
cookiecutinvt.py - Inventory Creation Wizard

Overview

From version 1.2.1 onwards, the Endpoint Agent solution provides a tool that creates a deployment topology from scratch by asking the user a series of questions.

The tool is based on a template that is shipped with the deployment package. Depending on the answers the user gives, it creates an inventory to be used with the deployment playbook. The tool is not mandatory; it is provided to help users with limited knowledge of YAML. Note that the inventory it writes contains every credential you enter during the wizard (SSH, MySQL, Redis, EA Manager administrator, agent repository), so treat the generated file as a secret.

How to use it

From Endpoint Agent 1.3.0 on, you must load the ansible-2.9 virtual environment before executing the tool:

source /opt/ansible-2.9/venv/bin/activate

Example syntax (from devo-ea-deployer folder):

python tools/cookiecutinvt.py -o inventories/<< output_inventory_name >>.yaml

Some images of Amazon Linux 2 come with python3 pre-installed. If python3 is installed, it should be uninstalled as described here.

Topology questions

The tool poses questions to the user and creates an inventory. Below is an example of the questions that are asked; the default value for each prompt is shown in square brackets and is used when you press Enter without typing an answer. Note that the questions differ depending on the type of topology that the user wants to create.

Do you want deploy in full HA? (Y/N) [N] → Answer “Y” if you want to deploy a full HA topology. A full HA topology relies on existing (external) MySQL and Redis services and on more than one EA Manager.

How many managers will be deployed? (1..) [1] → Number of managers to be included in the inventory. If you have selected a “Full HA” deployment, the minimum is two.

Manager: Host name in inventory [devo-ea-manager] → Name used for the EA Manager host(s) in the inventory.

Manager: SSH connection host/IP → Internal IP of the EA Manager server(s) for the SSH connection. It is also written to the agents' /etc/hosts file when the agents have no direct access to the EA Manager FQDN.

Manager: SSH connection user → User for the SSH connection.

Manager: SSH authentication with passwd? (Y/N) [Y] → Answer “Y” if the SSH connection will use a password, answer “N” if the SSH connection will use public key authentication.

Manager: SSH connection password → Password for the SSH connection. Only asked when password authentication was selected. The password is stored in the generated inventory, so restrict the file's permissions or encrypt it with ansible-vault before sharing or committing it.

Manager: Python interpreter [/usr/bin/python3] → Path of the Python interpreter Ansible should use on the host, depending on which Python version is installed there:

  • Python2: /usr/bin/python

  • Python3: /usr/bin/python3

Do you want to deploy No-HA internal services? ("No" implies MySQL and Redis are provided as external services) (Y/N) [Y] → Answer “Y” if you want the EA deployer to run MySQL and Redis as Docker containers (internal services). Answer “N” if MySQL and Redis are provided as external services.

Do you want to deploy internal services in the same host as the manager (yes) or in a separate host (no)? (Y/N) [Y] → Answer “Y” if you want to deploy the containers on the same server as the EA Manager (if there is more than one EA Manager, they are deployed on the first one). Answer “N” to deploy the containers on a different server.

Internal services: Host name in inventory [devo-int-services] → When deploying on a different server, the name used for that host in the inventory.

Internal services: SSH connection host/IP → Internal IP of the host for the SSH connection.

Internal services: SSH connection user → User for the SSH connection.

Internal services: SSH authentication with password? (Y/N) [Y] → Answer “Y” if the SSH connection will use a password, answer “N” if the SSH connection will use public key authentication.

Internal services: SSH connection password → Password for the SSH connection. As with the manager password, it is stored in the generated inventory.

MySQL address in host:port format. I.E: mysql.server:3306 [192.168.104.20:3306] → Address of the MySQL server. A default is suggested based on the previous answers.

MySQL database [devoea] → MySQL database name.

MySQL user [devoea] → MySQL user name.

MySQL passwd [insecure] → MySQL password. The default is a placeholder; set a real password even for an internal-services deployment.

Redis address in host:port format. I.E: redis.server:6379 [192.168.104.20:6379] → Address of the Redis server. A default is suggested based on the previous answers.

Redis database number (0..) [0] → Redis database number.

Do you want use password to authenticate with Redis (Y/N) [N] → Answer “Y” if the Redis server requires a password (Redis AUTH).

Redis password → Redis password. Only asked when the previous answer was “Y”.

EA Manager requires an FQDN to work correctly. Additionally, agents can connect to an IP if required. Do you want agents to connect via IP (yes) or FQDN (no)? (Y/N) [N] → Answer “Y” if you want agents to use an IP to connect to the EA Manager (for example, when the FQDN is not resolvable from the agents and an IP is needed to connect). If you do, the IP must also be present in the manager certificate as a Subject Alternative Name (see the certificate questions below).

EA Manager FQDN. [devo-ea-manager] → FQDN for the EA Manager. The endpoint agents will be configured to use this FQDN to reach EA Manager only if the answer to the previous question was “N”.

IP used by agents, without port → IP to be configured in the agents to reach EA Manager. This question is not asked if the agents connect via FQDN.

Port used by agents (1..65536) [8080] → Port to be configured in the agents to reach EA Manager. This question is not asked if the agents connect via FQDN.

Do you want to add devo-ea-manager fqdn associated to manager IP/Host (192.168.104.10) in etc/hosts file of the agents (Y/N) [Y] → Answer “Y” if you want the deployer to add an entry mapping the EA Manager FQDN to its IP in the /etc/hosts file of the endpoint agents. Answer “N” if the FQDN is resolvable through DNS and agents can reach it directly.

Do you want send data to Devo through relay "in-house"? (Y/N) [N] → Answer “Y” if you want to send data to Devo through a Devo In-House Relay. Answer “N” if you want to send data directly from the EA Manager to Devo.

Devo relay in-house address, host:port format [relay:13000] → If using a Devo In-House Relay, address of the relay in host:port format.

Devo relay address [us.elb.relay.logtrust.net:443] → If connecting directly to Devo, address of the Devo entrypoint for your region (for example eu.elb.relay.logtrust.net:443 for the EU).

Enable check events ingested during Devo certificates pre-check (Y/N) [N] → Answer “Y” if you want the EA deployer to send test events to your domain and verify that they were ingested before running the deployment.

API v2 token required to check events ingested during Devo certificates pre-check → Enter a valid token that can query the table siem.logtrust.collector.counter. For more information on how to generate an authentication token, read here.

API v2 URL used to check events ingested during Devo certificates pre-check [https://apiv2-us.devo.com/search/query] → Devo API URL used to query siem.logtrust.collector.counter with the token entered above. Use the endpoint of the region your domain belongs to. Read here for more information.

User name for the EA Manager administrator [admin] → User for EA Manager Web UI.

Email for the EA Manager administrator (used to login in to EA Manager) [no-reply@localhost.local] → Email to identify user for EA Manager Web UI and used for login.

Password for the EA Manager administrator [Th3Adm1n!] → Password for the EA Manager Web UI. The default is a well-known placeholder; replace it.

Organization to set in EA Manager [local] → Organization associated to current EA deployment. It will be displayed in the UI.

Agent repository username [dea-agent] → User for the Endpoint Agent repository.

Agent repository password [Th3Ag3nt!] → Password for the Endpoint Agent repository. As with the administrator password, do not keep the default.
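Because the wizard writes every answer into the inventory and offers fixed defaults for the MySQL, administrator and agent repository passwords, it is worth checking the generated file before handing it to the playbook. The following is an added example, not part of devo-ea-deployer: it walks the parsed inventory and reports any value that still equals one of the wizard's default secrets, plus any secret-looking key that holds a plaintext (non-vaulted) value. The key names in the constructed sample inventory are hypothetical (the real schema is not documented here), which is why the checks look at every key rather than at a fixed list.

```python
"""Check a cookiecutinvt.py-generated inventory for leftover default secrets.

Added example; not part of devo-ea-deployer. The inventory key names used in
the sample are hypothetical, so the scan walks every leaf instead of relying
on a fixed schema. Default secret values are the ones shown by the wizard.
"""
from typing import Any, Dict, Iterator, List, Tuple

# Default credential values offered by the wizard prompts.
WIZARD_DEFAULT_SECRETS = {
    "insecure",   # MySQL passwd [insecure]
    "Th3Adm1n!",  # Password for the EA Manager administrator
    "Th3Ag3nt!",  # Agent repository password
}

# Key-name fragments that indicate a secret (heuristic).
SECRET_KEY_HINTS = ("pass", "token", "secret")

# ansible-vault ciphertext always starts with this header.
VAULT_HEADER = "$ANSIBLE_VAULT"


def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_path, value) for every scalar leaf in nested dicts/lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, f"{path}[{idx}]")
    else:
        yield path, node


def find_default_secrets(inventory: Dict[str, Any]) -> List[str]:
    """Paths whose value is exactly one of the wizard's default secrets."""
    return sorted(
        path for path, value in _walk(inventory)
        if isinstance(value, str) and value in WIZARD_DEFAULT_SECRETS
    )


def find_plaintext_secrets(inventory: Dict[str, Any]) -> List[str]:
    """Paths of secret-looking keys whose value is a non-vaulted string."""
    hits = []
    for path, value in _walk(inventory):
        leaf = path.rsplit(".", 1)[-1].lower()
        if not any(hint in leaf for hint in SECRET_KEY_HINTS):
            continue
        if isinstance(value, str) and value and not value.startswith(VAULT_HEADER):
            hits.append(path)
    return sorted(hits)


def scan_file(path: str) -> Dict[str, List[str]]:
    """Load an inventory YAML (PyYAML ships with Ansible) and run both checks."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        inventory = yaml.safe_load(fh) or {}
    return {
        "defaults": find_default_secrets(inventory),
        "plaintext": find_plaintext_secrets(inventory),
    }


# Constructed sample with hypothetical key names; the ansible_* variables are
# standard Ansible connection variables, the rest mirror the wizard answers.
SAMPLE_INVENTORY = {
    "all": {
        "vars": {
            "mysql_user": "devoea",
            "mysql_passwd": "insecure",
            "ea_admin_user": "admin",
            "ea_admin_password": "S0me-Rotated-Value",
            "agent_repo_password": "Th3Ag3nt!",
            "devo_api_token": "$ANSIBLE_VAULT;1.1;AES256\n6162636465",
        },
        "children": {
            "managers": {
                "hosts": {
                    "devo-ea-manager": {
                        "ansible_host": "192.168.104.10",
                        "ansible_user": "deploy",
                        "ansible_ssh_pass": "hunter2",
                        "ansible_python_interpreter": "/usr/bin/python3",
                    }
                }
            }
        },
    }
}

if __name__ == "__main__":
    import sys
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else {
        "defaults": find_default_secrets(SAMPLE_INVENTORY),
        "plaintext": find_plaintext_secrets(SAMPLE_INVENTORY),
    }
    for kind, paths in target.items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run it as `python check_inventory.py inventories/<name>.yaml` after the wizard finishes; anything under "defaults" must be changed, and anything under "plaintext" is a candidate for `ansible-vault encrypt_string` or for encrypting the whole inventory with `ansible-vault encrypt`. Note that `yaml.safe_load` rejects inline `!vault` tags, so for inventories that already use them, run the check on the file before vaulting or load it with Ansible's own loader.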

Generate self-signed certificates (Y/N) [Y] → Answer “Y” if you want EA deployer to generate self-signed certificates that will be used to secure communication between the Endpoint Agent and the Endpoint Agent Manager. Answer “N” if you want to use your own certificates.

Do you want to add other Subject alternative names to generated certs? (Y/N) [N] → Answer “Y” if the certificate must be valid for more than one name (for example, when agents connect to the manager using its IP instead of the FQDN, the IP has to be included as a Subject Alternative Name).

New subject alternative name to add to certs, type "<N>" to stop adding more [<N>] → IP or FQDN to be included in the certificate generation. Type <N> to stop adding SANs.
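The SAN questions matter most when the agents connect via IP: a TLS client dialling 192.168.104.10 only accepts the certificate if that address appears as an IP-type SAN, so listing it as a DNS name does not help. The following is an added example, not part of devo-ea-deployer: it derives the SAN list the manager certificate needs from the relevant wizard answers, tagging each entry as `DNS:` or `IP:` in the syntax openssl expects in a `subjectAltName` extension line, and checks whether the address the agents will use is covered. The function names and parameter names are assumptions; the wizard does not expose such an API.

```python
"""Work out which subjectAltName entries the EA Manager certificate needs.

Added example; not part of devo-ea-deployer. Function and parameter names are
assumptions. The DNS:/IP: entry syntax is the standard openssl subjectAltName
format.
"""
import ipaddress
from typing import List, Optional


def san_entry(name: str) -> str:
    """Return 'IP:<addr>' for an IP literal, otherwise 'DNS:<name>'.

    TLS clients match an IP in the URL against IP SANs only, so an address
    written as DNS:192.168.104.10 would not satisfy agents that connect via IP.
    """
    name = name.strip()
    try:
        return f"IP:{ipaddress.ip_address(name)}"
    except ValueError:
        return f"DNS:{name}"


def required_sans(manager_fqdn: str, agents_use_ip: bool,
                  agent_ip: Optional[str], extra_sans: List[str]) -> List[str]:
    """Build the deduplicated SAN list from the wizard answers.

    manager_fqdn  -> "EA Manager FQDN." answer
    agents_use_ip -> "Do you want agents to connect via IP (yes) or FQDN (no)?"
    agent_ip      -> "IP used by agents, without port" (only when agents_use_ip)
    extra_sans    -> answers to "New subject alternative name to add to certs"
    """
    names = [manager_fqdn]
    if agents_use_ip:
        if not agent_ip:
            raise ValueError("agents connect via IP but no agent IP was given")
        names.append(agent_ip)
    names.extend(extra_sans)
    sans: List[str] = []
    for n in names:
        entry = san_entry(n)
        if entry not in sans:
            sans.append(entry)
    return sans


def openssl_subject_alt_name(sans: List[str]) -> str:
    """Format the list as a line for an openssl x509 extension config file."""
    return "subjectAltName = " + ", ".join(sans)


def certificate_covers(sans: List[str], connect_target: str) -> bool:
    """True if the host or IP the agents dial is present in the SAN list.

    Exact match only; wildcard DNS entries are not expanded here.
    """
    return san_entry(connect_target) in sans


if __name__ == "__main__":
    # Constructed answers: agents use the IP, plus the short host name as an extra SAN.
    sans = required_sans("devo-ea-manager.example.internal", True,
                         "192.168.104.10", ["devo-ea-manager"])
    print(openssl_subject_alt_name(sans))
    print("covers agent target:", certificate_covers(sans, "192.168.104.10"))
```

Run the check against the exact host or IP you gave in the agent connection questions; if `certificate_covers` is false, answer “Y” to the SAN question and add that value. When you bring your own certificates instead of letting the deployer generate them, the same rule applies to the SANs in the certificate you supply.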

Enable software inventory gathering (Y/N) [N] → Answer “Y” if you want the EA Manager to collect installed software and software vulnerabilities from the agent hosts.

FQDN used by software inventory scrapper when uploading this data to Devo. Address set must be accessible by managers [https://devo-ea-manager:8080] → HTTPS URL of the EA Manager that the software inventory scraper uses to read the software vulnerability data and upload it to Devo under the box.devo_ea.inventories.sw_vulnerabilities tag. The URL must be reachable from the EA Managers themselves. In most cases https://<<FQDN>>:8080 is the correct value, where <<FQDN>> is the value given for the EA Manager FQDN.

Do you want to enable one or more Devo packs? (Y/N) [Y] → Answer “Y” if you want to enable one or more query packs in the EA Manager by default. The wizard will ask you one by one for every pack included with the package. Answer “N” if you do not want to enable any default pack.