On-premise, or on-prem, refers to deploying software, systems, or infrastructure onsite within an organization's physical location rather than in a cloud-based environment. It means the organization owns and maintains the hardware and software necessary to run its IT operations within its premises rather than relying on external providers or cloud services.
For customers hosting PlexTrac locally, this section provides information and instructions on installing and managing that instance and best practices to keep the instance secure.
Machine/instance with a minimum quad-core processor, 16 GB of memory, 250 GB of storage, and connection to the internet
CMD access to the PlexTrac server
If using Let’s Encrypt: Ensure ports 443 and 80 are open in/outbound to allow a new certificate to be obtained when the docker containers are started
If using a custom domain, the DNS A record must be created
Ubuntu 20.04 or Ubuntu 22.04
Debian Linux (Version 12, Bookworm)
CentOS 8
Red Hat Linux 9
Rocky Linux 9
Delay any hardening procedures until after installation.
Step 1: Log in to the server that will host PlexTrac.
Step 2: As a root user (or user with root privileges), run the following commands to download the PlexTrac utility from our public GitHub repository:
The command will also initialize the script and perform system updates. Once complete, the shell should be returned.
Step 3: Switch the user to "plextrac".
Step 4: Run plextrac configure. A message “Error: Docker Hub key not found…” will appear at the end of the log, but this can be safely ignored. The key will be added in the following steps.
Step 5: Edit the .env file.
Step 6: Find the following variables in the .env and make the changes listed in the table.
Step 7: If using a custom logo, favicon, or SSL certificate, follow the instructions here and here before continuing to the next step.
Step 8: Ensure that the most recent upstream version of Couchbase's database is used.
Edit the docker-compose.override.yml located in the installation directory of PlexTrac.
Uncomment the services: line.
Save the file.
Step 9: Run plextrac install.
Once complete, a summary page should be printed (example below).
Step 10: Set the initial password for the global_admin account by querying the logs and extracting the URL:
An example query result might be:
Access the URL in the query result to set the initial password for the global_admin account.
Step 11: Log in using the password set in the previous step:
Username: global_admin
Password: [your_password]
Command-line access to the server with PlexTrac installed and running
Step 1: As root, enable journald globally by adding this configuration to /etc/docker/daemon.json:
This file may not exist. If this is the case, it will need to be created.
Step 2: Restart the docker service.
Step 3: Add plextrac user to the systemd-journal group.
Step 4: As the plextrac user, update the system using this command.
As a plextrac user, invoke the journalctl command to view logs.
Examples:
Available containers to pull logs from:
plextrac-postgres-1
plextrac-redis
plextrac-plextracdb-1
plextrac-plextracnginx-1
plextrac-plextracapi-{1,2,3}
plextrac-couchbase-migrations-1
plextrac-notification-sender-1
plextrac-notification-engine-1
Below the services: line, add the following:
so that it appears as below:
This page provides instructions on setting up and accessing historical logs on the PlexTrac server. This process leverages the logging driver that uses the Linux logging system as a storage backend and allows access to historical logs after a container has been updated or restarted.
Refer to the official page for journald.
Variable | Action | Example |
---|---|---|
ADMIN_EMAIL= | Add a valid email address to create the initial user in the platform. | ADMIN_EMAIL=you@domain.com |
DOCKER_HUB_KEY= | Add the docker token provided by PlexTrac Support. | DOCKER_HUB_KEY=key123 |
CLIENT_DOMAIN_NAME= | If using a self-signed certificate, enter the IP address of the server. Otherwise, if a DNS A record was created, enter the DNS name here. | CLIENT_DOMAIN_NAME=plextrac.example.com |
LETS_ENCRYPT_EMAIL= | If using Let's Encrypt, enter an email address to be notified when the certificate is about to expire. | LETS_ENCRYPT_EMAIL=you@domain.com |
USE_CUSTOM_CERT= | If using a custom SSL certificate, set to true and follow step 7. | USE_CUSTOM_CERT=true/false |
PlexTrac allows self-hosted instances to verify that the Docker images run in the environment are signed and trusted using Cosign.
Verification has been used for years with checksums on downloads from the internet. Cosign verification allows the same process but with Docker containers. This simple check provides validation and confidence that the container was built and signed by PlexTrac.
Cosign binary: Ensure this is in a location that can be used within the command line
PlexTrac cosign public key saved with the following content (can be downloaded below):
To verify the signature against PlexTrac's signed image, use the public key downloaded above and the following command:
cosign verify --key plextrac_cosign.pub docker.io/plextrac/plextracapi:stable | jq .
Replace plextrac_cosign.pub with the filename the key was saved as.
If using "jq," the output would be:
For CI/CD or other purposes, the signed hash can be extracted to ensure the image is verified, such as the following:
cosign verify --key plextrac_cosign.pub docker.io/plextrac/plextracapi:stable | jq '.[].critical.image | .[]'
The output would be:
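For the CI/CD use described above, the following is an added example (not PlexTrac's own tooling) of a gate that keeps cosign's exit status and compares the signed digest with a pinned one. The function names, the pinned digest and the sample JSON are constructed for illustration; only the `cosign verify --key` invocation comes from this page.

```shell
#!/bin/sh
# Added example: CI gate around `cosign verify`. Names below are hypothetical.

# Constructed sample in the shape `cosign verify` prints on stdout.
SAMPLE_JSON='[{"critical":{"identity":{"docker-reference":"index.docker.io/plextrac/plextracapi"},"image":{"docker-manifest-digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},"type":"cosign container image signature"},"optional":null}]'

# Read cosign JSON on stdin and print the single signed manifest digest.
# Returns 1 when no digest, or more than one distinct digest, is present.
signed_digest() {
  sd_found=$(grep -Eo '"docker-manifest-digest"[[:space:]]*:[[:space:]]*"sha256:[0-9a-f]{64}"' \
             | grep -Eo 'sha256:[0-9a-f]{64}' | sort -u)
  [ -n "$sd_found" ] || return 1
  [ "$(printf '%s\n' "$sd_found" | wc -l | tr -d ' ')" -eq 1 ] || return 1
  printf '%s\n' "$sd_found"
}

# Compare the digest cosign vouched for with the digest pinned for deployment.
digest_matches_pin() {   # $1 = cosign JSON, $2 = pinned digest
  dm_got=$(printf '%s' "$1" | signed_digest) || return 1
  [ "$dm_got" = "$2" ]
}

# Full gate. Capturing the output instead of piping straight into jq keeps
# cosign's own exit status, which a plain pipeline would discard.
verify_image() {         # $1 = public key file, $2 = image reference, $3 = pinned digest
  vi_json=$(cosign verify --key "$1" "$2" 2>/dev/null) || {
    echo "cosign verification failed for $2" >&2
    return 1
  }
  digest_matches_pin "$vi_json" "$3" || {
    echo "signed digest differs from pinned digest for $2" >&2
    return 1
  }
  echo "verified $2@$3"
}

# Usage in a pipeline step (digest value is a placeholder):
#   verify_image plextrac_cosign.pub docker.io/plextrac/plextracapi:stable "sha256:<pinned digest>"
```

Without `set -o pipefail`, a command of the form `cosign verify ... | jq ...` reports jq's exit status, so a CI step built on the bare pipeline can pass even when verification fails.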
Custom SSL certificates are digital certificates issued for a specific domain or subdomain to secure website traffic with HTTPS encryption. Unlike free SSL certificates provided by Certificate Authorities (CAs) like Let's Encrypt, custom SSL certificates are typically purchased from commercial CAs and can be customized to meet the website owner's specific security and branding requirements.
Command-line access to the server with PlexTrac installed and running
Purchased SSL certificate from a vendor such as GoDaddy or DigiCert
Two files are required to implement a custom SSL certificate with NGINX
a .crt file following this format:
a .key file following this format
Often, the contents of these files can be extracted from the PEM downloaded from the vendor.
Step 1: Copy the .key and .crt files to the server hosting PlexTrac.
Step 2: Edit the docker-compose.override.yml located in the installation directory of PlexTrac.
Step 3: Uncomment “services”, “plextracnginx:”, “volumes” and the two lines ending in app.plextrac.key and app_cert_chain.crt.
Step 4: Replace “<< local key path here >>” and “<< local cert path here >>” with the file path to the files copied to the server in Step 1.
Take note of the two additional spaces for each new line.
Step 5: Save and exit.
Step 6: A command must be run to implement the changes; which command to use depends on the scenario:
If the PlexTrac instance is running on the latest version:
If the PlexTrac instance is on an older version:
Step 7: Clear browser cache or open an incognito page and browse to your PlexTrac URL to ensure successful changes.
Command-line access to the server with PlexTrac installed and running
Desired logo (.png, .jpg etc.) for both light and dark themes
Desired favicon in .ico format
Step 1: Copy the desired logo and favicon to the server running PlexTrac.
Step 2: Edit the docker-compose.override.yml located in the installation directory of PlexTrac.
Step 3: If adding logos, uncomment “services”, “plextracnginx:”, “volumes” and the first two lines under volumes.
Spacing in this yaml file must be exact or may cause issues. Reference the screenshots below to match the indentation of each line.
Step 4: Replace “<< local file path here >>” with the file path of your logo(s).
Step 5: Save and exit.
Step 6: Run plextrac update to implement the changes.
If the following error message appears while running plextrac update, check the file path specified in the override file and ensure it is correct and that the files exist.
If the logo does not appear, try clearing the cache and refreshing the page. If still having trouble, please create a ticket at the Service Desk.
It is recommended to back up before updating.
Prerequisite: Access to command-line where PlexTrac is hosted.
To install an update to PlexTrac, follow the steps below:
Step 1: Validate user is "plextrac."
Step 2: Run plextrac update to pull the latest code release.
Once complete, the shell will be returned for use.
Step 3: Log in to the platform by browsing to the IP address or DNS name.
If one of the messages below appears when attempting to log in, wait for five minutes and try logging in again. These messages generally indicate that the startup needs additional time to finish.
When migrating to another server, it is essential to ensure that backup data is transferred successfully to maintain data integrity and accessibility. This page provides the steps involved in moving backup data.
A backup consists of three parts:
Couchbase database: A distributed, NoSQL document-oriented database management system that contains PlexTrac information, such as users and reports.
Postgres database: An open-source relational database management system that, much like Couchbase, stores various user data.
Uploads: Files and items transferred (i.e., scans and screenshots) that may exist in a report.
All of the above are needed for a complete backup and restore to a new server.
Step 1: Perform a backup by running the following command:
Step 2: Navigate to the backups directory. This is typically located at /opt/plextrac/backups.
Step 3: List the files in Couchbase, Postgres and uploads to verify that the .tar.gz files exist with the timestamp of the latest backup.
Step 4: Identify the most recent files from each directory. From a local machine, copy the files off the server. For example:
Step 5: Once the Couchbase, Postgres and uploads backup files have been successfully copied to a local machine, visit the Restore Procedure page and follow the directions to restore.
Let's Encrypt is a free, automated, and open certificate authority that provides digital certificates to enable HTTPS (SSL/TLS) encryption on websites. Its certificates are short-lived to encourage automatic renewal and reduce the time a compromised cert could be abused. PlexTrac is designed to work best with Let's Encrypt and recommends it instead of self-signed certificates.
Let's Encrypt is operated by the Internet Security Research Group (ISRG), a non-profit organization that aims to secure the Internet by providing free and open digital certificates. Let's Encrypt certificates are trusted by all major browsers and can be used for any website.
Command-line access to the server with PlexTrac installed and running
Ensure that port 80/443 is open inbound AND outbound for Let’s Encrypt to pull a certificate
Step 1: Navigate to the installation directory of PlexTrac (e.g., /opt/plextrac) as the plextrac user.
Step 2: Edit the .env file.
Step 3: Ensure that CLIENT_DOMAIN_NAME={DNS A Record} and LETS_ENCRYPT_EMAIL={valid email address} are set. Verify that USE_CUSTOM_CERT=false.
Step 4: Save and exit.
Step 5: In the docker-compose.override.yml, verify that lines governing a custom certificate are commented out.
<< local key path here >>:/etc/ssl/app.plextrac.key
<< local cert path here >>:/etc/ssl/app_cert_chain.crt
Step 6: Run plextrac update to implement the changes.
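The checks from the .env and docker-compose.override.yml steps above can be run as a script before plextrac update. This is an added example, not part of the PlexTrac utility; the function names are hypothetical, and the variable names and the two /etc/ssl paths are the ones shown on this page.

```shell
#!/bin/sh
# Added example: lint the Let's Encrypt settings before `plextrac update`.

# Print the value of KEY from a KEY=value .env file (last assignment wins,
# surrounding quotes and carriage returns stripped).
env_value() {   # $1 = .env path, $2 = key
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'" | tr -d '\r'
}

check_letsencrypt_config() {   # $1 = .env path, $2 = docker-compose.override.yml path
  le_rc=0
  [ -n "$(env_value "$1" CLIENT_DOMAIN_NAME)" ] || {
    echo "CLIENT_DOMAIN_NAME is empty" >&2; le_rc=1; }
  [ -n "$(env_value "$1" LETS_ENCRYPT_EMAIL)" ] || {
    echo "LETS_ENCRYPT_EMAIL is empty" >&2; le_rc=1; }
  [ "$(env_value "$1" USE_CUSTOM_CERT)" = "false" ] || {
    echo "USE_CUSTOM_CERT must be false" >&2; le_rc=1; }
  # Step 5: the custom key and chain mounts must be commented out, so flag
  # any non-comment line that still references them.
  if [ -f "$2" ] && grep -Ev '^[[:space:]]*#' "$2" \
       | grep -Eq '/etc/ssl/(app\.plextrac\.key|app_cert_chain\.crt)'; then
    echo "custom certificate lines are still active in $2" >&2
    le_rc=1
  fi
  return "$le_rc"
}

# Usage, from the installation directory:
#   check_letsencrypt_config .env docker-compose.override.yml && plextrac update
```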
A restoring procedure refers to recovering data or restoring the functionality of a device, software, or system. The procedure may involve using backup files to restore lost or damaged data, re-installing software applications, and repairing or replacing hardware components.
This page explains how to restore the database in PlexTrac.
This should only be used when necessary due to the risk of data loss.
Access to command-line where PlexTrac is hosted
A recent backup performed using the PlexTrac Utility
Step 1: For the most consistent results, create a new directory in /opt/plextrac and move any content from /opt/plextrac/backups/couchbase/, /opt/plextrac/backups/postgres/, and /opt/plextrac/backups/uploads/ to this new directory.
If you do not see the directories listed above, the plextrac backup command has likely not been run yet. Once this command is executed, the directories will be created.
Step 2: Place only the desired {{uploads}}.tar.gz to restore into the following directory: /opt/plextrac/backups/uploads.
Step 3: Place only the desired {{couchbase}}.tar.gz in the /opt/plextrac/backups/couchbase.
Step 4: Place only the desired {{postgres}}.tar.gz in the /opt/plextrac/backups/postgres.
During Steps 2-4, verify that only these exist when placing the files in the given directories. The existence of other files or directories may lead to errors during the restore process.
Step 5: Run plextrac restore.
It might take several minutes to complete, depending on the database size and upload directories.
Step 6: Enter yes or no to proceed with restoring Postgres, then enter yes or no to restore Couchbase, and finally enter yes or no to restore the uploads.
Step 7: Once both sections have been completed, navigate to the platform and check that the data has been restored.
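The rule from Steps 2-4, that each backup directory holds only the one archive to restore, can be checked before running plextrac restore. This is an added example, not part of the PlexTrac utility; the function name is hypothetical, and the gzip integrity test is an extra check that goes beyond the page, useful when the archives were copied from another server.

```shell
#!/bin/sh
# Added example: pre-flight check before `plextrac restore`.
# Each of couchbase/, postgres/ and uploads/ must contain exactly one
# .tar.gz file and nothing else, and that file must be a readable gzip stream.

check_restore_dirs() {   # $1 = backups directory, e.g. /opt/plextrac/backups
  cr_rc=0
  for cr_part in couchbase postgres uploads; do
    cr_dir="$1/$cr_part"
    if [ ! -d "$cr_dir" ]; then
      echo "missing directory: $cr_dir" >&2
      cr_rc=1
      continue
    fi
    # Count every entry (files, directories, hidden files) directly inside.
    cr_entries=$(find "$cr_dir" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' ')
    cr_archive=$(find "$cr_dir" -mindepth 1 -maxdepth 1 -type f -name '*.tar.gz')
    if [ "$cr_entries" -ne 1 ] || [ -z "$cr_archive" ]; then
      echo "$cr_dir: expected exactly one .tar.gz and nothing else ($cr_entries entries found)" >&2
      cr_rc=1
    elif ! gzip -t "$cr_archive" 2>/dev/null; then
      echo "$cr_archive: fails gzip integrity test (truncated or corrupted copy?)" >&2
      cr_rc=1
    fi
  done
  return "$cr_rc"
}

# Usage:
#   check_restore_dirs /opt/plextrac/backups && plextrac restore
```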
By hosting PlexTrac on-premise, organizations gain greater control over customization and updates but are responsible for implementing and maintaining security measures. Since PlexTrac contains an organization's vulnerability and pentesting data, security is crucial for protecting sensitive data, complying with regulations, and ensuring business continuity.
Securing the deployment of PlexTrac encompasses various best practices, which can be categorized into two primary domains: network security and host security.
Network security protects the integrity, confidentiality, and availability of data and resources within a computer network. It involves implementing various measures, policies, and technologies to prevent unauthorized access, data breaches, and cyberattacks on the network infrastructure. The primary goal of network security is to create a secure environment where data can be transmitted, stored, and accessed by authorized users while keeping malicious actors and threats at bay.
Host security refers to the measures and practices implemented to protect individual computing devices, such as servers, workstations, laptops, and mobile devices (endpoints). The primary objective of host security is to safeguard these devices from various cyber threats and unauthorized access, ensuring the confidentiality, integrity, and availability of the data stored on them.
Ensuring security for on-premise hosting is paramount in safeguarding sensitive data and critical systems within an organization's infrastructure. This section outlines essential best practices that organizations should consider when securing their hosting environments, providing a solid foundation for protecting valuable assets and maintaining the confidentiality, integrity, and availability of their information and services.
Before installing the PlexTrac product, the first step involves determining the optimal location for the host placement within the network. PlexTrac strongly advises against placing the product in the DMZ (demilitarized zone) or exposing it to the internet unless internet access is required.
For only internal-facing instances, keep two ports open, while the rest can be closed via firewall rules in the environment. Here is an overview of ports that could be opened:
To enhance security and prevent attackers from laterally moving to the PlexTrac instance through port 22, PlexTrac recommends implementing one or more of the following mitigation strategies:
Keep port 22 closed until management or patching is necessary. While effective, this approach may become an issue if prompt action is required on the host.
Implement MFA, RADIUS, or similar authentication mechanisms to provide an additional layer of protection. This will prevent attackers from exploiting password spraying or brute forcing techniques to access the host.
Configure the firewall rules to allow access from a jump host. This can work well when an environment is comprised of enterprise Windows hosts. Using LDAP to access the jump host, along with a strong password on the PlexTrac instance, helps to ensure that two factors are in place for access and enforcing AD policies on users who need to access the PlexTrac instance.
When making PlexTrac publicly accessible, the required ports remain the same as mentioned before (port 443 and port 80). However, exposing only port 443 to the internet is essential for enhanced security. Port 22, used for SSH access, should be treated with the same precautions as in the Intranet deployment and protected with appropriate mitigating measures. This helps safeguard the system against potential threats and unauthorized access.
Organizations should follow hardening standards to protect the PlexTrac host from network-based attacks. Some effective approaches include:
Update the operating system (OS) often: It's crucial to update the host OS to patch vulnerabilities and keep the PlexTrac instance host up to date, reducing its vulnerability as much as possible.
Configure strong passwords: Configuring strong passwords for the root and plextrac user accounts is essential for enhancing security by preventing unauthorized access and reducing the risk of privilege escalation.
Use security tools: Configuring anti-malware software and logging tools for internal security teams to monitor the instance is crucial to bolster security. Configure antivirus and logging tools, but ensure exceptions exist for tools like Docker.
Restrict access to the host: Restricting access to the CLI is critical for security. Implementing firewall rules or access management solutions allows control over who can access the host.
Possession of Couchbase, Postgres and uploads in tar.gz format (See instructions on how to perform a backup and prepare it to be moved to a new host)
Port | Notes |
---|---|
443 | This port is commonly used for HTTPS, the secure version of HTTP. It is accessed by users to connect to the PlexTrac instance securely over the internet. HTTPS ensures that the communication between the user's browser and the PlexTrac server is encrypted, providing higher security during data transmission. |
80 | Port 80 is typically used for regular HTTP connections. It redirects to port 443, which means that when users attempt to access the PlexTrac instance using HTTP (non-secure), the server automatically redirects them to the HTTPS (secure) version on port 443. Leaving port 80 open can help handle these redirects and ensure a secure connection. |
22 | Port 22 is the default SSH (Secure Shell) connection port. SSH is a secure protocol used for remote access to servers. It is used to manage, patch, and upgrade the PlexTrac instance. System administrators and authorized users can use SSH to log in to the server's command-line interface (CLI) and perform various administrative tasks. |
This page explains the process for creating a local backup of PlexTrac using the built-in script and clean command.
Command-line access to the server hosting PlexTrac
Nobody is using the platform
Backup may be incomplete if someone is actively using the platform.
Step 1: Log in to PlexTrac and switch the user to plextrac.
Step 2: Run plextrac backup.
Depending on how much data exists in the platform, this step may take anywhere from a few seconds to 10 minutes. Do not interrupt the process before the shell is returned.
If this is the first time running a backup, a backups directory will be created in the directory where PlexTrac was installed.
Inside the backups directory, “couchbase,” “uploads,” and “postgres” folders exist.
Each time a backup is performed, a new directory is created in these directories with the date and time of the backup. If a backup needs to be performed, all three directories are required.
The new PlexTrac utility has a built-in function to make managing local PlexTrac backups quick and easy. Depending on the size of your database and the frequency of backups, we recommend running this command regularly to avoid potential problems arising from space issues on the server.
To run the clean utility, perform the following steps:
Step 1: Log in to PlexTrac and switch the user to plextrac.
Step 2: Run the plextrac clean command. This command automatically removes backups older than ten days and compresses the rest to save space.