The following information describes the PCA installation package.
The PCA software package file name looks like:
<nnnn> is the build version number; for example, 3650.
<rrr> is the RPM revision number. This is usually a single digit number.
<distro> is an identifier for the Linux™ distribution, such as "RHELn" for Red Hat Enterprise Linux release n.
Note: Red Hat Enterprise Linux (RHEL) 7 uses the same PCA installation package and process as Red Hat Enterprise Linux (RHEL) 6.x. In this scenario, use tealeaf-pca-<nnnn>-<rrr>.RHEL6.i386.rpm for the installation package.
Operating system users
The PCA must be installed by using the root user account. During the installation process, the PCA user ctccap is created. During execution, the ctccap user runs the PCA processes, regardless of the user that started them.
Note: Do not use the sudo root user for installation. Although the installer can report that the installation was completed, several capture errors then indicate that the installation failed. These errors can include "restarting too rapidly" errors, failures to start interfaces, permissions issues, and more. Be sure to use a true root user login.
It is not required that you log in to the system by using the root user. However, the ctccap user must have the permissions to run the tealeaf stop commands. It is necessary to run with limited root permissions as described.
As a passive network traffic capture application running under a stock Linux operating system, the PCA requires specific system permissions to passively capture network packets. Through the operating system, the PCA must be able to place system network NICs into promiscuous capture mode. This mode allows the PCA to passively listen to all network traffic presented to the designated NICs. For this reason, the specific application process must run with root permission.
To minimize security issues, only one specific PCA application module requires this permission, and it uses it only for traffic capture. All other PCA application modules are run with non-root user permissions.
The capturing module only listens to a copy of the supplied network traffic. The module cannot inject any traffic whatsoever between your web server and the client browser.
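The account rules above can be checked with a few shell functions: a true root login before installation, promiscuous mode on the capture NIC, and at most one PCA process running as root with the rest running as ctccap. This is an added example, not vendor code; the /opt/pca-demo path and module names in the sample listing are hypothetical, and the SUDO_USER test is a heuristic.

```shell
#!/bin/sh
# Added example, not vendor code. Values are passed as arguments so that
# each check can be exercised offline with constructed input.

# True only for a direct root login: uid 0 and no sudo marker in the environment.
# Heuristic: sudo sets SUDO_USER, but "sudo su -" starts a fresh environment.
# usage: is_true_root "$(id -u)" "${SUDO_USER:-}"
is_true_root() {
    [ "$1" -eq 0 ] && [ -z "$2" ]
}

# True if IFF_PROMISC (0x100) is set in a value read from /sys/class/net/<nic>/flags.
# usage: nic_is_promisc "$(cat /sys/class/net/eth0/flags)"
nic_is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Reads "user command" lines on stdin (for example from: ps -eo user= -o args=),
# counts the processes whose command matches the regex in $1, and succeeds only
# if at most one of them runs as root and every other one runs as ctccap.
audit_pca_users() {
    awk -v pat="$1" '
        $2 ~ pat { if ($1 == "root") r++; else if ($1 == "ctccap") c++; else o++ }
        END { printf "root=%d ctccap=%d other=%d\n", r, c, o
              exit !(r <= 1 && o == 0) }'
}

# Constructed sample listing; the install path and module names are hypothetical.
audit_pca_users '^/opt/pca-demo/' <<'EOF'
root   /opt/pca-demo/capture
ctccap /opt/pca-demo/reassembler
ctccap /opt/pca-demo/delivery
root   /usr/sbin/sshd
EOF
```

On a real host, pass a pattern that matches the actual PCA install path; a non-zero exit status from `audit_pca_users` means more than one matching process runs as root or one runs under an unexpected account.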