
Install on Linux

This guide explains how to install FMD Server on a generic Linux host.

Step 1: Get the binary

Download and unzip one of the pre-built packages. Among other things, the packages include:

  • Pre-built binaries for multiple architectures (for example, fmd-server-amd64).
  • The config.example.yml.
  • The web/ directory (only needed if you want to modify something).

Alternatively, you can compile the Go binary from source.

Put the binary at your preferred location, for example at /usr/local/bin/fmd-server.

Step 2: Create user

Create a user and group for FMD Server. On Debian-based systems:

sudo adduser fmd-server --system --group --no-create-home

Step 3: Choose the paths

FMD Server recognizes the following defaults for its config file and database directory:

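|                                    | Default location | Recommended location       |
|------------------------------------|------------------|----------------------------|
| Config file                        | ./config.yml     | /etc/fmd-server/config.yml |
| Directory with the SQLite database | ./db/            | /var/lib/fmd-server/db/    |
| Directory with web static files    | "" (embedded)    | /usr/share/fmd-server/web/ |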

These can be configured via CLI flags. The directories can also be configured in the config file.

The default location is the current working directory, because it is likely to be writable by the current user.

When installing FMD Server as an administrator, use the recommended locations for a more Unix-like setup. This requires root privileges to create and chown the required locations (hence it is not the default). The Docker images use the recommended locations.

Step 4: Create files/paths

Create the database directory. Make sure that it is readable, writable, and executable by the fmd-server user.

sudo mkdir -p /var/lib/fmd-server/db/
sudo chown fmd-server:fmd-server /var/lib/fmd-server/db/

If desired, create a config file. For more details, see the configuration article. Make sure that it is readable by the fmd-server user. However, it can still be owned by root (since FMD Server does not need to write it).

sudo mkdir -p /etc/fmd-server/

# Fill out the config file
sudo nano /etc/fmd-server/config.yml

sudo chmod 644 /etc/fmd-server/config.yml

Step 5: Start the server

You can now start FMD Server!

sudo -u fmd-server /usr/local/bin/fmd-server serve --config /etc/fmd-server/config.yml --db-dir /var/lib/fmd-server/db

Step 6: Manage with systemd

You can also manage FMD Server as a systemd service.

Create the following unit file and put it at /etc/systemd/system/fmd-server.service.

# https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html

[Unit]
Description=FMD Server
Documentation=https://gitlab.com/fmd-foss/fmd-server
After=network.target

[Service]
ExecStart=/usr/local/bin/fmd-server serve --config "/etc/fmd-server/config.yml" --db-dir "/var/lib/fmd-server/db"
Type=simple
Restart=always
User=fmd-server
Group=fmd-server

# Hardening
# https://blog.sergeantbiggs.net/posts/hardening-applications-with-systemd/
# https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html
# In the order in which they appear in the systemd.exec docs.
# Check with "systemd-analyze security fmd-server.service"
ProtectProc=invisible
NoNewPrivileges=true
CapabilityBoundingSet=
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
SystemCallFilter=@system-service
SystemCallArchitectures=native

# Necessary weakening
RuntimeDirectory=fmd-server
ReadWritePaths=/var/lib/fmd-server/

[Install]
WantedBy=multi-user.target

Then start and enable the service:

sudo systemctl enable fmd-server.service
sudo systemctl start fmd-server.service
sudo systemctl status fmd-server.service
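
The unit file above makes the file system read-only for the service (ProtectSystem=strict) and reopens only /var/lib/fmd-server/ through ReadWritePaths, so a later change to --db-dir has to be mirrored there. The following lint is an added example, not part of FMD Server or its documentation; the function names and the sample unit it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of FMD Server): lint a fmd-server.service file.

# Print the value of the last "KEY=" assignment for key $2 in unit file $1.
unit_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Return 0 if the unit is consistent; print each problem and return 1 if not.
check_unit() {
    unit=$1; rc=0
    user=$(unit_get "$unit" User)
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "User= is unset or root"; rc=1
    fi
    for d in NoNewPrivileges=true CapabilityBoundingSet= ProtectSystem=strict; do
        grep -qxF -- "$d" "$unit" || { echo "missing: $d"; rc=1; }
    done
    # Pull the --db-dir argument out of ExecStart, dropping optional quotes.
    db=$(unit_get "$unit" ExecStart | sed -n 's/.*--db-dir  *"*\([^" ]*\).*/\1/p')
    [ -n "$db" ] || { echo "no --db-dir in ExecStart"; return 1; }
    # ProtectSystem=strict mounts the file system read-only for the service,
    # so the database directory must sit under a ReadWritePaths= entry.
    covered=no
    for p in $(sed -n 's/^ReadWritePaths=//p' "$unit"); do
        case "${db%/}/" in "${p%/}/"*) covered=yes ;; esac
    done
    [ "$covered" = yes ] || { echo "--db-dir $db is not under ReadWritePaths="; rc=1; }
    return "$rc"
}

# Constructed sample unit: a subset of the page's unit, with --db-dir set to $2.
write_sample_unit() {
    cat > "$1" <<EOF
[Service]
ExecStart=/usr/local/bin/fmd-server serve --config "/etc/fmd-server/config.yml" --db-dir "$2"
User=fmd-server
NoNewPrivileges=true
CapabilityBoundingSet=
ProtectSystem=strict
ReadWritePaths=/var/lib/fmd-server/
EOF
}

tmp=$(mktemp -d)
write_sample_unit "$tmp/good.service" /var/lib/fmd-server/db
write_sample_unit "$tmp/moved.service" /srv/fmd-server/db
check_unit "$tmp/good.service" && echo "good.service: OK"
check_unit "$tmp/moved.service" || echo "moved.service: needs fixing"
rm -rf "$tmp"
```

Run check_unit against /etc/systemd/system/fmd-server.service after editing it; it complements "systemd-analyze security fmd-server.service", which scores the sandboxing but does not compare the writable paths with the ExecStart arguments.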

Next steps

The FMD Server web interface should now be available at http://localhost:8080.

Next, continue to set up a reverse proxy.