Uninstalling AC-Hunter

Note: following these steps will irretrievably and permanently remove your entire AC-Hunter installation and all of its data. If this isn’t what you want, do not follow these steps.

Do not follow these steps if you have any docker images, containers, or volumes not supplied by Active Countermeasures on this system.


1) Back up your whitelist: in the dashboard, click the gear icon, open the whitelist tab, and download the whitelist.

2) If you’ve added any blacklisted IPs to /etc/AC-Hunter/blacklist/ips.txt, make a backup of that file somewhere outside /etc/AC-Hunter/.

3) Make a backup of any databases you wish to keep. Since the underlying Mongo databases will be deleted in their entirety, use mongodump to export any you want to keep to a file.

4) Stop sending logs from your sensors to this system. On each sensor, edit (under sudo) /etc/cron.d/zeek_log_transport and comment out the line that sends logs to this AC-Hunter system. Save and exit.

5) Make a backup of any Zeek logs you wish to keep, placing them outside of /opt/zeek/remotelogs/.

6) Get a listing of all docker volumes with:

sudo docker volume ls

If you wish to keep any of these volumes, stop here.

7) Get a listing of all docker containers with:

sudo docker ps

If any of these have a name (the last column of the output) that does not start with “beaker_” or “achunter_”, stop here.

8) Get a listing of all docker images with:

sudo docker images

The repository column for every image should start with “ac-hunter/”, “ai-hunter/”, “activecm-beaker/”, ““, “mongo”, “taskrabbit/elasticsearch-dump”, or “hello-world”. If there are images from any other source, stop here.

9) Shut down AC-Hunter with:

hunt down -v

(If “hunt” is not located, try using “/usr/local/bin/hunt” in all commands that use it.)

10) Confirm that AC-Hunter is shut down by running:

sudo docker volume ls | grep hunter

This command should return no output. If you do get any output, stop here and contact [email protected].

11) Shut down Beaker with:

beaker down

(If “beaker” is not located, try using “/usr/local/bin/beaker” in all commands that use it.)

12) Remove all docker volumes with (all on one line):

for X in `sudo docker volume ls | awk '{print $2}' | grep -v VOLUME` ; do sudo docker volume rm "$X" ; done

13) Remove all images with (all on one line):

for X in `sudo docker images | awk '{print $3}' | grep -v IMAGE` ; do sudo docker rmi "$X" ; done

14) If you no longer need the Zeek logs, remove the directories under /opt/zeek/remotelogs/ (keep /opt/zeek/remotelogs/ itself).

15) Move old configuration directories out of the way with:

cd /etc
sudo mv AI-Hunter AI-Hunter.old
sudo mv AC-Hunter AC-Hunter.old
sudo mv BeaKer BeaKer.old

It’s OK if the “sudo mv AI-Hunter AI-Hunter.old” reports an error that the directory doesn’t exist.
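The following pre-flight check is an added example and is not part of the AC-Hunter documentation. It applies the rules from steps 7 and 8 to the output of "docker ps" and "docker images", reporting any container or image that is not one of the components listed above; the sample listings are constructed, and the function names and the "demo" helper are assumptions. Only the repository sources legible on the page are included.

```shell
#!/bin/sh
# Added example, not part of the AC-Hunter documentation: pre-flight checks for
# steps 7 and 8. Each reads the relevant docker command's output from stdin,
# reports anything that is not a listed AC-Hunter component, and returns non-zero.
# Step 7: every container name (last column) must start with "beaker_" or "achunter_".
check_containers() {
    awk 'NR > 1 { print $NF }' | {
        bad=0
        while read -r name; do
            case "$name" in
                beaker_*|achunter_*) ;;
                *) echo "foreign container: $name" >&2; bad=1 ;;
            esac
        done
        exit "$bad"   # the subshell's status becomes the pipeline's, and so the function's
    }
}

# Step 8: every repository (first column) must start with a listed source. Only the
# sources legible on the page are included; dangling "<none>" images count as foreign.
check_images() {
    awk 'NR > 1 { print $1 }' | {
        bad=0
        while read -r repo; do
            case "$repo" in
                ac-hunter/*|ai-hunter/*|activecm-beaker/*|mongo*|taskrabbit/elasticsearch-dump*|hello-world*) ;;
                *) echo "foreign image: $repo" >&2; bad=1 ;;
            esac
        done
        exit "$bad"
    }
}

# Constructed sample listings in docker's column layout (the second container is
# deliberately foreign, so demo reports it and returns 1).
SAMPLE_PS='CONTAINER ID   IMAGE        COMMAND   CREATED      STATUS      PORTS       NAMES
1a2b3c4d5e6f   mongo:4.2    "x"       2 days ago   Up 2 days   27017/tcp   achunter_mongo_1
6f5e4d3c2b1a   nginx:1.21   "x"       2 days ago   Up 2 days   80/tcp      my_webserver'
SAMPLE_IMAGES='REPOSITORY     TAG      IMAGE ID       CREATED       SIZE
ac-hunter/ui   3.0.0    0123456789ab   3 weeks ago   120MB
mongo          4.2      ba9876543210   3 weeks ago   390MB'
# Runs both checks on the samples; returns 0 only if both pass.
# Live use: sudo docker ps | check_containers && sudo docker images | check_images
demo() {
    ok=0
    printf '%s\n' "$SAMPLE_PS" | check_containers || ok=1
    printf '%s\n' "$SAMPLE_IMAGES" | check_images || ok=1
    return "$ok"
}
```

Run "demo" to see the foreign container reported; in live use, any non-zero status from either check means stop, as steps 7 and 8 say.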


(If you find any errors in the above instructions or have suggestions for improving them, please let us know at [email protected].)

Version: 202108301034


Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=3784

Category: Installation