sa_backup - backup tool for Security Analytics 10.6

Document created by Maxim Siyazov on Mar 31, 2017Last modified by Maxim Siyazov on Mar 31, 2017
Version 2Show Document
  • View in full screen mode

Since I no longer have access to my previous post sa_backup-1.0.9 - backup tool for Security Analytics 10.3, 10.4, 10.5 and a built-in backup feature is still pending on RSA I would like to share an updated script.

 

sa_backup is a tool to take a backup of configurations and some data of all Security Analytics components available on the appliance.

Tested with versions 10.3, 10.4, 10.5, 10.6.

 

The script is attached and also available on the GitHub: https://github.com/Jazzmax/rsa_sa_backup

The direct GitHub link to the script:  https://raw.githubusercontent.com/Jazzmax/rsa_sa_backup/master/sa_backup.sh so can be grabbed using wget.  

Restore instructions are on the Github Wiki: Backup restore · Jazzmax/rsa_sa_backup Wiki · GitHub 

 

This has been tested when restoring on the same appliance and a fresh/re-imaged appliance (RMA-like scenario).

Features

  • The following components are backed up:

    • OS configuration files:
      • /etc/sysconfig/network-scripts/ifcfg-*[0-9] - HWADDR is disabled
      • /etc/sysconfig/network
      • /etc/hosts
      • /etc/resolv.conf
      • /etc/ntp.conf
      • /etc/fstab - renamed to fstab.{hostname} to prevent overwriting the original fstab on restore
      • /etc/krb5.conf
    • Puppet configuration (puppetmaster, puppet client, ssl files, node_id, puppet.conf, csr_attributes.yaml, mcollective configuration)
    • Core Appliance Services configuration (/etc/netwitness/ng)
    • SA server configuration (/var/lib/netwitness/uax, jetty keystore, jetty-ssl.xml)
    • Reporting Engine (configuration or full backup (optional))
    • RabbitMQ server (mnesia database, configuration for 10.3)
    • MongoDB (entire dump of the mongodb instance of SA and ESA servers)
    • PostgreSQL database (10.3)
    • Malware Analysis configuration
    • ESA server configuration
    • System Management Service (SMS) configuration
    • Incident Management (IM) configuration and DB
    • Log Collector (configuration and statDB)
    • Warehouse Connector
    • Custom user files
  • After taking a backup the tool restores the original service status (start/stop)

  • Logs the progress to a file

  • Logs fatal errors to syslog

  • Checks if the tool is already running

  • Removes archives older than "n" days.

  • Rotates log file

  • Command line arguments - see the usage information.

  • Inline or file configuration to enable/disable backup of components

  • Option to backup custom user files

  • Test mode

  • Remote backup to NFS

 

The tool does NOT do:

- Backup of packets, meta, sessions or index data.
- Backup of a license server (fneserver).

 

Usage

Usage: ./sa_backup.sh [OPTION...]

Please modify the configuration section in the script or use an external configuration file.

Examples:
  sa_backup --config=backup.conf --verbose

  sa_backup --backuponly=CORE

Main operation mode:

-c, --config=CONFIG_FILE      Use configuration file
-b, --backuponly=COMPONENTS   Backup only specified components:
                                  CORE - Core services
                                  SYS - OS configuration
                                  PUPPET - puppet master/agent configuration
                                  RABBITMQ - rabbitmq configuration
                                  MONGO - MongoDB/tokumx dump
                                  JETTY - SA application server settings
                                  RE - Reporting Engine
                                  MALWARE - Malware Analysis configuration
                                  ESA - Event Stream Analysis configuration
                                  IM - Incidint Management configuration
                                  IMDB - Incidint Management DB
                                  SMS - System Management System
                                  LC - Log collector
                                  WHC - Warehouse connector
                                  PGQSL - PostgreSQL database
-t, --test                    Test mode; no backup performed
-v, --verbose                 tar verbose switch
-?, -h, --help                Give this help list

Edit the configuration section in the script before running it.

BACKUP_TYPE=local                             # local | nfs 
BACKUPPATH=/root/sabackups              # Local backup directory
LOG=sa_backup.log                       # The backup log file
LOG_MAX_DIM=10000000                    # Max size of log file in bytes - 10MB
RETENTION_DAYS=0                            # Local backups retention in days (0 - no cleanup)
                        
# System files
SYS_ENABLED=true

# SA server / Jetty server
SASERVER_ENABLED=true

# Reporting engine
RE_ENABLED=true
RE_FULLBACKUP=1                         # 0 - backup only RE configuration;
                                        # 1 - full RE backup
# Puppet
PUPPET_ENABLED=true

# RabbitMQ server
RABBITMQ_ENABLED=true

# Core Appliance Services
CORE_ENABLED=true

# MongoDB
MONGODB_ENABLED=true

# Malware Analysis
MALWARE_ENABLED=true

# ESA
ESA_ENABLED=true

# Incident Management
IM_ENABLED=true

# Incident Management database
IMDB_ENABLED=true
IM_MONGO_PASS="im"                      # Password for the MongoDB IM database .
                                        # Host, db name, and db user will be read from SA IM configuration file

 

 

This script must be run as "root" user.

 

Restoring is manual.

You need to extract all tar.gz files using:

tar -C / -xvphzf backup.tar.gz

To restore MongoDB extract the mongo dump directory and run:

mongorestore -v --drop mongodb-dump.2015-06-07-22-40

Note: on ESA appliance to be able to restore the entire db dump you would need to temporarily disable the authentication in /etc/tokumx.conf:

sed -i "s/\(auth *= *\).*/\1false/" /etc/tokumx.conf
service tokumx restart

After the restore has been done enable the authentication back:

sed -i "s/\(auth *= *\).*/\1true/" /etc/tokumx.conf
service tokumx restart

 

in version 1.0.15 

+ Added Incident Management remote database backup
* Fixed --backuponly option, other minor fixes
* Let SA 10.6 backup
* check_SAVersion checks the sarelease file first

 

This document was generated from the following discussion: sa_backup - backup tool for Security Analytics 10.6

Attachments

Outcomes