This repository was archived by the owner on Dec 27, 2021. It is now read-only.
Max Siyazov edited this page Apr 1, 2017
Welcome to the SA_BACKUP wiki!
Security Analytics uses settings and configuration information that is stored in databases and files. This section describes the data that needs to be backed up so that service can be restored if the organisation experiences a failure or outage, and it identifies the data and components used by RSA Security Analytics that need to be backed up separately. Note: This document does not describe how to back up and recover the packets/logs and meta data.
The following table identifies the settings and configuration information of the SA that need to be backed up.
Type of data | Where stored | Description |
---|---|---|
Topology configuration information | Mongo DB on the SA server | SA Host, Services, and Groups information. |
User accounts information | Standalone H2 Platform DB file on the SA server (/var/lib/netwitness/uax/db/platform.h2.db) | Central repository of Users, Users groups, and Roles. |
SA server configuration information | Standalone H2 platform DB file. Mongo DB on the SA server. Configuration files (under /var/lib/netwitness/uax/) | SA server system settings and configuration data: Live, security configuration and permissions, password policy, role mapping, pam authentication, logging, ldap binding, global audit, global notification configuration, web server certificates, scheduler, enrichment sources, index configuration, table map configuration, etc. |
Puppet infrastructure configuration information | Configuration files (/etc/puppet/) and Mongo DB on the SA server | Puppet master configuration and modules, ssl files. Puppet agent configuration data. |
Core SA services configuration information | Configuration files on the core appliance (/etc/netwitness/ng/*) | Core services (log collector, decoder, concentrator, broker, warehouse connector, archiver) configuration information, lockbox |
Licenses information | Mongo DB on the SA server | SA service licenses and licenses stats. |
Event Stream Analysis | Mongo DB on the SA server (ESA rules). Mongo DB on the ESA server (Alarms). Configuration files under /opt/rsa/esa/ on the ESA server. | ESA settings and configuration information, rules and alerts. |
Intelligence information | Mongo DB on the SA server | Feeds, enrichment sources configuration |
System monitoring configuration | Mongo DB on the SA server, Configuration files under /opt/rsa/sms/ on the SA server | Health and wellness stats, policies, and settings. Event source monitoring database, policies and settings. |
Reporting engine configuration information | Reporting engine directory on the SA server | Rules, reports definitions, charts |
Operating system configuration | Files under /etc/ | Network, NICs, hosts, NTP, Kerberos, partition, NS configuration. |
SA runtime information | RabbitMQ server on the SA server | System stats. |
The following table describes the minimum set of components to back up for every appliance type.
Appliance | Component | Required to backup |
---|---|---|
SA Server | Puppet master/agent | Required |
SA Server | OS configuration files | Required |
SA Server | RabbitMQ server | Required |
SA Server | MongoDB database | Required |
SA Server | SA server (Jetty) | Required |
SA Server | Reporting Engine | Required |
SA Server | PostgreSQL database | Not in use |
SA Server | Incident Management server configuration | Optional |
SA Server | Core Service configuration information (Broker) | Required |
SA Server | System Management Server | Required |
SA Server | Malware Analysis | Optional |
SA Server | Customised and extra files | Optional |
Core SA services (Log Hybrid, Log Decoder, Concentrator, Broker, Warehouse Connector) | Puppet agent | Required |
Core SA services (Log Hybrid, Log Decoder, Concentrator, Broker, Warehouse Connector) | OS configuration files | Required |
Core SA services (Log Hybrid, Log Decoder, Concentrator, Broker, Warehouse Connector) | Warehouse Connector database | Not required |
Core SA services (Log Hybrid, Log Decoder, Concentrator, Broker, Warehouse Connector) | RabbitMQ server | Not required |
Core SA services (Log Hybrid, Log Decoder, Concentrator, Broker, Warehouse Connector) | Log Collector database | Not required |
Core SA services (Log Hybrid, Log Decoder, Concentrator, Broker, Warehouse Connector) | Core Appliance Services | Required |
Event Stream Analysis | Puppet agent | Required |
Event Stream Analysis | OS configuration files | Required |
Event Stream Analysis | RabbitMQ server | Not required |
Event Stream Analysis | MongoDB database | Not required |
Event Stream Analysis | PostgreSQL database | Not in use |
Event Stream Analysis | Event Stream Analysis configuration | Required |
Event Stream Analysis | Core Appliance Services | Not required |
Remote Virtual Log Collector | Puppet agent | Required |
Remote Virtual Log Collector | OS configuration files | Required |
Remote Virtual Log Collector | RabbitMQ server | Not required |
Remote Virtual Log Collector | Log Collector database | Not required |
Remote Virtual Log Collector | Core Appliance Services | Required |
The component details are listed in the table below:
Component | Description | File / Directory to backup | Exclusion list | Services restarted |
---|---|---|---|---|
OS configuration files | | /etc/sysconfig/network-scripts/ifcfg-*[0-9] (HWADDR is disabled)<br>/etc/sysconfig/network<br>/etc/hosts<br>/etc/resolv.conf<br>/etc/ntp.conf<br>/etc/fstab (renamed to fstab.{hostname} to prevent overwriting the original fstab on restore)<br>/etc/krb5.conf | None | |
Puppet master/agent | Puppet infrastructure configuration and data files. Puppet master on the SA server. Puppet agent on every SA host. | /var/lib/puppet<br>/var/lib/puppet/node_id<br>/etc/puppet | /var/lib/puppet/lib<br>/var/lib/puppet/bucket<br>/var/lib/puppet/reports | puppetmaster<br>puppet<br>collectd<br>mcollective |
Malware Analysis | Configuration files and DB. | /var/lib/netwitness/rsamalware | jetty/javadoc<br>jetty/lib<br>jetty/logs<br>jetty/webapps<br>jetty/bin<br>lib<br>spectrum/yara<br>spectrum/logs<br>spectrum/cache<br>spectrum/temp<br>spectrum/lib<br>spectrum/repository<br>spectrum/infectedZipWatch<br>spectrum/index<br>saw | rsaMalwareDevice |
RabbitMQ server | Configuration (managed by puppet) and database files. | /var/lib/rabbitmq | | rabbitmq-server |
MongoDB | Entire dump of the MongoDB instance of SA. MongoDB on the ESA is not required, as it contains the ESA alerts and the SA Incident Management database. | This includes the following DBs:<br>asg – Host and services repository<br>esm – Event Source monitoring<br>sms – System Management Server<br>les – Licenses stats<br>puppet – Puppet nodes repository<br>sa – Entitlements, ESA inventory, ESA rules library, Enrichment sources, Meta types, Output actions, Output templates, etc. | | tokuumx (on ESA) |
Security Analytics server | SA server and Jetty server configuration files: Platform H2 DB, Jetty keystore, configuration files. | /var/lib/netwitness/uax<br>/opt/rsa/jetty9/etc/keystore<br>/opt/rsa/jetty9/etc/jetty-ssl.xml<br>/opt/rsa/carlos/keystore | /var/lib/netwitness/uax/temp<br>/var/lib/netwitness/uax/trustedStorage<br>/var/lib/netwitness/uax/cache<br>/var/lib/netwitness/uax/yum<br>/var/lib/netwitness/uax/logs/*_index<br>/var/lib/netwitness/uax/content<br>/var/lib/netwitness/uax/lib<br>/var/lib/netwitness/uax/scheduler | jettysrv |
Reporting Engine | Configuration files | /home/rsasoc/rsa/soc/reporting-engine | formattedReports<br>resultstore<br>livecharts<br>statusdb<br>subreports<br>temp/*<br>logs | rsasoc_re |
Incident Management | Configuration files | /opt/rsa/im | log<br>lib<br>bin<br>scripts<br>db | rsa-im |
Core Appliance Services | Configuration files | /etc/netwitness/ng | Geo*.dat<br>envision/etc/devices<br>logcollection/content<br>feeds | none |
System Management Server | Configuration files | /opt/rsa/sms | log<br>lib<br>bin<br>scripts | rsa-sms |
Warehouse Connector | Warehouse connector stats database and temporary avro files | /var/netwitness/warehouseconnector | core.* | nwwarehouseconnector |
Log Collector | Log Collector stats database | /var/netwitness/logcollector | core.* | nwlogcollector |
Event Stream Analysis | Configuration files | /opt/rsa/esa/ | log<br>lib<br>bin<br>geoip<br>db<br>temp/*<br>client | rsa-esa |
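As an added example, not code from the SA_BACKUP wiki, the POSIX shell functions below stage the OS configuration files row (HWADDR disabled, fstab renamed to fstab.{hostname}) and any component row with its exclusion list; the root, staging-directory and hostname arguments are assumed inputs so the functions can be run against a constructed directory tree rather than a live SA host.

```shell
#!/bin/sh
# Added example, not code from the SA_BACKUP wiki: stage backup data following the
# "File / Directory to backup" and "Exclusion list" columns. The root, staging
# directory and hostname arguments are assumed inputs so the functions can be run
# against a constructed directory tree instead of a live SA host.

# OS configuration files row: copy the listed files, disabling HWADDR in the
# ifcfg-* files and renaming fstab to fstab.<hostname> as the table requires.
backup_os_config() {
  root=$1; stage=$2; host=$3
  umask 077   # other rows stage keystores and the platform DB: keep the staging area private
  mkdir -p "$stage/etc/sysconfig/network-scripts"
  for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*[0-9]; do
    [ -f "$f" ] || continue
    # comment out HWADDR so the restored interface config is not tied to the old NIC
    sed 's/^HWADDR=/#HWADDR=/' "$f" > "$stage/etc/sysconfig/network-scripts/${f##*/}"
  done
  for f in etc/sysconfig/network etc/hosts etc/resolv.conf etc/ntp.conf etc/krb5.conf; do
    if [ -f "$root/$f" ]; then cp -p "$root/$f" "$stage/$f"; fi
  done
  # a host-specific name keeps a restore from overwriting the target's own fstab
  if [ -f "$root/etc/fstab" ]; then cp -p "$root/etc/fstab" "$stage/etc/fstab.$host"; fi
  return 0
}

# Any component row: copy the backup directory into the staging area, then remove
# the exclusion-list entries (paths relative to that directory, globs allowed).
backup_component() {
  dir=$1; stage=$2; excl=$3
  mkdir -p "$stage" && cp -pR "$dir/." "$stage/"
  ( cd "$stage" || exit 1
    set -f                 # split the list without globbing against the caller's cwd
    for e in $excl; do
      # refuse entries that could reach outside the staging directory
      case $e in /*|*..*) echo "skipping exclusion outside stage: $e" >&2; continue;; esac
      set +f; rm -rf -- $e; set -f   # glob expands inside the stage only
    done )
}

# Security Analytics server row, exclusions written relative to /var/lib/netwitness/uax
# (paths as given in the table; the staging location is an assumption):
# backup_component /var/lib/netwitness/uax /backup/stage/uax \
#   "temp trustedStorage cache yum logs/*_index content lib scheduler"
```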