Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 etc
Octocat-spinner-32 html
Octocat-spinner-32 inc
Octocat-spinner-32 lib
Octocat-spinner-32 po
Octocat-spinner-32 reports
Octocat-spinner-32 t
Octocat-spinner-32 .gitignore
Octocat-spinner-32 .perlcriticrc bring over RT's .perlcriticrc
Octocat-spinner-32 CHANGES
Octocat-spinner-32 MANIFEST
Octocat-spinner-32 MANIFEST.SKIP
Octocat-spinner-32 META.yml
Octocat-spinner-32 Makefile.PL
Octocat-spinner-32 README
Octocat-spinner-32 UPGRADING
Octocat-spinner-32 releng.cnf
README
RT for Incident Response is an open source, industrial-grade
incident-handling tool designed to provide a simple, effective
workflow for members of CERT and CSIRT teams. It allows team members
to track, respond to and deal with reported incidents and features a
number of tools to make common operations quick and easy.  RTIR is
built on top of "RT," which is also available for free from Best
Practical Solutions at http://www.bestpractical.com/rt/.

To purchase commercials support, training or custom development for RT
or RTIR, please contact Best Practical at sales@bestpractical.com.


WARNING: This version DOES NOT WORK with RT 4.x, wait for RTIR 3.0.


REQUIRED PACKAGES:
------------------

o   RT 3.8.3 or later, but not 4.x, configured, installed and tested.
o   RTFM 2.4.1 or later, configured, installed and tested.
o   Net::Whois::RIPE 1.31 or OLDER, later versions broke
    backwards compatibility


Upgrade instructions:
-----------------------

If you've installed a prior version of RTIR, you may need to follow
special steps to upgrade.  See the UPGRADING file for detailed
information.


Installation instructions:
--------------------------

1) Install RT 3.8.3 or newer following RT's regular installation instructions

2) Install RTFM 2.4.1 or nerwer, following the installation instructions
   in RTFM's README file. (Don't forget to run "make initdb" to set up the 
   database for RTFM and activate it using @Plugins option in the RT config); 

3) Run "perl Makefile.PL" to generate a makefile for RTIR. 

4) Install any extra Perl modules RTIR needs that aren't already
   installed.

5) Type "make install".

6) If you are installing RTIR for the first time, initialize the RTIR
   database by typing "make initdb".

   WARNING: Do not attempt to re-initialize the database if you are
   upgrading.

7) Activate RTIR extion in the RT config:

    Set(@Plugins, 'RT::FM', 'RT::IR');

8) Stop and start your web server.

9) If you want to enable ticket/incident aging, install RT::Extension::TicketAging
   following the installation instructions in that extension's INSTALL and README 
   files.

10) If you want to enable ticket locking, install RT::Extension::TicketLocking
    following the installation instructions in that extension's README file.


Configuring RTIR
----------------

1) Using RT's configuration interface, add the email address
   of the Network Operations Team (the people who will handle
   activating and removing Blocks) as AdminCC on the Blocks queue.
   RT -> Queues -> Blocks -> Watchers

2) You may want to modify the email messages that are automatically
   sent on the creation of Investigations and Blocks.
   RT -> Queues -> <Select RTIR's Queue> -> Templates.
   RT -> Global -> Templates.


3) By default, RT ships with a number of global Scrips.  You should use 
   RT's configuration interface to look through them, and disable any 
   that aren't apropriate in your environment.
   RT -> Queues -> <Select RTIR's Queue> -> Scrips.
   RT -> Global -> Scrips.


4) Add staff members who handle incidents to the DutyTeam group.
   RT -> Configuration -> Groups -> DutyTeam -> Members.

5) You can override values in the RTIR_Config.pm in your
   RT_SiteConfig.pm file. Just add your customizations after the "require" 
   line mentioned above.


SETTING UP THE MAIL GATEWAY 
---------------------------

An alias for the Incident Reports  queue will need to be made in either 
your global mail aliases file (if you are using NIS) or locally on your
machine.
 
Add the following lines to /etc/aliases (or your local equivalent) :

rtir:         "|/opt/rt3/bin/rt-mailgate --queue 'Incident Reports' --action correspond --url http://localhost/"

You should substitute the URL for RT's web interface for "http://localhost/".

** If you're configuring RTIR with support for multiple constituencies, please
refer to the instructions in the file lib/RT/IR/Constituencies.pod

** Use "perldoc /opt/rt3/bin/rt-mailgate" to get more info about mailgate script.

Documentation for RTIR
----------------------

   * This README file

   * UPGRADING 
        Instructions for users upgrading from 1.0 or 2.0

   * perldoc lib/RT/IR/DocIndex.pod 
        ( also at http://svn.bestpractical.com/cgi-bin/index.cgi/bps/view/rtir/branches/2.3-EXPERIMENTAL/lib/RT/IR/DocIndex.pod )
        Links to documentation specific to RTIR

   * perldoc lib/RT/IR/Tutorial.pod 
        ( also at http://svn.bestpractical.com/cgi-bin/index.cgi/bps/view/rtir/branches/2.3-EXPERIMENTAL/lib/RT/IR/Tutorial.pod )
        Extended information about ticket merging

   * perldoc lib/RT/IR/Constituencies.pod 
        ( also at http://svn.bestpractical.com/cgi-bin/index.cgi/bps/view/rtir/branches/2.3-EXPERIMENTAL/lib/RT/IR/Constituencies.pod )
        Information about setting up RTIR with multiple user constituencies

   * perldoc lib/RT/IR/AdministrationTutorial.pod 
        ( also at http://svn.bestpractical.com/cgi-bin/index.cgi/bps/view/rtir/branches/2.3-EXPERIMENTAL/lib/RT/IR/AdministrationTutorial.pod )
        Information about setting up RTIR for Administrators
        
   * install extension RT-OnlineDocs to give SuperUsers access to the RT::IR and RT API
     documentation via the Web UI.  This includes the Tutorial.pod and other .pod files
     mentioned above.

   * perldoc RT::Extension::TicketAging
        (also at http://svn.bestpractical.com/cgi-bin/index.cgi/bps/view/RT-Extension-TicketAging/lib/RT/Extension/TicketAging.pm )
        Information about configuring and using RT and RTIR Ticket Aging.

   * perldoc RT::Extension::TicketLocking
        (also at http://svn.bestpractical.com/cgi-bin/index.cgi/bps/view/RT-Extension-TicketLocking/lib/RT/Extension/TicketLocking.pm )
        Information about configuring and using RT and RTIR Ticket Locking.

   * etc/RTIR_Config.pm  
        (Contains a number of RTIR-specific configuration options and instructions for their use)

   * RTIR mailing list 
        Subscribe by sending mail to rtir-request@lists.bestpractical.com

   * http://wiki.bestpractical.com/view/RTIR
        The RTIR section of the community-developed RT wiki is still in its infancy.  


DEVELOPMENT
-----------

If you would like to run RTIR's tests, you need to set a few environment
variables:

RT_DBA_USER - a user who can create a database on your RDBMS
              (such as root on mysql)

RT_DBA_PASSWORD - the password for RT_DBA_USER

To run tests:

$ RTHOME=/opt/my-rt perl Makefile.PL
$ RT_DBA_USER=user RT_DBA_PASSWORD=password make test

These are intended to be run before installing RTIR.  RTFM, however,
must already be installed.

Like RT, RTIR expects to be able to create a new database called rt3test
on your system.


REPORTING BUGS
--------------

To report a bug, send email to rtir-bugs@bestpractical.com.
Something went wrong with that request. Please try again.