| Description | This article describes how to configure MinIO Community Edition for the Forensic Repository. |
| Scope | FortiDLP users who want to use a local repository based on MinIO Community Edition. |
| Solution |
MinIO Community Edition is a limited version of MinIO Enterprise Edition. In the Community Edition, GUI actions have been deprecated and the console is limited to the bucket view. Apart from other limitations, this means most operations must be done manually. This guide covers installing MinIO Community Edition from scratch, based on the standalone version only (other versions include Docker and Kubernetes).
Regarding the certificate, use a public certificate based on ZeroSSL to secure the integration from the FortiDLP tenant. Local certificates are also an option, but they are not covered by this article.
Start with the basics: Install an Ubuntu Server as a standalone server, such as Ubuntu Server Edition 24.04.03 LTS.
Once installed, connect to the server and trigger updates:
sudo apt update
Then update the system:
sudo apt upgrade
If a message about the OpenSSH server appears during the update, choose the option 'Keep the local version currently available'.
Download the MinIO Community Edition from the source:
https://dl.min.io/server/minio/release/linux-amd64/
Look for the latest .deb package available and get the package (for example):
wget https://dl.min.io/server/minio/release/linux-amd64/minio_20220523184511.0.0_amd64.deb
Now, install the MinIO package:
sudo dpkg -i minio_20220523184511.0.0_amd64.deb
Let's create a system group to run the MinIO server (-r):
sudo groupadd -r minio-user
Now, create a system user (-r) with no home directory (-M) that belongs to the group already created (-g):
sudo useradd -M -r -g minio-user minio-user
After the user and group creation, create a folder to keep the data from MinIO:
sudo mkdir /mnt/data
Just give ownership to minio-user:
sudo chown minio-user:minio-user /mnt/data
Create a config file to set up the admin name and password:
sudo nano /etc/default/minio
Here, 'user' is the home directory of a non-root user, which is used to host the certificates. Set up the admin user and a credential.
Add rules to the local firewall to accept incoming requests to TCP 9000 and TCP 9001.
sudo ufw allow 9000:9001/tcp
Let's create a ZeroSSL certificate to work with SSL. For creating a Public SSL certificate, go to Let's Encrypt.
Once created, save the private key, ca_bundle.cer, and certificate.cer.
Let's create a .minio/certs folder inside the 'user' folder, where 'user' is a non-root user of the Ubuntu server.
sudo mkdir -p /home/user/.minio/certs
Copy private.key, ca_bundle.cer, and certificate.cer into the following folder, then rename certificate.cer to public.crt inside it:
/home/user/.minio/certs
Then, give minio-user ownership of the private key:
sudo chown minio-user:minio-user /home/user/.minio/certs/private.key
Now, it is time to start the MinIO services:
sudo systemctl start minio
Check the MinIO state:
sudo systemctl status minio
Look for the API and WebUI addresses in the output. If they start with https, the service has started correctly. If they show only http://IP, then something is wrong with the certificate.
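A pre-flight check for the certificate folder, as an added example that is not part of the original article. It assumes GNU `stat` (as on Ubuntu), and the function name `check_minio_certs` and its output labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight check of the MinIO certs
# folder before starting the service. Function name and labels are hypothetical.

# check_minio_certs DIR
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
check_minio_certs() {
  dir="$1"
  rc=0
  # MinIO looks for these two file names in the certs folder.
  for name in public.crt private.key; do
    if [ ! -s "$dir/$name" ]; then
      echo "MISSING: $dir/$name is absent or empty"
      rc=1
    fi
  done
  # Without public.crt the service cannot come up on https; point at a
  # certificate that is still stored under its download name.
  for f in "$dir"/*.cer; do
    if [ -e "$f" ] && [ ! -s "$dir/public.crt" ]; then
      echo "HINT: $f present but public.crt is missing; rename the server certificate"
    fi
  done
  # The private key should carry no group or other permission bits.
  if [ -f "$dir/private.key" ]; then
    mode=$(stat -c '%a' "$dir/private.key")
    case "$mode" in
      [0-7]00|0) ;;
      *) echo "PERMS: private.key has mode $mode, expected 600 or 400"
         rc=1 ;;
    esac
  fi
  return "$rc"
}

# Usage with the folder from this article:
#   check_minio_certs /home/user/.minio/certs
```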
Open the MinIO Server by using the server IP address and port 9001 in a web browser.
Log in to the console with the admin user and credentials added to the /etc/default/minio config file.
Now, go back to a terminal (for example, PuTTY) and connect to the server via SSH.
The next step is to install a client called mc or mcli for additional setup (mc and mcli are the same).
Download the mc client from the following MinIO site: https://dl.min.io/client/mc/release/linux-amd64/.
wget https://dl.min.io/client/mc/release/linux-amd64/mcli_20250813083541.0.0_amd64.deb
Install the package in the Ubuntu server:
sudo dpkg -i mcli_20250813083541.0.0_amd64.deb
Use the autocompletion feature:
sudo mc --autocompletion
Create an alias 'dlp' or another name inside the AIStor Database from MinIO:
mc --insecure alias set dlp https://localhost:9000 minioadmin <credential>
Add a user testdlp to dlp alias:
mc --insecure admin user add dlp testdlp <credential>
Let's create a JSON file to set up access to the bucket.
Open a file with nano:
sudo nano bucket-policy.json
Add the following lines:
{
Save and close the file.
Let's create a policy by using the bucket configuration in the JSON file.
mc --insecure admin policy create dlp dlp_policy bucket-policy.json
Let's attach the policy to a user.
mc --insecure admin policy attach dlp dlp_policy --user=testdlp
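One way to produce bucket-policy.json for the steps above, as an added example and not the article's own policy file. The action list (list the bucket, write and read objects) is an assumption, the bucket name `dlp` is the one created later with `mc mb`, and the function name `write_evidence_policy` is hypothetical.

```shell
#!/bin/sh
# Added example (not the article's policy): the actions granted are an
# assumption; adjust them to what the integration needs.

# write_evidence_policy BUCKET FILE
# Writes a policy that allows listing ONE bucket and reading/writing its objects.
write_evidence_policy() {
  bucket="$1"
  out="$2"
  # Accept only S3-style names (3-63 chars of a-z, 0-9, '.', '-') so the
  # value can be placed in the JSON below without any escaping.
  case "$bucket" in
    ''|*[!a-z0-9.-]*|[.-]*|*[.-])
      echo "invalid bucket name" >&2
      return 2 ;;
  esac
  if [ "${#bucket}" -lt 3 ] || [ "${#bucket}" -gt 63 ]; then
    echo "invalid bucket name" >&2
    return 2
  fi
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::${bucket}"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::${bucket}/*"]
    }
  ]
}
EOF
}

# Usage: write_evidence_policy dlp bucket-policy.json
```

Scoping both statements to the single evidence bucket keeps the FortiDLP service account from reading or writing any other bucket on the same server.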
Let's create a service account attached to the testdlp user.
mc --insecure admin user svcacct add dlp testdlp --name FORTIDLPSRV
An access key and a secret key will be shown:
Access Key: XXGF7WRYXXC84KYSXXX
Save the access key and the Secret Key for later FortiDLP configuration.
Let's create a bucket based on the JSON config created above.
Connect with the mc tool with the dlptest alias:
mc --insecure alias set dlptest https://localhost:9000 minioadmin <credentials>
Create a DLP bucket with the current alias:
mc --insecure mb dlptest/dlp
The message "Bucket created successfully `dlptest/dlp`." confirms that the bucket was created.
Check the Web GUI if needed.
Now, check the firewall NAT. The API needs TCP 9000 to be reachable from the Internet so that the bucket can be accessed.
Go to FortiDLP console Integrations -> Evidence Store and configure the following items:
Vendor: Minio.
Host: External IP address of the MinIO server and TCP 9000. Use format IP:9000.
Region: Use us-east-1 (this is only for mimicking AWS, no effect in configuration).
Access Key: Check the access key in the previous steps.
Secret key: Check the secret key in the previous steps.
CA certificate: Use the public.crt certificate. Paste the certificate information here.
Now, save the config and start the test configuration. FortiDLP will generate curl or PowerShell code that creates an object in the bucket to test connectivity and write permissions.
Once executed, select 'Download test file'. Optionally, check the DLP bucket via the MinIO GUI to confirm that the test file was added.
Now, storage is ready. Create a policy to save file evidence, create a decryption key, and check the evidence in a DLP incident.
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.