Skip to main content

Installation

This guide covers all installation methods for Faction, from the recommended Docker Compose setup to building from source.

Prerequisites

Important: MongoDB 8.0 (used by Faction) requires a CPU with AVX instruction set support. This may cause issues in certain virtualized environments.
Before installing Faction, ensure your system meets these requirements:

Required

  • Docker and Docker Compose (for containerized deployment)
  • Java JDK 11 (for building from source)
  • Maven (for building from source)
  • CPU with AVX support - Required for MongoDB 8.0
  • 4GB RAM minimum - 2GB allocated to Tomcat, additional for MongoDB
  • 10GB disk space - For application, database, and report storage
  • Linux, macOS, or Windows with Docker support
The fastest and most reliable way to deploy Faction is using Docker Compose.

Step 1: Clone the Repository

git clone https://github.com/factionsecurity/faction.git
cd faction

Step 2: Review Configuration

The docker-compose.yml file includes default configuration: 
services:
  faction-mongo:
    image: mongo:8.0
    ports:
      - "27017:27017"
    volumes:
      - '~/.faction/data:/data/db'
    environment:
      - MONGO_INITDB_ROOT_USERNAME=faction_mongo_user
      - MONGO_INITDB_ROOT_PASSWORD=faction_mongo_pass
      
  tomcat-service:
    build:
      context: .
      dockerfile: Dockerfile
      target: base_app
    environment:
      - 'FACTION_REPORT_STORAGE=local'
      - 'FACTION_MONGO_HOST=faction-mongo'
      - 'FACTION_MONGO_DATABASE=faction'
      - 'FACTION_MONGO_USER=faction_mongo_user'
      - 'FACTION_MONGO_PASSWORD=faction_mongo_pass'
      - 'FACTION_SECRET_KEY=faction_encryption_key'
      - 'FACTION_OAUTH_CALLBACK=http://localhost:8080'
      - 'FACTION_APPSTORE_ENABLED=true'
    ports:
      - "8080:8080"
    depends_on:
      - faction-mongo

Step 3: Launch Faction

docker-compose up --build
The first build will download dependencies and compile the WAR file. This may take 5-10 minutes depending on your system.

Step 4: Access Faction

Once containers are running, access Faction at: 
http://127.0.0.1:8080

Environment Variables

Faction uses environment variables for configuration. These can be set in docker-compose.yml or as system environment variables.

Core Configuration

VariableDescriptionDefault
FACTION_MONGO_HOSTMongoDB hostnamefaction-mongo
FACTION_MONGO_DATABASEMongoDB database namefaction
FACTION_MONGO_USERMongoDB usernamefaction_mongo_user
FACTION_MONGO_PASSWORDMongoDB passwordfaction_mongo_pass
FACTION_SECRET_KEYEncryption key for sensitive datafaction_encryption_key
Security: Change FACTION_SECRET_KEY and MongoDB credentials before deploying to production!

Storage Configuration

VariableDescriptionDefault
FACTION_REPORT_STORAGEStorage backend: local or s3local

OAuth/SAML Configuration

VariableDescriptionRequired
FACTION_OAUTH_CALLBACKOAuth callback URLYes (if using OAuth/SAML)
FACTION_APPSTORE_ENABLEDEnable App Store extensionstrue

SMTP Configuration (Optional)

Configure SMTP for email notifications:
VariableDescription
FACTION_SMTP_SERVERSMTP server hostname
FACTION_SMTP_PORTSMTP server port
FACTION_SMTP_USERSMTP username
FACTION_SMTP_PASSWORDSMTP password
FACTION_SMTP_FROM_ADDRESSFrom email address
SMTP settings can also be configured through the web interface at Settings → Email Configuration.

Building from Source

For development or customization, you can build Faction from source.
1

Install Prerequisites

Ensure you have:
  • Java JDK 11
  • Maven 3.6+
  • Git
# Verify installations
java -version
mvn -version
2

Clone Repository

git clone https://github.com/factionsecurity/faction.git
cd faction
3

Build with Maven

mvn clean package
This will:
  • Compile Java sources from src/
  • Run tests from test/
  • Package into target/faction.war
The build process uses dependencies defined in pom.xml, including Struts 6.7.0, MongoDB drivers, and docx4j for report generation.
4

Deploy WAR File

Deploy the generated WAR file to Tomcat 9:
# Copy to Tomcat webapps
cp target/faction.war /usr/local/tomcat/webapps/ROOT.war

# Start Tomcat
/usr/local/tomcat/bin/catalina.sh run

Data Persistence

By default, Docker Compose stores MongoDB data in: 
~/.faction/data
This ensures your assessments, findings, and configurations persist across container restarts.

Backup Recommendations

1

Backup MongoDB Data

# Create backup
docker exec faction-mongo mongodump \
  --username=faction_mongo_user \
  --password=faction_mongo_pass \
  --out=/backup

# Copy from container
docker cp faction-mongo:/backup ./faction-backup-$(date +%Y%m%d)
2

Restore from Backup

# Copy backup to container
docker cp ./faction-backup-20260305 faction-mongo:/restore

# Restore
docker exec faction-mongo mongorestore \
  --username=faction_mongo_user \
  --password=faction_mongo_pass \
  /restore

Troubleshooting

MongoDB AVX Issues

Problem: MongoDB 8.0 requires CPU AVX support, which may not be available in:
  • Oracle VirtualBox VMs
  • Some Kubernetes configurations
  • Older CPUs
Solutions:
  1. VirtualBox Users:
  2. Kubernetes Users:

Port Conflicts

If port 8080 is already in use: 
# In docker-compose.yml, change:
ports:
  - "8081:8080"  # Use port 8081 instead
Then access Faction at http://127.0.0.1:8081

Memory Issues

If you encounter OutOfMemoryError:
  1. Increase Tomcat Heap: Edit setenv.sh or set in docker-compose.yml: 
    environment:
  - CATALINA_OPTS=-Xms2g -Xmx4g
  2. Monitor with JMX: The included setenv.sh enables JMX monitoring on port 9090: 
    # Connect with VisualVM or JConsole
jconsole localhost:9090

Container Logs

View logs for troubleshooting: 
# Faction application logs
docker logs -f faction-tomcat-service-1

# MongoDB logs
docker logs -f faction-faction-mongo-1

# All services
docker-compose logs -f

Production Deployment

Security Hardening

1

Change Default Credentials

Update MongoDB credentials and secret key in docker-compose.yml:
environment:
  - MONGO_INITDB_ROOT_PASSWORD=<strong-random-password>
  - FACTION_SECRET_KEY=<secure-encryption-key>
2

Enable HTTPS

Use a reverse proxy (nginx, Apache) with SSL/TLS:
server {
  listen 443 ssl;
  server_name faction.example.com;
  
  ssl_certificate /path/to/cert.pem;
  ssl_certificate_key /path/to/key.pem;
  
  location / {
    proxy_pass http://localhost:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
  }
}
3

Restrict MongoDB Access

Remove MongoDB port exposure in docker-compose.yml:
# Remove or comment out:
# ports:
#   - "27017:27017"
4

Configure Firewall

Only expose HTTPS port (443) to external networks.

Performance Tuning

JVM Settings (setenv.sh): 
# Adjust based on available RAM
export CATALINA_OPTS="-Xms4g -Xmx8g"
export CATALINA_OPTS="$CATALINA_OPTS -XX:+UseG1GC"
export CATALINA_OPTS="$CATALINA_OPTS -XX:+UseStringDeduplication"

Advanced Configuration

LDAP Integration

Configure LDAP authentication through the web interface: Settings → LDAP Configuration Required fields:
  • LDAP URL
  • Base DN
  • Bind DN
  • Search DN
  • Object Class

OAuth 2.0 / SAML Setup

Configure SSO through environment variables and web interface:
  1. Set callback URL: 
    - FACTION_OAUTH_CALLBACK=https://faction.example.com
  2. Configure in Settings → SSO Configuration:
    • OAuth Client ID
    • OAuth Client Secret
    • Discovery URI (for OIDC)
    • SAML Metadata URL (for SAML)

S3 Storage Backend

For distributed deployments, use S3 for report storage: 
environment:
  - FACTION_REPORT_STORAGE=s3
  - AWS_ACCESS_KEY_ID=<your-key>
  - AWS_SECRET_ACCESS_KEY=<your-secret>
  - AWS_S3_BUCKET=faction-reports
  - AWS_REGION=us-east-1

Development Setup

For development with live reload: 
# Use development compose file
docker-compose -f docker-compose-dev.yml up

# Build JavaScript assets
./buildJSAssets.sh
The development setup:
  • Mounts source code as volumes
  • Enables hot reload
  • Exposes debugging ports

Getting Help

Community Support

Join #project-faction on OWASP Slack

Report Issues

Submit bugs and feature requests on GitHub

Contributing

Read the contributing guidelines

Video Tutorials

Watch installation walkthroughs
Next: Once installed, follow the Quickstart Guide to create your first assessment.

Build docs developers (and LLMs) love

Get started for freeTalk to us