EDR: How to Update EDR in an Air-Gapped Environment

Environment

  • EDR Server: 7.x.0 and higher

Objective

Update EDR Server(s) in an air-gapped environment. There are two sets of software to update: the CarbonBlack packages (cb-enterprise itself) and, optionally, the CbOpenSource packages (Event Forwarder, Yara Connector/Manager and many other connectors).
  • For an air-gap EDR install (rather than an update), refer to the 'Related Content' links.

Resolution

The update packages are pulled and cached on an Internet-facing EDR server, bundled into tarballs whose sha256 hashes are recorded, carried to the air-gapped EDR server(s), hash-checked, and then installed by yum from a local file:// repository.

1.  Confirm the alliance certificates are present on both the Internet-facing and the air-gap EDR servers (the CarbonBlack repo definition uses them as client certificates when pulling updates):
ls /etc/cb/certs

2.  Confirm yum on the Internet-facing EDR server is configured to keep downloaded packages: keepcache=1 leaves the RPMs under cachedir after an install instead of deleting them, which is what makes the cache usable as a transfer bundle.
vi /etc/yum.conf
    Confirm the following variables are set:
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=1

3.  On the Internet-facing caching EDR server, pull the EDR updates.
a.  Confirm the proper tools are installed.
yum install yum-utils
yum install createrepo

b.  Pull the latest CarbonBlack and, optionally, CbOpenSource packages.  See 'Additional Notes' for how to add the CbOpenSource repo.  reposync writes each repo into a subdirectory named after its repo id in the current directory; yum --downloadonly with keepcache=1 leaves the downloaded RPMs under <repoid>/packages/.
cd /var/cache/yum/x86_64/7/  (where 7 is the OS release version; this example used CentOS 7.9)
reposync --repoid CarbonBlack
reposync --repoid CbOpenSource  (optional)
reposync --repoid CbOpenSource2  (optional; CbOpenSource.repo defines this second repo id as well, and steps 3d and 8 expect its directory)
yum --downloadonly install cb-event-forwarder  (optional)
yum --downloadonly install python-cb-yara-connector  (optional)
yum --downloadonly install python-cb-yara-manager  (optional)

c. Create the repository metadata for each synced directory while remaining in the yum cache directory.  createrepo writes a repodata/ subdirectory inside the directory named, so that directory is what the baseurl must point at later.
cd /var/cache/yum/x86_64/7/
createrepo --no-database -v CarbonBlack
createrepo --no-database -v CbOpenSource  (optional)
createrepo --no-database -v CbOpenSource2  (optional)

d. Tar the updates and record the sha256 hash of each tarball.  The air-gap side compares against these values in step 4; because the repo files in steps 7 and 8 set gpgcheck=0, this comparison is the only integrity check the transferred packages receive.
tar -cvzf CarbonBlack.tar.gz CarbonBlack
tar -cvzf CbOpenSource.tar.gz CbOpenSource CbOpenSource2  (optional)
sha256sum -b CarbonBlack.tar.gz
sha256sum -b CbOpenSource.tar.gz  (optional)

4.  Move the resulting tarball(s) (CarbonBlack.tar.gz and, optionally, CbOpenSource.tar.gz) to the air-gap EDR Servers.  Before extracting, run sha256sum on each tarball on the air-gap server and confirm it matches the value recorded in step 3d; do not proceed on a mismatch.

5.  Copy the verified tarballs into the yum cache directory on each air-gap EDR Server and extract them.
cp /tmp/CarbonBlack.tar.gz /var/cache/yum/x86_64/7/  (where 7 is the OS release version)
cp /tmp/CbOpenSource.tar.gz /var/cache/yum/x86_64/7/  (optional)
cd /var/cache/yum/x86_64/7
tar -xvzf CarbonBlack.tar.gz
tar -xvzf CbOpenSource.tar.gz  (optional)

6.  Stop cb-enterprise (standalone server) or cbcluster (cluster) in the air-gap environment.
service cb-enterprise stop
OR
/usr/share/cb/cbcluster stop

7.  On the air-gap EDR Servers, modify /etc/yum.repos.d/CarbonBlack.repo so that baseurl is a file:// URL pointing at the directory in which createrepo was run in step 3c (the directory that contains repodata/).  Keep a copy of the original file in case the server is later pointed back at the online repository.  Note that gpgcheck=0 disables RPM signature checking, so the hash comparison in step 4 is the only integrity check; if the original repo file carries gpgcheck=1 and a gpgkey entry, prefer keeping them and importing the key with rpm --import rather than disabling verification.
[CarbonBlack]
name=CarbonBlack
baseurl=file:///var/cache/yum/$basearch/$releasever/CarbonBlack
enabled=1
gpgcheck=0

8.  (Optional) On the air-gap EDR Servers, modify /etc/yum.repos.d/CbOpenSource.repo to redirect both baseurls to the extracted directories in the yum cache.  sslverify=1 has no effect on a file:// baseurl and can be left in place; the same gpgcheck caveat as in step 7 applies.
[CbOpenSource]
name=CbOpenSource
baseurl=file:///var/cache/yum/$basearch/$releasever/CbOpenSource
gpgcheck=0
enabled=1
metadata_expire=60
sslverify=1

[CbOpenSource2]
name=CbOpenSource2
baseurl=file:///var/cache/yum/$basearch/$releasever/CbOpenSource2
gpgcheck=0
enabled=1
metadata_expire=60
sslverify=1

9.  Update cb-enterprise on each air-gap EDR Server, then confirm the firewall and SELinux settings cbcheck expects are still in place.*
yum update cb-enterprise
/usr/share/cb/cbcheck firewall -a
/usr/share/cb/cbcheck selinux -a
* If yum fails with [Errno 14] curl#37 - "Couldn't open file /var/cache/yum/x86_64/7/repodata/repomd.xml", the baseurl points at a directory that does not contain the repodata/ written by createrepo (step 3c puts it inside CarbonBlack/).  Either point baseurl at /var/cache/yum/x86_64/7/CarbonBlack, or move the repodata directory to where the baseurl points, and check file permissions:
mv ./CarbonBlack/repodata /var/cache/yum/x86_64/7
* In the lab, 'yum clean all' was deliberately not run on the Internet-facing server, so that both the original install packages and the update packages stayed cached before the move.  As a result the 7.7.2 update RPMs landed in /var/cache/yum/x86_64/7/CarbonBlack/ while the EDR 7.4.1 install RPMs remained in /var/cache/yum/x86_64/7/CarbonBlack/packages/, so the 7.7.2 RPMs were copied into packages/ before running yum update:
cp /var/cache/yum/x86_64/7/CarbonBlack/*rpm /var/cache/yum/x86_64/7/CarbonBlack/packages/
9b.  (Optional) Update cb-event-forwarder, the Yara connector/manager, etc.
yum update cb-event-forwarder
*  As in step 9, if yum cannot find repomd.xml, the repodata directory may need to be moved to the CbOpenSource/repodata location that the baseurl expects.
 
10. Run cbupgrade on each air-gap EDR Server.  cbupgrade adjusts fields in the Postgres and Solr databases where the new release requires it.  If cbupgrade reports .rpmnew files, manually merge the differences between each .rpmnew file and the existing configuration file of the same name, then delete the .rpmnew file before continuing with cbupgrade.
Note:  Do not let cbupgrade start the services (answer 'n' to 'Do you want to start the services?'); they are started in step 11.
/usr/share/cb/cbupgrade

11. Start the air-gap EDR Server or cbcluster.
service cb-enterprise start
OR
/usr/share/cb/cbcluster start
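
The air-gap side of steps 4 to 8 (hash check, extraction, repo file) as one script.  This is an added example written for this article, not code from VMware Carbon Black; the paths follow the article, while the SHA256SUMS manifest, the function names and the dummy fixture in demo_selftest are this example's own assumptions.  It refuses to extract anything whose hash does not match, and it refuses to write a .repo file for a directory that has no repodata/repomd.xml, which is the condition behind the Errno 14 failure described in step 9.

```shell
#!/usr/bin/env bash
# Added example for this article (not VMware Carbon Black code): import a
# transferred repo bundle on the air-gap EDR server the way steps 4-8 describe.
#   1. refuse to extract unless each tarball's SHA-256 matches the manifest
#      written on the Internet-facing server (with gpgcheck=0 this is the only
#      integrity check the packages get);
#   2. extract into the yum cache directory;
#   3. write a file:// .repo stanza per repo id, but only after confirming
#      <repoid>/repodata/repomd.xml exists there, which is the cause of the
#      "[Errno 14] ... repomd.xml" error the article troubleshoots.
# Paths follow the article; function names and the SHA256SUMS manifest name are
# this example's own conventions.
set -eo pipefail

# Internet-facing side (step 3d): record hashes in sha256sum -c format.
make_manifest() {            # make_manifest <dir> <tarball>...
    local dir=$1; shift
    ( cd "$dir" && sha256sum -b "$@" > SHA256SUMS )
}

# Air-gap side (step 4): verify every tarball named in the manifest.
verify_manifest() {          # verify_manifest <dir>  -> non-zero on any mismatch
    ( cd "$1" && sha256sum -c --strict SHA256SUMS )
}

# Extract one tarball into the yum cache (step 5) and print the repo ids it
# contains, i.e. its top-level directories (CarbonBlack, CbOpenSource, ...).
extract_bundle() {           # extract_bundle <tarball> <yum_cache_dir>
    tar -xzf "$1" -C "$2"
    tar -tzf "$1" | cut -d/ -f1 | sort -u
}

# Write the offline repo definition (steps 7/8). baseurl points at the directory
# createrepo was run in, so yum finds <baseurl>/repodata/repomd.xml.
write_offline_repo() {       # write_offline_repo <repoid> <yum_cache_dir> <repos_d>
    local repoid=$1 cache=$2 repos_d=$3
    if [ ! -f "$cache/$repoid/repodata/repomd.xml" ]; then
        echo "ERROR: $cache/$repoid/repodata/repomd.xml missing; createrepo was not run in $repoid" >&2
        return 1
    fi
    cat > "$repos_d/$repoid.repo" <<EOF
[$repoid]
name=$repoid
baseurl=file://$cache/$repoid
enabled=1
gpgcheck=0
EOF
}

# Whole air-gap import. Stops before extracting anything if a hash mismatches.
import_bundle() {            # import_bundle <staging_dir> <yum_cache_dir> <repos_d>
    local staging=$1 cache=$2 repos_d=$3 tarball repoid
    verify_manifest "$staging" || { echo "ERROR: checksum mismatch, refusing to extract" >&2; return 1; }
    for tarball in "$staging"/*.tar.gz; do
        for repoid in $(extract_bundle "$tarball" "$cache"); do
            write_offline_repo "$repoid" "$cache" "$repos_d" || return 1
        done
    done
}

# Constructed self-test: fakes the directory layout step 3 produces (a dummy
# repomd.xml and a dummy RPM, not real EDR packages), then checks that an intact
# bundle imports and a tampered one is refused. Returns 0 when both hold.
demo_selftest() {
    local work staging cache repos_d rc=1
    work=$(mktemp -d)
    staging=$work/transfer cache=$work/var/cache/yum/x86_64/7 repos_d=$work/yum.repos.d
    mkdir -p "$staging" "$cache" "$repos_d" "$work/src/CarbonBlack/repodata"
    echo '<repomd/>' > "$work/src/CarbonBlack/repodata/repomd.xml"
    echo 'placeholder, not an RPM' > "$work/src/CarbonBlack/cb-enterprise-0.0.0.x86_64.rpm"
    tar -czf "$staging/CarbonBlack.tar.gz" -C "$work/src" CarbonBlack
    make_manifest "$staging" CarbonBlack.tar.gz

    if import_bundle "$staging" "$cache" "$repos_d" >/dev/null \
       && grep -qF -- "baseurl=file://$cache/CarbonBlack" "$repos_d/CarbonBlack.repo" \
       && [ -f "$cache/CarbonBlack/repodata/repomd.xml" ]; then
        printf x >> "$staging/CarbonBlack.tar.gz"            # tamper after hashing
        import_bundle "$staging" "$cache" "$repos_d" >/dev/null 2>&1 || rc=0
    fi
    rm -rf "$work"
    return $rc
}
```

On a real transfer, run make_manifest in the directory holding the tarballs on the Internet-facing server and carry SHA256SUMS along with them; on the air-gap server call import_bundle with the staging directory, /var/cache/yum/x86_64/7 and /etc/yum.repos.d, then continue from step 9.  demo_selftest exercises the same functions against a constructed fixture and exits 0 only if the intact bundle is accepted and the tampered one is rejected.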

Additional Notes

  • Testing was performed on default install, using the minimal distribution and the distribution’s official package repositories.
  • Air-gap server OS repos must point to the internal OS repo server (this is outside the Carbon Black configuration).
  • The Internet-facing server and the air-gapped server must run the same OS version (the yum cache path includes $basearch and $releasever).
  • If CbOpenSource.repo is not present on the Internet-facing server and you want to include the CbOpenSource packages in the update, create the repo file by running the following from /etc/yum.repos.d/ (curl -O writes to the current directory); copy or recreate CbOpenSource.repo on the air-gapped server as well.
    curl -O https://opensource.carbonblack.com/CbOpenSource.repo

Related Content


Article Information
Creation Date: 07-26-2022