
Installation on Linux‎

LAST UPDATED: OCT 21, 2024

Proxy Agent Installation on Linux

Environment Requirement

Hardware (Can be virtual)

| Component | Minimum | Recommended |
| --- | --- | --- |
| CPU | 4 CPU Cores | 8 CPU Cores |
| Memory | 8GB RAM | 16GB RAM |
| Host Local Storage | 30GB SSD | 100GB SSD (Raid 1 or 10) |

Operating System

Version

License

Linux Ubuntu / Red Hat

-

Firewall Ports

| Service | Protocol | Port | Direction | Firewall / Proxy |
| --- | --- | --- | --- | --- |
| D3 SOAR Proxy Agent | TCP | 443 | Outbound to Internet | Allow |

Please Note:

  1. The server for D3 Proxy Agent must be able to communicate with D3 vSOC servers via TCP port 443.

  2. D3 Proxy Agent must be installed on servers that have direct access to the internal security products, such as firewalls, SIEM, Exchange, etc.

  3. If Web Proxy is enabled in your network environment, the Web Proxy IP needs to be provided for the docker-compose configuration during the installation. (See Using D3 Proxy Agent with a Web Proxy Server.)

Step 1: Install Docker Engine

Example 1: Install Docker on Ubuntu

Follow the instructions from the documentation to install docker using the apt package manager: Install Docker Engine on Ubuntu | Docker Docs

  1. Run the command below to check if Docker is installed:

BASH
docker version

Alternatively, you can install from a package with these instructions:

You can find different Ubuntu releases for Docker at https://download.docker.com/linux/ubuntu/dists/

Download and install four .deb packages from <version>/pool/stable/amd64:

  1. docker-ce-cli

  2. docker-ce

  3. containerd.io

  4. docker-compose-plugin

Command to install on Ubuntu:

BASH
sudo dpkg -i /path/to/<replace_with_package>.deb

Command to check if docker service is running:

BASH
sudo systemctl status docker

Example 2: Install Docker on Red Hat

Follow the instructions from the documentation to install docker using the yum package manager: https://docs.docker.com/engine/install/rhel/

Alternatively, you can install from a package with these instructions:

Click here for Red Hat package distributions

Download and install four .rpm packages from <version>/s390x/stable/packages:

  1. docker-ce-cli

  2. docker-ce

  3. containerd.io

  4. docker-compose-plugin

Command to install on Red Hat:

BASH
sudo yum install /path/to/<replace_with_package>.rpm  

Command to start docker server:

BASH
sudo systemctl start docker

Step 2: Authenticate to Google Container Registry

The D3 Proxy Agent image hosted on Google Container Registry is private. Authenticate to the D3 Google Container Registry to pull and install it.

  1. Contact the D3 account representative to obtain the service_account_d3soar.json file. Ensure that the file name remains as service_account_d3soar.json without any appended parentheses or numbers.

  2. Create a directory for the D3 Proxy Agent installation on the Linux host machine:

    BASH
    mkdir D3ProxyAgent
  3. Change to the newly created directory:

    BASH
    cd D3ProxyAgent
  4. Copy the service_account_d3soar.json file into the newly created directory.

  5. Authenticate to the Google Container Registry using the following command:

    BASH
    sudo docker login -u _json_key --password-stdin https://gcr.io < service_account_d3soar.json

READER NOTE

  • Successful authentication will result in a “Login Succeeded” message in your terminal.

WARNING

  • The service_account_d3soar.json file must be named exactly as service_account_d3soar.json without any changes to its name.

  • If you encounter errors, verify the naming and content of your service_account_d3soar.json file.

  6. (Optional) Test and verify that you can successfully pull an image from the D3 Google Container Registry by running the following command:

    BASH
    sudo docker pull gcr.io/nimble-cortex-285618/d3prod/d3agent:<D3 vSOC version>

READER NOTE

  • The <D3 vSOC version> conforms to the following format: #.#.#.#.

    • Eg. 16.8.112.0.

  • The <D3 vSOC version> can be found within your D3 vSOC login page.

  • Upon a successful pull, you will see something like the following:

    [Screenshot: terminal output of a successful pull]
  • Upon a failed pull, you will see a “Failed to fetch <D3 vSOC version> from request...” message:
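
Before running the docker login command in step 5, the key file can be checked for the naming and content problems the WARNING above describes, plus its file permissions. This is an added example, not part of D3's documentation: check_key is a hypothetical helper, and it assumes the file is a standard Google service account key.

```shell
#!/bin/sh
# Added example (not D3 tooling): check the registry key before docker login.
# Prints one FAIL line per problem; the return code is the problem count.
check_key() {
    key=$1
    bad=0
    # The page requires this exact name; a re-download often becomes "... (1).json".
    if [ "$(basename "$key")" != "service_account_d3soar.json" ]; then
        echo "FAIL: rename $(basename "$key") to service_account_d3soar.json"
        bad=$((bad + 1))
    fi
    if [ ! -s "$key" ]; then
        echo "FAIL: $key is missing or empty"
        return $((bad + 1))
    fi
    # Assumption: a standard Google service account key, which carries
    # "type": "service_account" and a "private_key" field.
    if ! grep -Eq '"type" *: *"service_account"' "$key" ||
       ! grep -q '"private_key" *:' "$key"; then
        echo "FAIL: $key does not look like a service account key"
        bad=$((bad + 1))
    fi
    # The key is a long-lived credential: only its owner should read it.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group/others (chmod 600 it)"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Run against a file when one is given on the command line.
if [ -n "${1:-}" ]; then check_key "$1"; fi
```

Run it as `sh check_key.sh service_account_d3soar.json` from the D3ProxyAgent directory; no output and exit code 0 mean the file passed.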


Step 3: Run docker-compose to Start the Containers

On the Proxy Agent, we will need to run both the d3executor and the d3agent containers.

  1. Create and edit a docker-compose.yml file and include the following content:

    YAML
    version: "3.3"
    services:
      d3agent:
        image: "gcr.io/nimble-cortex-285618/d3prod/d3agent:<D3 vSOC version>"
        restart: always
        environment:
          - REMOTE_SERVER_URL=<D3 vSOC URL>
          - PROXY_IDENTITY=<D3 vSOC Agent Security Token>
          - PYTHON_REMOTE_URL=http://<Docker Host IP>:<Docker Host Port>/
          - PYTHON_REMOTE_GUID=7e036a86dbee40d9913c3794e779eae4
          - SERVICE_DISPLAY_NAME=<Proxy Agent Display Name>
          - DOCKER_GID=<Docker Group ID>
          - DOCKER_PORT=<Docker Host Port>
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
      
      d3executor:
        image: "gcr.io/nimble-cortex-285618/d3prod/d3executor:<D3 vSOC version>"
        ports:
          - "<Docker Host Port>:9090"
        restart: always
        environment:
          - EXECUTOR_GUID=7e036a86dbee40d9913c3794e779eae4

Step-by-Step Instructions to Modify the docker-compose.yml Template in Vim

Procedure

  1. Navigate into a directory to create the docker-compose.yml (we are using the same directory created in the Authenticate to Google Container Registry step):

    BASH
    cd D3ProxyAgent 
  2. Create the docker-compose.yml file using the text editor of your preference, such as nano, vim, or vi. For the purposes of this demonstration, let us use vim:

    BASH
    vim docker-compose.yml

    This will open and create the file in Normal Mode (Vim's default mode). When a file is opened in Vim, it will appear as follows:

    [Screenshot: docker-compose.yml opened in Vim]
  3. Press i to enter Insert Mode (the user will now be able to type or paste text in Vim).

  4. Copy and paste the template into Vim.

    1. Copy the template above from your browser or other text editor.

    2. Navigate back to the Vim terminal.

    3. Paste the template in Insert Mode:

      • Press Ctrl + Shift + V (in most terminals).
        Note: Ensure that the indentation remains correct after pasting.

      • Important: Every directive nested under a parent (such as the entries under services) should be indented exactly two spaces deeper than its parent. The list items (like - "90:90") should not have extra leading spaces before the hyphen (-) beyond that indentation. Learn more about Docker Compose.

      • (Optional) If you encounter an error like the one below, check your docker-compose.yml spacing.

        [Screenshot: docker-compose.yml spacing error]
  5. Modify the template as necessary.

    • Replace the < > placeholders with specific values.

    • Replace the following placeholders (in Insert Mode) with appropriate values:

      • <D3 vSOC version>

      • <D3 vSOC URL>

      • <D3 vSOC Agent Security Token>

      • <Docker Host IP>

      • <Docker Host Port>

      • <Proxy Agent Display Name>

      • <Docker Group ID>

The details and meanings of the values can be found below.

  6. Exit Insert Mode once you have replaced all the placeholders.

    1. Press the Esc key to exit Insert Mode and return to Normal Mode.

  7. Save and quit the docker-compose.yml file.

    1. In Normal Mode, type:

      BASH
      :wq
    2. Press the Enter key to save and quit.

  8. Verify that all changes were saved correctly by using the following Linux command:

    BASH
    cat docker-compose.yml

Quick Summary of Commands:

  • i – Enter Insert Mode

  • Esc – Exit Insert Mode

  • :wq – Save and quit

  • Ctrl + Shift + C – Copy

  • Ctrl + Shift + V – Paste into Vim

  • cat docker-compose.yml – View file content

D3 VSOC VERSION – Replace <D3 vSOC version> with your vSOC version, which can be found on the D3 login page. For example, if you are using D3 vSOC release version 16.1.80.0, replace the <D3 vSOC version> placeholders within the d3agent and d3executor services to 16.1.80.0.
D3 VSOC URL – This is the vSOC URL, starting with https or http. For example: https://www.test.d3security.com/VSOC/
D3 VSOC AGENT SECURITY TOKEN – The D3 vSOC Agent Security Token can be generated by following these steps:

i. Navigate to the Configuration navigational tab.


ii. Click on the Agent Management menu item on the left sidebar

iii. Click on the + Generate Security Token button.

iv. Select your site from the dropdown menu.

v. Click on the Generate Key button.

vi. Click on the Copy button, then paste the security token into the docker-compose.yml file.
DOCKER HOST IP – The <Docker Host IP> refers to the private IP address of the Linux machine hosting Docker. You can find this address using the command ip addr show on Linux. Ensure that the port is accessible and not being used by any other program.
DOCKER HOST PORT – The <Docker Host Port> specified in the PYTHON_REMOTE_URL environment variable of the d3agent service must match the <Docker Host Port> specified in the ports mapping of the d3executor service. This ensures proper communication between the d3agent and d3executor services.
PROXY AGENT DISPLAY NAME – Input a descriptive name for this Agent; it is displayed on vSOC.
DOCKER GROUP ID – Run the following command to obtain the <Docker Group ID>:

BASH
getent group docker | cut -d: -f3
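
The rules above (every placeholder replaced, one version tag on both images, one host port used in three places, an http or https vSOC URL) can be checked before the containers are started. This is an added example, not part of D3's documentation: check_compose is a hypothetical helper, and the permission check is an added precaution because the file holds the agent security token.

```shell
#!/bin/sh
# Added example (not D3 tooling): lint an edited docker-compose.yml.
# Prints one FAIL line per problem; the return code is the problem count.
check_compose() {
    f=$1
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Template placeholders such as <D3 vSOC URL> must all be replaced.
    left=$(grep -o '<[^>]*>' "$f" | sort -u | tr '\n' ' ')
    [ -z "$left" ] || fail "unreplaced placeholders: $left"

    # d3agent and d3executor must carry one identical #.#.#.# image tag.
    tags=$(sed -n 's|^ *image:.*/d3[a-z]*:\([^" ]*\).*$|\1|p' "$f" | sort -u)
    if [ "$(printf '%s\n' "$tags" | grep -c .)" -ne 1 ]; then
        fail "image tags differ or are missing"
    elif ! printf '%s\n' "$tags" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        fail "image tag '$tags' is not in #.#.#.# format"
    fi

    # One host port must appear in PYTHON_REMOTE_URL, DOCKER_PORT and ports.
    url_port=$(sed -n 's|^ *- *PYTHON_REMOTE_URL=http://[^:/]*:\([0-9]*\)/*$|\1|p' "$f")
    env_port=$(sed -n 's|^ *- *DOCKER_PORT=\([0-9]*\) *$|\1|p' "$f")
    map_port=$(sed -n 's|^ *- *"\([0-9]*\):9090" *$|\1|p' "$f")
    if [ -z "$url_port" ] || [ "$url_port" != "$env_port" ] ||
       [ "$url_port" != "$map_port" ]; then
        fail "host port mismatch: url='$url_port' DOCKER_PORT='$env_port' ports='$map_port'"
    fi

    # REMOTE_SERVER_URL must start with http or https.
    grep -Eq '^ *- *REMOTE_SERVER_URL=https?://[^ ]+' "$f" ||
        fail "REMOTE_SERVER_URL must start with http:// or https://"

    # The file holds the PROXY_IDENTITY token: no group/other access.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        fail "file is accessible to group/others (chmod 600 $f)"

    return "$problems"
}

# Run against a file when one is given on the command line.
if [ -n "${1:-}" ]; then check_compose "$1"; fi
```

Run it as `sh check_compose.sh docker-compose.yml` from the D3ProxyAgent directory; no output and exit code 0 mean every check passed.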

  1. Open a terminal and navigate to the directory where the docker-compose.yml file is located. Once there, execute the following command:

    BASH
    sudo docker compose up -d
  2. Upon successfully bringing up the Docker Compose services, your terminal will display outputs similar to the following:

    [Screenshot: docker compose up output]

Options for Running the Edited docker-compose.yml File

Option 1: Running All Services

To start all services defined in the docker-compose.yml in detached mode (in the background), run the following command:

BASH
sudo docker compose up -d

You may need to use sudo because Docker commands interact with system-level resources, such as the Docker daemon or sockets, which require elevated permissions.

Option 2: Starting a Specific Service (e.g., d3agent or d3executor)

If you only need to start one specific service, run the following commands:

BASH
sudo docker compose up d3agent -d 
sudo docker compose up d3executor -d
  • -d: Runs the service in detached mode, preventing it from blocking the terminal.

  • You can replace d3agent or d3executor with other service names defined in your docker-compose.yml file. These names may vary depending on your setup or specific requirements.

Option 3: Rebuilding and Restarting a Specific Service

If you have made changes to a service’s Docker image or dependencies and need to rebuild and restart that service, run the following commands:

BASH
sudo docker compose up d3agent --build -d 
sudo docker compose up d3executor --build -d
  • --build: Forces Docker to rebuild the service’s image before starting it.

Docker Service Logs and Status Checks

Checking Service Logs

To view the logs for a specific service, run the following commands:

BASH
sudo docker compose logs d3agent 
sudo docker compose logs d3executor

For continuous log output, run the following command:

BASH
sudo docker compose logs -f d3agent

Checking the Status of All Running Containers

To view the status of all containers managed by your docker-compose.yml, run the following command:

BASH
docker compose ps
  • This command shows the status of the services, indicating which ones are running, stopped, or restarting.

  • See Learn more about Docker Compose for more details.

  1. Confirm the presence of your new agent.

    1. Navigate to the Configuration page.

    2. Click on the Agent Management module.

    3. Verify that the Agent Name matches the one specified in the docker-compose.yml file.

    4. Check the agent (connection) status and version. The agent version should match your D3 vSOC version.

    5. (Optional) Enter a description for your agent.

    6. Click on the Save button.

  2. (Optional) Troubleshoot via Docker Compose log commands.

  3. DOCKER COMPOSE LOGS To view a complete list of Docker Compose service logs, both logs for the d3executor and d3agent services, run the following command:

    BASH
     sudo docker compose logs  

    Ideally, only d3executor logs display—this confirms successful agent setup.

    D3EXECUTOR LOGS To view a list of d3executor service logs, run the following command:

    BASH
     sudo docker compose logs d3executor 


    D3AGENT LOGS To view a list of d3agent service logs, run the following command:

    BASH
     sudo docker compose logs d3agent

Firewall Whitelisting for Docker Installation and D3 Proxy Agent Container Image

If all internet traffic is blocked by default, then certain Domains/IPs will need to be whitelisted in order to be able to download the docker package as well as the images hosted on GCR.

Sites that require whitelisting:

  1. Docker (for downloading the Docker package):

    • download.docker.com

  2. GCR (for downloading Docker images from GCR):

    • gcr.io

    • storage.googleapis.com

Example of Checking IP Address

Use nslookup to check the IP addresses of the domain that needs to be accessed.

download.docker.com resolves to several IP addresses. You can allow traffic either to the domain download.docker.com or to an IP address list that includes all of the resolved public IPs. The same domain may resolve to different public IPs from different regions, so if you whitelist by IP address, run nslookup from your own server to obtain them.

Using D3 Proxy Agent with a Web Proxy Server

To route D3 Proxy Agent’s outbound internet connections to a web proxy server, make the following configuration changes.

Open docker-compose.yml. Add the following to the Environment section:

YAML
HTTP_PROXY=<Web Proxy Server:Port>

HTTPS_PROXY=<Web Proxy Server:Port>

NO_PROXY=localhost,127.0.0.1,<Docker Host IP>,<Other local integration host address,...>

docker-compose.yml

YAML
version: "3.3"
services:
  d3agent:
    image: "gcr.io/nimble-cortex-285618/d3prod/d3agent:<D3 vSOC version>"
    restart: always
    environment:
      - REMOTE_SERVER_URL=<D3 vSOC Url>
      - PROXY_IDENTITY=<D3 vSOC Agent Security Token>
      - PYTHON_REMOTE_URL=http://<Docker Host IP>:<Docker Host Port>/
      - PYTHON_REMOTE_GUID=7e036a86dbee40d9913c3794e779eae4
      - SERVICE_DISPLAY_NAME=<Proxy Agent Display Name>
      - DOCKER_GID=<Docker Group ID>
      - DOCKER_PORT=<Docker Host Port>
      - HTTP_PROXY=<Web Proxy Server IP:Port>
      - HTTPS_PROXY=<Web Proxy Server IP:Port>
      - NO_PROXY=localhost,127.0.0.1,<Docker Host IP>,<Other local integration host address,...>
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  
  d3executor:
    image: "gcr.io/nimble-cortex-285618/d3prod/d3executor:<D3 vSOC version>"
    ports:
      - "<Docker Host Port>:9090"
    restart: always
    environment:
      - EXECUTOR_GUID=7e036a86dbee40d9913c3794e779eae4
      - HTTP_PROXY=<Web Proxy Server IP:Port>
      - HTTPS_PROXY=<Web Proxy Server IP:Port>
      - NO_PROXY=localhost,127.0.0.1,<Docker Host IP>,<Other local integration host address,...>

HTTP_PROXY and HTTPS_PROXY specify the web proxy server used for HTTP and HTTPS connections, respectively. Add to NO_PROXY the private IP, DNS name, and any other local integrations that you want to connect to directly (i.e. skipping the proxy).
