How to Update EDR in an Air-Gapped Environment
Article ID: 291589
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Update EDR Server(s) in an air-gapped environment. There are two sets of software to update, the CarbonBlack update packages and, optionally, the CbOpenSource packages (to include Event-Forwarder, Yara Connector/Manager and countless connectors).
- For air-gap EDR install read the Server Cluster Management Guide installation section.
Environment
- EDR Server: 7.x and higher
- Linux OS: All Supported Versions
Resolution
To obtain the EDR updates for an air-gapped offline environment.
1. Confirm the alliance certificates are present on the Internet-facing and air-gap EDR servers:
2. Confirm the Internet-facing caching EDR server has yum.conf configured as a cacheing server.
3. On the Internet-facing caching EDR server, pull the EDR updates.
b. Pull the latest CarbonBlack and CbOpenSource (optional) packages. See 'Additional Notes' for information on how to add CbOpenSource tools.
c. Create the CarbonBlack repo while remaining in the repo directory.
d. Tar the CarbonBlack updates. Note the sha256 hash.
4. Move the resulting tarball file (CarbonBlack.tar.gz or similar) to the desired air-gap EDR Servers. Confirm the air-gap servers tarball sha256sum matches the original tarball file.
5. Move the gz files to the yum directory on the air-gap EDR Servers and extract the tarball.
6. Stop cb-enterprise services or cbcluster in the air-gap environment.
7. On the air-gap EDR Servers, modify /etc/yum.repos.d/CarbonBlack.repo to redirect the baseurls to the correct yum cache directory.
8. On the air-gap EDR Servers, modify /etc/yum.repos.d/CbOpenSource.repo to redirect the baseurls to the correct yum cache directory. (optional)
9. Update cb-enterprise on each air-gap EDR Server and check the security settings.*
10. Run cbupgrade on each air-gap EDR Server. This command adjusts fields in Postgres and Solr databases if needed. If rpmnew files are noted during the cbupgrade, manually resolve differences between the RPMNEW and the existing configuration file of the same name, then delete the RPMNEW file before proceeding with the cbupgrade.
Note: Do not start services inside the cbupgrade command. (Answer 'n' to 'Do you want to start the services?')
11. Start the air-gap EDR Server or cbcluster.
1. Confirm the alliance certificates are present on the Internet-facing and air-gap EDR servers:
ls /etc/cb/certs
2. Confirm the Internet-facing caching EDR server has yum.conf configured as a cacheing server.
vi /etc/yum.confConfirm the following variables are set:
cachedir=/var/cache/yum/$basearch/$releasever keepcache=1
3. On the Internet-facing caching EDR server, pull the EDR updates.
a. Confirm the proper tools are installed.
yum install yum-utils yum install createrepo
b. Pull the latest CarbonBlack and CbOpenSource (optional) packages. See 'Additional Notes' for information on how to add CbOpenSource tools.
cd /var/cache/yum/x86_64/7/ (where 7 is the OS version; this example was CentOS 7.9) reposync --repoid CarbonBlack reposync --repoid CbOpenSource (optional) yum --downloadonly install cb-event-forwarder (optional) yum --downloadonly install python-cb-yara-connector (optional) yum --downloadonly install python-cb-yara-manager (optional)
c. Create the CarbonBlack repo while remaining in the repo directory.
cd /var/cache/yum/x86_64/7/ createrepo --no-database -v CarbonBlack createrepo --no-database -v CbOpenSource (optional)
d. Tar the CarbonBlack updates. Note the sha256 hash.
tar -cvzf CarbonBlack.tar.gz CarbonBlack tar -cvzf CbOpenSource.tar.gz CbOpenSource CbOpenSource2 (optional) sha256sum -b CarbonBlack.tar.gz sha256sum -b CbOpenSource.tar.gz (optional)
4. Move the resulting tarball file (CarbonBlack.tar.gz or similar) to the desired air-gap EDR Servers. Confirm the air-gap servers tarball sha256sum matches the original tarball file.
5. Move the gz files to the yum directory on the air-gap EDR Servers and extract the tarball.
cp /tmp/CarbonBlack.tar.gz /var/cache/yum/x86_64/7/ (where 7 is OS release version) cp /tmp/CbOpenSource.tar.gz /var/cache/yum/x86_64/7/ (optional) cd /var/cache/yum/x86_64/7 tar -xvzf CarbonBlack.tar.gz tar -xvzf CbOpenSource.tar.gz (optional)
6. Stop cb-enterprise services or cbcluster in the air-gap environment.
service cb-enterprise stop OR /usr/share/cb/cbcluster stop
7. On the air-gap EDR Servers, modify /etc/yum.repos.d/CarbonBlack.repo to redirect the baseurls to the correct yum cache directory.
[CarbonBlack] name=CarbonBlack baseurl=file:///var/cache/yum/$basearch/$releasever enabled=1 gpgcheck=0
8. On the air-gap EDR Servers, modify /etc/yum.repos.d/CbOpenSource.repo to redirect the baseurls to the correct yum cache directory. (optional)
[CbOpenSource] name=CbOpenSource baseurl=file:///var/cache/yum/$basearch/$releasever/CbOpenSource gpgcheck=0 enabled=1 metadata_expire=60 sslverify=1 [CbOpenSource2] name=CbOpenSource2 baseurl=file:///var/cache/yum/$basearch/$releasever/CbOpenSource2 gpgcheck=0 enabled=1 metadata_expire=60 sslverify=1
9. Update cb-enterprise on each air-gap EDR Server and check the security settings.*
yum update cb-enterprise /usr/share/cb/cbcheck firewall -a /usr/share/cb/cbcheck selinux -a
* If you get [Errno 14] curl#37 - "Couldn't open file /var/cache/yum/x86_64/7/repodata/repomd.xml", then move the repomd.xml file to this location or check permissions.
9b. Update cb-event-forwarder, yara, etc. (optional)
mv ./CarbonBlack/repodata /var/cache/yum/x86_64/7* In the lab, 'yum clean all' was not used in order to keep all (install and upgrade) packages cached prior to moving to the air-gap environment. This placed the 7.7.2 updates in /var/cache/yum/x86_64/7/CarbonBlack/ directory while the EDR v7.4.1 install packages remained in /var/cache/yum/x86_64/7/CarbonBlack/packages/ directory. Therefore the 7.7.2 packages were manually copied to /var/cache/yum/x86_64/7/CarbonBlack/packages/ directory prior to the yum update.
cp /var/cache/yum/x86_64/7/CarbonBlack/*rpm /var/cache/yum/x86_64/7/CarbonBlack/packages/
yum update cb-event-forwarder
* The repomd.xml may need to be moved to the CbOpenSource/repodata directory.
Note: Do not start services inside the cbupgrade command. (Answer 'n' to 'Do you want to start the services?')
/usr/share/cb/cbupgrade
11. Start the air-gap EDR Server or cbcluster.
service cb-enterprise start OR /usr/share/cb/cbcluster start
Additional Information
- Testing was performed on default install, using the minimal distribution and the distribution’s official package repositories.
- Air-gap server OS repos must point to the internal OS repo server (outside of Carbon Black configuration)
- Internet-facing server and air-gapped server must be the same OS version.
- If CbOpenSource.repo is not present on the Internet-facing server and you would like to add it to the update process, then create the repo file by running: (make sure to move or recreate CbOpenSource.repo to the air-gapped server also)
curl -O https://opensource.carbonblack.com/CbOpenSource.repo
Feedback
Yes
No
Powered by
