
Deployment Guide for 12.5.1.3 Security Patch

Last Updated January 8, 2025.

The NetWitness® Platform 12.5.1.3 Security Patch is not like other NetWitness® Platform deployments as it does not use the NetWitness UI to apply the update. Instead, the user will need to follow the below instructions to properly deploy and apply the update. Please review all the instructions at least once before starting the process. If there are any questions, stop, and reach out to NetWitness Customer Support.

Important: The NetWitness® Platform must already be on version 12.5.1.3 before applying this Security Patch. Do Not apply this patch update to systems that are not on 12.5.1.3.

Overview

The security patch utilizes a patcher script, a component descriptor mapping json file, and a specific set of provided RPMs. The following instructions will walk through the process of where to place the provided RPMs, and the syntax needed to use the patcher script.

Pre-requisites

The following items need to be done first before proceeding with the actual Security Patch update. If your organization requires change windows, it is important to plan enough time to allow for all pre-requisite items to be accomplished based on the size of the NetWitness environment. This may require multiple change windows to allow for any issues discovered during this phase to be addressed before proceeding. Do Not skip any of these items as it could greatly affect the success or potential rollback of the NetWitness® environment.

  • Use the NetWitness Recovery Tool (NRT) to back up the existing configuration before applying the security patch. This should be done for the Admin Server (Node-0) and all other NetWitness servers (Node-X). See the Recover Tool User Guide for 12.5.1 for instructions on how to run the tool.

  • Ensure that the Pre-Check Tool (Upgrade Checklist, Network Checklist, and Certificate Checklist) has been executed prior to running the security patch update. For assistance running this script, please see the Upgrade Guide for 12.5.1.0, under the Run Pre-Upgrade Checks section.

  • If any part of the NetWitness® Platform is running on a virtual machine, stop the NetWitness services and take a full snapshot. Instructions for this are outside of the scope of this document. Please see your virtual machine provider for instructions on taking snapshots.

  • It is important that the NetWitness Admin server is not having any resource issues before proceeding, just like when doing a normal upgrade. The reason for this is that the Admin server will be the focal point of the upgrade process. The Pre-Check Tool should alert on any potential issues.

  • If there are Log Collectors or Windows Legacy Collectors in the NetWitness® environment, it is important to set the recovery password on the Lockbox because of the kernel update in the patch. See the Upgrade Guide for 12.5, under the section Perform Post Upgrade Tasks - Setting Recover Password for Lockbox.

  • Ensure that Salt is currently running on the NetWitness Admin server by running the following command:
    salt "*" test.ping

Installation/Update Instructions

Important: If the NetWitness® environment contains a failover Admin server, first apply the security patch on the Admin(Primary) Server and all node-x systems associated with it. Then, apply the same patch on the Warm Standby server so that both setups run on the same version.

Updating Primary/Warm Standby Failover Admin Server (Node-0)

  1. Download the security_patch_12.5.1.3.zip from the NetWitness® Community.

  2. Run a sha256 checksum checker against the downloaded security_patch_updater.zip. Confirm that the provided checksum of the file matches the output. Any such checker can be used. Which one to use, and how to use it, falls outside of the scope of this document.

  3. Unzip the security_patch_12.5.1.3.zip on your desktop.

  4. Log into the NetWitness Admin server's (Node-0) SSH console, either using root or a non-privileged user that has proper sudo access.

  5. Upload the security_patch_updater folder to the Admin server. Select a folder on a partition that contains enough space for all the RPM files that are a part of the security_patch_updater folder. For this document, the /root folder will be used.

  6. Change into the security_patch_updater folder that is now on the NetWitness Admin server.
    cd /root/security_patch_updater
  7. Extract all the required RPMs from the packages.zip file.
    python3 security_patch_updater.py --mapping mappings.json --rpm-zip packages.zip
  8. Run the following command to clean up the update cached data.
    dnf clean all
  9. Refresh the NetWitness Admin server (Node-0) host. The  in the command is the actual IP address used by the Admin server for network connectivity. If the command fails, please run the command again. If there are still issues, stop and contact NetWitness Customer Support for assistance.
    nw-manage --refresh-host --host-key 
  10. Install all the latest updated operating system packages.
    dnf update -y
  11. Once all the updating has completed, reboot the admin server.

  12. Once the system has completely rebooted, log into the NetWitness UI and confirm that UI is accessible. If there are any UI access issues, open a case with NetWitness Customer Support before proceeding.

  13. Back up the newly created component-descriptor JSON file at /etc/netwitness/component-descriptor/descriptor/12.5.1.3/nw-component-descriptor.json to a safe location, should it be needed later.

Update the Remaining NetWitness® Platform Servers (Node-X)

Important: All of the following steps must be initiated from the Primary Admin Server (Node-0) even though the instructions are for updating the rest of the NetWitness® environment (Node-X) servers. The Admin server will act as a central upgrade hub for all other servers. It is important that the Pre-Checks have been completed to make sure that any communication issues have been resolved before starting the update. If the Pre-Checks were not completed, stop and run them per the Pre-requisite section above.

  1. Log into the Primary Admin server (Node-0) via SSH console.

  2. Determine the minion ID of the Admin server (Node-0).
    cat /etc/salt/minion
  3. Identify all the minion ids of all the other nodes in the environment (Node-X). Make sure to use the Admin server's minion id from the previous step to replace  in this command below.
    salt -C 'not  ' test.ping
  4. A list of minion ids should be output to the screen. If the previous command fails to list all the available servers within the environment, try restarting all the salt-minions, wait about 5 minutes, and try again. If there are still issues, stop and contact NetWitness Customer Support.
    salt -C 'not  ' cmd.run "service salt-minion restart"


With the list of minion ids for the entire NetWitness® environment now collected, repeat the following steps for each minion id by replacing the in each command with the collected minion id.


NOTE: Here is the ID of a particular Node – X.

  1. Clear the cached data on the designated NetWitness server (Node-X).
    salt ' ' cmd.run "dnf clean all"
  2. Refresh the NetWitness server (Node-X).
    nw-manage --refresh-host --host-key 
  3. Update all the operating system packages on the NetWitness server (Node-X).
    salt ' ' cmd.run "dnf update -y"
  4. Once the update is complete, reboot the NetWitness server (Node-X). An error will be produced from this command since salt will have shut down due to the reboot command.
    salt ' ' cmd.run "reboot"
    Returned Error Message (this is to be expected)
     : Minion did not return. [Not connected]
    ERROR: Minions returned with non-zero exit code
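The Node-X procedure above can be wrapped with two safety checks, shown here as an added example that is not part of the NetWitness guide or tooling: it keeps only the minions that answered test.ping and refuses any target that is not a literal minion ID before running the four per-node steps. The function names, the DRY_RUN switch, the allowed ID character set and Salt's default nested output format are assumptions of this example; the value passed to --host-key is supplied by the operator.

```shell
#!/bin/sh
# Added example, not NetWitness tooling. Defaults to a dry run that only
# prints each command; set DRY_RUN=0 on Node-0 to execute them.

# Salt's default target matcher is a glob, so accept only a literal ID:
# a stray '*' would send "reboot" to every minion at once.
# Assumption: minion IDs contain only letters, digits, '.', '_' and '-'.
valid_minion_id() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Read `salt ... test.ping` output (default nested format) on stdin and
# print only the IDs whose reply was True; silent minions are dropped.
responding_minions() {
    awk '/^[^ \t].*:$/ { id = substr($0, 1, length($0) - 1); next }
         $1 == "True" && id != "" { print id; id = "" }'
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Apply the four Node-X steps to one server, in the guide's order.
# $1 = minion ID, $2 = value for --host-key (operator-supplied).
patch_node() {
    valid_minion_id "$1" || { echo "refusing target '$1'" >&2; return 2; }
    run salt "$1" cmd.run "dnf clean all"         || return 1
    run nw-manage --refresh-host --host-key "$2"  || return 1
    run salt "$1" cmd.run "dnf update -y"         || return 1
    # The reboot stops salt-minion before it can answer, so the
    # "Minion did not return" error from this call is expected.
    run salt "$1" cmd.run "reboot" || true
}
```

Stopping at the first failed step matches the guide's instruction to stop and contact NetWitness Customer Support rather than continue on a partially updated node.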
         
        

Once all the NetWitness® servers have been updated in this manner, the Security Update is complete. If there are any issues or questions during the process, please reach out to NetWitness Customer Support for assistance.