Creating a Clone Template for Linux Sensor VMs

This topic describes how to create a clone template from a virtual machine with a Linux Sensor installed so that it can be duplicated and reused elsewhere in your virtual environment. The topic describes how to do this in AWS, but the same procedure can be used in other virtual environments, all of which provide tools to duplicate virtual machines.

You can use the procedures in this topic with any Linux-based Stellar Cyber Sensor, including both Linux Server Sensors and Modular Sensors.


Clone Templates Are for Linux Sensors Only!

The clone template feature can only be used with Linux Sensors (Server Sensors or Modular Sensors).

Understanding Cloning

The Challenge

Sensors are uniquely identified by an Engine ID. No two Sensors can share the same Engine ID. If you use your cloud management interface to clone a VM with a Sensor installed, you end up with two Sensors with the same Engine ID.

The Solution

You can get around this issue by resetting Engine IDs on individual VMs as you clone them. However, this can be tedious when you are creating multiple clones from a single VM.

As an improved solution, Stellar Cyber provides a clone template feature that temporarily removes the Engine ID from the Sensor so that it can be shut down, cloned multiple times, and then restarted. Both the source Sensor and each of the clones receive new, unique Engine IDs when they are restarted.

Sensor Settings for Cloned Sensors Are Preserved

Both the source Sensor and each of the clones retain the settings from the source Sensor used to create the clone template, including the managing Stellar Cyber platform and tenant settings. This is done differently depending on whether your deployment is managed for you by Stellar Cyber or an on-premises deployment you manage yourself. Refer to the procedures for your deployment type:

  • Managed Deployments (Version Numbers ending in "s")

    Managed deployments can be identified by an "s" in their version number (for example, 5.3.0s) and are sometimes referred to as SaaS deployments. These deployments use tokens to authorize and configure sensor installations.

  • On-Premises Deployments (Version Numbers without an "s")

    On-premises deployments do not include an "s" in their version number. They use the set cm, set aggregator, and set tenant_id commands to configure sensors. In addition, sensors are authorized in the Sensor List rather than by using tokens.

Working with Clone Templates in Managed Environments

Sensors in a managed (SaaS) deployment are authorized and configured using tokens created in the Tokens tab of the Sensor Installation page. Tokens point the installed sensor to the correct DP, assign the specified tenant, optionally provision a sensor profile, and authorize the sensor installation.

The System | Sensor Installation page only appears in managed deployments. It is not available in an on-premises deployment.

When you create a clone template for a managed deployment, you include a token as part of the create sensor_clone_template command. The settings from the token are preserved in the clone template and are applied to all clones created using the template:

  • Managing Stellar Cyber Platform – Clones automatically add themselves to the same Stellar Cyber platform instance for the organization that generated the token.

  • Tenant – Clones are automatically assigned the same tenant included in the token used to create the clone template. 

  • Sensor Profile – If the token used to create the clone template included a Sensor Profile, that profile is automatically assigned to all clones created using the template.

  • Authorization – Clones are automatically authorized if the token used to create the clone template is valid and unexpired.

    • The system does not create a clone template if you supply an expired token as part of the create sensor_clone_template command.

    • Clones are not able to add themselves successfully to the Stellar Cyber platform if the token used to create the template expires between the time the clone template was created and the time you create the clones in your cloud management interface. For example, if you create a clone template with a token that's configured to expire on 10/31/2024, a clone created from the template on 11/1/2024 cannot register successfully with the Stellar Cyber platform.

      Depending on your needs, you can avoid issues with expiration dates by using a token set to Never expires to create a "golden master" clone template. However, you should consider the security exposure of such a template.

    • If you supply an invalid token as part of the create sensor_clone_template command, the clone template is created but any clones you create using it do not register successfully with the Stellar Cyber platform. Tokens become invalid if they are associated with a Sensor Profile that is deleted after the token is created.

Procedure: Creating and Using a Clone Template in a Managed Deployment

The following procedure describes how to use the clone template feature in a managed (SaaS) deployment:

  1. Install and configure the sensor you want to use as the source for the clone template.

  2. Use the Tokens tab to identify the token you want to use with the clone template. You can either use an existing token that is unexpired and valid or generate a new token to be used with the clone template.

    • Tokens are embedded in the clone template with their expiration dates (including an expiration of Never expires, if configured). Clones created using a clone template only add themselves successfully to the Stellar Cyber platform if they are created before the expiration date in the specified token is reached.

    • Tokens become invalid if they are associated with a sensor profile that is deleted after the time the token was created. Clones created from a template with an invalid token cannot add themselves to the Stellar Cyber platform.

  3. Open an SSH connection to the Sensor VM and start the sensor CLI with the following command:

    $ aella_cli

    Caution: The next step shuts down the Stellar Cyber services for the Sensor, temporarily taking it offline from the DP. Make sure you are ready to do this.

  4. Create a clone template from the VM with the following command:

    DataSensor> create sensor_clone_template [token_string]

  5. Confirm your decision to create the template at the sensor's prompt.

    Once you confirm your decision, the following takes place:

    • The Stellar Cyber services for the Sensor are shut down. The host VM itself is not shut down.

    • The Engine ID is removed.

    The sample below illustrates creation of a clone template with a token. Note that we are using a dummy token in the example; it will not work with your platform.

    DataSensor> create sensor_clone_template eyWxxGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..A5lu6VvpTXaH93hQLqzUQQ.0bZQ3ZrUqjIwGpwanNhqZvvR9rk0bYn5zr7WQ2UvM58zWbdQNxxlGCHL7dF7p7ln6GLLSb2fsxCH0WULlfoiezb15L1x-fRPCeYuWA81b43mN8cNC1P4L1wpW5rAsaJT8zJ6vvskjmem-0u8RpaPm4OPY3_x6SdzWzIkH0ViJfS-t-PEN2ONFKl2lWyL4tXlBHaAHOfKkFM1e_xbpGMuoh2TxfYuvbZiwIA7MgwVYyh-6eCSKqu2-nklWbLFUXpvZhDVlPqEX87enWmxE24XBpGzikJ4LMbbDBTv6r-3XXgbun94vj99sjpYn9pvE7kjEJN3cqvez_Zy1vLH4AEbq020MrK0iM61moD14Ra1Tokyl4uy9mgjDJPjh3jQFyxT2Izj8EE03Z0FF0gZ4ZcxRd0lA5XTQjvANK0uAftXs2eV1PFPK655OrIkq2wdJz81d812m8telwZw8I38ECKOhgdUAm9IOXfkL2ALqrz_WvyGCKsI4Luhbg_0bQVQ1vvymSB-0gXcUXh7zaa5GGiFTbHn_I9LBes6PZDjHuP7dNzIQbGKghVN7-Hpjfrx_7y3tdi6rJJ16btvQAxJcjMfGO2kJwaifBYDZcXuowopUwpjbXi0CCgtK--tyRCBmj-qLb58N_lxFOy-9oPv6ZD6vYpWdX533oZMA3h9mnDPlhKJqx_XXXXX.yyyyyoQQQQQzfqeflUwxyz

    Creating sensor clone template will stop sensor services and change the engid

    To convert the current sensor to a template, select Y: [y|N]
    y
    Start create sensor clone template, aella services will be shut down soon

    Please stop the machine before clone.

    Token expire time is 2024-10-14 20:59:34
    Stop service aella_ctrl, status 0.
    Stop service aella_mon, status 0.
    Stop service aella_flow, status 0.
    Stop service aella_audit, status 0.
    aella_conf service stopped, clone template finished
    DataSensor> show system

    SERVICE         STATE           UPTIME
    ===========     ========        ========
    aella_audit     stopped         -
    aella_conf      stopped         1h32m
    aella_ctrl      stopped         1h32m
    aella_flow      stopped         1h31m
    aella_mon       stopped         1h32m

  6. Shut down the host Linux VM so that it can be cloned.

  7. Open the AWS Console and navigate to the EC2 | Instances list.

  8. Right-click the entry for the Sensor VM and select Images and templates | Create image from the context menu that appears.

  9. Use the AWS documentation to complete creation of the image(s). When the new image(s) restart they automatically generate new, unique Engine IDs and add themselves to the same Stellar Cyber platform as the source Sensor with the tenant and sensor profile assignments included in the token.

  10. Restart the clone source Linux Sensor. It also automatically generates a new Engine ID for itself.
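
Before creating the image in step 8, you can check a saved copy of the CLI session to confirm that every sensor service is stopped and that the embedded token will still be unexpired when the clones first start. The following Python sketch is an added example, not Stellar Cyber code; the function name check_template, the one-day safety margin, and the treatment of the expiry timestamp as a naive local time are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed transcript modelled on the sample output above (token omitted).
SAMPLE_TRANSCRIPT = """\
    Token expire time is 2024-10-14 20:59:34
    Stop service aella_ctrl, status 0.
    aella_conf service stopped, clone template finished
    DataSensor> show system

    SERVICE         STATE           UPTIME
    ===========     ========        ========
    aella_audit     stopped         -
    aella_conf      stopped         1h32m
    aella_ctrl      stopped         1h32m
    aella_flow      stopped         1h31m
    aella_mon       stopped         1h32m
"""

EXPIRY_RE = re.compile(r"Token expire time is (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# A 'show system' row: service name, state, uptime (exactly three columns).
SERVICE_RE = re.compile(r"^[ \t]*(aella_\w+)[ \t]+(\S+)[ \t]+\S+[ \t]*$", re.MULTILINE)


def check_template(transcript, clone_launch, margin=timedelta(days=1)):
    """Return reasons not to image this VM yet; an empty list means go ahead."""
    problems = []

    # 1. Every sensor service listed by 'show system' must be stopped.
    services = dict(SERVICE_RE.findall(transcript))
    if not services:
        problems.append("no 'show system' service table in transcript")
    for name, state in sorted(services.items()):
        if state != "stopped":
            problems.append(f"{name} is '{state}', expected 'stopped'")

    # 2. The embedded token must still be unexpired when the clones first boot.
    match = EXPIRY_RE.search(transcript)
    if match is None:
        problems.append("no token expiry line; check the token in the Tokens tab")
        return problems
    # Assumption: compared as a naive timestamp (the page gives no time zone).
    expiry = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
    if clone_launch >= expiry:
        problems.append(f"token expired {expiry}, before launch {clone_launch}")
    elif clone_launch + margin >= expiry:
        problems.append(f"token expires {expiry}, within {margin} of launch")
    return problems
```

Pass the latest date on which you expect to launch a clone from the image as clone_launch; an image that outlives its token produces clones that cannot register.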

Working with Clone Templates in On-Premises Deployments

For on-premises deployments (deployments without an "s" in their version number), clones retain the set cm, set aggregator, and set tenant_id settings from the source sensor used to create the clone template. The clones automatically add themselves to the same managing DP and must be authorized there. The source Sensor does not need to be reauthorized even though it will have a new Engine ID after it is restarted.

Procedure: Creating and Using a Clone Template in an On-Premises Deployment

The following procedure describes how to use the clone template feature:

  1. Install and configure the sensor you want to use as the source for the clone template. Make sure the set cm, set aggregator, and, if desired, set tenant_id settings are all configured.

  2. Open an SSH connection to the Sensor VM and start the sensor CLI with the following command:

    $ aella_cli

    Caution: The next step shuts down the Stellar Cyber services for the Sensor, temporarily taking it offline from the DP. Make sure you are ready to do this.

  3. Create a clone template from the VM with the following command:

    DataSensor> create sensor_clone_template

    You can include a tenant_id as part of this command if the source sensor doesn't have one configured or if you want to use a different tenant_id for the clones created using this template. The syntax is as follows: create sensor_clone_template [tenant_id]. The tenant_id specified here is applied to all clones created using this template.

  4. Confirm your decision to create the template at the sensor's prompt.

    Once you confirm your decision, the following takes place:

    • The Stellar Cyber services for the Sensor are shut down. The host VM itself is not shut down.

    • The Engine ID is removed.

  5. Shut down the host Linux VM so that it can be cloned.

  6. Open the AWS Console and navigate to the EC2 | Instances list.

  7. Right-click the entry for the Sensor VM and select Images and templates | Create image from the context menu that appears.

  8. Use the AWS documentation to complete creation of the image(s). When the new image(s) restart they automatically generate new, unique Engine IDs and add themselves to the same Stellar Cyber platform as the source Sensor.

  9. Authorize the cloned Sensors.

  10. Restart the clone source Linux Sensor. It automatically generates a new Engine ID for itself and also must be reauthorized.