Qumulo Installation Guide
System requirements
Ensure you have the following:
- Valid licenses for Superna solutions.
- Create a Superna user and role:
  - Create a user named "superna".
  - Create a role named "superna" and add the "superna" role to the "superna" user.
  - Assign the permissions defined below to the "superna" role.
Tip: For more information regarding roles, see Quick Start Steps.
Permissions Table (category, permission name, description)
- Users
  - AD_USE: Required to use Active Directory objects. Required for the user lockout and restore user access operations.
  - AD_READ: Required to correctly display information about the user when an event is raised in Data Security.
  - LOCAL_USER_READ: Grants permission to read local user information on a specific machine. Required for the user lockout and restore user access operations.
  - LOCAL_GROUP_READ: Allows reading local group information on a specific machine. Required to list all users in the local user database and for the lockout and restore operations.
- Network
  - NETWORK_READ
- NFS exports permissions
  - NFS_EXPORT_READ, NFS_EXPORT_WRITE: Grants permission to read NFS export settings and allows writing or modifying NFS export settings. Required for ransomware detection. Relevant in environments using NFS for file sharing.
- Quota
  - QUOTA_READ: Permits reading quota settings for storage or user accounts, which is required for the Disaster Recovery feature.
- Replication permissions
  - REPLICATION_REVERSE_RELATIONSHIP, REPLICATION_SOURCE_READ, REPLICATION_SOURCE_WRITE, REPLICATION_TARGET_READ, REPLICATION_TARGET_WRITE: These permissions are essential for managing and configuring replication processes.
  - S3_BUCKETS_READ
- SMB permissions
  - SMB_SESSION_READ, SMB_SESSION_WRITE: Required for the user lockout and restore user access operations.
  - SMB_SHARE_READ: View configuration of SMB shares and SMB server settings. Required by Security Guard.
  - SMB_SHARE_WRITE: Create, modify, and delete SMB shares and SMB server settings. Required by Security Guard.
- Snapshots
  - SNAPSHOT_POLICY_READ, SNAPSHOT_POLICY_WRITE, SNAPSHOT_READ, SNAPSHOT_WRITE: Required for snapshot taking when an event is detected and for the recovery manager to work correctly.
- Multi-tenancy Support
  - TENANT_READ: Required only if using Qumulo version 5.3.4 or above with multi-tenancy enabled. Grants permission to read tenant configurations.
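The table above is a least-privilege specification for the "superna" role: a missing privilege breaks a feature (lockout, snapshots, Security Guard), while an extra one gives the integration account more reach than it needs. The following Python script is an added example, not Superna's or Qumulo's own tooling. It diffs the privilege names actually granted to the role against the set the table requires. SAMPLE_GRANTED is a constructed sample (one required privilege left out, one made-up extra added); on a real cluster you would paste in the role's privilege list instead.

```python
"""Least-privilege check for the "superna" Qumulo role (added example)."""
import re
from typing import Iterable

# Privileges the guide's table requires for the "superna" role, grouped as above.
REQUIRED_PRIVILEGES = frozenset({
    # Users
    "AD_USE", "AD_READ", "LOCAL_USER_READ", "LOCAL_GROUP_READ",
    # Network
    "NETWORK_READ",
    # NFS exports
    "NFS_EXPORT_READ", "NFS_EXPORT_WRITE",
    # Quota
    "QUOTA_READ",
    # Replication
    "REPLICATION_REVERSE_RELATIONSHIP", "REPLICATION_SOURCE_READ",
    "REPLICATION_SOURCE_WRITE", "REPLICATION_TARGET_READ",
    "REPLICATION_TARGET_WRITE", "S3_BUCKETS_READ",
    # SMB
    "SMB_SESSION_READ", "SMB_SESSION_WRITE", "SMB_SHARE_READ", "SMB_SHARE_WRITE",
    # Snapshots
    "SNAPSHOT_POLICY_READ", "SNAPSHOT_POLICY_WRITE", "SNAPSHOT_READ", "SNAPSHOT_WRITE",
})
# Only required on Qumulo 5.3.4 or above with multi-tenancy enabled.
MULTI_TENANCY_PRIVILEGES = frozenset({"TENANT_READ"})


def parse_privilege_list(text: str) -> set:
    """Extract UPPER_CASE privilege names from free-form text (comma-, space- or line-separated)."""
    return set(re.findall(r"\b[A-Z][A-Z0-9_]+\b", text))


def check_role(granted: Iterable[str], multi_tenancy: bool = False) -> dict:
    """Diff granted privileges against the required set.

    'missing' will break a feature in this guide; 'extra' is more than the
    integration needs and should be removed or justified.
    """
    required = set(REQUIRED_PRIVILEGES)
    if multi_tenancy:
        required |= MULTI_TENANCY_PRIVILEGES
    have = {p.strip().upper() for p in granted if p.strip()}
    missing = sorted(required - have)
    extra = sorted(have - required)
    return {"missing": missing, "extra": extra, "ok": not missing and not extra}


# Constructed sample: SNAPSHOT_WRITE left out, one unrelated privilege added.
# PLACEHOLDER_EXTRA_PRIVILEGE is a made-up name, not a real Qumulo privilege.
SAMPLE_GRANTED = """
AD_USE, AD_READ, LOCAL_USER_READ, LOCAL_GROUP_READ, NETWORK_READ
NFS_EXPORT_READ, NFS_EXPORT_WRITE, QUOTA_READ
REPLICATION_REVERSE_RELATIONSHIP, REPLICATION_SOURCE_READ, REPLICATION_SOURCE_WRITE
REPLICATION_TARGET_READ, REPLICATION_TARGET_WRITE, S3_BUCKETS_READ
SMB_SESSION_READ, SMB_SESSION_WRITE, SMB_SHARE_READ, SMB_SHARE_WRITE
SNAPSHOT_POLICY_READ, SNAPSHOT_POLICY_WRITE, SNAPSHOT_READ
PLACEHOLDER_EXTRA_PRIVILEGE
"""

if __name__ == "__main__":
    result = check_role(parse_privilege_list(SAMPLE_GRANTED))
    print("missing:", result["missing"])
    print("extra:  ", result["extra"])
```

Run the check again after any Qumulo upgrade or role edit; pass multi_tenancy=True only where the TENANT_READ row applies, otherwise the script would flag that privilege as extra.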
Apply the following configurations:
- User Resolution Service: To enable user resolution, add the following line to the /opt/superna/eca/eca-env-common.conf file:
  export USER_RESOLUTION_SERVICE_ENABLED=true
- Enable Sync Users to Zookeeper: Add the following option to the Eyeglass system.xml:
  <syncUsersSourceToZK>true</syncUsersSourceToZK>
- Add an Active Directory account for the name resolution service. This account is used solely to query Active Directory for the list of AD users, so that users display correctly in the events list. In most environments, membership in the "Authenticated Users" group is sufficient for basic querying. The user should have at least read permissions on the user objects within AD.
  Command (run this on Eyeglass):
  igls adv adserver set --server=ADV.DEMO --basedn=CN=Users,DC=ADV,DC=DEMO --logindn=CN=Administrator,CN=Users,DC=ADV,DC=DEMO --domain=ADV.DEMO --loginhost=10.154.1.68 --ssl=false --port=389 --password=GoSuperna!
- The Security Guard appliance requires a dedicated AD user account named "igls-securityguard" and a network share where that AD user has the necessary access permissions. The network share is created automatically.
  Info: If needed, you can also add it manually by navigating to Sharing → Edit SMB Share.
- Audit settings for Data Security: To enable Data Security events, enable syslog for Qumulo. Go to Cluster → Audit and add a new syslog. Enter the IP address of ECA node 2, and save the changes.
  Warning: Make sure the cluster is already up and running before proceeding with this configuration. Attempting these steps before the cluster is active may result in errors. Refer to the Add a Cluster Using the UI and Cluster UP sections before enabling syslog for Qumulo.
- Eyeglass must be operational on the cluster.
Qumulo Deployment and Configuration
Add a Cluster Using the UI
To add a cluster, navigate to Eyeglass Main Menu → Add Managed Device.
When the cluster is successfully added, a confirmation window will appear.
Next, open the Jobs menu to check Running Jobs. Wait until the add job is complete, and validate that the cluster can be browsed in the inventory view.
Configuration
To launch Qumulo, use the IP address or open it from the Inventory View.
ECA Configuration
Add the following parameter to /opt/superna/eca/eca-env-common.conf on ECA Node 2 before bringing the cluster up:
export TURBOAUDIT_QM_SERVER_ENABLED=true
Configure the following setting in /opt/superna/eca/eca-env-common.conf to start in Ransomware Only mode:
export RSW_ONLY_CFG=true
After setting up Easy Auditor, this setting will need to be changed to false. Please review your specific requirements to determine whether a Ransomware Only configuration is necessary for your environment.
Set the following to false to continue cluster startup even if no NFS mount is available (expected, because Qumulo uses syslog):
export STOP_ON_AUTOMOUNT_FAIL=false
Add Eyeglass IP and API token:
export EYEGLASS_LOCATION=
export EYEGLASS_API_TOKEN=
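The settings in this section (and USER_RESOLUTION_SERVICE_ENABLED earlier) are plain export lines in a shell-sourced file, so a duplicated or stale line silently wins or loses depending on its position in the file. The following Python script is an added example, not Superna's own tooling: it sets each managed key exactly once in the file text, leaves unrelated lines untouched, and verifies the effective values the same way the shell would see them (last definition wins). GUIDE_SETTINGS holds the values this guide asks for; EYEGLASS_LOCATION and EYEGLASS_API_TOKEN are deployment-specific and are left for you to add. SAMPLE_CONF is a constructed file, and update_file is a hypothetical helper for applying the change to a path (try it on a copy of the real file first).

```python
"""Idempotent setter/verifier for export lines in eca-env-common.conf (added example)."""
import re
from pathlib import Path

# Values this guide asks for on ECA node 2. RSW_ONLY_CFG is changed to false
# later, once Easy Auditor is set up; STOP_ON_AUTOMOUNT_FAIL is false because
# Qumulo delivers audit data via syslog and no NFS mount is expected.
GUIDE_SETTINGS = {
    "USER_RESOLUTION_SERVICE_ENABLED": "true",
    "TURBOAUDIT_QM_SERVER_ENABLED": "true",
    "RSW_ONLY_CFG": "true",
    "STOP_ON_AUTOMOUNT_FAIL": "false",
}

# Matches 'export KEY=value' or 'KEY=value'; commented-out lines do not match.
_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")


def apply_settings(text: str, settings: dict) -> str:
    """Return text with each managed key defined exactly once; other lines are kept."""
    seen = set()
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) in settings:
            key = m.group(1)
            if key in seen:
                continue  # drop duplicate definitions of a key we manage
            seen.add(key)
            out.append(f"export {key}={settings[key]}")
        else:
            out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"export {key}={value}")  # append keys not yet present
    return "\n".join(out) + "\n"


def read_settings(text: str) -> dict:
    """Parse the effective value of each key (last definition wins, as in a shell)."""
    result = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            result[m.group(1)] = m.group(2).strip()
    return result


def verify(text: str, expected: dict) -> list:
    """Return (key, actual_value) pairs whose effective value differs from expected."""
    actual = read_settings(text)
    return [(k, actual.get(k)) for k, v in expected.items() if actual.get(k) != v]


def update_file(path: str, settings: dict) -> list:
    """Hypothetical helper: rewrite the file at path and return any remaining mismatches."""
    p = Path(path)
    new_text = apply_settings(p.read_text() if p.exists() else "", settings)
    p.write_text(new_text)
    return verify(new_text, settings)


# Constructed sample: two keys present with the wrong value, two missing,
# plus an unrelated line that must survive the rewrite.
SAMPLE_CONF = """# constructed sample of /opt/superna/eca/eca-env-common.conf
export RSW_ONLY_CFG=false
export STOP_ON_AUTOMOUNT_FAIL=true
export SOME_OTHER_SETTING=keep-me
"""

if __name__ == "__main__":
    print("before:", verify(SAMPLE_CONF, GUIDE_SETTINGS))
    fixed = apply_settings(SAMPLE_CONF, GUIDE_SETTINGS)
    print(fixed)
    print("after:", verify(fixed, GUIDE_SETTINGS))
```

Running verify against the live file before ecactl cluster up is the useful part: an empty list means every managed key resolves to the value this section expects, regardless of how many times it appears in the file.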
Cluster UP
Bring up the cluster using:
ecactl cluster up
For more information regarding cluster deployment, check the ECA VM Deployment section.
Enable audit stream
On the Qumulo interface, go to Cluster → Audit.
Enter the IP address of ECA node 2, and save.
Additional configuration
Kafka Additional Memory:
Additional memory needs to be allocated to the Kafka docker container. Do the following:
- SSH to ECA1 (user: ecaadmin, password: 3y3gl4ss).
- Open the docker-compose.overrides.yml file for editing:
  vim /opt/superna/eca/docker-compose.overrides.yml
- Add the following lines. IMPORTANT: Maintain the spacing at the start of each line (YAML nesting depends on it).
  version: '2.4'
  #services:
  #  cadvisor:
  #    labels:
  #      eca.cluster.launch.all: 1
  services:
    kafka:
      mem_limit: 2048MB
      mem_reservation: 2048MB
      memswap_limit: 2048MB
- Save changes with: ESC, then :wq!
Zookeeper Retention:
The following changes prevent zk-ramdisk exhaustion. When zk-ramdisk reaches 100% utilization, event processing halts.
Do the following:
- SSH to ECA1 (user: ecaadmin, password: 3y3gl4ss).
- Open the Zookeeper configuration template for editing:
  vim /opt/superna/eca/conf/zookeeper/conf/zoo.cfg.template
- Add the following configurations to the bottom of the file:
  snapCount=1000
  preAllocSize=1000
- Save changes with: ESC, then :wq!
Cron Jobs:
A cron job needs to be created to restart the fastanalysis docker container on a schedule. Do the following:
- SSH to ECA1 (user: ecaadmin, password: 3y3gl4ss).
- Create the restart schedule (minute 0 of hours 0, 6, 12 and 18, every day):
  ecactl cluster exec "sudo -E USER=ecaadmin ecactl components restart-cron set fastanalysis 0 0,6,12,18 \'*\' \'*\' \'*\'"
- Validate that the cron job was added:
  ecactl cluster exec 'cat /etc/cron.d/eca-*'
- Bring the cluster up from ECA1 (this must be done before configuring auditing):
  ecactl cluster up