Installing a Modular Sensor in OCI

This topic describes how to install a Modular Sensor in an Oracle Cloud Infrastructure (OCI) environment. Refer to the following sections for details:

Use our example as a guideline, as you might be using a different software version.

About Modular Sensors

A modular sensor lets you easily add the features you like to your sensor. This helps simplify your deployment and lets you manage the VM requirements for the sensors based on the modular features they use.

Modular Sensors always include log ingestion. From there, you can enable features from network sensors and security sensors as part of your modular sensor profile:

  • A network sensor monitors the virtual environment, the physical environment if connected to the span port of a physical switch, or the LAN segment via a mirror port on a switch. The sensor monitors network and server response times and can identify applications.

    The network sensor converts that information to metadata and forwards it to the DP as Interflow. The DP can then provide security, DDoS, and breach attempt detections.

  • A security sensor operates as a network sensor and adds:

    • sandbox
    • anti-virus
    • IDS

Keep in mind that VM resource requirements increase as you add more features to the Modular Sensor Profile. Refer to Modular Sensor Specifications for details on the resources required to run different combinations of features in a Modular Sensor Profile, as well as how to use the show module and show module request CLI commands to compare provisioned resources against those required to run specific feature combinations. Stellar Cyber only enables a Modular Sensor Profile on a sensor if the host VM's resources can support it.

Site Preparation

Refer to Modular Sensor Specifications for details on the resources required to run different combinations of features in a Modular Sensor Profile. Provision your modular sensor according to the features that you plan on enabling.

You will also need to open firewall ports for the features you plan on enabling in the Modular Sensor Profile for this sensor.

Obtaining the Installation File

You download the installation file for the Modular Sensor for OCI from the Download Images tab in the System | Deployment | Sensor Installation page. Use the following procedure:

Only users with the Deployment | Sensor Installation | Sensor Image Download privilege assigned to their profile in the System | Role-Based Access Privileges interface can download images.

  1. Navigate to the System | Deployment | Sensor Installation page.

  2. Set the Sensor Type dropdown to Modular Security Sensor.

  3. Set the Image Type to KVM.

    The same qcow2 installation file used for KVM can also be used for OCI.

    The display updates to show you the size of the file to be downloaded.

  4. Click the Download button. The system downloads the installation file (aella-modular-ds-5.x.x.qcow2.zip) along with its corresponding SHA-1 hash file.

  5. Unzip the installation file's contents (virt_deploy_modular_ds.sh and aella-modular-ds-5.x.x.qcow2).

    You will upload the aella-modular-ds-5.x.x.qcow2 image file to OCI in the next section.

Installing the Modular Sensor Image

This section describes how to install the Modular Sensor image in OCI:

  1. Log in to Oracle Cloud Console at https://cloud.oracle.com/.

  2. Click the main menu icon at the top left of the Oracle Cloud Console.

  3. If you do not already have a bucket for the Modular Sensor, navigate to Storage | Buckets.

  4. Click Create Bucket to add a new bucket. Select the Standard storage tier, supply a name, and click Create to add the bucket to your account.

  5. Click the entry for the bucket you just created. Then, use the Upload button to upload the aella-modular-ds-5.0.x.qcow2 image you downloaded in Obtaining the Installation File. The Choose Files from your Computer field lets you either drag and drop the file or select the file in a standard Browse dialog box.

  6. Click the main menu icon and navigate to Compute | Custom Images.

  7. Click the Import image button and fill out the Import image dialog box as follows:

    • Supply a Name.

    • Use the Bucket field to select the bucket where you uploaded the image at the start of this procedure.

    • Use the Object name field to select the aella-modular-ds-5.1.x.qcow2 image.

    • Set the Operating system to Ubuntu.

    • Set the Image type field to QCOW2

    • Leave Launch mode set to Paravirtualized mode.

    The figure below provides an example of the settings:

  8. When you have finished configuring the settings in the Import image dialog box, click the Import image button to start the import process.

    The Custom image details page appears for the image while it imports. When the image has finished importing, it appears with a value of Succeededin the State column, as shown below.

  9. Once the image has finished importing, click the Create instance command to create a new instance based on the image. Set the options in the Create compute instance dialog box as follows:

    • Supply an easily identifiable Name for the new instance.

    • Choose the compartment and availability domain for the new instance. Make sure you choose the availability domain where you want to receive traffic.

    • Leave Image set to stellar-modular-ds-5.0.x.

    • The Shape field lets you select from VMs with a variety of different provisioning. Choose a shape that corresponds to the resources required by the features to be enabled in this sensor's Sensor Profile.

      You can customize the CPUs and memory for many of the available shapes by clicking Change shape and adjusting as necessary. For example, we know we want to enable the Log Collector, Log Forward, and Network Traffic features, so we've chosen the VM.Standard.E3.Flex shape and adjusted its settings to the minimum values of 2 OCPUs and 8 GB of memory.

    • Use the Networking options to select the Primary network and Subnet for the sensor's management interface.

    • In most cases, you'll want to Assign a public IPv4 address to the management interface. This lets you manage the sensor from a DP located outside the OCI public cloud.

    • Use the Add SSH keys options to decide how you want to connect to the sensor using SSH. We are letting OCI generate a key pair for us and saving the resulting private key locally.

    • You can leave the other options set to their defaults.

    The figure below shows our settings so far.

  10. When you are satisfied with your settings, click Create to create the instance.

    OCI begins to create the instance, tracking its progress in the Instance details | Work requests display. Once the State shown in the Work requests table shows Succeeded, as illustrated in the example below, you are ready to add a second VNIC to be used as a monitoring interface. See below.

Applying a Token to the Installed Sensor

The next step is to obtain and apply the token used to authorize and configure the installed sensor.

Obtaining a Token for the Installation

Tokens are required to authorize and configure the installation of a sensor image downloaded from the DP in the System | Deployment | Sensor Installation page. Tokens point the installed sensor to the correct DP, assign the specified tenant, and authorize the sensor installation.

Use the following procedure to obtain a token in the Tokens tab:

  1. Navigate to the System | Deployment | Sensor Installation page and click on the Tokens tab.

  2. If a token already exists for the target tenant for the sensor installation, you can either use the Copy button to copy it to the clipboard or use the Download button to download it as a file.

    • Copy the token if you plan on applying it by pasting it into a set token string <token> command in the CLI.

    • Download the token as a file if you plan on hosting the file on an HTTP server and referring to it in a set token url <token url> command.

    Refer to Assigning Tokens for a summary of the different ways in which tokens can be applied to a sensor installation.

  3. If there is not already an unexpired token for the target tenant, click the Generate button.

    The Generate Installation Token dialog appears:

  4. Select the tenant for the token from the Tenant dropdown. This is the tenant to which all sensors authorized with this token will be automatically assigned. The dropdown lists all tenants configured for your organization in the System | Tenants page.

  5. Click the Generate button.

    The system generates the token and displays its contents in the Token field. The dialog also updates to display the expiration date for the token, as illustrated below.

  6. You can use the Copy button to copy the token to the clipboard immediately, or simply close the dialog and retrieve the token from the Tokens tab later on.

Applying the Token to the Sensor

Tokens are required to complete the installation of a sensor image downloaded from the DP in the Download Image tab.

You apply tokens to sensors as the last step in the overall installation procedure:

  1. Log in to your new Sensor. The default username/password is aella/changeme. You are immediately prompted to change the password.

  2. Apply the token to the installed sensor from the sensor CLI with the set token command using one of the options in the table below:

    You only need to use one of the options in the table below. These are just two different ways to do the same thing – apply the token.

    Option 1. Copy and Paste the Token String

    Copy the token string from the Tokens tab and paste it into the CLI command. The syntax is as follows:

    set token string <pasted string>

    Option 2. Host the Token on an HTTP Server

    Download the token as a file from the Tokens tab, upload it to an HTTP server, and reference it in the set token command. The syntax is as follows:

    set token url http://<url to token>

    You can also use an HTTPS server. In that case, the specified URL must also include the username and password for the server using the following syntax:

    set token url https://<user:password>@URL>

  3. The CLI reports that the Sensor token is successfully set.

    If you receive an error message instead, it's possible that the token has expired. Refer to the Tokens tab to see the expiration date. If you are using the File technique, it's also possible that an extra space or line may have crept into your text file – check the file to make sure it includes only the token text.

  4. Wait a minute or so. Then, verify that the token was successfully applied using any combination of the following techniques:

    • Check the System | Sensors tab in the user interface to see that the sensor has registered itself successfully.

    • Verify that the show system command shows all services as running.

    • Verify that the show receiver command displays a receiver.

    • Verify that the show json command reports some data sent in the BYTE_SENT column.

Configuring a Static IP Address (Optional)

By default, the sensor uses DHCP for the management port's IP address. For ease of troubleshooting, however, Stellar Cyber recommends that you reconfigure the management port to use a static IP address. The procedure is as follows:

  1. Log in to your sensor. The default username/password is aella/changeme, but you changed this when you applied the token in the previous section.

  2. You can set IP parameters manually using commands similar to the following (substitute your own IP parameters for the ones shown in bold below):

    set interface management ip 192.168.14.100/255.255.255.0

    set interface management gateway 192.168.14.1

    set interface management dns 8.8.8.8

  3. Verify the IP settings with the show interfaces command.

  4. Log out with the quit command.