Administration Guide

Backup

SCOT supports on-demand and scheduled backups. The backup script is:

/opt/scot/bin/backup.pl

and will back up the SCOT’s mongo database and the ElasticSearch collections. The backup is a gzipped tar file and will be stored in /opt/scotbackup. Moving these backups to another system is left as an exercise to the admin. By default, the last 7 days of backups are kept in /opt/scotbackup and files older than 7 days are removed.

Manual Backup

I get it, you don’t trust some fancy script to back up. Here’s what is going on behind the scenes.

1. Back up the mongo database with the “mongodump” command.

   $ cd /directory/with/space $ mongodump –db scot-prod $ tar czvf /another/dir/scot-prod.tgz ./dump

2. Use unix tools to copy SCOT config in /opt/scot/etc

3. ElasticSearch backup is more involved:

   ##. if you have never backed up elastic, you will need to create

   a repo:

   | curl -XPUT localhost:9200/_snapshot/scot_backup -d '{
   |    "scot_backup": {
   |        "type": "fs",
   |        "settings: {
   |            "compress": "true",
   |            "location": "/opt/esback"
   |        }
   |    }
   | }'
   

   ##. if you have already backup up once before, remove any conflicting

   snapshot (or use different snapshot name):

   $ curl -XDELETE localhost:9200/_snapshot/scot_backub/snapshot_1
   

   ##. Create the Snapshot:

   $ curl -XPUT localhost:9200/_snapshot/scot_backup/snapshot_1
   

   ##. Check on status:

   $ curl -XGET localhost:9200/_snapshot/scot_backup/_all
   

   ##. When complete, use tar to back up /opt/esback:

   $ tar czvf /home/scot/esback.tgz /opt/esback
   

   ##. store scot-prod.tgz and esback.tgz in a safe place.

Restore

Extract the timestamped SCOT backup tar file:

tar xzvf scotback.201701211832.tgz

This will create a directory “./dump/scot-prod”. Restore the MongoDB with:

mongorestore --dropdatabase --db scot-prod ./dump/scot-prod

Manual Restore

1. Restore Mongo:

##. remove existing scot-prod database:

    $ mongo scot-prod < /opt/scot/etc/database/reset.js

##.  extract scot-prod.tgz::

    $ cd /home/scot
    $ tar xzvf /tmp/scot-prod.tgz
    $ cd dump
    $ mongorestore --db=scot-prod .

1. Restore configs by copying backup of /opt/scot/etc/ directory

2. Restore ElasticSearch

   ##. Close ElasticSearch indexes that are active.:

   $ curl -XPOST localhost:9200/scot/_close
   

   ##. Remove existing contents of /opt/esback:

   $ rm -rf /opt/esback/*
   

   ##. extract esback.tgz:

   $ cd /opt/esback
   $ tar xzvf /tmp/esback.tgz
   

   ##. Make sure that /etc/elasticsearch/elasticsearch.yml has the following:

   repo.path: [ '/opt/esback' ]
   (restart es if you have to make a change to the yml file
   

   ##. Create the “scot_backup” repo if it doesn’t exist (see above)

   ##. curl -XPOST localhost:9200/_snapshot/scot_backup/snapsot_1/_restore

3. Finally, restart scot.:

   # service scot restart
   

SSL Certs

The initial install of SCOT will use self-signed SSL Certs. Please update these certs as soon as possible.

GeoIP

SCOT use the MaxMind GEOIP2 libraries and databases for geo location. Please see the MaxMind website for details on how to update the database files.

Upgrading

Pull or Clone the latest from github (https://github.com/sandialabs/scot). CD into the downloaded directory, run:

./install.sh -s

You probably want to do this when your analysts are not very busy.

CRON Entries

If you are using /opt/scot/bin/alert.pl to import events you will need a crontab entry like:

*/5 * * * * /opt/scot/bin/alert.pl

To automate your backups:

0 3,12,20 * * * /opt/scot/bin/backup.pl

Daemons

A properly functioning SCOT has the following services running:

• ActiveMQ
• MongoDB
• Apache2
• Scot
• scfd (scot flairing daemon)
• scrfd (scot reflairing daemon)
• scepd (scot elastic push daemon)

Depending on the Linux version, these will have init style startup scripts or systemd style entries.

Logging

SCOT is a prolific logger. All logs are stored in /var/log/scot. It is highly recommended to set up logrotate to avoid filling you disk. Create a /etc/logrotate.d/scot like:

/var/log/scot.*.log {
    daily
    missingok
    rotate 5
    compress
    notifempty
    copytruncate
}
/var/log/error.*.log {
    daily
    missingok
    rotate 5
    compress
    notifempty
}

Manual Password Reset for Local Auth

Let’s say you forgot the admin password, what to do?

1. Run /opt/scot/bin/passwd.pl

   $ /opt/scot/bin/passwd.pl Enter New Admin Password : * Reenter Admin Password : * {X-PBKDF2}HMACSHA2+512:AAAnEA:2/oQYlnzjibzWoCs2aPv:KAZIhhNUgPBw4M7ZOVU1/2yT/P07FRe2bhacBw6J6ru4jwFRM9dMpxOARc9IfxrQs7ltxSn1ceW76dgJ4kL0Ng==

2. Enter mongodb shell and issue the following:

$ mongo scot-prod <enter> > db.user.update({username:”admin”},{$set:{hash:’{X-PBKDF2}HMACSHA2+512:AAAnEA:2/oQYlnzjibzWoCs2aPv:KAZIhhNUgPBw4M7ZOVU1/2yT/P07FRe2bhacBw6J6ru4jwFRM9dMpxOARc9IfxrQs7ltxSn1ceW76dgJ4kL0Ng==’}});

3. Now you (admin) will be able to log in via Local Auth using the password you entered.