Juniper Secure Analytics Installation Guide
Published 2021-03-26
Release 7.4.1
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Juniper Secure Analytics Installation Guide
7.4.1
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
About the Documentation
  Documentation and Release Notes
  Documentation Conventions
  Documentation Feedback
  Requesting Technical Support
  Self-Help Online Tools and Resources
  Creating a Service Request with JTAC
1 JSA Deployment Overview
  JSA Deployment Overview
  Management Controller
  License Keys
  JSA Components
  Prerequisite Hardware Accessories for JSA Installations
  Hardware Accessories
  Environmental Restrictions
  Supported Web Browsers
  USB Flash Drive Installations
  Supported Versions
  Installation Overview
  Creating a Bootable USB Flash Drive with Microsoft Windows
  Creating a Bootable USB Flash Drive on an Apple Mac OS X System
  Creating a Bootable USB Flash Drive with Red Hat Linux
  Installing JSA with a USB Flash Drive
  Standard Linux Users
  Third-party Software on JSA Appliances
2 Bandwidth for Managed Hosts
  Bandwidth for Managed Hosts
3 Installing a JSA Console or Managed Host
  Installing a JSA Console or Managed Host
  Installing a JSA Console or Managed Host (applicable only for JSA 7.3.1 Patch 9, JSA 7.3.2 Patch 2, and JSA 7.3.2 Patch 3)
4 Virtual Appliance Installations for JSA and Log Manager
  Virtual Appliance Installations for JSA and Log Manager
  Overview Of Supported Virtual Appliances
  JSA Threat Analytics “All-in-one” or Console 3199
  JSA Event and Flow Processor Combo
  JSA Flow Processor Virtual 1799
  JSA Event Processor Virtual 1699
  JSA Event Collector Virtual 1599
  JSA Flow Processor
  JSA Flow Processor Virtual 1299
  JSA Vulnerability Manager Processor
  JSA Vulnerability Manager Scanner
  JSA Risk Manager
  JSA App Host 4000
  System Requirements for Virtual Appliances
  Storage Requirements
  Creating Your Virtual Machine
  Installing JSA on a Virtual Machine
  Adding Your Virtual Appliance to Your Deployment
5 Installations from the Recovery Partition
  Installations from the Recovery Partition
  Reinstalling from the Recovery Partition
6 Reinstalling JSA from Media
  Reinstalling JSA from Media
7 Data Node Overview
  Data Node Overview
  JSA Software Installations (applicable only for JSA 7.3.1 Patch 9, JSA 7.3.2 Patch 2, and JSA 7.3.2 Patch 3)
  Prerequisites for Installing JSA on Your Hardware
  Appliance Storage Requirements for Virtual and Software Installations
  Installing RHEL on Your System
  Linux Operating System Partition Properties for JSA Installations on Your Own System
  Console Partition Configurations for Multiple Disk Deployments
  Installing JSA After the RHEL Installation
8 Configuring Bonded Management Interfaces
  Configuring Bonded Management Interfaces
9 Network Settings Management
  Network Settings Management
  Changing the Network Settings in an All-in-one System
  Changing the Network Settings Of a JSA Console in a Multi-system Deployment
  Updating Network Settings After a NIC Replacement
10 Troubleshooting Problems
  Troubleshooting Problems
  Troubleshooting Resources
  JSA Log Files
  Common Ports and Servers Used by JSA
  SSH Communication on Port 22
  Open Ports That Are Not Required by JSA
  JSA Port Usage
  WinCollect Remote Polling
  JSA Listening Ports
  Viewing IMQ Port Associations
  Searching for Ports in Use by JSA
  JSA Public Servers
  Public Servers
  RSS Feeds for JSA Products
IN THIS SECTION
Documentation and Release Notes
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Use this guide to understand how to install JSA in your network.
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Table 1 on page viii defines notice icons used in this guide.
Table 1: Notice Icons
Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Tip | Indicates helpful information.
Best practice | Alerts you to a recommended use or implementation.
Table 2 on page viii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example:
    stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example:
    rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example:
    community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example (indention and braces, and semicolon):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:
• Online feedback system: Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:
  • Click the thumbs-up icon if the information on the page was helpful to you.
  • Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.
• E-mail: Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties: For product warranty information, visit https://www.juniper.net/support/warranty/.
• JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
• Find CSC offerings: https://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: https://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
• Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/
• Create a service request online: https://myjuniper.juniper.net
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
You can create a service request with JTAC on the Web or by telephone.
• Visit https://myjuniper.juniper.net.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.
CHAPTER 1
JSA Deployment Overview
Management Controller
License Keys
JSA Components
Prerequisite Hardware Accessories for JSA Installations
Environmental Restrictions
Supported Web Browsers
USB Flash Drive Installations
Standard Linux Users
Third-party Software on JSA Appliances
You can install JSA on a single server for small enterprises, or across multiple servers for large enterprise environments.
For maximum performance and scalability, you must install a high-availability (HA) managed host appliance for each system that requires HA protection. For more information about installing or recovering an HA system, see the Juniper Secure Analytics High Availability Guide.
RELATED DOCUMENTATION
License Keys
JSA Components
Prerequisite Hardware Accessories for JSA Installations
The JSA appliances use a management controller for systems-management functions.
JSA appliances contain an integrated service processor, which provides advanced service processor control, monitoring, and alerting functions and consolidates the service processor functionality, super I/O, video controller, and remote presence capabilities into a single chip on the server system board.
For more information about the Lenovo management controller, see Lenovo XClarity Controller.
For instructions on how to configure the Lenovo management controller, see XClarity Controller User Guide.
RELATED DOCUMENTATION
JSA Components
Prerequisite Hardware Accessories for JSA Installations
Supported Web Browsers
After you install JSA, you must apply your license keys.
Your system includes a temporary license key that provides you with access to JSA software for five weeks. After you install the software and before the default license key expires, you must add your purchased licenses.
The following table describes the restrictions for the default license key:
Table 3: Restrictions for the Default License Key for JSA Installations
Usage | Limit
Events per second threshold (NOTE: This restriction also applies to the default license key for Log Manager.) | 5000
Flows per interval | 200000
When you purchase a JSA product, an email that contains your permanent license key is sent from Juniper Networks. These license keys extend the capabilities of your appliance type and define your system operating parameters. You must apply your license keys before your default license expires.
RELATED DOCUMENTATION
JSA Components
Prerequisite Hardware Accessories for JSA Installations
Supported Web Browsers
JSA consolidates event data from log sources that are used by devices and applications in your network. Figure 1 on page 15 shows JSA components.
NOTE: Software versions for all JSA appliances in a deployment must be the same version and patch level. Deployments that use different versions of software are not supported.
Figure 1: JSA Components
JSA deployments can include the following components:
JSA Flow Processor
Passively collects traffic flows from your network through span ports or network taps. The JSA Flow Processor also supports the collection of external flow-based data sources, such as NetFlow.
JSA Console
Provides the JSA product user interface. The interface delivers real-time event and flow views, reports, offenses, asset information, and administrative functions.
In distributed JSA deployments, use the JSA console to manage hosts that include other components.
Magistrate
A service running on the JSA console, the Magistrate provides the core processing components. You can add one Magistrate component for each deployment. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events.
The Magistrate component processes events against the custom rules. If an event matches a rule, the Magistrate component generates the response that is configured in the custom rule.
For example, the custom rule might indicate that when an event matches the rule, an offense is created. If there is no match to a custom rule, the Magistrate component uses default rules to process the event. An offense is an alert that is processed by using multiple inputs, individual events, and events that are combined with analyzed behavior and vulnerabilities. The Magistrate component prioritizes the offenses and assigns a magnitude value that is based on several factors, including number of events, severity, relevance, and credibility.
JSA Event Collector
Gathers events from local and remote log sources. Normalizes raw log source events. During this process, the Magistrate component, on the JSA Console, examines the event from the log source and maps the event to a JSA Identifier (QID). Then, the Event Collector bundles identical events to conserve system usage and sends the information to the Event Processor.
JSA Event Processor
Processes events that are collected from one or more Event Collector components. The Event Processor correlates the information from JSA products and distributes the information to the appropriate area, depending on the type of event. The Event Processor can also collect events if you do not have an Event Collector in your deployment.
The Event Processor also includes information that is gathered by JSA products to indicate behavioral changes or policy violations for the event. When complete, the Event Processor sends the events to the Magistrate component.
When to add Event Processors: if you collect and store events in a different country or state, you may need to add Event Processors to comply with local data collection laws.
Data Node
Data Nodes enable new and existing JSA deployments to add storage and processing capacity on demand as required. Data Nodes increase the search speed on your deployment by allowing you to keep more of your data uncompressed.
You can scale storage and processing power independently of data collection, which results in a deployment that has the appropriate storage and processing capacity. Data Nodes are plug-n-play and can be added to a deployment at any time. Data Nodes seamlessly integrate with the existing deployment.
Increasing data volumes in deployments require data compression sooner. Data compression slows down system performance as the system must decompress queried data before analysis is possible. Adding Data Node appliances to a deployment allows you to keep data uncompressed longer.
For more information about Data Nodes, see the “Data Node Overview” on page 59.
RELATED DOCUMENTATION
Prerequisite Hardware Accessories for JSA Installations
Supported Web Browsers
USB Flash Drive Installations
Prerequisite Hardware Accessories for JSA Installations
Before you install JSA products, ensure that you have access to the required hardware accessories and desktop software.
Ensure that you have access to the following hardware components:
• Monitor and keyboard, or a serial console
• Uninterrupted Power Supply (UPS) for all systems that store data, such as JSA console, Event Processor components, or JSA flow processor components
• Null modem cable if you want to connect the system to a serial console
NOTE: JSA products support hardware-based Redundant Array of Independent Disks (RAID) implementations, but do not support software-based RAID installations or hardware assisted RAID installations.
RELATED DOCUMENTATION
Supported Web Browsers
USB Flash Drive Installations
Third-party Software on JSA Appliances
JSA performance can be affected by other devices in your deployment.
For any DNS server that you point a JSA appliance to, you cannot have a DNS registry entry with the hostname set to localhost.
For the features in JSA products to work properly, you must use a supported web browser. The following table lists the supported versions of web browsers.
Table 4: Supported Web Browsers for JSA Products
Web browser | Supported versions
64-bit Mozilla Firefox | 60 Extended Support Release and later
64-bit Microsoft Edge | 38.14393 and later
64-bit Google Chrome | Latest
The Microsoft Internet Explorer web browser is no longer supported as of JSA 7.4.0.
Security Exceptions and Certificates
If you are using the Mozilla Firefox web browser, you must add an exception to Mozilla Firefox to log in to JSA. For more information, see your Mozilla Firefox web browser documentation.
Navigate the Web-Based Application
When you use JSA, use the navigation options available in the JSA user interface instead of your web browser Back button.
RELATED DOCUMENTATION
USB Flash Drive Installations
Third-party Software on JSA Appliances
JSA Components
You can install JSA software with a USB flash drive.
USB flash drive installations are full product installations. You cannot use a USB flash drive to upgrade or apply product patches. For information about applying patches, see the latest Patch Release Notes.
The following appliances or operating systems can be used to create a bootable USB flash drive:
• A Linux system that is installed with Red Hat Enterprise Linux V7.7
• Apple Mac OS X
• Microsoft Windows
Follow this procedure to install JSA software from a USB flash drive:
1. Create the bootable USB flash drive.
2. Install the software for your JSA appliance.
3. Install any product maintenance releases or patches.
See the latest patch Release Notes for installation instructions for patches.
Use the Fedora Media Writer app on a Windows system to create a bootable USB flash drive that you can use to install JSA software.
You must have access to an 8 GB or larger USB flash drive.
NOTE: It is recommended to download the latest version of the Fedora Media Writer app.
1. On your Windows system, download and install the Fedora Media Writer app from the Fedora Media Writer GitHub repository.
Other media creation tools might work to create the bootable flash drive, but the JSA ISO is a modified Red Hat ISO, and Red Hat suggests Fedora Media Writer. For more information, see Making Installation USB Media.
2. On your Windows system, download the JSA ISO image file from https://support.juniper.net/support/downloads/ to a local drive.
3. Insert the USB flash drive into a USB port on your Windows system.
NOTE: Any files stored on the USB flash drive are overwritten when creating the bootable flash drive.
4. Open Fedora Media Writer and in the main window, click Custom Image.
5. Browse to where you downloaded the JSA ISO on your Windows system and select it.
6. Select the USB flash drive from the Fedora Media Writer menu, and then click Write to disk.
7. When the writing process is complete, click Close and remove the USB flash drive from your system. For more information about installing JSA software, see “Installing JSA with a USB Flash Drive” on page 22.
You can use an Apple Mac OS X computer to create a bootable USB flash drive that you can use to install JSA software.
You must have access to the following items:
• An 8 GB or larger USB flash drive
• A JSA 7.3.1 or later ISO image file
When you create a bootable USB flash drive, the contents of the flash drive are deleted.
1. Download the JSA ISO image file from https://support.juniper.net/support/downloads/.
2. Insert the USB flash drive into a USB port on your system.
3. Open a terminal and type the following command to unmount the USB flash drive:
diskutil unmountDisk /dev/<name_of_the_connected_USB_flash_drive>
4. Type the following command to write the JSA ISO to your USB flash drive:
dd if=/<jsa.iso> of=/dev/r<name_of_the_connected_USB_flash_drive> bs=1m
NOTE: The r before the name of the connected USB flash drive is for raw mode, which makes the transfer much faster. There is no space between the r and the name of the connected USB flash drive.
5. Remove the USB flash drive from your system.
You can use a Linux desktop or notebook system with Red Hat V7 or higher to create a bootable USB flash drive that you can use to install JSA software.
You must have access to the following items:
• An 8 GB or larger USB flash drive
• A JSA 7.4.1 or later ISO image file
When you create a bootable USB flash drive, the contents of the flash drive are deleted.
1. Download the JSA ISO image file from https://support.juniper.net/support/downloads/.
2. Insert the USB flash drive in the USB port on your system.
It might take up to 30 seconds for the system to recognize the USB flash drive.
3. Open a terminal and type the following command to determine the name of the USB flash drive:
dmesg | grep SCSI
The system outputs the messages produced by device drivers. The following example shows the name of the connected USB flash drive as sdb.
[ 170.171135] sd 5:0:0:0: [sdb] Attached SCSI removable disk
4. Type the following commands to unmount the USB flash drive:
df -h | grep <name_of_the_connected_USB_flash_drive>
umount /dev/<name_of_the_connected_USB_flash_drive>
Example:
[root@jsa ~]# dmesg | grep SCSI
[93425.566934] sd 14:0:0:0: [sdb] Attached SCSI removable disk
[root@jsa ~]# df -h | grep sdb
[root@jsa ~]# umount /dev/sdb
umount: /dev/sdb: not mounted
5. Type the following command to write the JSA ISO to your USB flash drive:
dd if=/<jsa.iso> of=/dev/<name_of_the_connected_USB_flash_drive> bs=512k
Example:
[root@jsa ~]# dd if=7.4.1.20200716115107.iso of=/dev/sdb bs=512k
11112+0 records in
11112+0 records out
5825888256 bytes (5.8 GB) copied, 1085.26 s, 5.4 MB/s
6. Remove the USB flash drive from your system. For more information about installing JSA software, see “Installing JSA with a USB Flash Drive” on page 22.
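The dmesg, umount and dd steps of the Red Hat Linux procedure with three checks wrapped around them, as an added example that is not part of the Juniper guide: the target must be flagged removable by the kernel, must not be mounted, and is read back and compared with the ISO after writing. The function names and the SYSFS_ROOT and MOUNTS_FILE overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added example: guard rails around the dmesg / umount / dd steps.
# SYSFS_ROOT and MOUNTS_FILE can be overridden so the checks can be run
# against constructed files; the defaults are the real kernel paths.
SYSFS_ROOT=${SYSFS_ROOT:-/sys}
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# Read dmesg text on stdin and print the device names (sdb, sdc, ...)
# reported as "Attached SCSI removable disk".
removable_from_dmesg() {
    sed -n 's/.*\[\(sd[a-z][a-z]*\)] Attached SCSI removable disk.*/\1/p' | sort -u
}

# Succeed only if the kernel flags the disk as removable.
is_removable() {
    [ "$(cat "$SYSFS_ROOT/block/$1/removable" 2>/dev/null)" = "1" ]
}

# Succeed if the disk or one of its partitions is still mounted.
is_mounted() {
    grep -q "^/dev/$1[0-9]* " "$MOUNTS_FILE"
}

# Compare the first <image size> bytes of the target with the image.
verify_written() {
    size=$(( $(wc -c < "$1") ))
    head -c "$size" "$2" | cmp -s - "$1"
}

# Write with the block size used in the guide, flush to the device, then
# read back. conv=notrunc has no effect on a block device; it only keeps a
# regular file used as a stand-in from being truncated.
write_and_verify() {
    dd if="$1" of="$2" bs=512k conv=notrunc,fsync 2>/dev/null || return 1
    verify_written "$1" "$2"
}

# usage: main <jsa.iso> <device name, for example sdb>
main() {
    iso=$1 dev=$2
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 1; }
    is_removable "$dev" || { echo "/dev/$dev is not a removable disk" >&2; return 1; }
    if is_mounted "$dev"; then
        echo "/dev/$dev is mounted; unmount it first" >&2
        return 1
    fi
    write_and_verify "$iso" "/dev/$dev" || { echo "read-back mismatch on /dev/$dev" >&2; return 1; }
    echo "image written to /dev/$dev and verified"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

A read-back made right after the write can be served from the page cache; remove and reinsert the drive and run verify_written again to compare against the medium itself.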
Follow this procedure to install JSA from a bootable USB flash drive.
You must create the bootable USB flash drive before you can use it to install JSA software. This procedure provides general guidance on how to use a bootable USB flash drive to install JSA software. The complete installation process is documented in the product Installation Guide.
1. Install all necessary hardware.
2. Choose one of the following options:
• Connect a notebook to the serial port at the back of the appliance.
• Connect a keyboard and monitor to their respective ports.
3. Insert the bootable USB flash drive into the USB port of your appliance.
4. Restart the appliance.
Most appliances can boot from a USB flash drive by default. If you are installing JSA software on your own hardware (only supported for Data Nodes), you might have to set the device boot order to prioritize USB.
After the appliance starts, the USB flash drive prepares the appliance for installation. This process can take up to an hour to complete.
5. When the login prompt is displayed, type root to log in to the system as the root user. The user name is case-sensitive.
6. Press Enter and follow the prompts to install JSA.
The complete installation process is documented in the product Installation Guide.
RELATED DOCUMENTATION
Third-party Software on JSA Appliances
JSA Components
Supported Web Browsers
Standard Linux Users
The tables describe the standard Linux user accounts that are created on the JSA console and other JSA product components (All In One console, JSA Risk Manager, QRadar Network Insights, App Host, and all other managed hosts).
The following tables show standard Linux user accounts for RedHat and JSA.
Table 5: Standard Linux User Accounts for RedHat
User Account | Login to the Login Shell | Purpose
root (password required) | Yes | RedHat user
bin | No | Linux Standard Base
daemon | No | Linux Standard Base
adm | No | Linux Standard Base
lp | No | Linux Standard Base
sync | No | Linux Standard Base
shutdown | No | Linux Standard Base
halt | No | Linux Standard Base
| No | Linux Standard Base
operator | No | Linux Standard Base
games | No | RedHat user
ftp | No | RedHat user
nobody | No | Linux Standard Base
systemd-network | No | RedHat user
dbus | No | RedHat user
polkitd | No | RedHat user
sshd | No | RedHat user
rpc | No | RedHat user
rpcuser | No | RedHat user
nfsnobody | No | RedHat user
abrt | No | RedHat user
ntp | No | RedHat user
tcpdump | No | RedHat user
tss | No | RedHat user
saslauth | No | RedHat user
sssd | No | RedHat user
Table 6: Standard Linux User Accounts for JSA
User Account | Login to the Login Shell | Purpose
ziptie | No | Ziptie service used by JSA Risk Manager
si-vault | No | JSA Vault service used by JSA to store secrets and manage internal certificates
vis | No | JSA VIS service used by JSA to process scan results
si-registry | No | JSA Docker Registry Service used by JSA for App Framework
customactionuser | No | JSA Custom Actions used to isolate custom actions into a chroot jail
mks | No | MKS JSA component for handling secrets
qradar | No | General user for JSA
qvmuser | No | JSA Vulnerability Manager
postgres | No (account locked) | PostgreSQL database used by JSA
tlsdated | No | Tlsdate legacy time sync tool that was previously used by JSA
traefik | No | Traefik service proxies Docker Containers for JSA App Framework
gluster | No | GlusterFS used by JSA HA on event collectors
openvpn | No | OpenVPN optional VPN tool installed by JSA
chrony | No | Chronyd service time sync tool used by JSA
apache | No | Apache Web Server used by JSA
postfix | No | Mail Service used by JSA to send email
RELATED DOCUMENTATION
USB Flash Drive Installations
Third-party Software on JSA Appliances
JSA Components
JSA is a security appliance that is built on Linux, and is designed to resist attacks. JSA is not intended as a multi-user, general-purpose server. It is designed and developed specifically to support its intended functions. The operating system and the services are designed for secure operation. JSA has a built-in firewall, and allows administrative access only through a secure connection that requires encrypted and authenticated access, and provides controlled upgrades and updates. JSA does not require or support traditional anti-virus or malware agents, or support the installation of third-party packages or programs.
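Tables 5 and 6 document a single account (root) with a login shell, so a passwd file that disagrees with them is worth a look. The following audit is an added example, not part of the Juniper guide; the names audit_passwd and sample_passwd and the finding labels are assumptions, the sample lines are constructed, and the account list is copied from the two tables on this page.

```shell
#!/bin/sh
# Added example: compare a passwd-format file with Tables 5 and 6.
# One Table 5 row has no account name in this copy of the guide, so the list
# can be short by one entry; extend it from a known-good appliance.
DOCUMENTED="root bin daemon adm lp sync shutdown halt operator games ftp nobody"
DOCUMENTED="$DOCUMENTED systemd-network dbus polkitd sshd rpc rpcuser nfsnobody"
DOCUMENTED="$DOCUMENTED abrt ntp tcpdump tss saslauth sssd ziptie si-vault vis"
DOCUMENTED="$DOCUMENTED si-registry customactionuser mks qradar qvmuser postgres"
DOCUMENTED="$DOCUMENTED tlsdated traefik gluster openvpn chrony apache postfix"

# audit_passwd <passwd-format file, or - for stdin>
# Prints one finding per line:
#   LOGIN <user> <shell>  account other than root whose shell gives a session
#   EXTRA <user> <uid>    account that is not listed in the two tables
# Only the shell field is checked. A locked password (postgres in Table 6) is
# recorded in /etc/shadow, so such an account can still show a shell here.
audit_passwd() {
    awk -F: -v documented="$DOCUMENTED" '
        BEGIN {
            n = split(documented, names, " ")
            for (i = 1; i <= n; i++) known[names[i]] = 1
            # Shell fields that do not give an interactive session.
            nologin["/sbin/nologin"] = 1; nologin["/usr/sbin/nologin"] = 1
            nologin["/bin/false"] = 1;    nologin["/usr/bin/false"] = 1
            # sync, shutdown and halt run one command instead of a shell.
            nologin["/bin/sync"] = 1; nologin["/sbin/shutdown"] = 1
            nologin["/sbin/halt"] = 1
        }
        /^#/ || NF < 7 { next }
        {
            user = $1; uid = $3; shell = $7
            if (shell == "") shell = "/bin/sh"   # empty field means the default shell
            if (user != "root" && !(shell in nologin)) print "LOGIN", user, shell
            if (!(user in known)) print "EXTRA", user, uid
        }' "$1"
}

# Constructed sample: two documented service accounts, one undocumented
# account with a shell, and one documented account with an empty shell field.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
support:x:1001:1001::/home/support:/bin/bash
ntp:x:38:38::/etc/ntp:
EOF
}

# With one argument audit that file, otherwise run on the constructed sample.
if [ "$#" -eq 1 ]; then audit_passwd "$1"; else sample_passwd | audit_passwd -; fi
```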
RELATED DOCUMENTATION
JSA Components
Supported Web Browsers
USB Flash Drive Installations
CHAPTER 2
Bandwidth for Managed Hosts
To replicate state and configuration data, ensure that you have a minimum bandwidth of 100 Mbps between the JSA console and all managed hosts. Higher bandwidth is necessary when you search log and network activity, and you have over 10,000 events per second (EPS).
An Event Collector that is configured to store and forward data to an Event Processor forwards the data according to the schedule that you set. Ensure that you have sufficient bandwidth to cover the amount of data that is collected, otherwise the forwarding appliance cannot maintain the scheduled pace.
Use the following methods to mitigate bandwidth limitations between data centers:
• Process and send data to hosts at the primary data center-- Design your deployment to process and send data as it's collected to hosts at the primary data center where the console resides. In this design, all user-based searches query the data from the local data center rather than waiting for remote sites to send back data.
You can deploy a store and forward event collector, such as a JSA physical or virtual appliance, in the remote locations to control bursts of data across the network. Bandwidth is used in the remote locations, and searches for data occur at the primary data center, rather than at a remote location.
• Don't run data-intensive searches over limited bandwidth connections-- Ensure that users don't run data-intensive searches over links that have limited bandwidth. Specifying precise filters on the search limits the amount of data that is retrieved from the remote locations, and reduces the bandwidth that is required to send the query result back.
For more information about deploying managed hosts and components after installation, see the Juniper Secure Analytics Administration Guide.
CHAPTER 3
Installing a JSA Console or Managed Host
Installing a JSA Console or Managed Host (applicable only for JSA 7.3.1 Patch 9, JSA 7.3.2 Patch 2, and JSA 7.3.2 Patch 3)