As cloud deployments continue to gain popularity you may find the need to run the RSA NetWitness Platform in Google Cloud. The RSA NetWitness Platform is already available for AWS and Azure, however it is not "officially" available in Google Cloud as of 11/2018.
In this blog post I will walk through how to get the RSA NetWitness Platform running in Google Cloud. This is NOT officially supported, however it does work and has been deployed in the field.
The rough steps are:
- Install NetWitness to a local virtual machine using the DVD ISO (Use single file for vmdk rather than split)
- After startup edit /etc/grub/default
- Install ca-certificates via yum
- Add the Google yum repo and install a few more RPMs (https://cloud.google.com/compute/docs/instances/linux-guest-environment)
- Copy ISO to the VM (You can also use a Google storage bucket and gcfuse in place of this step)
- Install Google SDK on your local machine (https://cloud.google.com/compute/docs/gcloud-compute/)
- Upload vmdk from deployed machine to Google Cloud Storage bucket
- Run the import tool (see Importing Virtual Disks in the Compute Engine documentation)
- (Skip this step if you copied ISO in step 5) Add gcfuse
- (Skip this step if you copied ISO in step 5) Use gcfuse to mount ISO
- Make a directory to mount the ISO
- Mount the ISO
- Remove existing ntp rpm (Skipping this step will cause bootstrap to fail)
- Use VMware Workstation or vSphere to create a new virtual machine. Follow the sizing instructions here: Virtual Host Setup: Basic Deployment
- Choose to install Operating System Later
- Adjust the VM to sizes needed
- Ensure you are using one file for the vmdk rather than splitting into multiple disks. Converting split disks is not in scope for this blog
- For the CD/DVD ensure the option "Connected" is checked
- Select "Use ISO image" and browse to the path of your 11.x DVD ISO. Please note there are both DVD and USB ISOs. The instructions provided here used the DVD ISO.
- Finish and power on the Virtual Machine
- Follow the prompts to install NetWitness
- Google has very specific requirements on which kernel arguments are allowed for imported, bootable images. More details here: Importing Boot Disk Images to Compute Engine (Compute Engine documentation)
- Change your GRUB kernel command line arguments so they contain no references to splash screens or quiet
- For the NetWitness 11.1 ISO I used the following for /etc/grub/default:
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=netwitness_vg00/root rd.lvm.lv=netwitness_vg00/swap biosdevname=1 net.ifnames=0 rd.shell=0 console=ttyS0,38400n8d"
GRUB_DISABLE_RECOVERY="true"
- If DHCP did not automatically assign all network settings, set the gateway, IP address and subnet mask in the ifcfg file for the interface and ensure the machine can reach the CentOS repos (https://www.cyberciti.biz/faq/howto-setting-rhel7-centos-7-static-ip-configuration/)
- Run the following and accept any GPG keys if prompted. The latest version of ca-certificates is required, otherwise the daisy converter service will fail when you run the import.
yum install ca-certificates
- Add the Google yum repo
vi /etc/yum.repos.d/google-cloud.repo
- Paste the contents below (the second gpgkey URL must stay indented so yum reads it as a continuation line)
[google-cloud-compute]
name=Google Cloud Compute
baseurl=https://packages.cloud.google.com/yum/repos/google-cloud-compute-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
- Clean the yum metadata cache so the new repo is picked up
yum clean all
- Install the Google Cloud helper RPMs. Permanently accept any GPG keys so they are stored, and also install any prerequisite RPMs. This will prevent errors during the conversion.
yum install python-google-compute-engine
yum install google-compute-engine-oslogin
yum install google-compute-engine
- Copy the 11.x ISO (the same ISO you used to build the VM) into /tmp via scp. It will be used to mount the local yum repo for bootstrap. You can also use gcfuse in place of this step, however we will not cover that here.
- Shut down the VM and copy the vmdk to a Google Cloud Storage bucket accessible to the account used with the Google Cloud SDK. Instructions can be found here: https://cloud.google.com/compute/docs/gcloud-compute/
- Run the import tool (see Importing Virtual Disks in the Compute Engine documentation)
- If your vmdk was named nw11.vmdk and your storage bucket is called netwitness the import command would be:
gcloud compute images import nw11 --source-file gs://netwitness/nw11.vmdk --os centos-7
- This process can take up to a few hours
- Once the conversion is complete you will have an image you can use to create NetWitness VMs
- Start the VM, switch to the root user and mount the ISO that was copied onto the vmdk before the conversion. The ISO I copied was 11.2 and named rsa-11.2.0.0.3274.el7-dvd.iso
su root
mkdir /mnt/nw11gce
mount -t iso9660 -o loop /tmp/rsa-11.2.0.0.3274.el7-dvd.iso /mnt/nw11gce
- Uninstall ntp and install the version from the NetWitness ISO so bootstrap completes successfully. Google installs a newer version of the ntp RPM; the version NetWitness uses can be reinstalled from the ISO you just mounted in step 10
yum remove ntp
rpm -e ntpdate
rpm -Uvh /mnt/nw11gce/Packages/11.2.0.0/OS/ntpdate*.rpm
- Run nwsetup-tui to complete the install
You should now have a working NetWitness image you can build from. One thing I have noticed is that some kernel upgrades (which are included in service packs, patches and major versions of NetWitness software updates) add kernel arguments that can cause the instance to lose SSH connectivity and the software to stop functioning correctly. After any upgrade and BEFORE reboot I recommend checking that no additional kernel arguments have been added. I'd also recommend upgrading in a lab or small instance first, and taking a snapshot prior to the upgrade so you can return to a known good state if needed.
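The pre-reboot check recommended above, and the kernel-argument rules from the GRUB section, as an added example that is not part of the original post. It reads GRUB_CMDLINE_LINUX from a grub defaults file (path and the exact rejected tokens are assumptions based on the post: quiet, splash, rhgb, plus the serial console requirement).

```shell
#!/bin/sh
# Added example (not from the original post): verify that GRUB_CMDLINE_LINUX
# still meets the Compute Engine import rules the post describes: no
# quiet/splash/rhgb and a serial console on ttyS0. Run it after a kernel
# upgrade and before rebooting. File path and token list are assumptions.

# Tokens assumed to be rejected (the post names splash screens and quiet).
DISALLOWED="quiet splash rhgb"

# Print the GRUB_CMDLINE_LINUX value from a grub defaults file.
# Usage: grub_cmdline_from_file /etc/default/grub   (path assumed)
grub_cmdline_from_file() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# Return 0 if the command line is acceptable, 1 otherwise; reports each problem.
# Usage: check_cmdline "crashkernel=auto console=ttyS0,38400n8d"
check_cmdline() {
    cmdline="$1"
    status=0
    for tok in $cmdline; do
        for bad in $DISALLOWED; do
            if [ "$tok" = "$bad" ]; then
                echo "disallowed kernel argument: $tok"
                status=1
            fi
        done
    done
    # The serial console must be present so the instance logs to the GCE console.
    case " $cmdline " in
        *" console=ttyS0,"*|*" console=ttyS0 "*) ;;
        *) echo "missing serial console argument (console=ttyS0,...)"; status=1 ;;
    esac
    return $status
}

# Check a grub defaults file; the exit status is the check result.
# Usage: check_grub_file /etc/default/grub
check_grub_file() {
    check_cmdline "$(grub_cmdline_from_file "$1")"
}

# When run directly with a file argument, check that file.
if [ -n "${1:-}" ]; then
    check_grub_file "$1" && echo "kernel command line OK"
fi
```

Run it as `sh check_grub.sh /path/to/grub-defaults` after each upgrade; a non-zero exit means the command line needs editing before you reboot.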