronization on the DMZ host:

  1. On the DMZ host, configure the OpenSSH components as follows:
    1. Run the following command as root:

      ssh-host-config

      You can answer "Yes" every time. The main point is to run the sshd daemon as a service.

    2. Run the following command:

      net start sshd

The sshd daemon will start automatically.

To configure synchronization on the local host:

  1. Create a private key and a corresponding public key.

    For this purpose, run the following command on the local host:

    ssh-keygen -t rsa -q -N '' -f /home/<user>/.ssh/dmz_rsa_key

    Specify the user login instead of <user>. The keys will be created without a password.

  2. Copy the public key from the local host to the DMZ host by running the following command:

    ssh-copy-id -i /home/<user>/.ssh/dmz_rsa_key <DMZ_user>@<DMZ_host>

    When you run this command, you will be asked for the password to <DMZ_user>@<DMZ_host>.

  3. Test the synchronization of the contents of directories that contain feeds by running the following command on the local host:

    rsync -a --delete-before --delay-updates -e "ssh -i /home/<user>/.ssh/dmz_rsa_key" <DMZ_user>@<DMZ_host>:/<Path_to_feeds>/ /<Path_to_feeds_on_Local>/

    In this command, <Path_to_feeds_on_Local> is the path to the directory containing feeds on the local host (namely, %service_dir%/feeds), and <Path_to_feeds> is the path to the directory on which updated feeds are stored on the DMZ host.

    To pass the synchronization test, the contents of the <Path_to_feeds_on_Local> directory on the local host must be the same as the contents of the <Path_to_feeds> directory on the DMZ host.

Upgrading CyberTrace from a previous version

To upgrade CyberTrace and Feed Utility to newer versions, do the following:

  1. On the local host, upgrade CyberTrace as described in section "Upgrading automatically on Linux".
  2. From the %service_dir%/dmz directory on the local host, move the kl_feed_util file to %dmz_fu% on the DMZ host.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.