SECURITY ORCHESTRATOR
SYSTEM ADMINISTRATION GUIDE
RELEASE 4.2
Contents
© 2019 FireEye 3
CHAPTER 6: Configuration 43
Manual Configuration 43
Networking Configuration 43
Hostname Configuration 44
Web Configuration 46
Firewall Configuration 47
SSL Configuration 49
Remote Access with Secure Shell (SSH) 50
Configuring Remote Access Authentication 50
Generating RSA Keys for SSH Authentication 51
Connecting with PuTTy and Authorized Keys 52
SNMP 55
SNMP Installation 55
SNMP Configuration and Monitoring 56
PART I: Getting Started
CHAPTER 1: About Security Orchestrator
• Chat tools
• Mobile devices
This guide contains information on installing, configuring, and maintaining the Security
Orchestrator virtual appliance. To get started, see the following sections:
For information on creating, customizing, and managing playbooks, see the Security
Orchestrator Playbook Management Guide.
SO Virtual Appliance
Security Orchestrator (SO) is a virtual appliance distributed in the Open Virtualization
Format (OVF), which is an open standard for sharing virtual appliances. The
SO 4.2 virtual appliance is a CentOS 6 virtual machine with core SO components already
installed.
SO Architecture
The following services, systems, and components are installed on the Security Orchestrator
virtual appliance:
Security Orchestrator service: The main Security Orchestrator service (fso) that manages all Web and engine services.
Apache HTTP Server 2.4: Web server that provides access to the Security Orchestrator Web UI.
Python Interpreter: Used by the SO engine. One process runs for each worker thread (up to 10 processes total), as well as one process per running adapter.
Cassandra database: The database that stores most SO data, including application configurations, playbooks, cases, and events.
Elasticsearch database: Used to store dashboard data and custom tables. Some plug-ins also use Elasticsearch to persist data from execution to execution.
RabbitMQ server: Message queuing framework used to store events that need to be processed by SO, such as results received by adapters and playbook tasks.
Mnesia database: The RabbitMQ server uses the Mnesia database to store data that SO needs to access quickly, such as in-progress executions and their status.
Node.js: Used to run JavaScript code and custom scripts entered in the SO Web UI. One process is used for each script task worker (5 script task workers available), one for each mustache worker (5 mustache workers available), and one more for playbook validation, for a total of 11.
SO Web UI
The Security Orchestrator (SO) virtual appliance has a Web UI that can be used to build
courses of action (COAs), manage cases generated by COAs, view metrics, manage users,
and monitor system status.
For information on managing user access from the Web UI, see About User Management
on page 69. For more information about the Web UI, see the Security Orchestrator Playbook
Management Guide.
Later versions of Chrome and Firefox should function properly but have not been tested.
Not Supported
The following browsers are not supported because of known issues with Security
Orchestrator:
CHAPTER 2: System Requirements
Before you deploy a Security Orchestrator virtual appliance, make sure the following
requirements are met.
Memory (RAM): 32 GB
Network Requirements
The following communications must be allowed for the virtual machine to operate.
The following communications are optional. You can install and configure SNMP as part
of your Security Orchestrator deployment; it is not installed by default. For more
information, see SNMP on page 55.
PART II: Deployment
CHAPTER 3: Deployment Checklist
Follow these steps to install and configure Security Orchestrator.
Task Details
Configure secure shell (SSH) authentication. See Remote Access with Secure Shell (SSH) on page 50.
Obtaining the SO Deployment Files
For information on upgrading the virtual appliance, see Upgrading Software on page 101.
1. Download the following files from the FireEye Customer Service Portal:
• SO Release Readme file, which contains the SHA-256 checksums for the SO deployment files
• SO virtual appliance, fso-system-4.2.x-<rev>.el6.ova
• SO login credentials for the virtual appliance, fso-system-4.2.x-ova-credentials.zip, which contains the FSO_Access_Credentials_Readme file
2. Verify SHA-256 checksums for the SO virtual appliance and login credentials files.
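Step 2 asks you to verify the SHA-256 checksums but leaves the tooling to you. The following Python helper is an added example, not code from the FireEye guide: it assumes the Release Readme lists checksums in the `<hex digest>  <filename>` layout that sha256sum prints, hashes each downloaded file in chunks, and reports OK, MISMATCH or MISSING per entry. The file names and readme in demo() are constructed stand-ins, not real release artifacts.

```python
"""Verify SHA-256 checksums of downloaded SO deployment files.

Added example, not code from the FireEye guide. It assumes the Release
Readme lists checksums in the ``<hex digest>  <filename>`` layout that
sha256sum prints; the readme text and files built in demo() are constructed.
"""
import hashlib
import os
import re
import tempfile

# One checksum entry per line; an optional '*' before the name marks binary mode.
CHECKSUM_LINE = re.compile(r"^\s*([0-9a-fA-F]{64})\s+\*?(\S+)\s*$")


def parse_checksums(readme_text):
    """Return {filename: expected hex digest} for every checksum line found."""
    expected = {}
    for line in readme_text.splitlines():
        m = CHECKSUM_LINE.match(line)
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte OVA never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_downloads(readme_text, download_dir):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for each readme entry."""
    results = {}
    for name, expected in parse_checksums(readme_text).items():
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_of_file(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact file, one tampered file, one not downloaded."""
    ova = b"constructed stand-in for the OVA image"
    creds = b"constructed stand-in for the credentials zip"
    readme = (
        f"{hashlib.sha256(ova).hexdigest()}  fso-system-4.2.x-rev.el6.ova\n"
        f"{hashlib.sha256(creds).hexdigest()}  fso-system-4.2.x-ova-credentials.zip\n"
        f"{'0' * 64}  fso-plugins-example-offline.tar.gz\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "fso-system-4.2.x-rev.el6.ova"), "wb") as f:
            f.write(ova)
        with open(os.path.join(d, "fso-system-4.2.x-ova-credentials.zip"), "wb") as f:
            f.write(creds + b" plus a modification")  # tampered on purpose
        return verify_downloads(readme, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9}{name}")
```

Run it against the real download directory by passing the readme text and the directory to verify_downloads(); anything other than OK for the OVA or the credentials ZIP means the file should not be deployed.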
CHAPTER 4: Virtual Appliance Installation
Prerequisites
• Root user account on an ESXi server
• Familiarity with deploying virtual machines and administering ESXi hosts
• Virtual Appliance Requirements on page 13
• Virtual appliance deployment files. See Obtaining the SO Deployment Files on the previous page.
This procedure uses VMware ESXi version 6.0.0 (build 3568940) and vSphere
Client version 6.0.0 (build 3562874) on VMware vCenter Server version 6.0.0
(build 3018524). The navigation instructions and user interface may vary based
on your version of these products.
This procedure covers the required settings for a FireEye virtual appliance. You
can accept the default values for the other settings, or specify values that are
appropriate for your setup.
7. On the Network Mapping screen, click Next to accept the default settings.
8. On the Ready to Complete screen:
a. Verify the information.
b. (Optional) Select the Power on after deployment check box.
c. Click Finish.
The system prompts you for the ixoperator password. Enter the password to
continue.
6. Select the eth0 device in the list, and then press Enter.
The Network Configuration screen appears:
Netmask: The subnet mask in dotted-quad notation. The default value is the one detected via DHCP, or 255.255.255.0 if nothing was detected.
8. Select OK to continue.
9. On the Select a Device screen, select Save.
10. On the Select Action screen, select DNS configuration in the list, and then press
Enter.
The DNS Configuration screen appears:
Hostname: Enter the host portion of the domain name to set the system name. Do not enter periods or dots. Default: fso. For example, if the full domain name is myfsoserver.mydomain.com, enter myfsoserver as the hostname.
Primary DNS: The IP address of the primary DNS server. This is saved as a nameserver entry in /etc/resolv.conf.
Secondary DNS: The IP address of the secondary DNS server. This is saved as a nameserver entry in /etc/resolv.conf.
Tertiary DNS: The IP address of the tertiary DNS server. This is saved as a nameserver entry in /etc/resolv.conf.
The Hostname for the node and the Hostname for the Web UI must be
the same for the Web UI to run.
16. When prompted for Hostname for the Web UI, enter the same value used for the
Hostname for the node.
The initial configuration completes and then starts all system services.
17. Change the password for the root user:
a. Log out of the system with the following command:
$ exit
b. Log in as the root user with the default password provided in the FSO_Access_Credentials_Readme file.
The system immediately prompts you to change the root password.
c. To change the root password, re-enter the current password and then enter
the new password.
All Security Orchestrator services and components should now be running and accessible.
Next, verify that the SO Web UI can be accessed. See Accessing the Web UI on the facing
page.
If any of the initial configuration information changes, such as the IP address, domain
name, hostname, or DNS information, see Manual Configuration on page 43 for
instructions on how to change these configuration settings manually.
/etc/ntp.conf file. By default, the following NTP servers are specified in the
/etc/ntp.conf file:
• server 0.fireeye.pool.ntp.org iburst
3. If the date and time are not accurate, update the NTP servers in the /etc/ntp.conf
file. To open the file for editing, run the following command:
# vi /etc/ntp.conf
4. After making changes to the /etc/ntp.conf file, restart the NTP service by running
the following command:
# service ntpd restart
You can also force an immediate time synchronization at any time by restarting the
ntpd service with the command above.
Prerequisites
• The IP address or hostname for the SO Web UI
• A supported Web browser. See Web Browser Support on page 12.
If you cannot access the SO login page or receive an error message, see
Troubleshooting Web UI Access Issues below.
2. Enter the following user name and password the first time you log in to the Web UI:
• User name: admin
• Password: changeme
After you log in to the Web UI the first time, change the password.
1. In the upper right corner, point to ISO Admin (or the user's name) and then select
Change Password.
2. In the Previous Password box, enter the current password.
3. In the New Password and Confirm Password boxes, enter a new password.
4. Click Apply.
Troubleshooting Web UI Access Issues
The most common reason for this problem is that a hostname was used for the AppHost
in the /opt/rh/httpd24/root/etc/httpd/conf.d/zzz-fso-system.conf file and the
server is unable to resolve that hostname to an IP address. The solution is to add the
appropriate entry in the /etc/hosts file to ensure that SO can resolve the IP address of
that hostname without relying on external DNS. See the steps for updating the /etc/hosts
file in Hostname Configuration on page 44.
Unresponsive Web UI
If the Web UI is unresponsive, first try reloading the browser page by clicking the browser's
Reload button (or pressing F5). This may resolve issues such as difficulty logging in or
changes not being saved. For further troubleshooting, you can open the browser’s
developer console (F12 in Chrome, Ctrl-Shift-K or Cmd-Opt-K for Firefox). This console
displays any HTTP or HTML errors encountered while loading the current page, which
may help you identify the underlying issue.
This typically means the SO service is not started. The solution is to restart the services as
described in Managing Services on page 89.
If the hostname in the address bar appears to be incorrect, then this error is likely caused
by a misconfigured setting in the /etc/fireeye/fso/web.conf file. See the steps for
updating the /etc/fireeye/fso/web.conf file in Hostname Configuration on page 44.
CHAPTER 5: Plug-In Installation
For instructions on installing plug-ins with the Content installer, see the Plug-In
Installation Checklist below.
For instructions on installing plug-ins not distributed as part of a Content release, see
Installing Plug-Ins and Dependencies Independently on page 39.
For instructions on uninstalling plug-ins, see Uninstalling Plug-Ins on page 38.
Content Installer Arguments
Argument Description
Required
-l, --online Online installation of general availability (GA) and
early access (EA) plug-ins and dependencies. Internet
connectivity is required for online installations.
-o, --offline Offline installation of general availability (GA) and
early access (EA) plug-ins and dependencies. The
offline installation package is required for offline
installations.
Optional
-f, --force-reinstall Force the reinstallation of plug-ins and dependencies.
-g, --general-availability Install only general availability (GA) plug-ins and
dependencies.
-e, --early-access Install only early access (EA) plug-ins and
dependencies.
-d, --only-dependencies Install plug-in dependencies only.
-i, --plugins-info List plug-ins included in the content installation
package.
-n, --name Install plug-in based on name with dependencies.
-m, --vendor Install plug-ins based on vendor with dependencies.
-c, --category Install plug-ins based on category with dependencies.
-v, --verbose Enable verbose mode.
-V, --version Print installer version information.
-h, --help Print installer help.
1. Download the following files from the FireEye Customer Service Portal:
• SO Content Release Readme file, FSO_Plugins_Content_Bundle_Release_Readme_<yyyy>_<mm>, which contains the SHA-256 checksums for the plug-in installation files.
• SO Content online installation package, fso-plugins-<version>.tar.gz. Internet connectivity is required during installation when you use the online installation package.
• SO Content offline installation package, fso-plugins-<version>-offline.tar.gz. The offline installation package contains all plug-in dependency installation files, so Internet connectivity is not required during installation.
2. Verify SHA-256 checksums for the SO plug-in installation files.
3. Log in to the SO virtual appliance as root.
4. Copy the online or offline Content installation package to the SO virtual appliance.
5. Extract the Content installation package:
# tar -xvf /filepath/fso-plugins-<version>.tar.gz
3. To list all plug-ins in the installation package, run the following command:
# ./fso_content_install --plugins-info
4. If you plan to install specific plug-ins by name, vendor, or category, note the plug-in
names and categories. (The plug-in vendor is the first part of the plug-in name.)
Installing Plug-Ins by Name
3. To install a plug-in and its dependencies, run the following command (online
installation examples):
# ./fso_content_install --online --name <plug-in name>
For example, to install the FireEye HX (version 2.2.2) plug-in, run the following
command:
# ./fso_content_install --online --name fireeye.hx.2.2.2
3. To install all plug-ins and dependencies for a specific plug-in vendor, run the
following command (online installation examples):
# ./fso_content_install --online --vendor <vendor name>
The plug-in vendor is the first part of the plug-in name. For example, to install
all plug-ins that integrate FireEye appliances and services, run the following
command:
# ./fso_content_install --online --vendor fireeye
3. To install all plug-ins and dependencies for a specific plug-in category, run the
following command (online installation examples):
# ./fso_content_install --online --category <plug-in category>
Plug-in categories are not case sensitive. For example, to install all plug-ins in the
ThreatIntel category, run the following command:
# ./fso_content_install --online --category threatintel
If the plug-in category contains two or more words separated by spaces, enter the
first word only. For example, to install plug-ins in the Malware Analysis category,
run the following command:
# ./fso_content_install --online --category malware
3. To install all GA and EA plug-ins and dependencies, run the following command:
# ./fso_content_install --offline
Other examples:
• To install only GA plug-ins and dependencies, run the following command:
# ./fso_content_install --offline --general-availability
3. To install all GA and EA plug-ins and dependencies, run the following command:
# ./fso_content_install --online
Other examples:
Verifying Installed Plug-Ins
1. Log in to the SO Web UI as the admin user. See Accessing the Web UI on page 27.
2. In the Web UI, click Plug-Ins.
3. Review the list of plug-ins, and ensure that warning icons do not appear in the list.
A red warning icon appears next to invalid plug-ins. A plug-in may be
invalid because it is not properly installed, its supporting third-party
modules are not installed, or it is incompatible with Security Orchestrator.
If this occurs, force the reinstallation of the plug-in and its dependencies
using the --force-reinstall argument, discussed in Content Installer
Arguments on page 33.
For instructions on using the content management tools, see Uninstalling Plug-Ins
below and Viewing Content on page 99.
Uninstalling Plug-Ins
To display information about the uninstaller tool, you can run the following command
(while logged in as ixoperator):
$ fsocontent uninstall --help
Installing Plug-Ins and Dependencies Independently
Argument Description
--force-reinstall Forces the reinstallation or update of a plug-in package.
<path> Path to a directory containing the SO plug-in package files
to install. All plug-in packages in the directory will be
installed.
Ensure that plug-ins and their dependencies were properly installed by following the
instructions in Verifying Installed Plug-Ins on page 37.
3. Note the name of the plug-in package you want to uninstall, including the full
plug-in name and version.
4. To uninstall the plug-in, run the following command:
$ fso package uninstall <package_name>
where <package_name> is the name of the plug-in package to uninstall. The package
name includes the full plug-in name, with the plug-in vendor and version.
CHAPTER 6: Configuration
The steps in this section are not required. They are provided for reference and
troubleshooting purposes.
This section covers the following topics:
Manual Configuration
This section covers the following topics:
Networking Configuration
You can update network configuration settings in the ifcfg-eth0 file. The following is an
example of the file's contents:
DEVICE=eth0
BOOTPROTO=none
DHCP_HOSTNAME="myfsoserver"
HOSTNAME="myfsoserver"
IPV6INIT=yes
MTU=1500
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
UUID="ab222222-1cde-2200-12c1-1c1abc987456"
IPADDR=192.168.111.111
HWADDR=00:0a:11:22:d1:33
NETMASK=255.255.255.0
GATEWAY=192.168.111.1
DNS1=8.8.8.3
DNS2=8.8.8.4
USERCTL=no
PEERDNS=yes
Hostname Configuration
Follow these steps to change the Security Orchestrator hostname or check the current
configuration, after you have initially configured the virtual appliance.
To reconfigure the SO hostname manually:
b. Modify the HOSTNAME line to reflect the desired hostname. Do not use a fully qualified domain name for the hostname, since dots in the hostname prevent RabbitMQ from starting.
In the following example, myfsoserver is the hostname:
NETWORKING=YES
HOSTNAME=myfsoserver
c. Update or add a line containing the server's actual IP address, the hostname,
and the fully qualified domain name.
For example:
192.168.0.1 myfsoserver myfsoserver.mydomain.com
b. Modify the following line to reflect the base URL of the server, using its
hostname or fully qualified domain name:
common.web_url = https://myfsoserver.mydomain.com
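The Networking and Hostname steps above touch four files that must agree with each other: the short hostname must contain no dots, /etc/hosts must map the appliance's own IP address to the hostname and FQDN, and the host in common.web_url must be that hostname or FQDN and resolve locally. The following Python checker is an added example, not code from the FireEye guide; it reads the file contents from strings so it runs offline, and the sample contents at the bottom are constructed rather than taken from an appliance.

```python
"""Consistency checks for the SO hostname and network settings.

Added example, not code from the FireEye guide. It reads the formats shown
in this chapter (ifcfg-eth0, /etc/sysconfig/network, /etc/hosts and the
common.web_url line of web.conf) from strings so it runs offline; the
sample contents at the bottom are constructed, not taken from an appliance.
"""
import ipaddress
import re
from urllib.parse import urlparse


def parse_kv(text):
    """Parse KEY=value lines (ifcfg-eth0, /etc/sysconfig/network), dropping quotes."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip().strip('"').strip("'")
    return out


def parse_hosts(text):
    """Return {name: ip} for every name on every non-comment /etc/hosts line."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names[name] = fields[0]
    return names


def web_url_host(web_conf_text):
    """Host part of the common.web_url setting, or None if the line is absent."""
    m = re.search(r"^\s*common\.web_url\s*=\s*(\S+)", web_conf_text, re.M)
    return urlparse(m.group(1)).hostname if m else None


def check_config(ifcfg, network, hosts, web_conf):
    """Return a list of problems; an empty list means the four files agree."""
    problems = []
    ifc, net = parse_kv(ifcfg), parse_kv(network)
    hostname, ip = net.get("HOSTNAME", ""), ifc.get("IPADDR")

    # Dots in the node hostname prevent RabbitMQ from starting.
    if not hostname:
        problems.append("HOSTNAME is not set in /etc/sysconfig/network")
    elif "." in hostname:
        problems.append(f"HOSTNAME '{hostname}' contains dots; use the short host name")

    # The gateway must lie inside the subnet defined by IPADDR/NETMASK.
    try:
        subnet = ipaddress.ip_network(f"{ip}/{ifc.get('NETMASK')}", strict=False)
        if ipaddress.ip_address(ifc.get("GATEWAY")) not in subnet:
            problems.append(f"GATEWAY {ifc.get('GATEWAY')} is outside {subnet}")
    except ValueError:
        problems.append("IPADDR, NETMASK or GATEWAY missing or malformed in ifcfg-eth0")

    # /etc/hosts must map the short hostname to the appliance's own address,
    # so SO can resolve it without relying on external DNS.
    names = parse_hosts(hosts)
    if hostname and names.get(hostname) != ip:
        problems.append(f"/etc/hosts does not map {hostname} to {ip}")

    # The Web UI host must be the node hostname (or its FQDN) and resolve locally.
    url_host = web_url_host(web_conf)
    if url_host is None:
        problems.append("common.web_url is missing from web.conf")
    elif url_host.split(".")[0] != hostname:
        problems.append(f"common.web_url host '{url_host}' does not match HOSTNAME '{hostname}'")
    elif names.get(url_host) != ip:
        problems.append(f"'{url_host}' is not mapped to {ip} in /etc/hosts")
    return problems


# Constructed sample files for a correctly configured appliance.
IFCFG = "DEVICE=eth0\nBOOTPROTO=none\nIPADDR=192.168.0.1\nNETMASK=255.255.255.0\nGATEWAY=192.168.0.254\n"
NETWORK_OK = "NETWORKING=YES\nHOSTNAME=myfsoserver\n"
NETWORK_FQDN = "NETWORKING=YES\nHOSTNAME=myfsoserver.mydomain.com\n"  # the mistake the guide warns about
HOSTS = "127.0.0.1 localhost\n192.168.0.1 myfsoserver myfsoserver.mydomain.com\n"
WEB_CONF = "common.web_url = https://myfsoserver.mydomain.com\n"

if __name__ == "__main__":
    print("correct:", check_config(IFCFG, NETWORK_OK, HOSTS, WEB_CONF))
    print("fqdn hostname:", check_config(IFCFG, NETWORK_FQDN, HOSTS, WEB_CONF))
```

On a live appliance, pass the contents of /etc/sysconfig/network-scripts/ifcfg-eth0, /etc/sysconfig/network, /etc/hosts and /etc/fireeye/fso/web.conf to check_config() after editing them; an empty result means the hostname, /etc/hosts entry and Web UI URL are consistent with each other before you restart the services.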
Web Configuration
You can locate the Web configuration files at: /etc/fireeye/fso/web.conf
Firewall Configuration
The SO virtual machine is hardened and includes strict firewall configuration. This may
prevent newly configured devices from working until a firewall rule is created to allow
traffic to the destination host. Similarly, when configuring socket adapters or HTTP listener
devices, additional inbound network ports will need to be opened. Use the iptables
command to create these firewall rules as shown in the following examples.
Allow access to a third-party Web API listening on TCP 8443 (e.g. McAfee ePO):
sudo iptables -I OUTPUT -p tcp -m tcp --dport 8443 -j ACCEPT
Listing Rules
The firewall rules can be listed by chain (INPUT, FORWARD, OUTPUT) using the
following command:
sudo iptables -L
Deleting a Rule
Using the --list-rules option, find the rule that you wish to delete. The rules are listed as arguments that can be passed to the sudo iptables command. Copy the desired line and type or paste it into the sudo iptables command line as arguments, but replace the -A with a -D to delete the rule instead of appending it. For example, the following commands delete the sample outbound rule created above:
sudo iptables -D OUTPUT -p tcp -m tcp --dport 8080 -d 192.168.1.1/32 -m comment --comment "This is an outbound example" -j ACCEPT
sudo service iptables save
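Copying a --list-rules line by hand is easy to get wrong when the rule carries a quoted comment or when the dashes are mangled by a PDF or word processor. The following Python helper is an added example, not code from the FireEye guide: it parses a constructed `iptables -S` listing, selects rules by chain, destination port or comment, and returns the matching `-D` commands without touching the firewall, so you can review them before running them with sudo.

```python
"""Build iptables delete commands from ``iptables -S`` (--list-rules) output.

Added example, not code from the FireEye guide. SAMPLE_LISTING is a
constructed listing in the format iptables -S prints; delete_commands()
turns the selected -A lines into the equivalent -D commands, as the guide
describes, and leaves running them to the administrator.
"""
import shlex

# Constructed sample of `sudo iptables -S` output on the appliance.
SAMPLE_LISTING = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -d 192.168.1.1/32 -m comment --comment "This is an outbound example" -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
"""


def parse_rules(listing):
    """Return [(chain, argv)] for every -A rule; -P policy lines are skipped."""
    rules = []
    for line in listing.splitlines():
        argv = shlex.split(line)  # honours the quotes around --comment values
        if len(argv) >= 2 and argv[0] == "-A":
            rules.append((argv[1], argv))
    return rules


def rule_option(argv, name):
    """Value following an option such as --dport or --comment, or None."""
    return argv[argv.index(name) + 1] if name in argv else None


def delete_commands(listing, chain=None, dport=None, comment=None):
    """Return 'iptables -D ...' commands for the rules matching every given filter."""
    cmds = []
    for rule_chain, argv in parse_rules(listing):
        if chain and rule_chain != chain:
            continue
        if dport and rule_option(argv, "--dport") != str(dport):
            continue
        if comment and rule_option(argv, "--comment") != comment:
            continue
        # Same arguments as listed, with the append flag swapped for the delete flag.
        cmds.append("iptables " + shlex.join(["-D"] + argv[1:]))
    return cmds


if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE_LISTING, chain="OUTPUT", dport=8080):
        print("sudo " + cmd)
```

Feed it the real output of `sudo iptables -S` instead of SAMPLE_LISTING, prefix each returned command with sudo, and finish with `sudo service iptables save` as the guide shows so the change survives a reboot.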
SSL Configuration
To configure the Security Orchestrator virtual appliance to use a custom certificate for
HTTPS:
1. Create a new certificate and key file pair in PEM format following instructions from
your Certificate Authority administrator.
2. The "subject" of the certificate is typically the hostname or fully qualified domain
name of the server. Ensure that the hostname resolves to the IP address of the SO
virtual appliance, from both the client system accessing the Web UI as well as from
the SO server itself.
3. Once you receive the files, name the certificate file ssl.crt and name the key file ssl.key. Using the same file names avoids having to change the Apache configuration file.
4. Before copying the new certificate and key files over, back up the existing self-signed
certificate and key:
# mv /opt/fireeye/fso/config/ssl.crt /opt/fireeye/fso/config/ssl.crt.orig
# mv /opt/fireeye/fso/config/ssl.key /opt/fireeye/fso/config/ssl.key.orig
…
common.web_url = <https://your-ssl-cert-subject-hostname-here>
…
# vi /opt/rh/httpd24/root/etc/httpd/conf.d/zzz-fso-system.conf
…
Use AppHost <your-ssl-cert-subject-hostname-here> /opt/fireeye/fso/config /opt/fireeye/fso/apps/web/priv/static localhost 4000
…
8. Start Apache and SO services:
# service httpd24-httpd start
# service fso start
Remote Access with Secure Shell (SSH)
PasswordAuthentication yes
...
Logging in through the console as root and changing PasswordAuthentication from yes to
no will prevent users from logging in remotely with a user name and password.
4. Enter a unique key passphrase and then confirm the passphrase in the Key
passphrase and Confirm passphrase fields.
5. Click Save public key to save the public key.
6. Click Save private key to save the private key.
7. Copy all the characters in the Public key for pasting into OpenSSH authorized_keys file area. You need this key to allow the ixoperator user to log in to the SO virtual appliance.
2. Navigate to the desired PuTTY Private Key File (*.ppk), select it, and then click
Open.
3. The full path to the chosen ppk file is now shown in the Private key file for
authentication: field. Click on Session from the Category list at the top left.
4. Enter the hostname or IP address in the required field and type in a name for the
session in the Saved Sessions field, then click on Save.
7. You will be presented with a login prompt. Enter the user name associated with the
key file, and the key file passphrase provided in the credentials ZIP file.
SNMP
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for
collecting and organizing information about managed devices on IP networks and for
modifying that information to change device behavior. SNMP is widely used in network
management for network monitoring.
SNMP exposes management data in the form of variables on the managed systems, organized in a management information base (MIB) that describes the system status and configuration. These variables can then be remotely queried (and, in some circumstances, manipulated) by managing applications.
This section covers the following information:
SNMP Installation
SNMP is not installed in an out-of-the-box installation of Security Orchestrator. This is to
ensure that only appropriate deployments have SNMP installed and enabled. To use
SNMP, install SNMP and related utilities and then update the host firewall ruleset to allow
inbound traffic on UDP ports 161 and 162.
Installing SNMP
To install SNMP on an appliance with Internet access:
Updating SNMPD Configuration
The ixoperator user has been provisioned such that the user can perform privileged tasks
(listed below) necessary for management of the SNMP agent installed on the Security
Orchestrator virtual appliance.
Restarting SNMPD
The ixoperator user has been provisioned such that the user can perform privileged
tasks necessary for management of the SNMP agent installed on the Security Orchestrator
virtual appliance. A restart is required after making the above configuration changes:
# ssh ixoperator@<SO-SERVER>
# sudo service snmpd restart
The complete list of OIDs of monitored processes is shown below. You can monitor them
by using the OID numbers directly, or you can use the MIB file named UCD-SNMP-MIB.
This MIB file is generally added to SNMP libraries by default, and you can choose the
variables from it directly.
.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.1.2 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.1.3 = INTEGER: 3
.1.3.6.1.4.1.2021.2.1.1.4 = INTEGER: 4
.1.3.6.1.4.1.2021.2.1.1.5 = INTEGER: 5
.1.3.6.1.4.1.2021.2.1.1.6 = INTEGER: 6
.1.3.6.1.4.1.2021.2.1.1.7 = INTEGER: 7
.1.3.6.1.4.1.2021.2.1.2.1 = STRING: run_erl
.1.3.6.1.4.1.2021.2.1.2.2 = STRING: beam.smp
.1.3.6.1.4.1.2021.2.1.2.3 = STRING: java
.1.3.6.1.4.1.2021.2.1.2.4 = STRING: node
.1.3.6.1.4.1.2021.2.1.2.5 = STRING: rabbitmq-server
.1.3.6.1.4.1.2021.2.1.2.6 = STRING: epmd
.1.3.6.1.4.1.2021.2.1.2.7 = STRING: httpd
.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.3.2 = INTEGER: 3
.1.3.6.1.4.1.2021.2.1.3.3 = INTEGER: 4
.1.3.6.1.4.1.2021.2.1.3.4 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.3.5 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.3.6 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.3.7 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.4.2 = INTEGER: 3
.1.3.6.1.4.1.2021.2.1.4.3 = INTEGER: 4
.1.3.6.1.4.1.2021.2.1.4.4 = INTEGER: 12
.1.3.6.1.4.1.2021.2.1.4.5 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.4.6 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.4.7 = INTEGER: 6
.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.5.2 = INTEGER: 3
.1.3.6.1.4.1.2021.2.1.5.3 = INTEGER: 4
.1.3.6.1.4.1.2021.2.1.5.4 = INTEGER: 12
.1.3.6.1.4.1.2021.2.1.5.5 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.5.6 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.5.7 = INTEGER: 6
.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: noError(0)
.1.3.6.1.4.1.2021.2.1.100.2 = INTEGER: noError(0)
.1.3.6.1.4.1.2021.2.1.100.3 = INTEGER: noError(0)
.1.3.6.1.4.1.2021.2.1.100.4 = INTEGER: noError(0)
MIB File
The MIB file can be downloaded at http://www.net-snmp.org/docs/mibs/UCD-SNMP-MIB.txt. The MIB file has some related information about MIB variables and their
UCD-SNMP-MIB::prCount.7 = INTEGER: 6
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrorFlag.2 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrorFlag.3 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrorFlag.4 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrorFlag.5 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrorFlag.6 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrorFlag.7 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrMessage.1 = STRING:
UCD-SNMP-MIB::prErrMessage.2 = STRING:
UCD-SNMP-MIB::prErrMessage.3 = STRING:
UCD-SNMP-MIB::prErrMessage.4 = STRING:
UCD-SNMP-MIB::prErrMessage.5 = STRING:
UCD-SNMP-MIB::prErrMessage.6 = STRING:
UCD-SNMP-MIB::prErrMessage.7 = STRING:
You can stop the fso service to test the SNMP monitoring by running the following
command:
# ssh ixoperator@<SO-SERVER>
# sudo service fso stop
After stopping the fso service, you can verify that the error flags are set to 1, which lets the monitoring application detect the crashed or stopped processes:
Example status of monitored sensors after stopping the fso service:
After you see that the error flags are set, SNMP monitoring configuration can be marked as
completed and you can start the fso service again:
# ssh ixoperator@<SO-SERVER>
# sudo service fso start
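The OID dump earlier in this section and the stop/start test above both come down to reading the prTable columns (prNames, prMin, prMax, prCount, prErrorFlag, prErrMessage) and spotting rows whose error flag is set. The following Python parser is an added example, not code from the FireEye guide: it accepts both the numeric OIDs and the MIB-name form of an snmpwalk, builds one record per monitored process, and lists the processes that a monitoring application should alert on. The two walks in it are constructed samples, the second representing the state after `service fso stop`.

```python
"""Parse an snmpwalk of the UCD-SNMP-MIB prTable and flag failed processes.

Added example, not code from the FireEye guide. It accepts both the numeric
OIDs (.1.3.6.1.4.1.2021.2.1.<column>.<row>) and the MIB names (prNames.<row>)
shown in this chapter. The two walks below are constructed samples: a healthy
appliance, and the same rows after `service fso stop`.
"""
import re

PR_TABLE = ".1.3.6.1.4.1.2021.2.1"
# prTable column numbers and MIB names mapped to the keys used below.
COLUMNS = {1: "index", 2: "name", 3: "min", 4: "max", 5: "count",
           100: "error_flag", 101: "err_message"}
NAMED = {"prIndex": "index", "prNames": "name", "prMin": "min", "prMax": "max",
         "prCount": "count", "prErrorFlag": "error_flag", "prErrMessage": "err_message"}
LINE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z]+):\s*(?P<value>.*)$")

HEALTHY_WALK = """\
.1.3.6.1.4.1.2021.2.1.2.1 = STRING: run_erl
.1.3.6.1.4.1.2021.2.1.2.7 = STRING: httpd
.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.3.7 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.4.7 = INTEGER: 6
.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.5.7 = INTEGER: 6
.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: noError(0)
.1.3.6.1.4.1.2021.2.1.100.7 = INTEGER: noError(0)
"""

AFTER_STOP_WALK = """\
UCD-SNMP-MIB::prNames.1 = STRING: run_erl
UCD-SNMP-MIB::prNames.2 = STRING: beam.smp
UCD-SNMP-MIB::prNames.7 = STRING: httpd
UCD-SNMP-MIB::prMin.1 = INTEGER: 2
UCD-SNMP-MIB::prMin.2 = INTEGER: 3
UCD-SNMP-MIB::prMin.7 = INTEGER: 2
UCD-SNMP-MIB::prMax.1 = INTEGER: 2
UCD-SNMP-MIB::prMax.2 = INTEGER: 3
UCD-SNMP-MIB::prMax.7 = INTEGER: 6
UCD-SNMP-MIB::prCount.1 = INTEGER: 0
UCD-SNMP-MIB::prCount.2 = INTEGER: 0
UCD-SNMP-MIB::prCount.7 = INTEGER: 6
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: error(1)
UCD-SNMP-MIB::prErrorFlag.2 = INTEGER: error(1)
UCD-SNMP-MIB::prErrorFlag.7 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too few run_erl running (# = 0)
UCD-SNMP-MIB::prErrMessage.2 = STRING: Too few beam.smp running (# = 0)
UCD-SNMP-MIB::prErrMessage.7 = STRING:
"""


def _column_and_row(oid):
    """Map a numeric OID or MIB name to (column key, row), or (None, None)."""
    if oid.startswith(PR_TABLE + "."):
        parts = oid[len(PR_TABLE) + 1:].split(".")
        if len(parts) == 2 and all(p.isdigit() for p in parts):
            return COLUMNS.get(int(parts[0])), int(parts[1])
    m = re.match(r"^(?:UCD-SNMP-MIB::)?(pr\w+)\.(\d+)$", oid)
    if m:
        return NAMED.get(m.group(1)), int(m.group(2))
    return None, None


def _value(type_name, raw):
    """INTEGER values may be enumerated, e.g. noError(0); keep the number."""
    if type_name == "INTEGER":
        m = re.search(r"-?\d+", raw.split("(")[-1])
        return int(m.group()) if m else 0
    return raw.strip()


def parse_walk(text):
    """Return {row: {column key: value}} for every prTable line in the walk."""
    rows = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            col, row = _column_and_row(m.group("oid"))
            if col is not None:
                rows.setdefault(row, {})[col] = _value(m.group("type"), m.group("value"))
    return rows


def failed_processes(text):
    """Names of processes with prErrorFlag set, or with prCount outside
    [prMin, prMax] (prMax 0 means no upper bound) when the flag is absent."""
    rows = parse_walk(text)
    bad = []
    for row in sorted(rows):
        p = rows[row]
        count, lo, hi = p.get("count", 0), p.get("min", 0), p.get("max", 0)
        out_of_range = count < lo or (hi > 0 and count > hi)
        if p.get("error_flag", 0) != 0 or out_of_range:
            bad.append(p.get("name", f"row {row}"))
    return bad
```

Pipe the output of `snmpwalk -v2c -c <community> <SO-SERVER> .1.3.6.1.4.1.2021.2.1` (or the UCD-SNMP-MIB::prTable name) into parse_walk(); an empty list from failed_processes() during the restart test above means the error flags cleared again once the fso service was back up.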
PART III: User Management
CHAPTER 7: About User Management
Security Orchestrator (SO) provides role-based access control for the Web UI. You control
who can access the Web UI by creating users, and you control which features and
components a user can access by configuring groups and assigning users to groups.
By default, all users have access to the Dashboard and System Status pages. By assigning a
user to a group, you can also grant add, read, write, delete, and execute access to SO
components, such as playbooks, devices, adapters, and cases.
You create and manage users and groups using the SO Web UI. For information on
accessing the Web UI, see Accessing the Web UI on page 27.
You can also apply role-based permissions to specific playbooks, allowing user groups to
access some playbooks but not others. For information on granting access to specific
playbooks, see the Security Orchestrator Playbook Management Guide.
Playbooks are also referred to as courses of action (COAs) in this guide and in the
SO Web UI.
For information on managing groups and users, see the following sections:
CHAPTER 8: Managing Groups
• Scripts on page 75
• Tables on page 75
• Forms on page 75
You must grant Read (R) permission to a component to allow users to view and
access the component. Read permission is not automatically granted by granting
add (A), write (W), or delete (D) permission.
Courses of Action
Courses of Action permissions control user access to COAs and the cases and processes
generated by COAs. You can set the following permissions for COAs:
Write (W) Modify configuration details and workflows for all COAs.
Execute (X) Run recommended COAs and pivot actions from a case or process.
You can also grant a user group access to only specific COAs (on the Playbook page),
instead of granting the group access to all COAs. For information on granting access to
specific COAs, see the Security Orchestrator Playbook Management Guide.
You can also grant a user group access to cases and processes generated by specific COAs
only (on the Playbook page), instead of granting the group access to cases and processes
generated by all COAs. For information on granting access to specific COAs, see the
Security Orchestrator Playbook Management Guide.
Plug-Ins
You can set the following permissions for plug-ins:
Devices
You can set the following permissions for devices:
Adapters
You can set the following permissions for adapters:
Users
You can set the following permissions for users:
Write (W) Modify all users, including profiles, passwords, and group assignments.
Current User
You can set the following permissions for the currently logged-in user:
User Groups
You can set the following permissions for user groups:
Scripts
Access permissions for scripts are not enforced; access to scripts cannot be restricted. Since
scripts are embedded in COAs, users with access to a COA also have access to its scripts.
Tables
You can set the following permissions for tables:
Forms
You can set the following permissions for summary forms:
To grant permissions to Forms, you must also grant the same permissions to
Tables. For example, a user group must have write permission for Tables and
Forms to modify a form. (This is because a form is a type of table.)
Viewing Groups
The Groups page displays the following information for each user group:
To view groups:
Creating a Group
Create a group to define access permissions for a group of users.
To create a new group:
Granting add, delete, or write permission does not grant read permission.
When granting add, delete, or write permission, also grant read permission
to allow users to view the component.
To allow a group to view Devices or Adapters, you must also grant the
group read permission to Plugins.
To grant permissions to Forms, also grant the same permissions to Tables.
For example, to grant write permission to Forms, select W for Forms and
select W for Tables.
6. Click Create.
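The dependency rules this chapter states (Read is never implied by Add, Write or Delete; viewing Devices or Adapters also needs Read on Plugins; every permission on Forms must be mirrored on Tables; Scripts are not enforced; a user holds the union of all assigned groups' permissions) are easy to get wrong when groups are built by hand in the Web UI. The Python model below is an added example, not part of the FireEye guide or the SO product, that encodes those rules so a planned group definition can be audited before it is created and a user's effective access can be reasoned about. The component names and the two sample groups are constructed for the demonstration; the letters A/R/W/D/X are the ones shown on the Groups page.

```python
from typing import Dict, Iterable, List, Set

# Permission letters as shown on the SO Groups page: add, read, write, delete, execute.
PERMS = {"A", "R", "W", "D", "X"}

# Pages every user can reach regardless of group membership.
ALWAYS_VISIBLE = {"Dashboard", "System Status"}

# Components whose permissions are not enforced (scripts are embedded in COAs).
UNENFORCED = {"Scripts"}

# Viewing the key component also requires Read on the value component.
VIEW_REQUIRES = {"Devices": "Plugins", "Adapters": "Plugins"}

# Every permission on the key must also be granted on the value (a form is a table).
MIRROR_REQUIRES = {"Forms": "Tables"}

Group = Dict[str, Set[str]]  # component name -> set of permission letters

# Constructed sample groups for the demonstration; not groups shipped with SO.
SAMPLE_GROUPS: Dict[str, Group] = {
    "analysts": {"COAs": {"R", "X"}, "Devices": {"R"},
                 "Tables": {"R", "W"}, "Forms": {"R", "W"}},
    "editors": {"COAs": {"W"}, "Adapters": {"R"}, "Forms": {"D"}},
}


def effective_permissions(memberships: Iterable[str], groups: Dict[str, Group]) -> Group:
    """A user holds the union of the permissions of every group assigned to them."""
    eff: Group = {}
    for name in memberships:
        for component, perms in groups[name].items():
            eff.setdefault(component, set()).update(perms & PERMS)
    return eff


def can_view(eff: Group, component: str) -> bool:
    """Read on the component itself, plus Read on any component it depends on."""
    if component in ALWAYS_VISIBLE or component in UNENFORCED:
        return True
    if "R" not in eff.get(component, set()):
        return False  # A/W/D/X never imply R
    for dep in (VIEW_REQUIRES.get(component), MIRROR_REQUIRES.get(component)):
        if dep and "R" not in eff.get(dep, set()):
            return False
    return True


def can_do(eff: Group, component: str, action: str) -> bool:
    """A/W/D/X on a component the user can view, mirrored on Tables for Forms."""
    if component in UNENFORCED:
        return True
    if not can_view(eff, component) or action not in eff.get(component, set()):
        return False
    mirror = MIRROR_REQUIRES.get(component)
    return mirror is None or action in eff.get(mirror, set())


def audit_group(group: Group) -> List[str]:
    """Warnings for the three pitfalls the guide repeats on the Create/Modify Group pages."""
    warnings: List[str] = []
    for component, perms in group.items():
        if component in UNENFORCED:
            continue
        if (perms & {"A", "W", "D"}) and "R" not in perms:
            warnings.append(f"{component}: A/W/D granted without R; users cannot view it")
        prereq = VIEW_REQUIRES.get(component)
        if "R" in perms and prereq and "R" not in group.get(prereq, set()):
            warnings.append(f"{component}: R granted but {prereq} lacks R; users cannot view it")
        mirror = MIRROR_REQUIRES.get(component)
        if mirror:
            missing = perms - group.get(mirror, set())
            if missing:
                warnings.append(
                    f"{component}: {''.join(sorted(missing))} not also granted on {mirror}")
    return warnings


if __name__ == "__main__":
    for name, group in SAMPLE_GROUPS.items():
        for w in audit_group(group):
            print(f"[{name}] {w}")
    eff = effective_permissions(["analysts", "editors"], SAMPLE_GROUPS)
    print("can view Devices:", can_view(eff, "Devices"))   # False: no Read on Plugins
    print("can delete Forms:", can_do(eff, "Forms", "D"))  # False: Tables lacks D
```

Running the audit on the constructed "editors" group produces four warnings, one for each rule it breaks; a user assigned to both sample groups ends up with Write on COAs (from editors) and Read on COAs (from analysts), which is why group-by-group review is not enough and the union has to be examined as well.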
Modifying a Group
You can change a group's access permissions and description. You cannot change a
group's name.
Granting add, delete, or write permission does not grant read permission.
When granting add, delete, or write permission, also grant read permission
to allow users to view the component.
To allow a group to view Devices or Adapters, you must also grant the
group read permission to Plugins.
To grant permissions to Forms, also grant the same permissions to Tables.
For example, to grant write permission to Forms, select W for Forms and
select W for Tables.
5. Click Save.
Deleting a Group
Deleting a group will remove the group assignment from all users, and may cause users to
lose access to components. Before deleting a group, review the list of users assigned to the
group. See Viewing Groups on page 76.
To delete a group:
CHAPTER 9: Managing Users
Viewing Users
The Users page displays the following information for each user:
• User name
• The user's full name and email addresses
• Group assignments
• Enabled status (on or off)
• Date and time the user configuration was last updated
Creating a User
Create a user to give someone access to the Security Orchestrator Web UI.
4. (Optional) In the Name boxes, enter the user's first, middle, and last names.
5. (Optional) Click +Add Email Address to enter an email address for the user.
If you enter multiple email addresses, click Main next to the email address you
want to appear in the summary list on the Users page.
6. In the Password and Confirm Password boxes, enter a temporary password for the
user.
7. In the Groups box, select group assignments for the user:
• To assign the user to a group, click in the Groups box and then select a group
name from the list. Select multiple groups if needed. The user is granted all
access permissions defined in the selected groups.
• To remove the user from a group, click x next to the group name.
8. Click Create.
The user can log in to the Security Orchestrator Web UI with the user name and temporary
password.
Enabling or Disabling a User
If you disable a user, the user's access to the Web UI is denied the next time the user
attempts to log in.
Deleting a User
Deleting a user removes the user's login credentials and prevents the user from accessing
the Web UI. To deny a user access temporarily, consider disabling the user. See Enabling or
Disabling a User above.
To delete a user:
PART IV: Administration
CHAPTER 10: Managing Services
Status of SO and Dependent Services
The proper way to start and stop Security Orchestrator is by using the fso service. The
status of Security Orchestrator should also be checked using the fso service.
The service configuration stops all services in the correct order during system
shutdown. If any of the services is not running, FireEye recommends that you stop and
restart them in the order shown below.
To stop fso and all dependent services:
While logged in as root, run the following commands in the order shown:
# service crond stop
# service httpd24-httpd stop
# service fso stop
# service cassandra stop
# service elasticsearch stop
# service rabbitmq-server stop
CHAPTER 11: Managing Logs
Configuring Logging Levels
To follow only Web requests (useful for troubleshooting the Web UI), use the following
command:
• tail -f /var/log/fireeye/fso/web/web.log |grep request_id=
To follow everything except Web requests (useful for troubleshooting plug-ins and
adapters), use the following command:
• tail -f /var/log/fireeye/fso/web/web.log |grep -v request_id=
<Level> can be debug, info, warn, error, or fatal. The default setting is info.
FireEye does not recommend setting logging levels to debug for extended periods
of time. Debug mode requires file I/O and consumes disk space each time a
command is executed. After you troubleshoot an issue with debug mode enabled,
reset logging levels to their defaults.
RabbitMQ also writes specific logs at startup and shutdown and tracks errors in separate
logs. The following logs are included:
• /var/log/rabbitmq/startup_err
• /var/log/rabbitmq/startup_log
• /var/log/rabbitmq/shutdown_err
• /var/log/rabbitmq/shutdown_log
The RabbitMQ service may trigger an error message about log rotation. You can ignore
this. Log rotation succeeds and the RabbitMQ service continues to work correctly.
The error is:
/etc/cron.daily/logrotate:
Password: su: incorrect password
error: error running shared postrotate script for
'/var/log/rabbitmq/*.log '
CHAPTER 12: Generating Log Bundles for Customer Support
The resulting file will have the following name format: fso_<MAC>_logs.<timestamp>.tbz2
The file is a tar archive compressed with bzip2. To extract the logs from the file, use the
following command:
$ tar jxf fso_<MAC>_logs.<timestamp>.tbz2
The files are extracted to a directory named logs in the current working directory. This
includes log files for Cassandra, ElasticSearch, Security Orchestrator, and Apache.
CHAPTER 13: Managing Snapshots
• Users
• Groups
• Plug-ins
• Devices
• Adapters
• Courses of Action (Playbooks)
• Summary Forms
• Tables
The user configuration contains the hashed password and salt used to authenticate the SO
user. Course of action (playbook) configuration includes the current version of any custom
scripts and any templates configured within the course of action. Table contents are not
saved in a snapshot file. Only the definition and configuration of the table are saved in a
snapshot file.
You can also choose whether encrypted data is stored in a snapshot. The encrypted data
requires a separate secret key, which is contained in the /etc/fireeye/fso/web.conf file
as common.encryption_key.
Creating a Snapshot
You can create a snapshot at any time without affecting the SO operational state.
Before creating a snapshot, you must do the following:
The --include-encrypted option allows you to include encrypted data in the snapshot. If
not specified, encrypted data is not stored in the snapshot file. User password hashes are
always saved as part of the snapshot, even if encrypted data is not included.
While a snapshot is being restored, SO is shut down, the new snapshot is loaded, and SO
restarts.
To restore a snapshot without encrypted data, run the command:
$ fso snapshot load <snapshot filename>
Restoring a Snapshot with Encrypted Data
The --include-encrypted option works only on snapshots that were generated with encrypted
data included. If the snapshot contains no encrypted data, the option is ignored.
CHAPTER 14: Viewing Content
For more information about installed plug-ins, see Verifying Installed Plug-Ins on
page 37.
3. To list all devices with their status and plug-in information, run the following
command:
$ fsocontent status --devices
4. To list devices that are currently using an older plug-in version (when a newer
version of the plug-in is installed and available), run the following command:
$ fsocontent status --upgradable-devices
The plug-in version currently used by the device is shown along with the newer
plug-in version available for upgrade. For instructions on upgrading devices, see the
Security Orchestrator Playbook Management Guide.
5. To list all adapters, run the following command:
$ fsocontent status --adapters
or
$ fsocontent status --playbook-details
You can also review information about plug-ins, adapters, devices, and
playbooks in the Web UI and troubleshoot issues with device (plug-in)
commands by reviewing the command trace within a case. For more
information, see the Security Orchestrator Playbook Management Guide.
To determine the version of the current system, use the fso version command.
In older systems, use the fsoversion command.
1. Download the following files from the FireEye Customer Service portal:
• SO Release Readme file, which contains the SHA-256 checksums for the
SO upgrade files
• SO online upgrade package, fso-system-4.2.3-1.el6.tar.gz
• SO offline upgrade package, fso-system-4.2.3-1.el6-offline.tar.gz
2. Verify SHA-256 checksums for the SO upgrade files.
3. Log in to the SO virtual appliance as root.
4. Copy the online or offline upgrade package (tar.gz) to the SO virtual appliance.
5. Create a directory to which you can extract the upgrade package:
# mkdir -p ~/tmp-fso/
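Step 2 asks you to verify the SHA-256 checksums of the upgrade files against the Readme before the package goes onto the appliance. The Python script below is an added example of that check, not FireEye's tooling. It assumes the Readme lists checksums as "<hex digest>  <filename>" lines in sha256sum style (an assumption about the Readme's layout; adjust parse_checksums if yours differs), streams each package through SHA-256 so large archives are not read into memory, and compares digests in constant time. The package file names are the ones listed in step 1; build_demo_directory writes a constructed stand-in file under a temporary directory so the script can be exercised without the real packages.

```python
import hashlib
import hmac
import os
import tempfile

# Upgrade package names from the procedure above (online and offline variants).
UPGRADE_PACKAGES = (
    "fso-system-4.2.3-1.el6.tar.gz",
    "fso-system-4.2.3-1.el6-offline.tar.gz",
)


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large package is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksums(text):
    """Parse '<64 hex chars>  <filename>' lines (assumed sha256sum-style Readme layout).

    Lines that do not look like a checksum entry are skipped, so Readme prose
    around the checksum list does not break the parser.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            continue
        expected[name.strip().lstrip("*")] = digest.lower()  # sha256sum may prefix '*'
    return expected


def verify_package(path, expected_hex):
    """True only if the file's SHA-256 equals the expected digest (constant-time compare)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def verify_packages(directory, expected, names=UPGRADE_PACKAGES):
    """Status per package: 'ok', 'mismatch', 'no-checksum' or 'missing'.

    Only packages that are present get hashed: the procedure copies either the
    online or the offline package, not necessarily both.
    """
    results = {}
    for name in names:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif name not in expected:
            results[name] = "no-checksum"
        else:
            results[name] = "ok" if verify_package(path, expected[name]) else "mismatch"
    return results


def build_demo_directory():
    """Write a constructed stand-in for the online package; returns (dir, its sha256)."""
    directory = tempfile.mkdtemp(prefix="fso-upgrade-demo-")
    data = b"constructed stand-in for the SO upgrade package, not real content\n"
    with open(os.path.join(directory, UPGRADE_PACKAGES[0]), "wb") as fh:
        fh.write(data)
    return directory, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    demo_dir, demo_digest = build_demo_directory()
    readme_text = f"{demo_digest}  {UPGRADE_PACKAGES[0]}\n"  # stands in for the Readme
    for name, status in verify_packages(demo_dir, parse_checksums(readme_text)).items():
        print(f"{status:12s} {name}")
    # Only a package reported as 'ok' should be copied and extracted (steps 4 and 5).
```

Treat anything other than "ok" as a stop condition: "mismatch" means the package you downloaded is not the one the Readme describes, and "no-checksum" means the Readme you have does not cover that file, so the integrity of the upgrade cannot be established from it.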
Technical Support
Documentation
Documentation for all FireEye products is available on the FireEye Documentation Portal
(login required):
https://docs.fireeye.com/
© 2019 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or
service names are or may be trademarks or service marks of their respective owners.