sa_backup is a tool that backs up the configuration of all Security Analytics components present on the appliance. Tested with versions 10.3, 10.4, 10.5.
NOTE: This solution has not been qualified by RSA.
Pushed a new release that fixes a bug: MongoDB was not identified.
New releases 1.0.7 - 1.0.9! New features:
- Command line options,
- Configuration file to enable/disable backup of components,
- Custom user files backup,
- Test mode,
- TAR progress indication,
- One component backup option. See the change log for more details.
Attached and also available on the GitHub: https://github.com/Jazzmax/rsa_sa_backup
The direct GitHub link to the script: https://raw.githubusercontent.com/Jazzmax/rsa_sa_backup/master/sa_backup.sh so it can be fetched with wget.
This has been tested when restoring on the same appliance and a fresh/re-imaged appliance (RMA-like scenario).
The tool does NOT do:
- Remote backup - on its way
- Backup of the SA data (nw*db files).
- Backup of a license server (fneserver).
Restoring is still manual. You need to extract all tar.gz files using:
tar -C / -xvphzf backup.tar.gz
To restore MongoDB extract the mongo dump directory and run:
mongorestore -v --drop mongodb-dump.2015-06-07-22-40
Note: on an ESA appliance, to be able to restore the entire db dump you need to temporarily disable authentication in /etc/tokumx.conf and restart the service:
sed -i "s/\(auth *= *\).*/\1false/" /etc/tokumx.conf
service tokumx restart
After the restore has been done, enable authentication again and restart the service:
sed -i "s/\(auth *= *\).*/\1true/" /etc/tokumx.conf
service tokumx restart
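As an added example that is not part of sa_backup or the original post: a small POSIX shell helper that performs the auth toggle from the note above against a tokumx.conf-style file you name (here a constructed sample, not a real appliance file), keeps a .bak copy, and verifies the resulting value before you go on to restart the service. The regex is the note's, anchored to the start of the line, and the file is rewritten through a temporary copy instead of sed -i.

```shell
#!/bin/sh
# Added example, not part of sa_backup: toggle the "auth" setting in a
# tokumx.conf-style "key = value" file and verify the change.

# get_tokumx_auth FILE -> prints the current value of the first "auth = ..." line
get_tokumx_auth() {
    sed -n 's/^auth *= *\(.*\)$/\1/p' "$1" | head -n 1
}

# set_tokumx_auth FILE true|false
# Rewrites the existing "auth = ..." line (same regex as the restore note,
# anchored to the line start) and returns non-zero unless the file now
# carries exactly the requested value.
set_tokumx_auth() {
    file="$1"
    value="$2"
    case "$value" in
        true|false) ;;
        *) echo "set_tokumx_auth: value must be true or false" >&2; return 2 ;;
    esac
    # The restore note assumes the option is present; refuse to edit otherwise.
    grep -q '^auth *= *' "$file" || { echo "no auth line in $file" >&2; return 3; }
    cp -p "$file" "$file.bak"                 # keep a copy before rewriting
    tmp="$file.tmp.$$"
    sed "s/\(^auth *= *\).*/\1$value/" "$file" > "$tmp" && mv "$tmp" "$file"
    [ "$(get_tokumx_auth "$file")" = "$value" ]
}

# Constructed sample config for demonstration; prints the temp file's path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed tokumx.conf sample (not a real appliance file)
dbpath = /var/lib/tokumx
logpath = /var/log/tokumx/tokumx.log
auth = true
keyFile = /etc/tokumx.key
EOF
    echo "$f"
}
```

On a real appliance you would pass /etc/tokumx.conf and follow each successful call with the `service tokumx restart` from the note.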
In conjunction with this backup tool I am working on a restore tool. Any feedback or contribution will be greatly appreciated.
Features
- The following components are backed up:
- OS configuration files:
- /etc/sysconfig/network-scripts/ifcfg-*[0-9] - HWADDR is disabled
- /etc/sysconfig/network
- /etc/hosts
- /etc/resolv.conf
- /etc/ntp.conf
- /etc/fstab - renamed to fstab.{hostname} to prevent overwriting the original fstab
- /etc/krb5.conf
- Puppet configuration (puppetmaster, puppet client, ssl files, node_id, puppet.conf, csr_attributes.yaml, mcollective configuration)
- Core Appliance Services configuration (/etc/netwitness/ng)
- SA server configuration (/var/lib/netwitness/uax, jetty keystore, jetty-ssl.xml)
- Reporting Engine (configuration only or full backup (optional))
- RabbitMQ server (mnesia database, configuration files for 10.3)
- MongoDB (entire dump of the mongodb instance of SA or ESA servers)
- PostgreSQL database (10.3)
- Malware Analysis
- ESA server
- System Management Service (SMS)
- Incident Management (IM)
- Log Collector (configuration and statDB)
- Warehouse Connector
- Preserves the initial service status (start/stop)
- Logs errors to syslog
- Will not start backup if the script is already running
- Removes archives older than "n" days.
- Logs the progress to a file
- Rotates log file
- Command line arguments - see the usage information.
- Inline or file configuration to enable/disable backup of components
- Option to backup custom user files
- Test mode
Usage
This script must be run as the "root" user. Edit the initialization section in the script before running it, or use a configuration file.
./sa_backup.sh [OPTION...]
Please modify the configuration section in the script or use an external configuration file.
Examples:
sa_backup --config=backup.conf --verbose
sa_backup --backuponly=core
Main operation mode:
-c, --config=CONFIG_FILE Use configuration file
-b, --backuponly=COMPONENTS Backup only specified components:
core - Core services
sys - OS configuration
puppet - puppet master/agent configuration
rabbitmq - rabbitmq configuration
mongo - MongoDB/tokumx dump
jetty - SA application server settings
re - Reporting Engine
malware - Malware Analysis configuration
esa - Event Stream Analysis configuration
im - Incident Management configuration
sms - System Management System
lc - Log collector
whc - Warehouse connector
pgqsl - PostgreSQL database
-t, --test Test mode; no backup performed
-v, --verbose tar verbose switch
-?, -h, --help Give this help list
Version history
Changelog version 1.0.8:
- * Fixed a typo in the ESA backup configuration
Changelog version 1.0.7:
- + Added command line arguments
- + Added a configuration file to enable/disable backup of components
- + Added a new option to backup custom user files
- + Added a test mode
- * Fixed: Cleanup removing non-backup folders
- * Exclude core files from the Warehouse connector backup
- + Added a tar progress indication
- * Improved reporting engine exclusion list
- * Code refactoring around components detection
- + Added option to backup only one component - see the usage
Changelog version 1.0.6:
- * Optimized the core services backup. Saving files without stopping services.
- * SA server backup consolidated into a single file including: uax, jetty and carlos keystores .
- * Fixed RSA SMS backup - added db directory.
- * Changes around puppetmaster backup. Fuller backup.
- * Disabled a single tar creation as redundant.
Changelog version 1.0.5:
- * Bug fixes: mcollective backup; single tar creation and cleanup.
Changelog version 1.0.4:
- + Added RSA SMS backup
- * Fixed puppetmaster backup (added entire /etc/puppet)
- + tarball all archives in a single file
- + Added mcollective backup
- * Now taking ifcfg-*[0-9] instead of ifcfg-eth*
- + Disabling HWADDR parameter in network configuration scripts before archiving
- * Added support for 10.5
Changelog version 1.0.3:
Changelog version 1.0.2:
- * Fixed removing old archives
- + SA version check (based on Joshua Newton code)
- + Improved user/log output. Added list of components to be backed up
- + Improved RabbitMQ configuration backup
- + Added support of 10.3
- + Added PostgreSQL backup for 10.3
Changelog version 1.0.1:
- + Code refactoring around service start/stop
- * Bug fixes
Version 1.0.0 - Initial version