
Overview

From version 1.2.1 onwards, the Endpoint Agent solution provides a tool to create a deployment topology from scratch by asking the user questions.

The tool is based on a template that is shipped with the deployment package. Depending on the answers that the user gives, it creates an inventory to be used with the deployment playbook. Using this tool is not mandatory, but it is provided as a way to help users with limited knowledge of YAML.

How to use it

From Endpoint Agent 1.3.0 on, you must load the ansible-2.9 virtual environment before executing the tool:

source /opt/ansible-2.9/venv/bin/activate

Example syntax (run from the devo-ea-deployer folder):

python tools/cookiecutinvt.py -o inventories/<< output_inventory_name >>.yaml

You can use python3 or python depending on the Python version installed on your system.

Note: Some images of Amazon Linux 2 come with python3 pre-installed. If python3 is installed, it should be uninstalled as described here.

Topology questions

The tool poses questions to the user and then creates an inventory. Below is an example of the questions that are asked. Note that the questions might differ depending on the type of topology that the user wants to create.

...

Manager: SSH connection host/IP → Internal IP of the EA Manager server(s) for the SSH connection. It is also used in the agents' /etc/hosts file when there is no direct access to the EA Manager FQDN.

Manager: SSH connection user → User for the SSH connection.

Manager: SSH authentication with passwd? (Y/N) [Y] → Answer “Y” if the SSH connection will use a password, answer “N” if the SSH connection will be made with a public key.

Manager: SSH connection password → Password for the SSH connection. Passwords entered in the wizard end up in the generated inventory, so protect that file accordingly (for example with ansible-vault).

Manager: Python interpreter [/usr/bin/python3] → Python interpreter, depending on the Python version installed on the host:

  • Python2: /usr/bin/python

  • Python3: /usr/bin/python3

Do you want to deploy No-HA internal services? ("No" implies MySQL and Redis are provided as external services) (Y/N) [Y] → Answer “Y” if you want the EA Manager to deploy Docker containers with the internal services (MySQL and Redis).

Do you want to deploy internal services in the same host as the manager (yes) or in a separate host (no)? (Y/N) [Y] → Answer “Y” to deploy the containers on the same server as the EA Manager (if there is more than one EA Manager, they are deployed on the first one). Answer “N” to deploy the containers on a different server.

...

Internal services: SSH connection host/IP → Internal IP of the host for the SSH connection.

Internal services: SSH connection user → User for the SSH connection.

Internal services: SSH authentication with password? (Y/N) [Y] → Answer “Y” if the SSH connection will use a password, answer “N” if the SSH connection will be made with a public key.

Internal services: SSH connection password → Password for the SSH connection.

MySQL address in host:port format. I.E: mysql.server:3306 [192.168.104.20:3306] → The connection string to the MySQL server. A default value is suggested based on the previous answers.

...

Do you want use password to authenticate with Redis (Y/N) [N] → Answer “Y” if you want to use a password when connecting to the Redis server.

Redis password → Redis password.

Public endpoint FQDN, do not use IP. If you need connect agents through IP, answer "Y" to the following question [devo-ea-manager] → FQDN for the EA Manager. The endpoint agents are configured to use this FQDN to connect to the EA Manager.

EA Manager requires an FQDN to work correctly. Additionally, agents can connect to an IP if required. Do you want agents to connect via IP (yes) or FQDN (no)? (Y/N) [N] → Answer “Y” if you want agents to use an IP to connect to the EA Manager (for example, when the FQDN is not reachable and the agents need to connect via a direct public IP).

EA Manager FQDN [devo-ea-manager] → FQDN for the EA Manager. The endpoint agents are configured to use this FQDN to reach the EA Manager only if the answer to the previous question was “N”.

IP used by agents, without port → IP to be configured in the agents to reach the EA Manager. This question is not asked if the agents connect via FQDN.

Port used by agents (1..65536) [8080] → Port to be configured in the agents to reach the EA Manager (valid TCP ports are 1..65535). This question is not asked if the agents connect via FQDN.

Do you want to add devo-ea-manager fqdn associated to manager IP/Host (192.168.104.10) in etc/hosts file of the agents (Y/N) [Y] → Answer “Y” if you want to modify the /etc/hosts file on the endpoint agents so they can reach the EA Manager. Answer “N” if you are using a public FQDN that the agents can resolve directly via DNS.

Do you want send data to Devo through relay "in-house"? (Y/N) [N] → Answer “Y” if you want to send data to Devo using a Devo In-House Relay. Answer “N” to send data directly from the EA Manager to Devo.

Devo relay in-house address, host:port format [relay:13000] → If using a Devo In-House Relay, address of the relay.

Devo relay address [collector-us.devo.io:443] → If connecting directly to Devo, address of the Devo entrypoint for your region (the default is the US endpoint; EU domains use the EU endpoint).

Enable check events ingested during Devo certificates pre-check (Y/N) [N] → Answer “Y” if you want the EA deployer to send test events to your domain and verify connectivity before running the deployment.

API v2 token required to check events ingested during Devo certificates pre-check → Enter a valid token to query data in the table siem.logtrust.collector.counter. For more information on how to generate an authentication token, read here.

API v2 URL used to check events ingested during Devo certificates pre-check [https://apiv2-us.devo.com/search/query] → Devo API URL used to query siem.logtrust.collector.counter with the token entered previously. Read here for more information.

User name for the EA Manager administrator [admin] → User for the EA Manager Web UI.

Email for the EA Manager administrator (used to log in to EA Manager) [no-reply@localhost.local] → Email that identifies the user in the EA Manager Web UI and is used to log in.

Password for the EA Manager administrator [Th3Adm1n!] → Password for the EA Manager Web UI. The bracketed value is only a placeholder default; replace it with a strong, unique password, since this is the administrator login for the manager.

Organization to set in EA Manager [local] → Organization associated with the current EA deployment. It is displayed in the UI.

Agent repository username [dea-agent] → User for Endpoint Agent repository.

...

Do you want to add other Subject alternative names to generated certs? (Y/N) [N] → Answer “Y” if you need the certificate to cover more than one subject name (for example, when the agents connect to the manager using the IP instead of the FQDN).

New subject alternative name to add to certs, type "<N>" to stop adding more [<N>] → IP or FQDN to be included in the certificate generation. Type <N> to stop adding SANs.
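The reason the SAN question exists is that a TLS client only accepts a certificate whose subjectAltName entries name the address it connected to: an agent pointed at the manager's IP is not satisfied by a certificate that only carries the FQDN. The following check, added here as an example and not part of the page or the deployer, takes a certificate in the shape returned by Python's ssl.getpeercert() and reports whether a given agent endpoint (FQDN or IP) is covered. The sample certificate dict is constructed inline; the CA file path and the helper names are assumptions for illustration.

```python
"""SAN coverage check for the address agents use to reach the manager (added example, not project code)."""
import ipaddress
import socket
import ssl
from typing import Any, Dict, Tuple

# Constructed sample shaped like ssl.SSLSocket.getpeercert(): DNS SANs only, no IP SAN.
SAMPLE_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "devo-ea-manager"),),),
    "subjectAltName": (("DNS", "devo-ea-manager"), ("DNS", "*.ea.corp.example")),
}


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive; a leading '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def endpoint_covered(cert: Dict[str, Any], endpoint: str) -> Tuple[bool, str]:
    """Returns (covered, reason). An IP endpoint only matches an 'IP Address' SAN, never a DNS SAN."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    if ip is not None:
        ip_sans = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ip_sans):
            return True, f"IP SAN {endpoint} present"
        return False, (f"{endpoint} is an IP but the certificate has IP SANs {ip_sans or 'none'}; "
                       "add it as a SAN or point the agents at the FQDN")
    dns_sans = [v for k, v in sans if k == "DNS"]
    if any(_dns_match(p, endpoint) for p in dns_sans):
        return True, f"DNS SAN matches {endpoint}"
    # The commonName is deliberately ignored: modern TLS clients only consult the SAN extension.
    return False, f"no DNS SAN matches {endpoint} (have {dns_sans})"


def fetch_peer_cert(host: str, port: int, cafile: str) -> Dict[str, Any]:
    """Fetches the certificate a deployed manager actually presents (needs network; not used in tests).

    check_hostname is disabled only so the name mismatch is reported by endpoint_covered() with a
    reason; the chain is still verified against `cafile` (an assumed path to the deployment's CA).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":  # usage: python san_check.py <host> <port> <ca.pem> <agent_endpoint>
    import sys
    live = fetch_peer_cert(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(endpoint_covered(live, sys.argv[4]))
```

Run it against a deployed manager with the exact value the agents were given (the IP from "IP used by agents" or the FQDN from "EA Manager FQDN"); a False result means the SAN list answered in the wizard did not include that value.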

Enable software inventory gathering (Y/N) [N] → Answer “Y” if you want the EA Manager to collect software and software vulnerability information from the EA agent hosts.

FQDN used by software inventory scrapper when uploading this data to Devo. Address set must be accessible by managers [https://devo-ea-manager:8080] → HTTPS URL of the EA Manager used to load software vulnerabilities and upload them to Devo under the box.devo_ea.inventories.sw_vulnerabilities tag. This URL must be accessible by the EA Managers. In most cases https://<<FQDN>>:8080 is the correct value, where <<FQDN>> is the value set in Public endpoint FQDN.

Do you want to enable one or more Devo packs? (Y/N) [Y] → Answer “Y” if you want to enable one or more query packs in the EA Manager by default. The wizard then asks about every pack included with the package, one by one. Answer “N” if you do not want to enable any default pack.
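To make the question flow above concrete, here is a small question-driven inventory builder written for this page as an illustration. It is not the project's tools/cookiecutinvt.py and the inventory it produces is not the deployer's real format: the group names (ea_managers, ea_internal_services), the variable names (ea_agent_endpoint, ea_cert_sans, ...) and the output layout are assumptions. What it does show is the shape of the wizard: defaults in brackets taken on an empty answer, Y/N questions re-asked until answered, validated host:port and port values, a SAN list terminated by "<N>", and two checks worth running on the answers before deploying (an agent endpoint the certificate will not name, and passwords landing in the inventory).

```python
"""Question-driven inventory builder, added here to illustrate the wizard flow described above.
It is NOT the project's tools/cookiecutinvt.py: the group names (ea_managers, ...), variable
names (ea_agent_endpoint, ...) and the output layout are assumed for illustration only."""
import json
import re
from typing import Any, Callable, Dict, List, Tuple

HOST_PORT_RE = re.compile(r"^[A-Za-z0-9.-]+:(\d{1,5})$")
STOP_SAN = "<N>"  # sentinel that ends the SAN list, as in the wizard
YES, NO = ("y", "yes"), ("n", "no")


def port_ok(s: str) -> bool:
    return 1 <= int(s) <= 65535  # 65536 is not a valid TCP port


class Wizard:
    """Asks through `ask` (an input()-like callable); an empty answer takes the default."""

    def __init__(self, ask: Callable[[str], str]) -> None:
        self.ask = ask

    def text(self, prompt: str, default: str = "") -> str:
        return self.ask(prompt + (f" [{default}] " if default else " ")).strip() or default

    def valid(self, prompt: str, default: str, ok: Callable[[str], bool]) -> str:
        while True:  # re-ask until the validator accepts the answer
            raw = self.text(prompt, default)
            if ok(raw):
                return raw

    def yes_no(self, prompt: str, default: bool) -> bool:
        raw = self.valid(f"{prompt} (Y/N)", "Y" if default else "N", lambda s: s.lower() in YES + NO)
        return raw.lower() in YES

    def host_port(self, prompt: str, default: str) -> str:
        return self.valid(prompt, default,
                          lambda s: (m := HOST_PORT_RE.match(s)) is not None and port_ok(m.group(1)))

    def port(self, prompt: str, default: int) -> int:
        return int(self.valid(prompt, str(default), lambda s: s.isdecimal() and port_ok(s)))

    def sans(self, prompt: str) -> List[str]:
        names: List[str] = []
        while (raw := self.text(prompt, STOP_SAN)) != STOP_SAN:
            names.append(raw)
        return names


def ssh_vars(w: Wizard, label: str, default_host: str) -> Dict[str, Any]:
    """The SSH block the wizard asks for the manager and, optionally, the internal-services host."""
    v: Dict[str, Any] = {"ansible_host": w.text(f"{label}: SSH connection host/IP", default_host),
                         "ansible_user": w.text(f"{label}: SSH connection user", "ec2-user")}
    if w.yes_no(f"{label}: SSH authentication with password?", True):
        v["ansible_password"] = w.text(f"{label}: SSH connection password")
    return v


def build_inventory(w: Wizard) -> Tuple[Dict[str, Any], List[str]]:
    """Walks the question flow; returns (inventory dict, warnings worth reading before deploying)."""
    warnings: List[str] = []
    manager = ssh_vars(w, "Manager", "192.168.104.10")
    manager["ansible_python_interpreter"] = w.text("Manager: Python interpreter", "/usr/bin/python3")
    children: Dict[str, Any] = {"ea_managers": {"hosts": {"manager-1": manager}}}
    g: Dict[str, Any] = {}  # group vars shared by the whole deployment (assumed names)
    services_host = manager["ansible_host"]
    if w.yes_no("Do you want to deploy No-HA internal services?", True):
        if w.yes_no("Deploy internal services in the same host as the manager?", True):
            children["ea_internal_services"] = {"hosts": {"manager-1": {}}}
        else:
            svc = ssh_vars(w, "Internal services", "192.168.104.20")
            services_host = svc["ansible_host"]
            children["ea_internal_services"] = {"hosts": {"services-1": svc}}
    g["ea_mysql_address"] = w.host_port("MySQL address in host:port format", f"{services_host}:3306")
    if w.yes_no("Do you want use password to authenticate with Redis", False):
        g["ea_redis_password"] = w.text("Redis password")
    g["ea_public_fqdn"] = w.text("Public endpoint FQDN, do not use IP", "devo-ea-manager")
    if w.yes_no("Do you want agents to connect via IP (yes) or FQDN (no)?", False):
        g["ea_agent_endpoint"] = w.text("IP used by agents, without port", manager["ansible_host"])
        g["ea_agent_port"] = w.port("Port used by agents (1..65535)", 8080)
    else:
        g["ea_agent_endpoint"] = w.text("EA Manager FQDN", g["ea_public_fqdn"])
    g["ea_agents_etc_hosts"] = w.yes_no(f"Add {g['ea_public_fqdn']} to /etc/hosts of the agents?", True)
    sans: List[str] = []
    if w.yes_no("Do you want to add other Subject alternative names to generated certs?", False):
        sans = w.sans('New subject alternative name to add to certs, type "<N>" to stop adding more')
        g["ea_cert_sans"] = sans
    # The check the SAN question exists for: agents pointed at a name the certificate will not carry.
    if g["ea_agent_endpoint"] not in (g["ea_public_fqdn"], *sans):
        warnings.append(f"agents connect to {g['ea_agent_endpoint']}, which is not in the certificate SANs")
    hosts = [h for grp in children.values() for h in grp["hosts"].values()]
    if "ea_redis_password" in g or any("ansible_password" in h for h in hosts):
        warnings.append("inventory holds plaintext passwords; encrypt it with ansible-vault before sharing")
    return {"all": {"vars": g, "children": children}}, warnings


if __name__ == "__main__":  # interactive use, like the real tool
    inventory, warns = build_inventory(Wizard(input))
    print(json.dumps(inventory, indent=2))  # JSON is valid YAML, so this can be saved as the inventory
    for msg in warns:
        print("WARNING:", msg)
```

The validators are the part to copy: a port of 65536 or a MySQL address without a port is refused at question time rather than surfacing as a failed playbook run. Whatever the real tool writes, the two warnings apply to its output as well: check that the address the agents use appears in the certificate SANs, and keep the generated inventory out of version control unless it is vault-encrypted.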