Deploy Cyberwatch in compliance with CCN-STIC 807

The CCN-STIC 807 guide (Criptología de empleo en el Esquema Nacional de Seguridad), published by the Spanish Centro Criptológico Nacional (CCN), defines the cryptographic requirements that apply to organizations subject to the Esquema Nacional de Seguridad (ENS). It notably mandates the use of state-of-the-art cryptographic protocols (TLS 1.3) and control over the deployed components.

This page describes the adjustments to make to a Cyberwatch deployment in order to meet these requirements. It complements the standard deployment with Swarm and the page Deploy Cyberwatch on a hardened system.

The recommendations on this page apply only to organizations that are effectively subject to CCN-STIC 807. They are not required for a standard deployment and may needlessly complicate the installation in other contexts.

1. Disabling the embedded Elasticsearch and Kibana

By default, Cyberwatch includes its own Elasticsearch and Kibana instances. In an environment subject to CCN-STIC 807, these embedded containers must be disabled, as their cryptographic configuration is not controlled by the organization.

Follow the Disabling embedded containers procedure (the CBW_DISABLE_ELK flag), documented for Docker Swarm, Podman and the Helm chart.

If the features relying on Elasticsearch and Kibana are still required, Cyberwatch can be connected to an Elastic Stack deployed internally and configured in accordance with your security policy. The procedure to configure an external Elastic Stack describes the required settings (URL, authentication, CA certificate, TLS verification method).

2. Downloading the Cyberwatch package over TLS 1.3

The standard deployment adds the Cyberwatch repository and then installs the package through the distribution’s package manager (apt, dnf).

Depending on the operating system, the package manager’s TLS client does not always have the required capabilities (TLS 1.3 negotiation) to be compliant with CCN-STIC 807. In that case, do not configure the Cyberwatch repository: download the package manually with curl, forcing TLS 1.3, then install it locally.

Retrieve the cyberwatch and cosign packages matching your distribution while forcing TLS 1.3 with the --tlsv1.3 --tls-max 1.3 options:

Installing the Cyberwatch package may require adding dependencies that are not yet present on the system, such as docker, logrotate, openssl, bash-completion or curl for example. These should be installed from the repositories of the relevant distribution.

For Debian-based distributions (apt repository):

# The exact (versioned) name of the cosign package is visible on https://dl.cyberwatch.com/apt/incoming/
curl --tlsv1.3 --tls-max 1.3 -JLO https://dl.cyberwatch.com/apt/incoming/cyberwatch.deb
curl --tlsv1.3 --tls-max 1.3 -JLO https://dl.cyberwatch.com/apt/incoming/cosign_<version>.deb
sudo dpkg -i cosign*.deb
sudo dpkg -i cyberwatch.deb

For Red Hat-based distributions (rpm repository):

# The exact (versioned) name of the cosign package is visible on https://dl.cyberwatch.com/rpm/incoming/
curl --tlsv1.3 --tls-max 1.3 -JLO https://dl.cyberwatch.com/rpm/incoming/cyberwatch.rpm
curl --tlsv1.3 --tls-max 1.3 -JLO https://dl.cyberwatch.com/rpm/incoming/cosign-<version>.rpm
sudo rpm -i cosign*.rpm
sudo rpm -i cyberwatch.rpm

3. Importing the container images with docker load

The installation then downloads the container images from the Cyberwatch registry (harbor.cyberwatch.fr) using the Docker daemon.

The TLS client of the official Docker daemon is currently not compliant with CCN-STIC 807. It must therefore not be used to retrieve the images. Instead, download the image archive from dl.cyberwatch.com (over TLS 1.3), then import it locally with docker load.

Follow the Pull Docker images procedure, making sure to force TLS 1.3 on the curl download:

export CBW_USER=
export CBW_PASSWORD=
curl --tlsv1.3 --tls-max 1.3 -u "$CBW_USER:$CBW_PASSWORD" -JLO https://dl.cyberwatch.com/download_images
docker image load -i images_cbwonpremise_*.tar.gz

Disable the image download by setting the CBW_NO_PULL="true" variable in the /etc/cyberwatch/config.env file.

Because the images are present in the local cache, the Docker daemon does not need to retrieve them from the registry during configuration.

4. Configuring Cyberwatch

Once the package is installed, the images are imported and ELK is disabled, configure the application:

sudo cyberwatch configure

Then continue with the installation wizard as described in the standard deployment with Swarm.

This page covers the recommended deployment with Docker Swarm. The same principles apply to Podman deployments: disabling ELK is documented there as well, and the manual import of images over TLS 1.3 follows the same logic (podman image load, images preloaded into the cluster registry). Likewise for Kubernetes, you need to set global.image.pullPolicy: Never in the values.yml and load the images according to the image storage engine associated with the Kubernetes cluster. This is only necessary when the image download does not meet the TLS 1.3 requirements.

Technical support

For any question regarding a deployment subject to CCN-STIC 807, contact the Cyberwatch support:


Back to top

English Français Español