Installing and Configuring CxEngine under Linux
Starting with CxSAST 9.3, CxEngine supports both Windows and Linux, thus becoming a cross-platform. These pages explain how to install CxEngine under Linux, transition to Linux, and establish a secure connection between CxEngine and CxManager.
Notice
Before you start installing CxEngine, refer to Preparing the System for Cross-Platform Query Support for additional information.
Starting with CxSAST 9.3, CxEngine is supported by the following common Linux distributions:
CentOS
RHEL (Red Hat Enterprise Linux)
Ubuntu
Amazon Linux
Notice
Some Amazon Linux images are pre-configured with a limited number of file descriptors, which might render the EngineService unstable. In these cases, the following message is returned: No file descriptors available
Linux Bare Metal Deployment
Description
A standalone Engine can be deployed and used in the following ways:
Docker container
Bare metal deployment (described in this section)
Prerequisites
.NET 6.05 ASP.NET Core Runtime appropriate to the specific Linux OS installed on the machine.
Follow the instruction in the official documentation.
Extract the Engine Service tarball to a directory of your choice.
How to run the CxSAST Engine on demand
The distributed Engine Service package contains an executable script: run.sh
Edit environment variables in the script so that they are appropriate for the deployment environment.
The variables are explained in the Configuration section.
After editing the file, execute run.sh
When the Engine Service starts successfully, it displays the following lines:
Now listening on: http://[::]:8088
Application started. Press Ctrl+C to shut down.
How to run the CxSAST Engine as a system service
The CxSAST Engine can configured to run as a system service so that it runs automatically any time the system is restarted.
The distributed Engine Service package contains the following files that are required for registering the service in systemctl:
cxengine.service - Used for configuration and service parameters.
install.sh - Deploys and starts the service.
Edit the environment variables in the cxengine.service configuration file so that they are appropriate for the deployment environment.
Change the environment variables in the file. The variables are explained in the Configuration section.
After editing the configuration file, execute install.sh
To verify the service is running, use the following command: sudo systemctl status cxengine
Configuration
Edit the following environment variables in the configuration files to match the deployment environment of the product:
CX_ES_ACCESS_CONTROL_URL - The URL pointing to the Access Control installation instance used.
CX_ES_END_POINT - the endpoint address of the current machine, where this instance of Engine Service is being installed. This address must be the outward-facing IP address that external machines can use to reach the current one. Usually, using the ifconfig command is sufficient to find the IP address. If the machine is behind a router or switch, you can find this value by running the following command locally:
wget -qO- http//ifconfig.me/ipCX_ENGINE_TLS_ENABLE - Set to ‘true’ to optionally set SSL/TLS communication on.
If an SSL setup is desired, edit the following values as well:
CX_ENGINE_CERTIFICATE_SUBJECT_NAME - Full subject name (ex. CN=dev.corp.com)
CX_ENGINE_CERTIFICATE_PATH - Location of the certificate file
CX_ENGINE_CERTIFICATE_PASSWORD - Password for the certificate’s private key
Message queue details:
CX_ES_MESSAGE_QUEUE_USERNAME
CX_ES_MESSAGE_QUEUE_PASSWORD
CX_ES_MESSAGE_QUEUE_URL
Match these variables to the installed ActiveMQ configuration of user, password, and URL respectively. If unsure, these values can be obtained from the database using the following query:
Preparing the System for Cross-Platform Query Support
There are differences between Windows and Linux with respect to file names and new line characters. Therefore, CxSAST queries have been adjusted to run run on Windows and Linux. User custom queries must follow the same adaptations to support both platforms as explained below.
Required Adjustments
There are two differences between Linux and Windows:
File names:
Windows –
*\temp\config.xmlLinux –
*/temp/config.xml
New Line characters:
Windows -
\r\nLinux -
\n
Solution
Already starting with CxSAST 9.2, an additional CxQL API has been introduced, the cxEnv. By using this API variable, queries can be written in a cross-platform format in order to support both operating systems.
There are 6 properties to be used in cxEnv:
cxEnv.Path.DirectorySeparatorChar
cxEnv.Path.AltDirectorySeparatorChar
cxEnvPath.InvalidPathChars
cxEnv.Path.PathSeparator
cxEnv.Path.VolumeSeparatorChar
cxEnv.NewLine
For a full description of each variable, refer to the latest CxQL API guide.
All custom queries must use the above-listed variables rather than the actual values to run on both platforms and all their flavors.
Examples
The following section illustrates two examples.
Directory Separator
This string:
string[] path = fileName.Split('\\');Must be replaced with the following:
string[] path = fileName.Split(cxEnv.Path.DirectorySeparatorChar);
New Line in Regex
This string:
elseIfs.FindByRegex(@"[\W]if[^;\{]*{[^\}]*}[(\s)(\r\n)]*else[(\s)(\r\n)]*{[^\}]*?[(/\*)(//)]");Must be replaced with the following:
elseIfs.FindByRegex(@"[\W]if[^;\{]*{[^\}]*}[(\s)(" + cxEnv.NewLine + @")]*else[(\s)(" + cxEnv.NewLine + @")]*{[^\}]*?[(/\*)(//)]");Configuring TLS (SSL) between CxManager and CxEngine
CxSAST supports secure communication between CxManager and CxEngine based on TLS (SSL) certificates. These instructions take Windows and Linux support for CxEngine into consideration.
The Cx Engine is working on a Rest service that is not managed via the IIS console. The steps below explain how to configure the secure connection on both the CxManager and the CxEngine servers.
The secure connection is established between two servers only, it can be configured with Self Signed Certificates or real CA certificates. For additional information and instructions, refer to Enabling SSL Support on the CxEngine