Tuesday, December 28, 2010

Installing and configuring Fortify on Linux and Windows machines

Installing Fortify on Linux (RHEL 5 32 bit)
  • Download the Fortify archive Fortify-360-2.6.5-Analyzers_and_Apps-Linux-x86.tar.gz and extract it to a directory such as /usr/local/fortify.
  • Get the license file fortify.license and place it in the root of that directory (/usr/local/fortify).
  • Run the scapostinstall utility in the bin directory (/usr/local/fortify/bin) to perform some necessary post-install activities.
        ./scapostinstall
           [1] Migration...
           [2] Settings...
           [s] Display all settings
           [q] Exit
           Please select the desired action (1,2,s,q):

          Select 2 to change settings, then give valid entries for Rulepack Update and 360 Server Settings. In Rulepack Update, enter the HTTP address of your Fortify 360 server in the Update Server URL: field. In 360 Server Settings, enter the HTTP address of your Fortify 360 server again in the Server URL: field and set Get Rulepack Updates from 360 Server: to true.

  • Now update the rule packs using the rulepackupdate tool in the bin directory (/usr/local/fortify/bin).
  • Generate an upload access token using the fortifyclient utility in the bin directory. The upload access token allows the account and password information to be concealed while FPRs are uploaded to the Fortify 360 Server.
          fortifyclient -url [360_server_URL] token -gettoken AnalysisUploadToken -user [AccountName]
 
          fortifyclient prompts for a password; type the password for [AccountName]. fortifyclient then displays a token of the general form cb79c492-0a78-44e3-b26c-65c14df52e86. Copy the token returned by fortifyclient into a text file.
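
The upload token stands in for the account's credentials, so the text file that holds it should be readable only by its owner. The following is an added example, not part of the original post or of Fortify: it checks that pasted input has the token form shown above and stores it with mode 0600. The function names and the token file path are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the
# token file path are assumptions made for illustration.

# Succeeds if $1 has the general token form shown in the post
# (8-4-4-4-12 hexadecimal digits).
is_token_shape() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Reads one token from stdin and writes it to file $1 with mode 0600.
# Rejects malformed input and refuses to write through a symlink.
save_upload_token() {
    dest=$1
    IFS= read -r token || [ -n "$token" ] || return 1
    # Drop spaces and carriage returns picked up when pasting.
    token=$(printf '%s' "$token" | tr -d '\r ')
    is_token_shape "$token" || { echo "refusing: not a token" >&2; return 2; }
    if [ -L "$dest" ]; then echo "refusing: $dest is a symlink" >&2; return 3; fi
    (
        umask 077    # temp file is never group- or world-readable
        tmp=$(mktemp "$dest.XXXXXX") || exit 4
        printf '%s\n' "$token" > "$tmp" && mv -f "$tmp" "$dest" ||
            { rm -f "$tmp"; exit 5; }
    )
}

# Succeeds only if $1 is a regular file with no group or other access.
token_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1" | cut -c1-10) in
        -r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run `save_upload_token "$HOME/.fortify_upload_token"` (an assumed path), paste the token, and press Enter; `token_file_is_private` can then be used in build scripts to stop before an upload if the file's permissions have been loosened.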

Updating rules in future

  • If you want to update the rule packs in the future, here is the process.
  • You may get the rule pack as a zip file of the form Se289787b-abd8-4ad6-a77d-f11d89e8ac60.zip.
          Then run the command
          /usr/local/fortify/bin/rulepackupdate -import Se289787b-abd8-4ad6-a77d-f11d89e8ac60.zip
  • Or, if your F360 server is up to date with rules, run the command
          /usr/local/fortify/bin/rulepackupdate -url [360_server_URL]

3 comments:

  1. Awesome!
    Thank You :)

  2. Thanks for the post man, but I have a little trouble after installing the rules

    After updating the rules using the fortifyupdate command (rulepackupdate is now deprecated), the libraries on the Fortify 360 console still show the outdated ones.

    Am I missing something?

  3. Thank you so much - it is much easier to read than the manuals ;-)
