This section describes the steps for installing and initializing a new Carbon Black EDR server. Root-level permissions are required throughout the entire installation and configuration process. Use su or sudo to run the installation and initialization commands.
The steps in this section are for a new installation only. If you already have the Carbon Black EDR server installed, do not perform these steps. Instead, see Server Upgrades and New Sensor Versions.
Using the new installation procedure on an existing server can result in loss of all data, including the configuration and event data collected from sensors.
To install and initialize a new server:
-
Verify that the host machine on which to install Carbon Black EDR server meets the hardware and software requirements specified in the VMware Carbon Black EDR Operating Environment Requirements (OER) Guide.
-
Verify that the server has Internet connectivity as specified in Firewall and Connectivity Requirements.
-
Contact VMware Carbon Black Technical Support to procure an installation RPM for the Carbon Black EDR server.
-
Install the RPM:
-
Run the following command using the customer-specific RPM you received:
sudo rpm -ivh carbon-black-release-1.0.3-1-<customername>.x86_64.rpm
-
(Optional) Verify that the Carbon Black EDR [cb] Yum repository was configured correctly. You can run this command to see the contents of the new Yum repository entry for Carbon Black EDR:
cat /etc/yum.repos.d/CarbonBlack.repo
[root@cb-enterprise-testing ~]# cat /etc/yum.repos.d/CarbonBlack.repo
[CarbonBlack]
name=CarbonBlack
baseurl=https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/
gpgcheck=1
enabled=1
metadata_expire=60
sslverify=1
sslclientcert=/etc/cb/certs/carbonblack-alliance-client.crt
sslclientkey=/etc/cb/certs/carbonblack-alliance-client.key
(Optional) You should see the Carbon Black EDR SSL certificates and keys in the following directory:
/etc/cb/certs/
-
Install the Carbon Black EDR server:
-
Verify that the computer’s date and time settings are accurate. Incorrect date/time settings can cause failures in SSL negotiation.
-
For EL6 and EL7 servers, run the following command:
$ sudo yum install cb-enterprise
For EL8 servers, run the following commands:
$ sudo yum module disable postgresql redis python39
$ sudo yum install cb-enterprise
-
Install the CentOS GPG key if you are prompted to do so.
-
If your environment requires that outbound firewall exceptions be made, ensure that the exceptions documented in Firewall and Connectivity Requirements are followed. You must also update /etc/yum.repos.d/CentOS-Base.repo to enable the baseurl of http://mirror.centos.org.
Note: Yum supports the use of web proxies. However, VMware Carbon Black cannot use Yum with NTLM-authenticated web proxies.
-
When the installation completes, initialize and configure the server.
-
Run the following command. If you plan to use the server-provided certificate to secure communications with sensors, no arguments are necessary:
sudo /usr/share/cb/cbinit
To substitute your own certificate, add the following arguments to the cbinit command, substituting the full path to a certificate file and a key file where shown:
--server-cert-file=<certpath> --server-cert-key=<keypath>
Important: See Substituting a Server Communication Certificate for certificate requirements.
-
Press [Return] to open the EULA. When you are done reviewing it, if you agree to the terms, type q and then type yes to continue.
-
Select a storage location for your data and press [Return].
Note: By default, the primary datastore is mapped to /var/cb/data. If you configured your storage differently, review your current file system mapping (df -h) with VMware Carbon Black Support or Professional Services. Incorrect or insufficient disk configurations prevent Carbon Black EDR from operating correctly.
-
Enter an initial Administrator account to log in and configure Carbon Black EDR. Enter values for Username, First Name, Last Name, E-Mail, Password, and Confirm password:
-
Press [Enter] and then validate the account information by typing y.
-
In the Sensor Communications section, define the address that the sensors will use to communicate to the Carbon Black EDR server:
Would you like to keep the default [Y/n]: n
Use SSL [Y/n]: Y
Hostname [192.168.117.141]: cbr.company.com
Port [443]: return
If the Verify Account Information looks correct, Y
Note: The IP address of the server is accessed via the default SSL port 443. A best practice is to use a DNS record that points to this IP address.
Work with VMware Carbon Black Support or Professional Services to make sure that you understand the external connectivity options supported by the Carbon Black EDR server.
-
Review all prompts and configure sharing settings in accordance with your company’s security policies. The recommended settings are provided here. You can change these settings at any time by accessing the Carbon Black EDR console and clicking Username > Sharing Settings.
-
Do you want to enable communication with the Carbon Black Alliance? – Y
This enables the program to be supplemented with updated threat intelligence from VMware Carbon Black Threat Intel and the extended network of VMware Carbon Black Threat Intel partners.
-
Do you want your server to submit statistics and feedback information to Carbon Black? – Y
This enables the server to submit health statistics back to Carbon Black EDR. These are used by VMware Carbon Black Support and Professional Services to determine how the allocated server is performing.
-
Do you want the default sensor group to submit hashes to Carbon Black Alliance? – N
See the “Threat Intelligence Feeds” chapter in the VMware Carbon Black EDR User Guide for more information on sharing hashes with Carbon Black EDR.
-
Continue with current sharing settings? – Y
-
The SSL Certificates section is automated and requires no user input. If you used arguments pointing to valid certificate and key files when you ran cbinit, the certificate from your organization is substituted for the default certificate created by the server. See Substituting a Server Communication Certificate and the VMware Carbon Black EDR User Guide for more information.
Run the following script to create an encrypted backup of your certificates. The exact certificates are critical to disaster recovery efforts.
/usr/share/cb/cbssl backup --out <backup_file_name>
-
In the IP Tables section, answer Y. This opens port 443 in the server’s IP tables.
-
The POSTGRESQL Database Setup section is automated and requires no user input.
-
In the Setup Complete section, enter Y to start the services.
Note: To confirm that sensor-to-server communications are functioning properly:
-
Open Google Chrome and launch the server:
https://<your_cber_server_url>
-
Download a sensor and install it on an endpoint.
For more information on installing and managing sensors, see the “Manage Sensors” chapter in the VMware Carbon Black EDR User Guide.
-
Configure the firewall if you have not already done so. There are many ways to configure a firewall. The following is an example for CentOS 6.
-
Open port 443 if you did not allow the cbinit script to manage iptables for you.
[jdoe@localhost yum.repos.d]$ sudo vim /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# New additions to the IPTABLES for carbon black
# (placed before the REJECT rules, which would otherwise match first)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
-
(Optional) Open port 80 to allow use of the web interface and sensor communications through an unsecured channel. This is not required and is recommended only for exploration or troubleshooting. Connections to the web interface through port 80 are redirected to port 443.
-
Log into the Carbon Black EDR server web console at https://<your server address>/ and use the username and password that you set up in the cbinit script.
Note: Google Chrome is the only supported browser for this release.
After you have installed, configured, and initialized the Carbon Black EDR server, it should be accessible through the web interface on port 443 with a self-signed certificate. If you attempt to access the web interface through HTTP on port 80, the connection is redirected to port 443.
The next step is to download and install one or more sensors to begin collecting data. Sensor installation is described in the “Manage Sensors” chapter in the VMware Carbon Black EDR User Guide.
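
The manual firewall step depends on rule order: iptables applies the first matching rule, so an ACCEPT for port 443 has no effect if it sits after a catch-all REJECT in the INPUT chain. The script below is an added example, not part of the VMware Carbon Black documentation; the function names and the sample rulesets are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: confirm that an iptables-save style ruleset accepts a TCP
# port in the INPUT chain *before* any catch-all REJECT/DROP rule.

# port_open_before_reject FILE PORT   (FILE may be "-" for stdin)
# Prints a verdict and returns 0 if the ACCEPT rule is reachable, 1 if not.
port_open_before_reject() {
  awk -v port="$2" '
    /^-A INPUT / {
      n++
      # Catch-all rule: no match options, e.g. "-A INPUT -j REJECT ..."
      if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP") && !blocker) { blocker = n }
      # First ACCEPT rule for the requested TCP destination port
      if ($0 ~ /-p tcp/ && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/ && !accept) { accept = n }
    }
    END {
      if (!accept) { print "FAIL: no ACCEPT rule for tcp/" port; exit 1 }
      if (blocker && blocker < accept) {
        print "FAIL: ACCEPT for tcp/" port " is rule " accept ", after catch-all rule " blocker
        exit 1
      }
      print "OK: tcp/" port " accepted at rule " accept
    }' "$1"
}

# Constructed sample rulesets (not from a real host).
# $1 = before|after: where the 443 rule sits relative to the REJECT rule.
sample_rules() {
  local accept='-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT'
  local reject='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT'
  if [ "$1" = before ]; then echo "$accept"; echo "$reject"
  else echo "$reject"; echo "$accept"; fi
  echo 'COMMIT'
}

# Demonstration on the constructed rulesets.
sample_rules after  | port_open_before_reject - 443 || true
sample_rules before | port_open_before_reject - 443
# On a server, as root: port_open_before_reject /etc/sysconfig/iptables 443
```

The check covers only plain --dport rules in the INPUT chain; multiport matches, port ranges, and rules in custom chains are outside what it inspects.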