Prerequisites - Site Coordinator
About this document
This document explains the prerequisites for installing a Site Coordinator or a Master Site Coordinator.
The required hardware profile should be able to process the following under test conditions:
- 5 agentless scans per minute.
- 1200 agent-based scans per minute.
The hardware profile requirement and the number of site coordinators needed depends upon two factors:
- total number of assets to be assessed
- the time period in which they are to be assessed.
Customers should consider the total number of assets that a single Site Coordinator can process when sizing the Site Coordinator. Customers with large numbers of assets can deploy multiple Site Coordinators. An example deployment diagram can be found here: Example Site Coordinator Deployment
Minimum Hardware requirements
- 2 Core CPU
- 4 GB RAM
- 50 GB disk storage
If the provisioned server has a partitioned disk, ensure the following directories/partitions have sufficient storage space available to prevent any installation issues:
| Directory / partition | Required space | Notes |
|---|---|---|
| /var/lib/docker or a custom Docker data directory | 40 GB | The default storage location for Docker and its files (images, volumes, logs, etc.) is /var/lib/docker, as per the official Docker documentation. If a custom storage location is used, please ensure that the storage requirements are met both at the time of installation and on an ongoing basis. |
| Site Coordinator installation directory | 10 GB | The Site Coordinator will install at the location chosen during installation. If this is a shared partition, please ensure that the storage requirements are met both at the time of installation and on an ongoing basis. |
- Supported Operating Systems
  - RedHat 7
  - RedHat 8
  - Oracle Linux 8
  - Ubuntu 16 (supported for existing deployments only; SAFE recommends moving to the latest supported Ubuntu version to ensure Docker support)
  - Ubuntu 18
  - Ubuntu 20
- Docker CE 18.03.0 or greater
Docker is deployed with the following default network configuration:
- docker bridge default: 172.17.0.1/16.
Customers should review if this default network range will conflict with their existing infrastructure and make any adjustments as required.
- Docker Compose version 1.29.x or greater and lower than version 2.x.
- A non-root user to manage Docker
- Internet Access (For access via a Proxy, refer to Configuring Proxy in Site Coordinator )
SAFE will provide support for Site Coordinator deployments on the listed Operating Systems above until either of the following occurs:
- The vendor's end-of-support date is reached for that Operating System.
- Docker Support is ended for the given Operating System version.
- Internet access is required to send results from Agentless scans to the SAFE Cloud Service. A specific URL will be provided to customers for this purpose, and access to it will be required at all times for results to be uploaded to the SAFE Cloud Service.
- Internet access is also required for the installation of the Docker prerequisites using the SAFE-provided process. This requires open outbound internet access during the installation of Docker and Docker Compose; that access can be removed following successful verification of the prerequisites.
- For Site Coordinators requiring a Proxy to access the SAFE Cloud Services, the following details are needed (refer to Configuring Proxy in Site Coordinator):
- Proxy IP/Hostname: The IP address/ Hostname of the proxy server to be used.
- Proxy Port: The port to be used to connect to the proxy server.
- Proxy Username: The username to be used to connect to the proxy. (Optional)
- Proxy Password: The password of the username provided. (Optional)
- Comma-separated IPs/Hostnames without spaces to be omitted by proxy (NO_PROXY): Any IPs/Hostnames that the user does not want the site coordinator to route via proxy. This applies to some of the PIM/PAM tools or Third-Party tools like Arcon, CyberArk, BeyondTrust, etc.
- For Site Coordinators that will support Agent-Based Communication, the following is required (Refer to Configuring Site Coordinator for agent-based communication)
- Port 443 is open on the Site Coordinator to receive communication from agents.
- An internally routable URL/DNS entry that can be assigned to the Site Coordinator and is reachable from the target assets. For example, the URL for a company with the name "example1.com" might be "safesc.example1.com"
- SSL certificate with the private key for the URL assigned to the Site Coordinator's IP address, and the corresponding CA certificate.
- The SSL certificate should be supplied as a .crt file with a separate .key file containing the private key.
- SAFE does not support the use of encrypted/password-protected key files.
- The SSL certificate cannot be self-signed.
- The CA certificate used to sign the SSL certificate must be trusted by the host where the Windows Agent is deployed.
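The following is an added pre-installation check for the certificate material listed above; it is not SAFE's own tooling. It assumes openssl is installed and that the .crt, .key, CA certificate and Site Coordinator hostname are passed as arguments.

```shell
#!/bin/sh
# Added check for the SSL material required for agent-based communication (not SAFE's own tooling).
# Assumes openssl is installed; CRT, KEY, CA and HOSTNAME are supplied as arguments.
# check_cert_bundle CRT KEY CA HOSTNAME: exit 0 only when every rule on the page holds
check_cert_bundle() {
    crt=$1; key=$2; ca=$3; host=$4; rc=0
    # 1. the .key file must be unencrypted: it has to load with an empty passphrase
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null \
        || { echo "FAIL: $key is encrypted/password protected or not a valid key"; rc=1; }
    # 2. the certificate must not be self-signed (a self-signed cert has issuer == subject)
    subj=$(openssl x509 -in "$crt" -noout -subject 2>/dev/null)
    iss=$(openssl x509 -in "$crt" -noout -issuer 2>/dev/null)
    [ "${subj#subject=}" != "${iss#issuer=}" ] || { echo "FAIL: $crt is self-signed"; rc=1; }
    # 3. the certificate must chain to the supplied CA certificate
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not verify against $ca"; rc=1; }
    # 4. the private key must belong to the certificate (identical public keys)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $crt"; rc=1; }
    # 5. the URL assigned to the Site Coordinator must appear in the certificate's SAN list
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -qE "DNS:$host(,|$)" \
        || { echo "FAIL: $crt does not cover $host"; rc=1; }
    return $rc
}
```

Run it as `check_cert_bundle sc.crt sc.key ca.crt safesc.example1.com` before starting the installation; a non-zero exit means at least one of the requirements above is not met.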
For Red Hat-based systems
The official Docker Community Edition (CE) is not natively supported on Red Hat systems. The alternative is the licensed Enterprise Edition (EE). If you already have a valid Docker EE license, it is recommended to use that and follow the installation guides received with the Docker license.
This guide specifies the steps to set up Docker Community Edition (CE), which needs no license and installs from open source repositories.
Set up the required repositories
- Add a file named centos.repo in the /etc/yum.repos.d/ directory with the following contents:
[centos-extras]
name=CentOS-7 extras - $basearch
baseurl=http://mirror.centos.org/centos-7/7/extras/x86_64/
enabled=1
gpgcheck=1
gpgkey=http://mirror.centos.org/centos-7/7/os/x86_64/RPM-GPG-KEY-CentOS-7
- Verify the repository by running yum repolist and confirm that the new repository appears in the list.
Install docker manually
- Install the required utilities.
sudo yum install -y yum-utils
- Enable the required Docker repository.
sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
- Install Docker CE
sudo yum install docker-ce docker-ce-cli containerd.io
- If there are any prompts, accept them with a y to proceed with the installations.
To start and enable the docker service to run automatically on a server startup, run the following command:
sudo systemctl start docker
sudo systemctl enable docker
sudo systemctl enable containerd
For Ubuntu or other supported non-Red Hat systems
Docker installation provides the required runtime for the Site Coordinator to execute. The simplest way to install is using the convenience script provided and maintained by Docker.
From the official links:
- The script requires root or sudo privileges to run.
To start the installation, execute the following command on the required machine.
curl -fsSL https://get.docker.com | sudo sh
- This will automatically install all the required dependencies without any manual intervention or confirmation.
- To start and enable the docker service to run automatically on a server startup, run the following command:
sudo systemctl start docker
sudo systemctl enable docker
sudo systemctl enable containerd.service
Non-root user setup for Docker
In order to manage Docker and allow the Site Coordinator to run without a root user, the following steps must be executed. They are taken from the official Docker setup documentation.
The following commands will need sudo access to modify the user/group permissions.
sudo usermod -aG docker $USER
- If the $USER variable is not set in your environment, replace it with the name of the non-root user being used.
- In order for the group permissions to reflect correctly, a re-login OR a restart is required.
- If you’re logged in via an SSH mode on the server, you can simply exit the session and re-login.
- Or simply a server restart will bring these changes into effect.
To confirm if the changes are reflected:
- Log in as a non-root user.
- Run docker info; if the output appears without any permission errors, the setup is complete.
- If you observe any system errors, ensure you have added the correct user to the docker group. You can verify this by running the groups command to see the list of groups that the currently logged-in user is a part of.
Docker-compose works alongside the Docker engine to orchestrate multiple runtime containers. Docker engine needs to be installed and running before the following commands can be executed.
From the official links:
The script requires root or sudo privileges to run.
Run the following command to install the required release of docker-compose:
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- Apply executable permissions to the binary.
sudo chmod +x /usr/local/bin/docker-compose
- Set up the required symlink.
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
- Test the installation by running docker-compose --version.
This should show the required output, something like the following:
docker-compose version 1.29.2, build 5becea4c
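As an added example that is not part of SAFE's own process, the script below checks the hardware and software prerequisites from this page (CPU, RAM, free space under the Docker data directory and install directory, Docker and Docker Compose version ranges, docker group membership) and prints the Docker bridge subnet for the conflict review mentioned above. SC_INSTALL_DIR is a hypothetical path standing in for the directory chosen during installation.

```shell
#!/bin/sh
# Added preflight script for the prerequisites on this page (not SAFE's own tooling).
# The version helpers are pure and testable; run_preflight inspects the live host.
# Assumption: SC_INSTALL_DIR is a hypothetical path for the chosen install directory.
SC_INSTALL_DIR="${SC_INSTALL_DIR:-/opt/safe-sc}"
# version_ge A B: exit 0 when dotted version A >= B, compared part by part
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"    # drop suffixes such as -rc1
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}
# Page rules: Docker CE 18.03.0 or greater; Compose 1.29.x or greater but below 2.x
docker_version_ok()  { version_ge "$1" 18.03.0; }
compose_version_ok() { version_ge "$1" 1.29.0 && ! version_ge "$1" 2.0.0; }
# free_gb DIR: whole gigabytes free on the filesystem that holds DIR
free_gb() { df -kP "$1" 2>/dev/null | awk 'NR==2 { printf "%d\n", $4/1024/1024 }'; }
# need_gb DIR GB: fail with a message when DIR has fewer than GB free
need_gb() {
    have=$(free_gb "$1"); have=${have:-0}
    [ "$have" -ge "$2" ] || { echo "FAIL: $1 has ${have} GB free, needs $2 GB"; return 1; }
}
run_preflight() {
    rc=0
    cores=$(nproc); ram_mb=$(awk '/MemTotal/ { printf "%d", $2/1024 }' /proc/meminfo)
    [ "$cores" -ge 2 ] || { echo "FAIL: 2 CPU cores required, found $cores"; rc=1; }
    # 3900 MB rather than 4096 MB: the kernel reserves part of a 4 GB module
    [ "$ram_mb" -ge 3900 ] || { echo "FAIL: 4 GB RAM required, found ${ram_mb} MB"; rc=1; }
    dv=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || dv=0
    docker_version_ok "$dv" || { echo "FAIL: Docker >= 18.03.0 required, found '$dv'"; rc=1; }
    cv=$(docker-compose version --short 2>/dev/null) || cv=0
    compose_version_ok "$cv" || { echo "FAIL: Compose 1.29.x (below 2.x) required, found '$cv'"; rc=1; }
    root=$(docker info --format '{{.DockerRootDir}}' 2>/dev/null) || root=/var/lib/docker
    need_gb "${root:-/var/lib/docker}" 40 || rc=1     # Docker data directory
    need_gb "$SC_INSTALL_DIR" 10 || rc=1              # Site Coordinator install directory
    id -Gn | grep -qw docker || { echo "FAIL: $(id -un) is not in the docker group"; rc=1; }
    echo "NOTE: docker bridge subnet is $(docker network inspect bridge --format '{{(index .IPAM.Config 0).Subnet}}' 2>/dev/null); compare with 'ip route' for conflicts"
    return $rc
}
if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Run it as the non-root Docker user with `sh preflight.sh --run`; any FAIL line points at the prerequisite still missing.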