Impex Operation Guide

Purpose of This Guide

This operations guide is designed to support users in operating Impex systems. It provides both general and specific instructions related to the operation of USB Protect, DataLock, the ICC, and the Repo server. Please note that this guide does not cover the system or application architecture, which is detailed in a separate document. Additionally, troubleshooting procedures for USB Protect and DataLock are outside the scope of this guide and are documented separately.

Definitions

Contacts

Customers with an active support agreement are welcome to contact us via email at:

support@sysctl.se

System overview

System Overview: USB Protect and DataLock

USB Protect is a kiosk-based system designed to scan data on USB devices. Each USB Protect station is centrally managed by an ICC (Impex Control Center) server.

Key functionalities include:

• File Scanning and Content Control: USB Protect scans files on USB devices and enforces policy rules to allow or deny content based on predefined technologies.
• Secure Communication: All communication with the ICC server is initiated by the USB Protect stations over TCP port 443, using TLS 1.3 encryption.
• Time and Configuration Management: USB Protect retrieves its system time and configuration settings from the ICC server.
• Log and Result Reporting: Scanned data, operational logs, and other activity reports are pushed back to the ICC server.
• Updates and Patching: Engine definition updates, OS patches, and application upgrades are retrieved from a Repo server, which can either be hosted on the ICC server itself or on a separate dedicated server.

DataLock operates similarly to USB Protect, but instead of using USB devices, it handles file transfers over the network via SFTP. It supports scanning and transferring files through customizable workflows.

Infrastructure Components

• ICC Server:
  • Acts as the central management point for USB Protect and DataLock stations.
  • Exposes a secure REST API with authentication for communication with stations and potential third-party integrations.
  • Provides a web interface for system owners to manage devices and analyze results.
  • Supports configuration of key infrastructure settings such as mail relay, DNS, NTP, and syslog.
  • Local accounts are used by default, but integration with Active Directory, Red Hat Identity Manager, FreeIPA, or other LDAP services is supported for centralized identity management.
  • Admins can access the server via SSH or directly from the console.
• Repo Server:
  • Synchronizes engine definitions and updates from updates.sysctl.se over TCP/443 with TLS.
  • Hosts updates for distribution to stations.

System Architecture and Security

• All components (USB Protect, DataLock, ICC, and Repo) are based on SYSCTL Linux.
• USB Protect and DataLock stations are locked down — they are not intended for direct login or remote access.
• Configuration for these stations is managed centrally via configuration cards on the ICC server.

Deployment Flexibility and Network Architecture

The Impex solution is designed to integrate seamlessly into network architectures that follow the IEC 62443 standard and similar zoned security models, while also accommodating other network topologies.

Key deployment considerations include:

• Flexible Deployment: The ICC and Repo components can be hosted on the same machine; separate servers are not required.
• Proxy Compatibility: While the solution is fully compatible with the use of network proxies, the use of a proxy is optional and not mandatory for proper operation.

This versatility ensures that Impex can be adapted to a wide range of secure network environments and design preferences.

Network with ICC and Repo installed on the same server in a basic network

                  +-------------------+   +---------------+
                  | updates.sysctl.se |   | Let's Encrypt |
                  +------^------------+   +-----^---------+
    Internet             |                      |
                         |     +----------------+
                         |     |
+------------------------------------------------------------+
                         |     |
    DMZ              +---+-----+---+
                     |  Firewall   <------+
                     +-------------+      |
                                          |
                                    +-----+----+
                      +------------->  Proxy   |
                      |             | if used  |
                      |             +----------+
                      |
                      |
                 +----+--------------------+
                 |                         |
                 |   ICC and optional Repo <------+
                 |                         |      |
                 +-------^-----------------+ +----^----+
                         |                   | Proxy   |
                         |                   | if used |
                         |                   +-+-------+
                         |                     |
+------------------------+---------------------+-------------+
                         |                     |
    Peripheral Network   |                     |
                         |                     |
                  +------+-------+     +-------+------+
                  | USB Protect  |     | USB Protect  |
                  +--------------+     +--------------+

Network with ICC and Repo installed on separate servers in a zone based network

                  +-------------------+   +---------------+
                  | updates.sysctl.se |   | Let's Encrypt |
                  +------^------------+   +-----^---------+
    Internet             |                      |
                         |     +----------------+
                         |     |
+------------------------------------------------------------+
                         |     |
    DMZ              +---+-----+---+
                     |  Firewall   <------+
                     +-------------+      |
                                          |
                                    +-----+----+
                 +------------------>  Proxy   |
                 |                  | if used  |
                 |                  +----------+
            +----+-------------+
            |                  |
            |  Repo, if used   |
            |                  |
            +----+-------------+
                 |
+------------------------------------------------------------+
                      |
    Internal network  |
                      |
                 +----+--------------------+
                 |                         |
                 |   ICC and optional Repo <------+
                 |                         |      |
                 +-------^-----------------+ +----^----+
                         |                   | Proxy   |
                         |                   | if used |
                         |                   +-+-------+
                         |                     |
+------------------------+---------------------+-------------+
                         |                     |
    Peripheral Network   |                     |
                         |                     |
                  +------+-------+     +-------+------+
                  | USB Protect  |     | USB Protect  |
                  +--------------+     +--------------+

Network for the DataLock

                  +-------------------+   +---------------+
                  | updates.sysctl.se |   | Let's Encrypt |
                  +------^------------+   +-----^---------+
    Internet             |                      |
                         |     +----------------+
                         |     |
+---------------------------------------------------------------------+
                         |     |
    DMZ              +---+-----+---+
                     |  Firewall   <------+
                     +-------------+      |
                                          |
                                    +-----+----+
                      +------------->  Proxy   |
                      |             | if used  |
                      |             +----------+
                      |
                      |
                 +----+--------------------+
                 |                         |
                 |   ICC and optional Repo <------+
                 |                         |      |
                 +-------^-----------------+ +----^----+
                         |                   | Proxy   |
                         |                   | if used |
                         |                   +-+-------+
                         |                     |
+------------------------+---------------------+-----------------------+
                         |                     |
    Office Network       |                     |
                         |                     |
                         |                     |
   +--------+       +----+-----+         +-----+----+      +--------+
   | Sender |-------> DataLock |         | DataLock <------| Sender |
   +--------+       +----------+         +----------+      +--------+
                         |                     |
                         |                     |
+------------------------+---------------------+------------------------+
                         |                     |
    Protected Network    |                     |
                   +-----v----+           +----v-----+
                   | Receiver |           | Receiver |
                   +----------+           +----------+

Interaction Overview

The table outlines the standard interactions within the system. However, actual implementations may vary depending on specific deployment configurations—for example, when integrations such as Active Directory or other external services are in use.

Client software requirements

The following software is required to manage and administer the Impex systems.

Accessing the ICC Application

To use the ICC web interface, a modern browser is required. The following browsers are supported:

• Google Chrome
• Microsoft Edge
• Mozilla Firefox

Performing Administrative Tasks

To perform administrative tasks such as accessing the ICC or Repo server, an SSH client is required. Most operating systems include a built-in SSH client:

• Windows: Built-in SSH client (available via PowerShell or Command Prompt)
• Linux: Built-in SSH client (typically accessible via the terminal)
• macOS: Built-in SSH client (accessible via the terminal)

Operation Description

This section outlines routine and exceptional administrative tasks that may be required to maintain the Impex system components.

USB Protect and DataLock

These systems are designed to be self-maintaining, requiring no manual intervention during normal operation. They perform the following automated tasks:

• Update Checks:
  • System updates are checked once daily.
  • Definition updates (e.g., scanning engines or threat databases) are checked every hour, with a randomized delay of up to 30 minutes to distribute load across the network.
• Scheduled Reboots:
  • Both USB Protect and DataLock stations automatically reboot once per week to ensure optimal performance and stability.

ICC and Repo Servers

Routine administration for the ICC and Repo servers is minimal. However, the following should be noted:

• TLS Certificate Management:
  • If the Let’s Encrypt module is not used, administrators must manually renew TLS certificates before they expire.
  • An expired certificate will prevent USB Protect and DataLock systems from receiving updates, potentially compromising system integrity and security.
• Day-to-Day Operations:
  • No additional daily administrative tasks are required under normal conditions.

Definition Update Interval

• Sysctl Update Frequency:
  • The SYSCTL service retrieves and publishes updated definitions every hour, with the exception of ClamAV
  • The ClamAV upstream servers have rate limiting and are therefore updated every third hour.
• Repo Server Synchronization:
  • The Repo server checks for newly published definitions from updates.sysctl.se once per hour, with a randomized delay of up to 60 minutes to reduce simultaneous network requests across installations.

Password Usage in the Solution

This section outlines how passwords are utilized and managed within the solution architecture. It covers storage practices, authentication scopes, encryption considerations, and any integration points where password-based access is required. The intent is to ensure clarity on security posture, compliance with best practices, and operational awareness regarding sensitive credentials across system components.

Further subsections should be added to describe specific areas, such as:

• Web interface login
• API authentication
• Repository access controls
• Rotation and policy enforcement

Passwords in USB Protect and DataLock

• Each USB Protect and DataLock station is configured with a randomly generated root password during installation.
• This root password is automatically rotated every day to enhance security.
• The current password is stored securely and is only accessible from the ICC server.

Passwords in the ICC Server

After installation, the ICC server is configured with two separate passwords:

• root Password (Operating System Access):
  • This password is manually created by the system owner during installation.
  • It is used for accessing the underlying SYSCTL Linux operating system.
• admin Password (Application Access):
  • The application’s admin password is randomly generated during installation.
  • It is saved in the file: /root/icc_admin
  • This file is readable only by the root user, ensuring secure storage.
  • It is strongly recommended to change the admin password before moving the system into production.

Passwords in the Repo Server

• root Password (Operating System Access):
  • This password is manually set by the system owner during installation.
  • It is used to access the underlying SYSCTL operating system via console or SSH.

Default Passwords

• The root password must be manually set during installation. SYSCTL does not have access to or knowledge of this password.
• The admin password for the ICC application is automatically generated as a random string during installation and stored in:

/root/icc_admin

SYSCTL strongly recommends changing this password during or immediately after installation for enhanced security.

• The USB Protect and DataLock systems automatically rotate their root passwords daily. The current password is securely accessible only via the ICC server.

Reset ICC Application Password

To reset a user’s password for the ICC application, SSH or console access is required. Use the following commands:

sudo -i

cd /opt/sysctl/impex-server/django-app

sudo -u impex-server ./manage.sh changepassword $username

Replace $username with the actual username of the account you wish to reset.

Administrative Login

Administrators can access the system either locally via the server console or remotely using SSH.

• By default, the only interactive user on the system is root.
• If additional users are created, they can perform administrative tasks using the sudo command. However, by default, sudo will prompt for the root password.
• To allow sudo access using each user’s own password, the file /etc/sudoers.d/users must be modified accordingly.

Note: Always follow security best practices when modifying sudo permissions and restrict elevated access to trusted users only.

DataLock SSH Configuration and Root Access

Configuration File Location

DataLock uses its own SSH configuration override file located at:

/etc/ssh/sshd_config.d/60-datalock.conf

This file takes part in the rule evaluation order of OpenSSH’s sshd, where configurations are processed in lexical order. That means:

• Lower-numbered files (e.g., 60-datalock.conf) are evaluated first
• Higher-numbered files (e.g., 70-customer.conf) override earlier rules if applicable

Default Restriction: Password Authentication

The 60-datalock.conf file sets:

PasswordAuthentication no

This setting disables password-based logins globally, which enhances security by enforcing key-based authentication only.

Allowing Root Login (When Required)

In some cases, such as initial setup or certain troubleshooting scenarios, SSH access for root might be required. However, this must be done securely and explicitly.

Recommended Procedure

If SSH root login is needed, do not edit 60-datalock.conf directly. Instead:

1. Login via Station Token

Use the station token from ICC to securely log in to the DataLock console.

1. Create a custom override configuration:

vi /etc/ssh/sshd_config.d/70-customer.conf

1. Add the following content to allow root login:

AllowUsers root

1. Add an SSH key to the root user:

• Place your public SSH key in:

/root/.ssh/authorized_keys

• Ensure correct file permissions:

chmod 600 /root/.ssh/authorized_keys

chmod 700 /root/.ssh

1. Restart the SSH daemon to apply changes:

systemctl restart sshd

Summary

DataLock destination test

To manually verify a DataLock destination, log in as root on the DataLock server and attempt to access the destination from the command line using the following command:

sftp server.tld -i /home/impex-outgoing/.ssh/id_rsa

Note: Adjust server.tld as needed for your environment.

USBProtect Access

USB Protect supports only console access. See the USB Protect User Manual for more information.

Service Accounts

• Each server includes a root account, which is configured during the initial installation.
• The root password is manually set by the system owner and is not known or stored by SYSCTL.
• Post-installation Login Policy:
  • No additional accounts are configured for system login by default.
  • SSH login as root is disabled for security reasons.
  • Login is only possible via the local console unless additional user accounts are configured.
• Recommended Access Approach:
  • Personal user accounts should be created for remote SSH access.
  • These accounts can then escalate privileges using sudo.
  • Personal accounts may be managed centrally via LDAP services such as Active Directory, FreeIPA, or Red Hat Identity Manager.
• To gain root privileges from a personal user account, use the following command:

sudo -i

Termination Procedures

Below are the commands for managing the Impex application and server operations:

Application Shutdown

To stop the Impex application:

systemctl stop impex-server

Application Start

To start the Impex application:

systemctl start impex-server

System Shutdown

To power off the server:

systemctl poweroff

Server Reboot

To reboot the server:

systemctl reboot

Service Window

The servers are configured to automatically check for updates daily at 01:00 (local time), with a randomized delay of up to 1 hour to distribute load across systems.

• Updates include operating system patches, engine definitions, and other relevant components.
• Automatic Reboot: If a system reboot is required to complete an update, the server will reboot automatically during this window.

Note: Plan administrative work outside of this time window to avoid interruptions.

Certificate Management Overview

SSL certificates are needed on the ICC server and, if you run a separate Repo server, on that server as well. How you manage these certificates depends on how your organisation issues them. The sections below cover the two most common setups.

Option 1: Let’s Encrypt (automatic)

If your deployment uses Let’s Encrypt and the letsencrypt module is installed, certificates are installed and renewed automatically — no manual steps are needed.

The Let’s Encrypt proxy configuration lives in:

/etc/sysconfig/impex-letsencrypt

Option 2: Internal or External CA (manual)

If your organisation uses its own Certificate Authority (CA) or an external certificate vendor, you need to renew certificates manually when they expire.

Importing a certificate issued elsewhere

If your CA issues the certificate on a separate system and gives you the certificate and private key files:

1. Make sure you have both:
   • The private key generated alongside the certificate request.
   • The full certificate chain — the server certificate plus all intermediate certificates, plus the root certificate.
2. Place the files in the certificate folder described under Certificate file paths below.

Generating a certificate request on the server

If you prefer to generate the certificate request directly on the ICC or Repo server, follow these steps:

1. Prepare the OpenSSL configuration:

cp /etc/pki/tls/openssl.cnf /root/openssl.conf

Open /root/openssl.conf and add the following block, replacing host1.domain.tld with the server’s actual hostname:

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names


[alt_names]

DNS.1 = host1.domain.tld

1. Run the certificate generation script:

bash /opt/sysctl/impex-server/tools/cert.sh

The script needs the server hostname to be correctly configured. It will create two files in /root/pki/<timestamp>/:

• hostname.key — the private key (keep this secure)
• hostname.csr — the certificate signing request to send to your CA

1. Verify the CSR before sending it, to confirm the hostname and other details are correct:

openssl req -text -noout -verify -in /root/pki/<timestamp>/hostname.csr

1. Send the .csr file to your CA and wait for the signed certificate back.

2. Convert the certificate to PEM format if needed. Your CA may return the certificate in a different format. The cert.sh script includes conversion commands in its comments; the most common conversions are:

   • DER to PEM:

     openssl x509 -inform der -in hostname.cer -out hostname.pem
     

   • PKCS7 to PEM:

     openssl pkcs7 -in hostname.p7b -inform DER -print_certs -out hostname.pem
     

Renewing an existing certificate

To generate a new certificate signing request using the existing private key:

openssl req -new -key "/opt/sysctl/impex-server/etc/apache/certs/hostname.key" -out /root/hostname.csr -config /root/openssl.conf

This creates /root/hostname.csr. Send the contents of that file to your CA — the CA will use it to issue the renewed certificate. Once you receive the signed certificate back, place it and its full chain in the certificate folder described below.

Certificate file paths

The certificate paths are configured in:

/opt/sysctl/impex-server/etc/apache/conf.d/cert.d/cert.conf

The default locations are:

• SSLCertificateFile → /opt/sysctl/impex-server/etc/apache/certs/impex.crt
• SSLCertificateKeyFile → /opt/sysctl/impex-server/etc/apache/certs/impex.key

You can use different filenames (for example the server’s FQDN) as long as cert.conf points to them.

The certificate file must:

• Be in PEM format.
• Contain the certificates in the correct order: server certificate first, then any intermediate certificates, then the root certificate.

Important: file permissions (SELinux)

After placing certificate files on the server, make sure the files have the correct SELinux security label — without it the web server will not be able to read them. Copying files into the folder (cp) preserves the correct label automatically. Moving files with mv can break the label unless you use the -Z flag.

To fix or verify labels, run:

restorecon -Rv /opt/sysctl/impex-server/etc/apache/certs/

Backup Strategy

Server Snapshots

• Snapshots of the servers can be used as the primary backup method.
• These snapshots are suitable for capturing both configuration and state.

During each upgrade of the ICC software, the system:

• Automatically creates a local backup (snapshot) of the database.
• This provides a built-in recovery point without manual intervention.

Repository (Repo) Server Backup

No Backup Required

• The Repo server does not require traditional backups of:
  • Repository data
  • Signature data

Reason: Sync with Sysctl

• The Repo server can always resync its full content from SYSCTL.
• As such, storing or backing up repository files locally is not necessary, reducing storage and administrative overhead.

ICC Backup Procedures

Application Data Storage

• The ICC stores all application data in a SQLite database located at:

/opt/sysctl/impex-server/django-app/db/db.sqlite3

Backing Up the ICC Database

To create a consistent backup of the database, use the following command:

sqlite3 /opt/sysctl/impex-server/django-app/db/db.sqlite3 .dump > new_backup_file

• This command:
  • Exports the entire database in SQL format.
  • Is ideal for creating a versioned or timestamped backup (new_backup_file).

Recommendation: Run this during low-traffic windows to ensure data consistency, or temporarily pause ICC activity if possible.

Backing Up Custom YARA Rules

If YARA rules are used, consider backing up custom rule files:

• Path:

/opt/sysctl/impex-server/django-app/upload/yara/custom

• Notes:
  • These files are uploaded by ICC administrators.
  • Depending on their origin (e.g. uploaded from another managed location), they might already exist in other backups.

Tip: You can add this path to snapshot jobs or file-based backup scripts for completeness.

ICC Monitoring Overview

Built-In Monitoring Features

The ICC has built-in capabilities to monitor:

• USB Protect
• DataLock

It can also be configured to send email alerts if either of these services goes offline.

Ensure that email notifications are properly set up in your ICC configuration to make use of this feature effectively.

External Monitoring Recommendations

To ensure high availability and reliability, it is recommended to use an external monitoring system (e.g. Nagios, Zabbix, Prometheus, etc.) to monitor the following aspects of both the ICC and Repo servers:

1. Web Server Response
   • Confirm that the web server is responding to requests on expected ports (e.g., 80/443).
   • Common checks include:
     • HTTP/HTTPS status codes
     • Latency or downtime alerts
2. Certificate Expiration
   • Continuously monitor the SSL/TLS certificate validity to avoid unexpected expiration.
   • Checks should trigger alerts well before expiration (e.g., 30 days notice).
   • Tools like check_ssl_cert, Certbot’s renewal monitoring, or external services can be used for this.

Summary

Syslog Overview for ICC and Repo

Malware Detection Alerts

When either USB Protect or DataLock detects malware in a scan report, the ICC generates a syslog entry in the following format:

Dec 24 15:00:00 icc journal: ICC WARNING [ICC:14] \
Station detected malware (https://icc.domain.tld/v/operations?byId=2)

Key Notes:

• The log includes a URL to the specific scan report on the ICC.
• It does not contain sensitive data — only an alert reference.

Remote Syslog Configuration

ICC Remote Syslog

• The ICC application supports remote syslog configuration.
• The setup process is documented in the ICC manual.
• Use this feature to forward ICC-generated logs (including malware alerts) to a central log system.

Repo Server Remote Syslog

For the Repo server, remote syslog forwarding must be manually configured on the console.

Step-by-Step Configuration

1. Create config file:

sudo vi /etc/rsyslog.d/remote.conf

1. Add the following configuration:

Replace:

• target="IP_ADDRESS_OR_FQDN" with the actual IP or FQDN of your remote syslog server.
• protocol="tcp" with "udp" if your remote server uses UDP.

1. Apply the configuration:

systemctl restart rsyslog

1. Consult support before changing other values:

For advanced customizations or tuning of retry behavior, buffering, etc., it is advised to contact SYSCTL support.

Summary of Recommendations

Running DataLock, ICC and Repo in VMware

Purpose of VMware Tools

Installing VMware Tools (specifically, open-vm-tools) enhances the VM’s ability to:

• Report accurate status and metrics to vCenter
• Support VM-level operations such as graceful shutdowns, reboots, and resource tracking
• Enable advanced monitoring and management features in VMware environments

Installing open-vm-tools

The package should be installed depending on whether the ICC server uses a local Repo or SYSCTL external Repo service.

If the ICC Uses a Local Repo (including the Repo server itself)

Use this command:

dnf -c /var/impex_repo/local_fedora_impex.repo -y install open-vm-tools

This command leverages the local repository configuration file (local_fedora_impex.repo) provided by the system setup.

If the ICC Does Not Use a Local Repo

Use this command instead:

dnf -c /etc/yum.repos.d/impex.repo -y install open-vm-tools

To install Open VM Tools on DataLock

dnf -y install open-vm-tools

This configuration accesses the standard remote Impex repository.

Post-Installation Step

After installation, reboot the server to ensure the open-vm-tools service starts correctly and begins reporting to vCenter.

Summary Table

Don’t forget to reboot the server after installation.