Faction Installation

Requirements

  • Tomcat8
  • mongodb
  • python
  • Java 8

1. Install Java 8:

$ sudo apt install software-properties-common
$ sudo add-apt-repository ppa:webupd8team/java
$ sudo apt-get install oracle-java8-installer
$ sudo apt-get install oracle-java8-set-default

#Check that the correct version is installed:
$ java --version

java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)

You should probably add the following line to your /etc/environment file:

JAVA_HOME=/usr/lib/jvm/java-8-oracle

2. Install Tomcat8

Note: This will not work with the version of tomcat available from apt-get on Ubuntu. You must install the official version from the apache site.
$ cd /opt/
$ sudo wget http://mirror.reverse.net/pub/apache/tomcat/tomcat-8/v8.5.4/bin/apache-tomcat-8.5.4.tar.gz
$ sudo xzvf *.gz
$ sudo ln -s apache-tomcat-8.5.4 tomcat
$ sudo export JAVA_HOME=/usr/lib/jvm/java-8-oracle/
$ cd tomcat/bin
$ sudo ./startup.sh

3. Install remaining dependencies:

$ sudo apt-get install python mongodb libfontconfig1 libxrender1

 

4. Configure Tomcat

Log into the FuseSoft Portal and download your war file. You will place this file in your tomcat webapps directory. You can rename it as well. The file name will become the url path unless you rename the war ROOT.war. Then the path will be at the base of the URL.

Example:

$ /opt/tomcat/webapps# ls
faction-beta1  faction-beta1.war 

# The url will be http://localhost:8080/faction-beta1/ 

Or when named ROOT

$ /opt/tomcat/webapps# ls 
ROOT  ROOT.war  

# The url will be http://localhost:8080/ 

5. Create a Faction server side folders and configs

mkdir /opt/fusesoft
mkdir /opt/faction
mkdir /opt/fusesoft/templates 
chmod 755 /opt/fusesoft/templates
chmod 755 /opt/faction

6. Create the Database Config File and Mongo Configs

$ cd /opt/faction
$ vi db.config

A typical config file will look like the following. If you have mongo db on a separate server then you will want to configure authentication and therefore uncomment the lines for username and password.

host=127.0.0.1
port=27017
database=Faction
#username=FactionUser
#password=BeClever

To add authentication to mongo db you need to update the mongo db config file

$ vi /etc/mogodb.conf

[..snip..]

net: 
   bindIp = 127.0.0.1 # <--- Change this to the server ip if needing remote connections
[..snip..]

security:
   authorization = 'enabled'

[..snip..]

 

After you edit the above config file to allow remote connections you can then add the Faction user to the mongo database as follows

$ mongo
connecting to: test
> use admin
> db.createUser({username:"FactionUser",pwd:"BeClever",roles:[{role:"readWrite",db:"Faction"}]})

 

Now you can restart mongo and test that you can connect.

$ sudo service mongodb restart
$ mongo -u FactionUser  192.168.1.100/Faction -p

 

7. Logging in for the first time

Now navigate to the URL (i.e. http://localhost:8080/faction/). The first time you access the site you will be asked to create an administrator. After this you will need to have email set up to add additional users.

8. Set Up email.

Typical gmail set up looks like this:
Server: smtp.gmail.com
Port: 465
Protocol: smtp

Check ‘Use Authentication’, ‘Use TLS’, and ‘Use SSL’.
The Gmail set up may require you to add support for less secure apps for the account you use for email. Log into your gmail domain with the user that will send emails on behalf of Faction then navigate to the following URL:

https://www.google.com/settings/security/lesssecureapps

 

 

9. Using the BurpSuite Extension

You must first create a user with and API key. This is a checkbox in Admin->Users->[Select User]->Edit. Once the setting is saved the user will receive an email with the API Key.
Add the Faction Burp extension to Burp and click the Config tab. Enter the URL of the Faction REST API. If your base URL to log into Faction is http://demo.faction.com:8080/faction/ then the REST API URL will be http://demo.faction.com:8080/faction/api. (do not add a ‘/’ after ‘api’ or the request will fail.
Once your URL is entered you can then add the API key and save. You can also update how often it pings the server for updates. This will allows the extension to have near realtime data about when vulnerabilities are added to Faction to be shared with the other assessors on the same assessment.