Endpoint Standard: How to configure a Local Mirror (Linux)

Article ID: 290054


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Configure a Linux/Unix mirror server for Signature Updates for the CBC Sensor

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard
  • Carbon Black Cloud Mirror Server Utility: v3.0 and Higher
    • Linux/Unix: All Supported Versions

Resolution

Configure Mirror Server

  1. Ensure traffic to the Signature Update Server URL is allowed through any proxy/firewall without packet inspection (TCP/80 or TCP/443)
    updates2.cdc.carbonblack.io
  2. Download cbdefense_mirror_unix_x64_v3.0.zip to the Server that will provide updates
  3. Unpack the zipped file and move the contents to a directory (these files will be used to automate mirror server updates with a cron job, so they should be stored in a permanent location such as /opt/cbupdate)
    avupdate_msg.avr
    avupdate.bin
    HBEDV.KEY
    update_defs.sh
    update_defs_ssl.sh
    
  4. Open a command prompt and change directory to the update file location
  5. Download the initial Signature pack set and create the Signature Mirror with this command (/var/www/html is an example directory often used when configuring Apache)
    bash ./update_defs.sh /var/www/html
          NOTE: The command can also call update_defs_ssl.sh to use https for the download
  6. Results will print to the command line.  Confirm the following directories and files are located in the root of the directory targeted with the update command
    ave2
    avupdate.log
    idx
    x_vdf

Apache Configuration Example

  1. Download Apache
    yum install httpd
  2. Start Apache service
    systemctl start httpd
  3. Access httpd.conf with a command line editor
    vi /etc/httpd/conf/httpd.conf
  4. Edit httpd.conf to configure Apache to listen on desired IP address and port 80 (port 443 can be used for https if Sensors are running 3.3.x.x and higher)
    Listen Local_Mirror_IP:80
  5. Restart httpd service
    systemctl restart httpd
  6. Enable httpd start on boot
    systemctl enable httpd
  7. Test connection to web server from a remote machine within the local network (Apache welcome page should load in web browser)
NOTE: If the firewall on the update Server has been configured, then allow port 80 or 443 traffic as needed
  1. Remove the Apache welcome page
    rm /etc/httpd/conf.d/welcome.conf
  2. Create a configuration file named "cb.conf" 
    touch /etc/httpd/conf.d/cb.conf
  3. Use a command line text editor to add the following values (some values require customization) to cb.conf
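    # Replace LOCAL_MIRROR_IP and the ServerAdmin address with your own values
    <VirtualHost LOCAL_MIRROR_IP:80>
    ServerAdmin [email protected]
    ServerName carbonblackmirror
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
    Options All Indexes FollowSymLinks
    # Order/Allow are Apache 2.2-style directives; Apache 2.4 needs mod_access_compat for them
    Order allow,deny
    Allow from all
    </Directory>
    </VirtualHost>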
  4. Restart the Apache service
    systemctl restart httpd
  5. Use a web browser to access the /idx/master.idx file to confirm mirror server functionality

Schedule update task

  1. Create a cron file to automate Local Mirror updates
    touch /opt/cbupdate/cronfile
  2. Edit the file to fetch updates at a set interval (1 hour intervals will ensure timely updates are available for Sensors; the path to the update script may vary depending on where the files are stored)
    0 * * * *  cd /opt/cbupdate/ && /bin/bash /opt/cbupdate/update_defs.sh /var/www/html
         NOTE: The update_defs_ssl.sh file can be called to use HTTPS communication between the Local Mirror and CB Update Servers
  3. Add the cron file to crontab to ensure the system will run the job. This step needs to be done with sudo or as "root", and it replaces that user's existing crontab with the contents of the file
    sudo crontab /opt/cbupdate/cronfile
  4. Ensure the cronfile was added
    sudo crontab -l
    0 * * * * cd /opt/cbupdate/ && /bin/bash /opt/cbupdate/update_defs.sh /var/www/html
  5. Cron job activities can be verified in the /var/log/cron log
    tail -f /var/log/cron
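
A mirror that stops updating keeps serving its last signature set, so it is worth checking the mirror root after each scheduled run. The script below is an added example (not part of the Carbon Black mirror package) that checks the entries listed in step 6 of "Configure Mirror Server" and the idx/master.idx file; the check_mirror name, its return codes and the 24-hour staleness threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the vendor package.
# Usage: check_mirror MIRROR_ROOT [MAX_AGE_HOURS]
# Return codes (chosen for this example): 0 ok, 1 usage, 2 incomplete, 3 stale.

check_mirror() (
    root=${1:-}
    max_age_hours=${2:-24}   # assumed threshold; tune to your update cadence

    case $max_age_hours in
        ''|*[!0-9]*) echo "usage: check_mirror DIR [HOURS]" >&2; exit 1 ;;
    esac
    [ -n "$root" ] || { echo "usage: check_mirror DIR [HOURS]" >&2; exit 1; }
    [ -d "$root" ] || { echo "mirror root not found: $root" >&2; exit 2; }

    # Entries the article lists in the mirror root after a successful update.
    for entry in ave2 avupdate.log idx x_vdf; do
        [ -e "$root/$entry" ] || { echo "missing: $root/$entry" >&2; exit 2; }
    done

    # Index file the article fetches over HTTP to confirm the mirror works.
    [ -s "$root/idx/master.idx" ] || {
        echo "missing or empty: $root/idx/master.idx" >&2; exit 2; }

    # Staleness: some file other than the log must have changed recently.
    # Assumption: a failed run may still write avupdate.log, so it is excluded.
    mins=$((max_age_hours * 60))
    fresh=$(find "$root" -type f ! -name avupdate.log -mmin "-$mins" | head -n 1)
    [ -n "$fresh" ] || {
        echo "stale: no signature file changed in ${max_age_hours}h" >&2; exit 3; }

    echo "mirror ok: $root"
)

# Run the check when the script is called with arguments, e.g. from cron.
if [ "$#" -gt 0 ]; then
    check_mirror "$@"
fi
```

Saved under a name of your choosing (for example a hypothetical /opt/cbupdate/check_mirror.sh) and chained after update_defs.sh with &&, a non-zero return code marks an incomplete or stale mirror in the cron job's output.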

Add Local Mirror URL to Local Scanner Policy

  1. Log into CBC Console
  2. Go to Enforce > Policies
  3. Click on the desired Policy's name
  4. Click on the Local Scan tab
  5. Ensure 'Allow Signature Updates' is set to Enabled
  6. Add the URL for the Local Mirror Server to the 'Update Servers' settings for Internal and Offsite devices as desired
  7. Check the box to the right of the desired URL to set it as the Preferred Server
  8. Remove any URLs which are not desired

Additional Information

  • Recommended schedule for pulling down updates is hourly
  • Recommended 2 GHz CPU and 4 GB of RAM for Local Mirror server, in order to service 10k endpoints