
Installing DriftGuard on AWS


Overview

For companies who are existing clients of LimePoint, installing DriftGuard in the AWS Cloud can be quite a simple exercise. New clients can also follow this procedure of course, once access to releases and licensing has been sorted.

The process involves provisioning an EC2 instance and an RDS instance to host the application and database respectively, with some additional AWS components required to look after connectivity. The steps can be undertaken by any sys admin, but prior experience with AWS is going to make the exercise a lot easier. Requirements include access to an AWS account (with permissions to create and manage EC2 and RDS components), as well as the aforementioned access to DriftGuard releases, and a valid licence.

It should be noted that the Security Group in this example has deliberately been configured to be open to any IP, but in a secure environment this should be locked down appropriately. For simplicity, the database passwords specified in the User Data section are also all set to the string ‘password’; these should be changed appropriately as well.

The high-level steps are as follows:

  1. Create Security Group
  2. Create RDS
  3. Create Keypair
  4. Create EC2
  5. Create Elastic IP
  6. Download DriftGuard Software
  7. Install DriftGuard Software

Create Security Group

  1. Navigate to the EC2 Dashboard console
  2. On the left, under ‘Network & Security’, click ‘Security Groups’
  3. Click ‘Create Security Group’
  4. Enter ‘Security Group Name’ as “DriftGuard”
  5. Enter ‘Description’
  6. Select the ‘Default VPC’ from the drop-down
  7. Click ‘Add Rule’ three times
  8. Populate the first rule for Oracle-RDS on port 1521 from 0.0.0.0/0
  9. Populate the second rule for SSH on port 22 from 0.0.0.0/0
  10. Populate the third rule for Custom TCP on port 8082 from 0.0.0.0/0
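
The overview notes that these 0.0.0.0/0 rules should be locked down in a secure environment. The following is an added example, not part of the original post, that creates the same group with the AWS CLI using restricted sources: SSH and port 8082 from one CIDR, and Oracle 1521 only from members of the group itself (the EC2 and RDS instances both join it). The VPC ID and CIDR are placeholders, and the CIDR is assumed to cover both admin workstations and any target hosts that must reach DriftGuard.

```shell
#!/bin/bash
# Added example: create the "DriftGuard" security group without 0.0.0.0/0.
# Arguments are placeholders (assumptions), e.g.:
#   create_driftguard_sg vpc-xxxxxxxx 203.0.113.0/24
AWS="${AWS:-aws}"   # set AWS to a stub to dry-run without touching an account

create_driftguard_sg() {
  local vpc_id="$1" client_cidr="$2" sg_id port

  # Refuse the open-to-the-world ranges this example is meant to replace.
  case "$client_cidr" in
    ""|0.0.0.0/0|::/0)
      echo "refusing open or empty CIDR: '$client_cidr'" >&2
      return 1 ;;
  esac

  sg_id=$($AWS ec2 create-security-group \
      --group-name DriftGuard \
      --description "DriftGuard application and database" \
      --vpc-id "$vpc_id" \
      --query GroupId --output text) || return 1

  # SSH (22) and the DriftGuard HTTP port (8082): known client network only.
  for port in 22 8082; do
    $AWS ec2 authorize-security-group-ingress --group-id "$sg_id" \
        --protocol tcp --port "$port" --cidr "$client_cidr" >/dev/null || return 1
  done

  # Oracle (1521): self-referencing rule, so only instances that are members
  # of this group (the DriftGuard EC2 host) can reach the RDS listener.
  $AWS ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 1521 --source-group "$sg_id" >/dev/null || return 1

  echo "$sg_id"
}
```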

Create RDS

  1. Navigate to the RDS Dashboard console
  2. Click ‘Create database’
  3. Database creation method: leave ‘Standard Create’ selected
  4. Engine Options:
    1. ‘Oracle’
    2. ‘Oracle Standard Edition One’
    3. ‘license-included’
  5. Templates: select ‘Dev/Test’
  6. Settings:
    1. change DB Instance Identifier to “DriftGuard”
    2. Enter and confirm Master password as “password”
  7. DB instance size:
    1. ‘Burstable classes’
    2. ‘db.t3.micro’
  8. Connectivity:
    1. Default VPC
    2. Expand ‘Additional connectivity’ and set the ‘VPC security group’ to the ‘DriftGuard’ group created earlier
  9. Additional configuration:
    1. Set Initial database name as “dg”
  10. Scroll to bottom and click ‘Create Database’
  11. While the database is creating, you can move on with the next steps
  12. Once the database has finished being created, navigate to the ‘Connectivity & security’ section, and make note of the ‘Endpoint’

Create Keypair

  1. Navigate to the EC2 Dashboard console
  2. On the left, under ‘Network & Security’, click ‘Key Pairs’
  3. Click ‘Create key pair’
  4. Enter key pair name “dg” – leave “pem” selected
  5. Click ‘Create key pair’
  6. From the dialog box that appears, save the key pair to your workstation
  7. Depending on the OS of your workstation, you may need to set permissions on the file to 0400

Create EC2

  1. Navigate to the EC2 Dashboard console
  2. Click Launch Instance
  3. Select ‘Amazon Linux 2 AMI (HVM), SSD Volume Type – ami-0e8c04af2729ff1bb (64-bit x86)’
  4. Select t2.medium and click ‘Next: Configure Instance Details’
  5. In the ‘User Data’ field (bottom of screen), enter the following:

    #!/bin/bash
    yum update -y
    yum install java-1.8.0-openjdk-devel.x86_64 nc telnet -y
    adduser -r driftmgr -d /home/driftmgr -m
    echo 'driftmgr ALL=(ALL:ALL) NOPASSWD:ALL' | (su -c 'EDITOR="tee -a" visudo')
    echo 'export JAVA_HOME=/etc/alternatives/java_sdk' >> /home/driftmgr/.bash_profile
    mkdir -p /limepoint/product
    chown -R driftmgr:driftmgr /limepoint
    cat <<'EOF' >> /home/driftmgr/driftguard.rsp
    # DriftGuard Installer Response File
    rsp_rootdir='/limepoint/product/drift'
    rsp_driftcontextroot=/drift
    rsp_drifthttpport=8082
    rsp_drifthttpsport=8443
    rsp_driftajpport=8081
    rsp_driftserverport=8107
    rsp_driftlistenaddress='*'
    rsp_driftdbhost='DB_URL'
    rsp_driftdbport='1521'
    rsp_driftdbconnecttype='1'
    rsp_driftdbsid='dg'
    rsp_driftdburl='jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=DB_URL)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=dg)))'
    rsp_driftschemaprefix=''
    rsp_driftdbpassword='password'
    rsp_driftrodbpassword='password'
    rsp_configdb='y'
    rsp_driftdbsysusername='admin'
    rsp_driftdbsyspassword='password'
    rsp_driftsecdbpassword='password'
    rsp_driftdatafileprefix=''
    rsp_configldap='n'
    rsp_roleAdmin='RoleAdmin'
    rsp_roleDriftAdmin='RoleDriftAdmin'
    rsp_roleDriftCollector='RoleDriftCollector'
    rsp_roleDriftDeveloper='RoleDriftDeveloper'
    rsp_roleDriftViewer='RoleDriftViewer'
    rsp_importLdapCertificate='n'
    rsp_ignoreCertImportWarnings='y'
    EOF
    chown driftmgr:driftmgr /home/driftmgr/driftguard.rsp
    

  6. Click ‘Next:Add Storage’
  7. Click ‘Next:Add Tags’
  8. Click ‘Add Tag’ and enter a Key of “Name” and a Value of “DriftGuard”
  9. Click ‘Next:Configure Security Group’
  10. Click ‘Select an existing security group’ and choose the “DriftGuard” group
  11. Click Review and Launch
  12. Click Launch
  13. Click Choose an existing key pair and select the “dg” pair
  14. Click Launch Instance

Create Elastic IP

  1. Navigate to the EC2 Dashboard console
  2. On the left, under Network & Security, click Elastic IPs
  3. Click ‘Allocate Elastic IP address’
  4. Leave current settings and click Allocate
  5. Make a note of the Public IPv4 address that was allocated
  6. Select the row, click Actions and select Associate Elastic IP address
  7. From the Instance drop-down, select the DriftGuard instance
  8. Click Associate

Download DriftGuard Software

  1. Navigate to https://releases.driftguard.io/ (note: this will require login credentials)
  2. Click Download current release
  3. Using the Elastic IP and key pair created earlier, sftp the DriftGuard-Installer.sh file to the /tmp directory on the DriftGuard server

Install DriftGuard Software

  1. Using the Elastic IP and key pair created earlier, ssh to the DriftGuard server
  2. Switch to the ‘driftmgr’ user via sudo su
  3. Copy the DriftGuard-Installer.sh file from the /tmp dir
  4. Change permissions on the file: chmod 755 DriftGuard-Installer.sh
  5. Update the driftguard.rsp file with the correct RDS endpoint:

    sed -i 's/DB_URL/<endpoint>/' driftguard.rsp

    e.g.

    sed -i 's/DB_URL/driftguard.cwkd8ebqdaja.us-west-2.rds.amazonaws.com/' driftguard.rsp

  6. Run the Installer: ./DriftGuard-Installer.sh driftguard.rsp
  7. Once the installer is done, a message similar to the following will show in the terminal:

    Warming the application
    DriftGuard running.  Browse http://localhost:8082/drift admin/password, drift/password, (all other seeded users also have a password of password).
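
The overview says the ‘password’ values in the response file should be changed; User Data also stays readable from the instance metadata service, so real values are better written into driftguard.rsp after launch, before step 6. The following is an added example, not part of the original post or the DriftGuard installer, that rotates the placeholders and refuses to proceed while any remain. It assumes the installer creates the schema accounts from the rsp values and that rsp_driftdbsyspassword must match the RDS master password, neither of which the post confirms.

```shell
#!/bin/bash
# Added example: harden driftguard.rsp before running the installer.
# Assumptions (not confirmed by the post): the installer creates the schema
# accounts from these values; rsp_driftdbsyspassword = RDS master password.

gen_pw() {  # letter + 23 hex characters: valid as an unquoted Oracle password
  printf 'K%s' "$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c1-23)"
}

set_rsp() {  # set_rsp FILE KEY VALUE (VALUE is pre-validated, so '|' is safe)
  sed -i "s|^\([[:space:]]*$2=\).*|\1'$3'|" "$1"
}

rotate_rsp_passwords() {  # rotate_rsp_passwords FILE RDS_MASTER_PASSWORD
  local f="$1" master="$2" key
  # Reject empty, default, or sed/quote-unsafe master passwords.
  case "$master" in
    ""|password|*[!A-Za-z0-9_#]*)
      echo "supply a non-default master password ([A-Za-z0-9_#] only)" >&2
      return 1 ;;
  esac
  chmod 600 "$f"   # the file holds credentials: owner read/write only
  for key in rsp_driftdbpassword rsp_driftrodbpassword rsp_driftsecdbpassword; do
    set_rsp "$f" "$key" "$(gen_pw)"   # a distinct random value per account
  done
  set_rsp "$f" rsp_driftdbsyspassword "$master"
}

rsp_preflight() {  # non-zero if any placeholder from the User Data remains
  local f="$1" bad=0
  if grep -q "DB_URL" "$f"; then
    echo "DB_URL placeholder not replaced" >&2; bad=1
  fi
  if grep -Eq "^[[:space:]]*rsp_[a-z]*password='password'" "$f"; then
    echo "default password still present" >&2; bad=1
  fi
  return "$bad"
}

# Usage, as driftmgr, after the RDS master password has been changed:
#   rotate_rsp_passwords driftguard.rsp "$RDS_MASTER_PASSWORD"
#   rsp_preflight driftguard.rsp && ./DriftGuard-Installer.sh driftguard.rsp
```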
    

Log in

  1. Navigate to http://<ip-address>:8082/drift in the browser, where <ip-address> is the Elastic IP created earlier
  2. Use the credentials drift / password to log in, at which point you will see a valid licence is not installed (a valid licence must be purchased from LimePoint)
  3. Once a valid licence is uploaded, full access to the application is provided

Summary

The steps above demonstrate how quickly and simply the DriftGuard application can be installed in the AWS cloud. Depending on your company’s needs, a larger EC2 or RDS instance may be required; however, this is just a matter of selecting a different instance during your setup (or even dynamically modifying your instances at a later date).

An Elastic IP is not strictly required; however, if you stop your DriftGuard instance at any time, AWS will allocate a new IP address when it is restarted, which means all of your target hosts will need to be updated to point to the new IP address. Having an Elastic IP address means that this will never be an issue.

From this point, configuration of the application is required to perform data collection against your target hosts. This is not covered in this post, but it is explained in great detail in the documentation and may also be covered in a future post.

Please contact LimePoint directly if you have any enquiries relating to DriftGuard, and/or how to leverage the AWS cloud to quickly and simply get started with monitoring configuration drift at your site.
