
FIREEYE HEALTH CHECK TOOL
VERSION 2.0

FireEye, Inc.
601 McCarthy Blvd.
Milpitas, CA 95035
408.321.6300
877.FIREEYE (347.3393)
[email protected]
www.fireeye.com

2018 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. WRD.EN-US.022018
TABLE OF CONTENTS

Table of Contents
Overview
Supported Platforms
Executable Checksums
Usage
Execution
Behaviors
Issues and Troubleshooting
Licensing
Legal
OVERVIEW

FireEye Health Check Tool is a standalone agent that allows customers to collect health-related information from their cloud and on-premises FireEye appliances. The agent runs configuration and metric collections against FireEye appliances and provides an automated report detailing the health findings of the appliances based on predefined conditions of Hardware, System, Configuration, Detection and Best Practices health. The intent is to provide the status of the assessed systems and self-help recommendations for any issues identified by the FireEye Health Check Tool.

SUPPORTED PLATFORMS

The Health Check Agent is supported for execution from Windows, Mac OSX, Linux CentOS 7 and Ubuntu 16.4.

Supported FireEye platforms to perform a Health Check against include the following:

Helix – Cloud Threat Analytics
Endpoint Security – HX, HX DMZ
Network Security – NX, VX
Email Security – EX
Management – CMS
Content – FX
Analysis – AX
EXECUTABLE CHECKSUMS

MAC OS
Size: 12.0 MB
Date: Thu Jan 31 16:40:02 2019
MD5: 47967cd9350731fbae30e7c21a26b851
SHA1: 37820d0b1e36af9920d5b3e6c146d211938d7859

Linux
Size: 22.0 MB
Date: Thu Jan 31 16:33:01 2019
MD5: c4d0db515a3645d1a664d606ac1da38e
SHA1: (value not legible in the source)

Third build (platform label not legible in the source; by the Supported Platforms list this would be the Windows build)
Size: 19.0 MB
Date: Thu Jan 31 16:19:19 2019
MD5: 55db296c9a58cae123d8e3ddec2987b2
SHA1: 912cf7e269b65f95faf49b5a1f25578900507b77
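The point of publishing these digests is that the downloaded agent is checked against them before it is run. The helper below is an added example, not part of the FireEye document or tool: it streams a file through MD5 and SHA1 once, compares each digest to the expected value in constant time, and refuses a build for which nothing could actually be compared. The EXPECTED table copies the values from this section (the illegible Linux SHA1 is left as None); the build key names and the command-line usage are this example's own.

```python
import hashlib
import hmac

# Expected digests copied from the EXECUTABLE CHECKSUMS table above. The Linux
# SHA1 is not legible in the source, so it is left as None, and the third build
# carries no legible platform label, so it is keyed neutrally here.
EXPECTED = {
    "mac": {"md5": "47967cd9350731fbae30e7c21a26b851",
            "sha1": "37820d0b1e36af9920d5b3e6c146d211938d7859"},
    "linux": {"md5": "c4d0db515a3645d1a664d606ac1da38e",
              "sha1": None},
    "third_build": {"md5": "55db296c9a58cae123d8e3ddec2987b2",
                    "sha1": "912cf7e269b65f95faf49b5a1f25578900507b77"},
}


def compute_digests(chunks):
    """Hash an iterable of byte chunks once, returning {'md5': hex, 'sha1': hex}."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def file_digests(path, chunk_size=1 << 20):
    """Stream a file through compute_digests so a large binary is not read whole."""
    with open(path, "rb") as fh:
        return compute_digests(iter(lambda: fh.read(chunk_size), b""))


def verify_checksums(actual, expected):
    """Compare computed digests with the expected ones for one build.

    Returns (ok, details). details maps each algorithm to 'match', 'MISMATCH'
    or 'skipped' (no expected value printed for it). The build passes only if
    nothing mismatched and at least one digest was actually compared, so an
    entry with both values missing can never pass silently.
    """
    details = {}
    for algo in ("md5", "sha1"):
        want = expected.get(algo)
        if not want:
            details[algo] = "skipped"
            continue
        # compare_digest keeps the comparison constant-time; both sides are hex ASCII.
        same = hmac.compare_digest(actual[algo].lower(), want.lower())
        details[algo] = "match" if same else "MISMATCH"
    ok = "MISMATCH" not in details.values() and "match" in details.values()
    return ok, details


if __name__ == "__main__":
    import sys
    # Assumed usage: python verify_fehca.py <downloaded file> <mac|linux|third_build>
    path, build = sys.argv[1], sys.argv[2]
    ok, details = verify_checksums(file_digests(path), EXPECTED[build])
    print("OK to run" if ok else "DO NOT RUN", details)
    sys.exit(0 if ok else 1)
```

A non-zero exit code makes the check usable as a gate in whatever script fetches and stages the agent; a "skipped" entry in the details is the signal to obtain the missing digest from FireEye rather than trust a single algorithm.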
USAGE

c:\FEHCA fe hca.exe -h

[ASCII-art FireEye banner, not reproduced]

FireEye Health Check Agent - v2.0

usage: fe hca.exe [-h] [-e] [-c CONFIG] [-m MODE] [-s] [-T TIMEOUT] [-S]
                  [-u USERNAME] [-t TARGET] [-f FILE] [-hi HELIXINSTANCE]
                  [-hk HELIXKEY]

optional arguments:
  -h, --help            show this help message and exit
  -e, --encrypt         Encrypt a password for use in storing in config files.
                        Prompts for password interactively.
  -c CONFIG, --config CONFIG
                        Configuration file containing hosts. Used for
                        conducting single runs against multiple hosts that
                        have different passwords. Experimental.
  -m MODE, --mode MODE  Operation mode. Supported options are appliance
                        (default), helix & fso. Note: Appliance mode is used
                        for both physical and virtual appliances.
  -s, --sslcheckoverride
                        Override the SSL check if an SSL Intercept solution is
                        in use and having SSL certificate verification to
                        fail. Note: Only use this if you are certain on why
                        certificate checks are failing
  -T TIMEOUT, --timeout TIMEOUT
                        Connection timeout in seconds. Default is 5.
  -S, --statistics      Display execution statistics.
  -u USERNAME, --username USERNAME
                        Username to use for target appliance. Admin level user
                        required. If not provided, you will be prompted.
  -t TARGET, --target TARGET
                        IP or hostname of target appliance. If not provided
                        and --file not specified, you will be prompted.
  -f FILE, --file FILE  File to read target hostnames or IPs from. One
                        hostname specified per line.
  -hi HELIXINSTANCE, --helixinstance HELIXINSTANCE
                        Helix instance identifier. Only used with --mode
                        helix. If not provided, you will be prompted.
  -hk HELIXKEY, --helixkey HELIXKEY
                        Helix API key. Only used with --mode helix. If not
                        provided, you will be prompted.
HELP
When FE HCA is executed without any arguments, or -h or --help is specified, the default usage is displayed.

TARGET
Target hosts for data collection can be specified directly. A single host can be provided, or optionally, multiple hosts separated by a comma, e.g. 192.168.1.150,10.1.1.39

USERNAME
Username for the appliance. This should be a user with admin credentials on the appliance to facilitate complete configuration collection. Collection using a non-admin account is not supported.

FILE
A file that contains a list of target hosts to be assessed, each specified on its own line, can be provided. This is useful for large deployments.

ENCRYPT
Encrypt a password / API key to be saved in a configuration file. Only encrypted passwords are supported in configuration files. Encrypted passwords can only be used on the same host that the tool is being run from. If the configuration file is moved to another system and used there, the passwords / API keys need to be re-encrypted.

CONFIGURATION FILE
An encrypted file that contains a list of target hosts with accompanying authentication credentials that can be stored for reuse. This can be used to run against Helix and on-premises appliances in a single execution. This option may also assist with conducting a single execution against multiple hosts that have different accounts and passwords. This is useful for large deployments. Example config:

[appliance set 1]
mode:appliance
username:account1
password: encrypted password generated with ‘-e’
target: omain

[appliance set 2]
mode:appliance
username:account2
password: encrypted password generated with ‘-e’
ary.otherdomain

[helix set 1]
mode:helix
helixkey: encrypted api key generated with ‘-e’
helixinstance:hexabc123

STATISTICS
Provides statistics on the execution of the agent.

REPORTS
Report generation. This flag should be used on execution to enable the report generation feature of this tool. Report generation is automated when this option is enabled.

TIMEOUT
Enables a custom timeout window in seconds. Typically used to accommodate connections with latency. The default timeout window is five seconds.

MODE
Operation mode. Supported options are appliance (default), HELIX & FSO. Note: Appliance mode is used for both physical and virtual appliances. Only one mode can be executed at a time, e.g. Helix mode must be run separately from FSO mode, and Appliance mode must be run separately. This restriction can be avoided using the Configuration File option described above.

HELIX INSTANCE
Specifies the customer Helix instance ID to query for the reporting pull.

HELIX KEY
Provides the parameter to enter the API key required to query the Helix API when running Helix mode reporting.

SSL CHECK OVERRIDE
Override the SSL check if an SSL Intercept solution is in use and is causing SSL certificate verification to fail. Note: Only use this if you are certain why certificate checks are failing.
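The note on SSL CHECK OVERRIDE asks the operator to be certain why verification fails before turning it off, since -s also disables the check that would flag anything impersonating the appliance. The script below is an added example, not part of the FireEye tool: it attempts a verified TLS handshake with Python's ssl module and, on failure, reports the OpenSSL verify code together with guidance. The guidance text and the host, port, timeout and cafile parameters are this example's own. With an SSL-intercept product in the path the usual result is code 20 (issuer not in the trust store); passing that product's CA certificate as cafile shows the handshake succeeding with verification still on, which is the fix to prefer over the override.

```python
import socket
import ssl

# OpenSSL X509 verification result codes that the ssl module exposes as
# SSLCertVerificationError.verify_code (Python 3.7+). This subset is what an
# SSL-intercept deployment or a self-signed appliance certificate typically
# produces; the guidance strings are added here, not FireEye's.
VERIFY_CODE_GUIDANCE = {
    10: "certificate has expired: renew the appliance certificate",
    18: "self-signed leaf certificate: trust that certificate explicitly",
    19: "self-signed certificate in chain: an intercept or private CA is in the path; "
        "add that CA to the trust store rather than overriding verification",
    20: "unable to get local issuer certificate: the signing CA (often an SSL-intercept "
        "CA) is not in the trust store; add it via cafile / the system trust store",
    21: "unable to verify leaf signature: the served chain is incomplete; fix the server",
    62: "hostname mismatch: the certificate was not issued for the name you connected to",
}


def explain_verify_code(code):
    """Map an OpenSSL verify code to operator guidance; unknown codes get a generic hint."""
    return VERIFY_CODE_GUIDANCE.get(
        code, "verification failed with code %s; inspect the served chain" % code)


def check_tls(host, port=443, timeout=5.0, cafile=None):
    """Attempt a verified TLS handshake to host:port and classify the outcome.

    Returns {'ok': bool, 'code': OpenSSL verify code or None, 'reason': str}.
    cafile is an extra trust anchor (PEM): point it at the intercept CA to
    confirm that trusting the CA, not disabling verification, resolves the error.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # hostname check + CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
                return {"ok": True, "code": None, "reason": "verified: %s" % (subject,)}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "code": exc.verify_code,
                "reason": "%s -> %s" % (exc.verify_message,
                                        explain_verify_code(exc.verify_code))}
    except (OSError, ssl.SSLError) as exc:
        # Unreachable host, refused port, timeout, or a non-certificate TLS failure.
        return {"ok": False, "code": None, "reason": "connection failed: %s" % exc}


if __name__ == "__main__":
    # Assumed appliance name; replace with a real target.
    for cafile in (None, "intercept-ca.pem"):
        print(cafile, check_tls("appliance.example.internal", cafile=cafile))
```

Run it once without cafile to see the code the agent is hitting, then once with the intercept CA's PEM; if ok turns true, install that CA in the host's trust store and run the agent without -s.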
EXECUTION

EXAMPLE
A typical execution of this agent for reporting on appliance health should resemble the following output. Device addresses and credentials will vary:

C:\ fe hca.exe -r -f Appliances.txt -u [email protected]

[ASCII-art FireEye banner, not reproduced]

FireEye Health Check Agent – v2.0

FIREEYE HEALTH CHECK AGENT END USER LICENSE
--------------------------------------
Your use of this FireEye Health Check Agent tool is subject to the applicable terms found at:
http://www.fireeye.com/company/legal

By running this tool, you confirm and acknowledge that you have read and agree to those terms presented in the link above. If you do not agree to these terms, please exit and discontinue the use of this tool.

All Intellectual Property Rights in FireEye Materials, Products, Deliverables, Documentation, and Subscriptions belong exclusively to FireEye and its licensors. Customer will not (and will not allow any third party to):
(i) disassemble, decompile, reverse compile, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of any FireEye Materials (except to the limited extent that applicable law prohibits reverse engineering restrictions);
(ii) sell, resell, distribute, sublicense or otherwise transfer, the FireEye Materials, or make the functionality of the FireEye Materials available to any other party through any means (unless otherwise FireEye has provided prior written consent)

Have you read and agree to all the terms? (Yes/No): yes
Okta User: [email protected]
Password:
Appliance(s) Password:

Gathering Configurations
Hosts: 100% ################################### 38/38 [01:10 00:00, 1.66hosts/s]
[ 192.168.1.250][ Completed.]: 100% ################################### 112/112 [00:55 00:00, 3.33cmd/s]
[ 10.1.1.120][ Completed.]: 100% ################################### 112/112 [00:53 00:00, 2.57cmd/s]
[ hexabc123-hxprim.helix.apps.fireeye.com][ Completed.]: 100% ################################### 112/112 [00:53 00:00, 2.40cmd/s]
[ hexabc123-hxdmz.helix.apps.fireeye.com][ Completed.]: 100% ################################### 112/112 [00:53 00:00, 2.33cmd/s]

Processing Configurations
Configs: 100% ########## 35/35 [00:01 00:00, 19.21files/s]

Generating Reports
Reports: 100% ########## 33/33 [00:08 00:00, 4.09files/s]
reports\192.168.1.250 141218T103332.docx
reports\10.1.1.120 pps.fireeye.com ps.fireeye.com 141218T103332.docx

BEHAVIORS

USERNAMES AND PASSWORDS
In the event that --username or --password is not specified on the command line, the tool will prompt for those at execution time.

TARGETS AND FILES
In the event that neither --target nor --file is specified, the tool starts in an interactive mode where target hosts can be specified.

REPORTS
Reports are generated automatically and output customized based on the appliance that was detected at run time. Reports can be found in the reports folder in the same location where the tool is located.
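The CONFIGURATION FILE, TARGET and FILE options described under Usage, and the prompting behaviours above, all come down to one question before a 38-host run starts: is every section complete and every target well formed? The validator below is an added example, not FireEye's parser. It assumes only the layout this document's sample config shows (INI-style sections, key:value pairs, appliance as the default mode) and also accepts the comma-separated TARGET form from the HELP section; SAMPLE_CONFIG, the hostname rule, the summary fields and the treatment of the fso mode are constructed here.

```python
import configparser
import ipaddress
import re

# Constructed sample in the layout shown under CONFIGURATION FILE: one section
# per appliance set or Helix instance, key:value pairs. The bracketed values stand
# in for the output of the tool's -e option, whose format this page does not show.
SAMPLE_CONFIG = """
[appliance set 1]
mode:appliance
username:account1
password: <encrypted password generated with -e>
target: nx01.example.internal,192.168.1.250

[helix set 1]
mode:helix
helixkey: <encrypted api key generated with -e>
helixinstance:hexabc123

[broken set]
mode:appliance
username:account2
target: 10.1.1.120
"""

# Keys each mode needs before a run is worth starting. "fso" is listed as a
# mode on this page but its keys are not documented here, so it is rejected.
REQUIRED_KEYS = {
    "appliance": ("username", "password", "target"),
    "helix": ("helixkey", "helixinstance"),
}
SECRET_KEYS = ("password", "helixkey")

# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def parse_targets(value):
    """Split a TARGET value ('host' or 'h1,h2' as the HELP section describes) into
    a list, rejecting entries that are neither an IP address nor a hostname."""
    targets = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            ipaddress.ip_address(item)
        except ValueError:
            if not HOSTNAME_RE.match(item):
                raise ValueError("invalid target %r" % item)
        targets.append(item)
    return targets


def load_and_validate(text):
    """Parse config text and return (valid_sets, errors).

    valid_sets holds one summary dict per usable section, with secrets replaced
    by a presence flag so the summary can be logged safely. errors lists every
    unusable section so the whole file is fixed before a long run starts.
    """
    # ':' is the delimiter the page's example uses; interpolation is disabled so a
    # '%' inside an encrypted value is not mistaken for a substitution.
    parser = configparser.ConfigParser(delimiters=(":", "="), interpolation=None)
    parser.read_string(text)
    valid, errors = [], []
    for name in parser.sections():
        section = parser[name]
        mode = section.get("mode", "appliance").strip().lower()  # appliance is the default
        if mode not in REQUIRED_KEYS:
            errors.append("[%s]: unsupported mode %r" % (name, mode))
            continue
        missing = [k for k in REQUIRED_KEYS[mode] if not section.get(k, "").strip()]
        if missing:
            errors.append("[%s]: missing %s" % (name, ", ".join(missing)))
            continue
        summary = {"name": name, "mode": mode}
        try:
            for key, value in section.items():
                if key in SECRET_KEYS:
                    summary["has_" + key] = True
                elif key == "target":
                    summary["targets"] = parse_targets(value)
                elif key != "mode":
                    summary[key] = value.strip()
        except ValueError as exc:
            errors.append("[%s]: %s" % (name, exc))
            continue
        valid.append(summary)
    return valid, errors


if __name__ == "__main__":
    sets, problems = load_and_validate(SAMPLE_CONFIG)
    for s in sets:
        print("ready:", s)
    for p in problems:
        print("refused:", p)
```

Because the summaries never carry the encrypted values themselves, they can go straight into a run log; and refusing the file on the first missing key is cheaper than discovering it at the password prompt halfway through a large deployment.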
ISSUES AND TROUBLESHOOTING

KNOWN ISSUES
None

SUPPORT
This tool is not supported by FireEye Technical Support; however, bugs can be reported to FireEye Technical l

LICENSING

To assist you, an index of each license referenced is provided. Full text copies of the open source licenses may be found by following the links set out below. Some of the open source licenses require FireEye to make the corresponding source code available. For those, you may obtain the corresponding source code from FireEye by contacting: [email protected]

The offer ends three years after delivery by FireEye of the corresponding FireEye Software Release to you or, where the license so requires, at the expiration of a longer period of time as expressly set out in the license. To defray the costs associated with fulfilling your request a nominal charge of 15 may apply.

The FireEye Health Check Tool contains the open source software (OSS) packages listed below:

jmespath is licensed under the MIT license and is Copyright (c) 2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
python docx is licensed under the MIT license and is Copyright (c) 2013 Steve Canny, https://github.com/scanny.
json2html is licensed under the MIT license and is Copyright (c) 2013 Varun Malhotra.
jsonmerge is licensed under the MIT license and is Copyright 2018, Tomaz Solc [email protected].
docxtpl is licensed under the GNU LGPL, Version 2.1.
tqdm is licensed under the MIT license in part and the Mozilla Public License, 2.0 in part. (For additional details refer to:
paramiko is licensed under the GNU LGPL, Version 2.1.
colorama is licensed under the BSD 3-Clause license and is Copyright (c) 2010 Jonathan Hartley. All rights reserved.
requests is licensed under the Apache License, Version 2.0. Copyright (c) 2018 Kenneth Reitz.
HMAC.py & setup.py are licensed under the Python 2.2 license and are Copyright (c) 2001, 2002, 2003 Python Software Foundation. All Rights Reserved.
docx is licensed under the MIT license and is Copyright (c) 2013 Steve Canny, https://github.com/scanny.
beautifulsoup4 is licensed under the MIT license and is Copyright (c) 2009-2010 Mike MacCana.

License Index:
BSD 3-Clause license: https://opensource.org/licenses/BSD-3-Clause
GNU LGPL, Version 2.1: .en.html
MIT license: https://opensource.org/licenses/MIT
Mozilla Public License, 2.0: https://www.mozilla.org/en-US/MPL/2.0/
Python 2.2 license: se/
LEGAL

FREEWARE END USER LICENSE AGREEMENT
(FOR OBJECT CODE VERSIONS OF FIREEYE SOFTWARE)

BY DOWNLOADING, INSTALLING OR USING (WHICHEVER COMES FIRST) THIS SOFTWARE AND RELATED DOCUMENTATION (THE “SOFTWARE”) YOU AND THE ENTITY THAT YOU REPRESENT ("LICENSEE") ARE UNCONDITIONALLY CONSENTING TO BE BOUND BY THIS END USER LICENSE AGREEMENT WITH FIREEYE, INC. (“FIREEYE”). IF LICENSEE DOES NOT UNCONDITIONALLY AGREE TO THE TERMS OF THIS AGREEMENT, YOU MUST NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE.

Grant of License and Restrictions. Subject to the terms hereof, FireEye grants Licensee a personal, non-sublicensable, non-transferable and nonexclusive right to use the Software, but only in object code form. FireEye retains ownership of the Software and Licensee shall maintain the copyright and other notices that appear on the Software.

No Obligation to Deliver Updates and Support Services. In no event shall FireEye be liable for any support, maintenance or updates of the Software. In the event FireEye provides, in its sole discretion, any such updates, they shall be deemed “Software” subject to this Agreement unless otherwise stated in writing by FireEye.

Restrictions. Licensee shall not, and shall not authorize or assist any third party to, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of the Software (except to the limited extent that applicable law prohibits reverse engineering restrictions). Prior to disposing of any media or apparatus containing any part of the Software, Licensee shall completely destroy all copies of the Software contained therein. Licensee acknowledges that the Software may contain or use certain open source or other third party components (“Third Party Software”). Licensee agrees to be bound to any and all license provisions applicable to the Third Party Software. No rights or licenses are granted other than as expressly and unambiguously set forth herein.

Confidentiality. The Software in source code form remains a confidential trade secret of FireEye. The Software is protected by the copyright and other intellectual property laws of the United States and international treaties.

Termination. This Agreement is effective until terminated. This Agreement shall terminate automatically if Licensee fails to comply with any term or condition of this Agreement. Upon termination, Licensee shall destroy all copies of the Software. Paragraphs 3, 4, 6, 7, 8, and 9 of this Agreement shall survive any termination.

Limited Warranty and Disclaimer. LICENSEE ACCEPTS THE SOFTWARE "AS IS," AND FIREEYE MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, TITLE, AND NONINFRINGEMENT. FIREEYE DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE’S REQUIREMENTS OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR FREE. THE ENTIRE RISK ARISING OUT OF SELECTION, USE OR PERFORMANCE OF THE SOFTWARE REMAINS WITH YOU.

Limitation of Liability. LICENSEE’S EXCLUSIVE REMEDY AND THE ENTIRE LIABILITY OF FIREEYE RELATED TO THE SOFTWARE SHALL BE EXPRESSLY LIMITED TO REPLACEMENT OF THE SOFTWARE. IN NO EVENT WILL FIREEYE OR ANYONE ELSE WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION, OR DELIVERY OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING WITHOUT LIMITATION, LOST PROFITS OR LOST DATA, EVEN IF THEY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR OTHER LIABILITY.

Export Control. Licensee represents and warrants that it shall comply with all laws and regulations applicable to Licensee with respect to the Software and its license and use, including without limitation those with respect to export.

Miscellaneous. This Agreement shall be deemed to have been made in, and shall be governed by, the laws of the State of California and the United States without regard to conflicts of laws provisions thereof, and without regard to the United Nations Convention on the International Sale of Goods or the Uniform Computer Information Transactions Act. This is the complete and exclusive statement of the mutual understanding of the parties with respect to the license granted herein and supersedes and cancels all agreements and communications relating to such license.