Install a CDO Connector to Support an SEC Using Your VM Image

The CDO Connector VM is a virtual machine on which you install an SEC. The purpose of the CDO Connector is solely to support an SEC for Cisco Security Analytics and Logging (SaaS) customers.

This is the first of three steps you need to complete in order install and configure your Secure Event Connector (SEC). After this procedure, you need to complete the following procedures:

Before you begin

  • Purchase the Cisco Security and Analytics Logging, Logging and Troubleshootinglicense, you may also purchase the Logging Analytics and Detection and Total Network Analytics and Monitoring licenses to apply Secure Cloud Analytics to the events.

    If you would rather, you can request a trial version of Security Analytics and Logging by logging in to CDO, and on the main navigation bar, choose Analytics > Event Logging and click Request Trial.

  • CDO requires strict certificate checking and does not support a Web/Content Proxy between the CDO Connector and the Internet.

  • The CDO Connector must have full outbound access to the Internet on TCP port 443.

  • Review Connect to Cisco Defense Orchestrator using Secure Device Connectorto ensure proper network access for the CDO Connector.

  • VMware ESXi host installed with vCenter web client or ESXi web client.

    Note
    We do not support installation using the vSphere desktop client.
  • ESXi 5.1 hypervisor.

  • Cent OS 7 guest operating system.

  • System requirements for a VM to host only a CDO Connector and an SEC:

    • CPU: Assign 4 CPUs to accommodate the SEC.

    • Memory: Assign 8 GB of memory for the SEC.

    • Disk Space: 64 GB

  • Users performing this procedure should be comfortable working in a Linux environment and using the vi visual editor for editing files.

  • If you are installing your CDO Connector on a CentOS virtual machine, we recommend you install Yum security patches on a regular basis. Depending on your Yum configuration, to acquire Yum updates, you may need to open outbound access on port 80 as well as 443. You will also need to configure yum-cron or crontab to schedule the updates. Work with your security-operations team to determine if any security policies need to change to allow you to get the Yum updates.

  • Gather this information before you begin the installation:

    • Static IP address you want to use for your CDO Connector.

    • Passwords for the root and CDO users that you create during the installation process.

    • The IP address of the DNS server your organization uses.

    • The gateway IP address of the network the CDO Connector address is on.

    • The FQDN or IP address of your time server.

  • The CDO Connector virtual machine is configured to install security patches on a regular basis and in order to do this, opening port 80 outbound is required.

  • Before you get started: Do not copy and paste the commands in this procedure into your terminal window, type them instead. Some commands include an "n-dash" and in the cut and paste process, these commands can be applied as an "m-dash" and that may cause the command to fail.

Procedure


Step 1

Log on to CDO.

Step 2

From the left pane, Tools & Services > Secure Connectors.

Step 3

Click the icon and then click Secure Event Connector.

Step 4

Using the link provided, copy the SEC Bootstrap Data in step 2 of the "Deploy an On-Premises Secure Event Connector" window.

Step 5

Install a CentOS 7 virtual machine (http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1804.iso) with at least the memory, CPU, and disk space mentioned in this procedure's perquisites.

Step 6

Once installed, configure basic networking such as specifying the IP address for the CDO Connector, the subnet mask, and gateway.

Step 7

Configure a DNS (Domain Name Server) server.

Step 8

Configure a NTP (Network Time Protocol) server.

Step 9

Install an SSH server on CentOS for easy interaction with CDO Connector's CLI.

Step 10

Run a Yum update and then install the packages: open-vm-tools, nettools, and bind-utils

[root@sdc-vm ~]# yum update -y 
[root@sdc-vm ~]# yum install -y open-vm-tools net-tools bind-utils 

Step 11

Install the AWS CLI package (https://docs.aws.amazon.com/cli/latest/userguide/awscli-install-linux.html)

Note

Do not use the --user flag.

Step 12

Install the Docker CE packages (https://docs.docker.com/install/linux/docker-ce/centos/#install-docker-ce)

Note

Use the "Install using the repository" method.

Step 13

Start the Docker service and enable it to start on boot:

[root@sdc-vm ~]# systemctl start docker
 [root@sdc-vm ~]# systemctl enable docker 
Created symlink from /etc/systemd/system/multiuser.target.wants/docker.service to /usr/lib/systemd/system/docker.service. 

Step 14

Create two users: CDO and sdc. The CDO user will be the one you log-into to run administrative functions (so you don't need to use the root user directly), and the sdc user will be the user to run the CDO Connector docker container.

[root@sdc-vm ~]# useraddCDO
 [root@sdc-vm ~]# useradd sdc –d /usr/local/CDO

Step 15

Configure the sdc user to use crontab:

[root@sdc-vm ~]# touch /etc/cron.allow
[root@sdc-vm ~]# echo "sdc" >> /etc/cron.allow

Step 16

Set a password for the CDO user.

[root@sdc-vm ~]# passwd CDO 
Changing password for user CDO. 
New password: <type password>  
Retype new password: <type password> 
passwd: all authentication tokens updated successfully. 

Step 17

Add the CDO user to the "wheel" group to give it administrative (sudo) privileges.

[root@sdc-vm ~]# usermod -aG wheelCDO
 [root@sdc-vm ~]# 

Step 18

When Docker is installed, there is a user group created. Depending on the version of CentOS/Docker, this may be called either "docker" or "dockerroot". Check the /etc/group file to see which group was created, and then add the sdc user to this group.


 [root@sdc-vm ~]# grep docker /etc/group 
docker:x:993:
[root@sdc-vm ~]# 
[root@sdc-vm ~]# usermod -aG docker sdc 
[root@sdc-vm ~]# 

Step 19

If the /etc/docker/daemon.json file does not exist, create it, and populate with the contents below. Once created, restart the docker daemon.

Note

Make sure that the group name entered in the "group" key matches the group you found in the /etc/group file.

 [root@sdc-vm ~]# cat /etc/docker/daemon.json 
{
 "live-restore": true, 
 "group": "docker" 
} 
[root@sdc-vm ~]# systemctl restart docker 
[root@sdc-vm ~]# 

Step 20

If you are currently using a vSphere console session, switch over to SSH and log in as the CDO user. Once logged in, change to the sdc user. When prompted for a password, enter the password for the CDO user.

[CDO@sdc-vm ~]$ sudo su sdc 
[sudo] password for CDO: <type password for CDO user > 
[sdc@sdc-vm ~]$ 

Step 21

Change directories to /usr/local/CDO.

Step 22

Create a new file called bootstrapdata and paste the bootstrap data from Step 1 of the deployment wizrd into this file. Save the file. You can use vi or nano to create the file.

Step 23

The bootstrap data comes encoded in base64. Decode it and export it to a file called extractedbootstrapdata

 [sdc@sdc-vm ~]$ base64 -d /usr/local/CDO/bootstrapdata > /usr/local/CDO/extractedbootstrapdata 
[sdc@sdc-vm ~]$ 

Run the cat command to view the decoded data. The command and decoded data should look similar to this:

[sdc@sdc-vm ~]$ cat /usr/local/CDO/extractedbootstrapdata 
CDO_TOKEN="<token string>" 
CDO_DOMAIN="www.defenseorchestrator.com" 
CDO_TENANT="<tenant-name>" 
<CDO_URL>/sdc/bootstrap/CDO_acm="https://www.defenseorchestrator.com/sdc/bootstrap/tenant-name/<tenant-name-SDC>" 
ONLY_EVENTING="true" 

Step 24

Run the following command to export the sections of the decoded bootstrap data to environment variables.


[sdc@sdc-vm ~]$ sed -e 's/^/export /g' extractedbootstrapdata > secenv && source secenv 
[sdc@sdc-vm ~]$ 

Step 25

Download the bootstrap bundle from CDO.

 [sdc@sdc-vm ~]$ curl -H "Authorization: Bearer $CDO_TOKEN" "$CDO_BOOTSTRAP_URL" -o $CDO_TENANT.tar.gz 
100 10314 100 10314 0 0 10656 0 --:--:-- --:--:-- --:--:-- 10654 
[sdc@sdc-vm ~]$ ls -l /usr/local/CDO/*SDC 
-rw-rw-r--. 1 sdc sdc 10314 Jul 23 13:48 /usr/local/CDO/CDO_<tenant_name>

Step 26

Extract the CDO Connector tarball, and run the bootstrap_sec_only.sh file to install the CDO Connector package.

 [sdc@sdc-vm ~]$ tar xzvf /usr/local/CDO/tenant-name-SDC 
<snipped – extracted files> 
[sdc@sdc-vm ~]$ 
[sdc@sdc-vm ~]$ /usr/local/CDO/bootstrap/bootstrap_sec_only.sh 
[2018-07-23 13:54:02] environment properly configured 
download: s3://onprem-sdc/toolkit/prod/toolkit.tar to toolkit/toolkit.tar 
toolkit.sh 
common.sh 
es_toolkit.sh 
sec.sh 
healthcheck.sh 
troubleshoot.sh 
no crontab for sdc 
-bash-4.2$ crontab -l 
*/5 * * * * /usr/local/CDO/toolkit/es_toolkit.sh upgradeEventing 2>&1 >> /usr/local/CDO/toolkit/toolkit.log 
0 2 * * * sleep 30 && /usr/local/CDO/toolkit/es_toolkit.sh es_maintenance 2>&1 >> /usr/local/CDO/toolkit/toolkit.log 
You have new mail in /var/spool/mail/sdc

What to do next

Continue to Additional Configuration for SDCs and CDO Connectors Installed on a VM You Created .