Overview -------- There was once an AIRT home page at http://www.airt.nl. Installation ------------ It depends how you want to install the AIRT system. The easiest way is from package, but if you read this, you likely want to do something more elaborate. For a typical development installation of AIRT (on a personal workstation), make sure you have a working Apache with PHP and a working PostgreSQL database server. Then cd to the source directory and type: $ ./bootstrap This creates a few scripts and files that the GNU Autoconf system needs. Now type: $ ./configure This by default configures stuff to be dropped in the following places: /usr/local/bin CLI things: airt_import, airt_export... /usr/local/etc/airt config things: airt.cfg, importqueue.cfg... /usr/local/lib/man man pages: airt.1, airt_export.1... /usr/local/share/airt/php PHP files to be published on the www. /usr/local/share/airt/lib PHP (library) files not to be published on www. /usr/local/share/doc/airt Documentation files. It does not actually drop stuff there. ./configure only creates a bunch of files with the correct paths filled in, so that you now can type: $ make which generates even more files and leaves your source tree littered with production versions of the code. But still there is nothing installed in the list of directories above. To do this, you need: $ make install which you may also do from one of the lower directories. For example, if you have modified something in the source/php directory, you only need to execute "make install" in that directory, as all others have been unchanged. Especially in the source/etc directory you will not often want to execute "make install" as this overwrites your own live config files (in /usr/local/etc/airt) with fresh versions with default values. If you do a "make install" in the source directory itself, it will recurse down the tree, so be careful with that given the etc directory. bootstrap, configure, and make are "safe", they won't touch anything in your live AIRT installation. "make install" is not safe, it will touch things in your live AIRT installation, and usually you don't want etc to be touched. You also need to install the following packages: $ apt install php-mail php-mail-mime php-mail-mimedecode php-soap Site customization ------------------ No two incident response teams are the same. AIRT offers a number of local site customization hooks which can be used to taylor its behaviour for local circumstances. The hooks that are presently provided are * site specific ip address classification Depending on the setup of a site, simple classification of an IP address into a network might not be enough. AIRT offers customization by defining a function function custom_categorize($ip, $networkid) { return $networkid; } The function takes as input the IP address that needs to be categorized and the network id in which it is placed by AIRT's built-in categorization system. Return the network id in which you want the ip to be categorized. * site specific ip address details After an IP address has been categorized into a network, additional detail can be provided by defining this function. Note that it is possible to see session variables in this function. A list of settable session variables can be found in the documentation tree. function search_info($ip, $networkid) { return; } // search_info * hooks for "events" Use the customfunctions.plib list to add custom event handlers. Event handlers take the format addEventHandler($eventType, $handlerFunction) E.g. to add a local event handler for the creation of a new incident, add a line addEventHander("newincident", "local_NewIncident"); Every time a new incident is created, the function local_NewIncident will be called, which may take one argument. The argument will contain a event-specific string. Installation manual for packages -------------------------------- 1. Configuring AIRT after installation After installing AIRT, a few actions need to be taken. Step 1. Create the database referred to in the configuration file. This would typically be achieved by changing to the postgres user and giving the following commands postgres:~% createdb airt CREATE DATABASE Step 2. Create the database user that is referred to in the configuration file. For example, postgres:~% createuser airt --no-createdb --no-adduser -P CREATE USER You will be prompted for a password for the AIRT user. Keep this password somewhere handy, as you will need it again. Step 3. Edit /opt/airt/etc/airt/airt/airt.cfg and set the variables apropriately. Note that the configuration file is a regular PHP program, and any PHP construct can be used in it. For example, it is possible to move the database password out of the main configuration file and move it to its own file by using PHP's require_once operator. Step 4 (preferred). Make sure that the airt user has access to the database. Edit pg_ident.conf and add a map airt-users www-data airt Also, in pg_hba.conf, make sure that the airt-users have access to the database. local airt airt ident airt-users Step 4 (alternative). If you do not wish to use ident maps, you need to use username/password authentication. Since the password will be available in plain text in your filesystem, you will need to take precautions. Make sure the airt user has access to the database. Edit pg_hba.conf. On most systems, that file can be found in /etc/postgresql, but your milage may vary. Keep in mind that the order of access control rules in pg_hba.conf is important. Add the following line after the line which grants the postgres user access to all databases: local airt airt password Step 5. As root, signal postgres to reload the configuration. On most installations, this may be achieved by a command similar to /etc/init.d/postgresql restart, however you may have chosen a different setup. Debian administrators may use the command: root:~# invoke-rc.d postgresql reload Step 6. Initialise the database. Dont worry if the script outputs ERRORs in the the beginning; this is due to the fact that it tries to drop sequences and tables that may not exist yet. Having psql and gunzip in your PATH, do: postgres:~% gunzip -c /opt/airt/doc/database/airtschema.sql.gz \ |psql airt airt Step 7. Bootstrap the database. postgres:~% psql airt airt < \ /opt/airt/doc/database/airtbootstrap.sql Step 8. Configure your web server. If you are using Apache, the easiest way to do this is to add a symbolic link in your configuration directory and include that file. Debian administrators can achieve the same by adding a symbolic link in /etc/apache/conf.d (or /etc/apache2/conf.d) which leads to /opt/airt/etc/airt/airt/airt-apache.conf Step 9. Confirm that the configuration file is correct. Apache administrators do root:~# apachectl configtest (or apache2ctl, or apache-sslctl, etc) Step 10. If everything checks out, reload the apache configuration and you should be done. If apache is already running, do root:~# /etc/init.d/apache reload else do root:~# /etc/init.d/apache start Step 11. Change the admin password. Point your browser at the machine that hosts the application, typically: http://your.host.com/airt/ (mind the trailing slash) and log in with user admin, password admin. On the main menu, click Edit settings > Edit users. Then, on the line with the admin user, click edit and set a (different) password. AIRT deinstallation manual for packages --------------------------------------- Uninstalling AIRT consists of the following steps: Step 1: Remove PHP files; generally this may be achieved by root:~# rm -rf /usr/share/airt Depending on your packacing policy, this may differ. Debian administrators do root:~# apt-get remove --purge airt Step 2: Remove data files. Generally this may be achieved by root:~# rm -rf /var/lib/airt Debian administrators can skip this step, as it is taken care of by the --purge option to apt-get remove. Step 3: Remove the database. This may be achieved by postgres:~% psql template1 Welcome to psql 7.4.6, the PostgreSQL interactive terminal. ... template1=# drop database airt; DROP database Step 4: Remove the database user. This may be achieved by template1=# drop user airt; DROP USER Step 5: Update pg_hba.conf. Remove the line which grants access to the airt database from pg_hba.conf and signal Postgresql to reload its configuration files. AIRT upgrade manual for packages -------------------------------- If you upgrade AIRT with a live database in place, the current package system does *not* automatically perform a database schema upgrade yet. You need to do this manually. However, we give you a tool to do this. Each release contains a database schema file which can be used to compare your current database to what it should be. This file is /opt/airt/doc/database/airtschema.sql. At any time, your database should be consistent with this schema file. When relevant, a new release contains a database upgrade script to facilitate your database upgrade. The upgrade scripts are named: /opt/airt/doc/database/airtschema-from-PREVREL-to-CURRENTREL.sql If you run the appropriate script against a database from PREVREL, you will hopefully end up with a database for CURRENTREL. The development team has tested these upgrade scripts, but as always it is wise to first make a backup of your complete AIRT database before running anything out of the ordinary against it. Example upgrade session (first backup, then upgrade): postgres:~% pg_dump -f /var/tmp/airt-20050607.1.sql airt postgres:~% psql airt airt < \ /opt/airt/doc/database/airtschema-from-20050607.1-to-20050610.1.sql Should you see any warnings or errors, please review them carefully. In many cases, there is no real problem, but for consistency reasons you should try to fix the offending issues. Digitally signing outgoing mail with GPG ---------------------------------------- AIRT is able to digitally sign messages using GPG. To enable the feature, edit the configuration file and uncomment the line which defined the GPG_KEYID. Replace the keyID with your own key, and set the GPG_HOMEDIR to a directory in which a keyring can be found containing the key that must be used to signed messages. The GPG_HOMEDIR should point to a directory which is owned by www-data.www-data and has permission mode 700. The pubring.gpg and the secring.gpg files which must be present in that directory must be mode 500. # EOF