Current ThreatQ Version Filter

ThreatQ 6x Installation

Implementing ThreatQ 6x involves setting up a new Ubuntu 22.04 LTS instance or Red Hat Enterprise Linux (RHEL) 8.10 or 9.4 instance and installing ThreatQ 6x in this new instance. After you complete this process, contact ThreatQuotient Support to request the Migration guide for ThreatQ 6x. This guide provides information on transferring data from your existing ThreatQ 5x instance to your new ThreatQ 6x instance.

ThreatQuotient recommends you install the most recent version of ThreatQ 6x for your upgrade.

Operating System and Kubernetes Distribution Maintenance

After upgrading to ThreatQ 6x, customers are responsible for maintaining their RHEL or Ubuntu operating system as well as the RKE2 Kubernetes distribution.
ThreatQ currently supports RHEL 8.10 or 9.4, Ubuntu 22.04 LTS, and the latest, stable RKE2 version. Before updating to a different version, please contact ThreatQuotient Support to confirm compatibility. See the Red Hat Enterprise Linux 9 Support section for more information.

Supported Hardening Standards by Operating System

ThreatQ v6 supports the following hardening standards for RHEL 8.10, RHEL 9.4, and Ubuntu 22.04 LTS:

	RHEL 8.10	RHEL 9.4	Ubuntu 22.04 LTS
CIS Level 1	X	✔	X
CIS Level 2	X	✔	X
STIG	✔	✔	X

See the ThreatQ v6 RHEL v9 Hardening guide for more information on implementing CIS Level 1, CIS Level 2, and STIG hardening standards in a RHEL 9.4 environment.

Security Technical Implementation Guide (STIG) Installs

This installation guide includes STIG Install Notes to assist customers performing a STIG install of ThreatQ 6x on RHEL 8.10 or 9.4 instances.

Prerequisites

Before you begin a ThreatQ install, you must disable any security endpoint tools running on your VM as this may cause the installation to fail.

Ubuntu 22.04 LTS or Red Hat Enterprise Linux (RHEL) 8.10 or 9.4 instance that meets ThreatQ System Requirements and is configured to use UTC as the time zone standard.
The latest stable RKE2 version. See the steps below for information on installing and configuring RKE2.
Depending on your network, you may need to whitelist the following:
- Domains included in the RKE2 install script
- Ubuntu or RHEL repos
The following packages must be installed on your system: bash-completion, curl, gnupg, python3, tmux, wget, and zstd. In addition, software-properties-common is required for Ubuntu. The container-selinux and iptables packages are required for RHEL.
Your ThreatQ license key.
Your ThreatQ YUM credentials.
A static IP address assigned to the new Ubuntu or RHEL instance.

Firewall access to the following ports:
ThreatQ Appliance Ports

Source	Destination	Port	Port Use
All of the workstations that will be used by security analysts	ThreatQ	443	Open for ThreatQ UI (HTTPS / TLS)
Workstations that will access remotely ThreatQ	ThreatQ	22	Secure shell access. Open for shell access by administrators
All of the workstations that will be used by security analysts	ThreatQ	80	Redirects to 443 to ensure TLS is used
TAXII Clients	ThreatQ	5910	Used by the embedded TAXII server
Other TQX subscribers	ThreatQ Publisher	8883	Used by ThreatQ Exchange (TQX) Broker (opendxl-broker). The port is used for TQX communication. This is the subscriber's incoming connection port

External ThreatQ Ports and URLs

Source	Destination	Port	Port Use
ThreatQ	ThreatQ Base Software	443	https://download.threatq.com/*
ThreatQ	ThreatQ System Updates	443	https://system-updates.threatq.com/* https://install-v6.threatq.com/*
ThreatQ	ThreatQ Integrations	443	https://extensions.threatq.com/*
User Workstation	ThreatQ Help Center	443	https://helpcenter.threatq.com/*
User Workstation	ThreatQ Marketplace	443	https://marketplace.threatq.com/*
User Workstation	ThreatQ Support Portal	443	https://support.threatq.com/*

ThreatQ v6 BYOD Partitioning Overview

For BYOD 6x installations, we require the following partition scheme to obtain the best ThreatQ experience.

Specific Sizes Overview

Use the following in the event that your organization requires specific sizes:

File System	Size	Notes
/	50GB	N/A
/var	120GB/200GB	200GB is the recommended size if there are no other partitions under /var. 120GB is the recommended size if there are separate log and tmp partitions under /var. Images are stored in /var in addition to the locations listed below. See the breakdown of the individual locations within /var in the Specific Size Breakdown table below.
/opt	>=600GB	The majority of resources should be dedicated to this location. MYSQL and SOLR utilize this mount point. A minimum of 600GB to several TBs is required for optimal performance.

Specific Size Breakdown

The following is a more detailed break down of specific sizes (listed on the overview table above):

File System	Size	Notes
/boot	1GB	N/A
/home	20GB	N/A
/tmp	20GB	N/A
/var/tmp	5GB	If your /var size is 200GB, the /var/tmp size is included in the overall recommended /var file system size of 200GB. If your /var size is 120GB, the /var/tmp size is not included in the overall recommended /var size of 120GB.
/var/log	50GB	All container logs are written to this location. You can increase the size if needed. If your /var size is 200GB, the /var/log size is included in the overall recommended /var file system size of 200GB. If your /var size is 120GB, the /var/log size is not included in the overall recommended /var size of 120GB.
/var/log/audit	20GB	If your /var size is 200GB, the /var/log/audit size is included in the overall recommended /var file system size of 200GB. If your /var size is 120GB, the /var/log/audit size is not included in the overall recommended /var size of 120GB.
/	>=680GB	All remaining resources should be dedicated to this location.

Dedicated Mount /opt

Use the following sizing, in addition to the Specific Size Breakdown table, if you are required to create a dedicated mount for /opt.

File System	Size	Notes
/	250GB	N/A
/opt	>=600GB	The majority of resources should be dedicated to this location. A minimum of 600GB to several TBs is required for optimal performance.

Before You Begin

Before setting up your new environment, installing ThreatQ 6x, and migrating your ThreatQ 5x data, we recommend the following preparation:

Create a non-root user for the new ThreatQ 6x environment.
Determine if you want to use the default IP range for K8s on the new 6x instance or a custom IP range.
Make sure your YUM credentials are easily accessible. If you do not have them, please reach out to ThreatQ Support.

The following install steps must be completed using a non-root user account.

Set up Your Ubuntu or RHEL Environment

Provision a new amd64 Ubuntu 22.04 LTS or RHEL 8.10 or 9.4 instance that meets ThreatQ system requirements.

Deployment Size	Typical Usage	Required Hardware Specifications	Minimum Instance Size for AWS Deployment
<2M Indicators	Development or PoC (small)	4-8 Core CPUs 64GB RAM 800GB of provisioned storage	r6i.2xlarge
2 - 10M Indicators	Medium Production	8-16 Core CPUs 128GB RAM 800GB of provisioned storage	r6i.4xlarge
>10M Indicators	Large Production	16-32 Core CPUs 256GB RAM 2TB of provisioned storage	r6i.8xlarge

Run the following command to set the maximum number of inotify instances for the installing user to 300.
If the inotify instance maximum is already configured for your system, this command will overwrite any existing value with a value of 300.

sudo sed -i '/^fs\.inotify\.max_user_instances/d' /etc/sysctl.conf && printf "fs.inotify.max_user_instances = 300\n" | sudo tee -a /etc/sysctl.conf >/dev/null && sudo sysctl -p

Pin Your RHEL 9 Version

The following steps allow you to pin your current RHEL 9 release so that you cannot inadvertently upgrade your RHEL 9 environment to an unsupported release. See the Red Hat Enterprise Linux 9 Support section for more information on currently supported RHEL 9 versions.

Run the following commands as root or prefix them with sudo.

Set release to minor version:
subscription-manager release --set=<release number>
Clean repositories:
yum clean all
Check which release is set locally:
subscription-manager release --show

Pin Your Ubuntu 22.04 Version

ThreatQ recommends you update the release-upgrades file to disable manual Ubuntu upgrades so that you cannot inadvertently upgrade your Ubuntu 22.04 environment to an unsupported release.

Use a text editor, such as vi, to access /etc/update-manager/release-upgrades.
Change the Prompt= setting to Prompt=never.
Save your changes and exit the file.

Configure Internal Networking

With the default configuration, changing the hostname or external IP address of a Kubernetes system can cause unrecoverable errors that require a complete reinstall to resolve. All these commands must be run with root permissions.

Create a virtual network interface using an IP address that does not exist on a local subnet.
For Ubuntu:
sudo tee /etc/netplan/99-k8s-dummy.yaml <<EOF > /dev/null
network:
version: 2
bridges:
dummy0:
interfaces: []
addresses: [ "<dummy IP>/32" ]
EOF
sudo chmod 0600 /etc/netplan/*.yaml
sudo netplan apply

You may receive a warning message. You can ignore this message and proceed to the next step.
For RHEL:
sudo nmcli connection add type dummy ifname dummy0 ipv4.method manual ipv4.addresses <dummy IP>/32 ipv6.method disabled
Add an entry to the /etc/hosts file mapping the IP address of the dummy network interface to a simple hostname like “node”.
Example:
echo '<dummy IP> node' | sudo tee -a /etc/hosts

Prepare the RKE2 Configuration File

Add a configuration file for RKE2 before installing it so it takes effect when building the initial configuration. This will force the system to use the dummy IP address and hostname for the Kubernetes node, leaving you free to change your system's external IP address and hostname.
sudo mkdir -p /etc/rancher/rke2
sudo tee /etc/rancher/rke2/config.yaml <<EOF > /dev/null
node-name: node
node-ip: <dummy IP>
node-external-ip: <dummy IP>
EOF

Example:
sudo mkdir -p /etc/rancher/rke2
sudo tee /etc/rancher/rke2/config.yaml <<EOF > /dev/null
node-name: node
node-ip: 192.168.199.1
node-external-ip: 192.168.199.1
EOF

Further steps require additional changes to the configuration file, so be careful not to overwrite the file if it already exists.
For RHEL only, enable SElinux in the rke2 config file:
echo "selinux: true" | sudo tee -a /etc/rancher/rke2/config.yaml > /dev/null

Change the Kubernetes Subnet (Optional)

By default, RKE2 uses the 10.42.0.0/15 subnet for container and service networking. If that subnet is used for your local network, you may want to configure RKE2 to use a different subnet.
See the RKE2 server configuration options for cluster-cidr, service-cidr, and cluster-dns.ptional.

Set Up kubectl

Run the following command to add RKE2 and associated utilities:
sudo tee /etc/profile.d/rke2.sh <<EOF > /dev/null
export PATH="\$PATH:/var/lib/rancher/rke2/bin"
EOF
source /etc/profile.d/rke2.sh

During the installation of RKE2, restart the host system right after you enable the rke2-server.service and before you start it.
Install RKE2 as a Server Node on a systemd-based system using the steps in RKE2 Quick Start guide.

Verify Your RKE2 Installation

The following steps must be completed using a non-root user account.

After the RKE2 installation is complete, copy the RKE2 kubeconfig file to your home directory and set the appropriate permissions. This enhances security by restricting access to the kubeconfig file.
Example:
mkdir -p ~/.kube
sudo cp /etc/rancher/rke2/rke2.yaml ~/.kube/config
sudo chmod 600 ~/.kube/config
sudo chown <non-root username>:<non-root username> ~/.kube/config
Run the following command to check the status of your pods:
kubectl get pods -A

Example - Successful Output:

Install ThreatQ 6x

Log into your Ubuntu or RHEL instance.
Download the most recent version of TQAdmin, using your YUM credentials:
STIG Install Note:
Download TQAdmin from another system. FIPS will not allow you to download TQAdmin. After you download TQAdmin from another system, copy it to the /root/ directory.
Ubuntu:
curl -fO -u <YUM_USER> https://install-v6.threatq.com/tqadmin.deb

RHEL:
curl -fO -u <YUM_USER> https://install-v6.threatq.com/tqadmin.rpm
Run the following command to verify the TQAdmin download:
Ubuntu:
ls -ltr tqadmin.deb

RHEL:
ls -ltr tqadmin.rpm
Install TQAdmin:
STIG and RHEL 8.10 Install Note:
For STIG installs and for non-STIG RHEL 8.10 installs, append --nodigest to the end of the TQAdmin install command.
Ubuntu:
sudo dpkg -i tqadmin.deb

RHEL:
sudo rpm -Uvh tqadmin.rpm

Run the following command to provision your deployment:

sudo /usr/local/bin/tqadmin configure

Prompt	Description
Do you want to enable OpenDXL (TQX)? (yes/no)	Enter yes to enable ThreatQ Data Exchange's OpenDXL functionality. Enter no to disable this functionality.
Do you want to enable the embedded TAXII server? (yes/no)	Enter yes to enable ThreatQ Data Exchange's TAXII server functionality. Enter no to disable this functionality.
Do you want to use your own SSL certificate? (yes/no)	Enter yes to configure a custom SSL certification (not self-signed).
Enter the file path for your certificate	Enter the path for your SSL certificate. example: /etc/threatq-certs/mycert.pem
Enter the file path for your private key	Enter the path for the SSL certificate's private key. example: /etc/threatq-certs/mykey.pem
Do you want to enable CAC/mTLS? (yes/no)	Enter yes to configure SSL Client Certificate Authentication.
Enter the file path for your certificate	Enter the path for your CA Certificate. example: /etc/threatq-certs/mycert.pem
Enter the FQDN of the server	Enter the FQDN of the server. example: myserver.threatq.com

STIG Install Notes:
Running the tqadmin platform install command may take longer than fifteen minutes and as such may trigger the timeout interval required by STIG. To prevent process interruption, a user will need to press the spacebar prior to each timeout. If this is not an option, you can use the following command to increase the timeout interval:
RHEL 9.4: sudo sed -i 's/=600/=60000/g' /etc/profile.d/tmout.sh
RHEL 8.10:
sudo sed -i 's/600/60000/g' /etc/ssh/sshd_config
sudo systemctl restart sshd.service
After you run this command, you must log out and log back in. After you complete the install process, run the following command to reinstate the timeout interval:
RHEL 9.4: sudo sed -i 's/=60000/=600/g' /etc/profile.d/tmout.sh
RHEL 8.10:
sudo sed -i 's/60000/600/g' /etc/ssh/sshd_config
sudo systemctl restart sshd.service

Run one of the following commands to Install ThreatQ:
To install the most recent 6x release:
sudo /usr/local/bin/tqadmin platform install

To install a specific release:
sudo /usr/local/bin/tqadmin platform install -v <version number>

STIG Install Note:
If you disabled the fifteen minute timeout, after the TQAdmin install completes, run the following command to reinstate the timeout interval:
RHEL 9.4: sudo sed -i 's/=60000/=600/g' /etc/profile.d/tmout.sh
RHEL 8.10:
sudo sed -i 's/60000/600/g' /etc/ssh/sshd_config
sudo systemctl restart sshd.service
Run the following command to generate the initial password for the ThreatQ Admin user (username = admin):
sudo /usr/local/bin/tqadmin password
To verify your ThreatQ installation, check the status of the pods and services in your Kubernetes cluster.
kubectl get pods -A
kubectl get svc -A
List the ThreatQ pods:
kubectl get pods -n threatq

Access Your New ThreatQ 6x Instance

Connect to the ThreatQ web interface, using the IP/hostname given during the installation.
Add the license key provided by ThreatQ Support.
Use the username admin and the password you generated.
Accept the EULA.
Opt in or out of sending analytics.

Next Steps

Contact ThreatQuotient Support to request the Migration guide for ThreatQ 6x.