With the AD E-Discovery and Enterprise products, end-points can be integrated in order to do remote forensic collections. 


How to use Enterprise to push the modules to the Linux End-Points that use the 6.1 Agent 

The 6.1 Agent is required for older Linux operating systems that do not have GLIBC version 2.17 or newer, mostly RHEL/Oracle Linux/CentOS/Fedora 6.0-7.9. RHEL 6 ships in both 32-bit and 64-bit versions, so pay attention to pairing the correct Agent installation script with the matching modules.

Prerequisites:

ISO of E-Discovery 6.0 or 6.1

The modules from the ISO will also need to be copied onto the Enterprise server; we will point the application to this folder in order to push the modules once the agent has been installed.

A copy of the 6.0 Agent and Modules can be found at this link on the EMEA Technical Share (only internally accessible by EMEA TE members, not for customers).

EMEA Technical G-Drive Agents from E-Discovery 6.0 ISO

International share where one can find the 6.0 E-Discovery ISO (only internally accessible, not for customers).

G-Drive Location International

Customers requiring the 6.1 Linux agent will need to submit a request through AD Support.

Steps:

1) First check which script you require, using the following command. If the GLIBC version is lower than 2.17 you need to use the 6.1 Agent. If the GLIBC version is 2.17 or higher you can use the Linux script and modules shipped with the product; please refer to the User Guide in that case.

ldd --version

2) For server(s) with a GLIBC version lower than 2.17:

Copy the install script and certificate to the Linux machine (please note that newer versions will not allow you to drag and drop the shell script to the machine, as it is seen as harmful).

32 bit (6.1) install script - agent-rh5.sh

64 bit (6.1) install script - agent-rh5x64.sh

3) Run the script either as a user that can elevate privileges to root using the sudo command, or as the root user (preferred). Below is a simple install with no call-back IP etc., which would be required for use with Site Servers. Please look at the correct guide for the command line options and switches.

e.g. installing the script with the public certificate from the Enterprise server:

./agent-rh5x64.sh AD-ENT-742-349.crt

4) Once this has been done, ensure that the agent port 3999 has been whitelisted in case the firewall is enabled.

Now that the agent has been installed, one can push the agent modules to the end-point.

5) Log in to the Enterprise console and open a case. We need to do this to push the modules for the older Linux agents: the agent and modules need to be at the same level, from the same ISO, and the certificate used with the agent and modules needs to be the same.

6) Make a note of the original values for the Path to the modules certificate and the agent modules.

[Screenshot: original_values-mod.jpg]

7) Change the Path to Certificate and the Path to Modules to point to the certificate and modules copied from the ISO of E-Discovery 6.0 or 6.1.

e.g.

[Screenshot: modified_values-block.jpg]

8) Once this has been done:

Go to the Evidence Menu -> Add Remote Evidence

Select the Linux machine and test the agent connection to ensure the Agent is listening and one can connect through port 3999.

[Screenshot: 32_Bit_linux_agent_push-blocks.jpg]

9) This should open up the Processing Status; ensure the agent modules get pushed correctly.

[Screenshot: Push_Agent-32bit.JPG]

10) Once completed with the module pushes for the various 6.1 Linux Agents, remember to change the values back to the original values to avoid issues later on when pushing modules.

[Screenshot: original_values-mod.jpg]
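The script-selection rule from steps 1 and 2 (GLIBC below 2.17 means the 6.1 Agent, with agent-rh5.sh for 32-bit and agent-rh5x64.sh for 64-bit hosts) as a small POSIX shell helper. This is an added example, not part of the AccessData guide; the function names and the `uname -m` architecture check are this example's own.

```shell
#!/bin/sh
# Added example, not from the AccessData guide: apply the page's rule for
# choosing the Linux agent installer. GLIBC below 2.17 needs the 6.1 Agent
# (agent-rh5.sh on 32-bit, agent-rh5x64.sh on 64-bit); 2.17 and newer uses
# the Linux script and modules shipped with the product.

# glibc_version: extract the version number from the first line of
# `ldd --version` (e.g. "ldd (GNU libc) 2.12" -> "2.12").
glibc_version() {
    ldd --version 2>/dev/null |
        sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\)[[:space:]]*$/\1/p'
}

# glibc_below_217 VERSION: succeed when VERSION is older than 2.17.
glibc_below_217() {
    major=${1%%.*}
    case $1 in
        *.*) minor=${1#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 17 ]; }
}

# select_agent_script VERSION ARCH: print the installer the page prescribes
# for a host with this GLIBC version and this `uname -m` output.
select_agent_script() {
    if [ -z "$1" ]; then
        echo "could not determine GLIBC version; check ldd --version" >&2
        return 1
    fi
    if glibc_below_217 "$1"; then
        case $2 in
            x86_64) echo agent-rh5x64.sh ;;   # 64-bit 6.1 Agent
            i?86)   echo agent-rh5.sh ;;      # 32-bit 6.1 Agent
            *)      echo "no 6.1 agent script for architecture $2" >&2
                    return 1 ;;
        esac
    else
        echo "shipped Linux script (see the User Guide)"
    fi
}

# report_host: run the check against the machine this is executed on.
report_host() {
    select_agent_script "$(glibc_version)" "$(uname -m)"
}
```

Source the file and call `report_host` on the end-point before copying any installer across.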


Copying Modules from one Installed End-Point to another

Note: This should only be done by someone who has more than a passing knowledge of the Linux command line.

The aim here is to shorten the setup time should there be a large number of machines that need installing: while you are installing the agent you can copy the pre-installed modules.

Important: The modules need to be exactly the same version (32/64-bit) as the agent installation script that was shipped with those modules. You cannot mix and match installation scripts with modules. The modules and script are shipped with a certificate, and this certificate needs to match the agent install script and modules. Collections will not work if you try to mix and match.


Prerequisite:

Linux machine that has the modules already pushed from the Enterprise server.

Steps Source End-Point:

1) Log in to a Linux machine that has had the agent installed and the modules pushed to it, and that has already been tested by way of a volatile collection or a live preview.

2) Switch to the root user or elevate a user to root (sudo). Root is better, as you will need to unpack the tarball file on the target system.

3) Change directory to the modules dir on the installed machine. We will create a tarball of the modules in this directory. In this example the agent was installed to the default directory; adjust should that not be the case.

e.g.

cd /usr/AccessData/agent/modules

4) Create a tarball of the directory. Save it to a place from which you can copy it off later for other installs.

tar cvf <path>/<name>.tar *

where

<path> is the full path where the file will be created (suggest using a home directory; one should not be creating files like this in system directories)
and
<name> is the name you want to give to the modules tarball.
The trailing * adds every module directory in the current (modules) directory to the archive.

e.g. here we are creating the tarball in a user's home directory and the tarball is called modules.tar

tar cvf /home/rhel-610-64/modules.tar *

Example of the output generated by the command above:

[root@rhel610-64 modules]# tar cvf /home/rhel-610-64/modules.tar *
addm-1.12.0/
addm-1.12.0/manifest.xml
addm-1.12.0/addm
diskpreview-1.12.0/
diskpreview-1.12.0/diskpreview
diskpreview-1.12.0/manifest.xml
inventory-1.10.1/
inventory-1.10.1/manifest.xml
inventory-1.10.1/inventory
netfs-1.12.0/
netfs-1.12.0/manifest.xml
netfs-1.12.0/netfs
proxy-1.12.0/
proxy-1.12.0/proxy
proxy-1.12.0/manifest.xml
remediate-1.12.0/
remediate-1.12.0/manifest.xml
remediate-1.12.0/remediate
rim-1.12.0/
rim-1.12.0/rim
rim-1.12.0/manifest.xml
site_server-1.12.0/
site_server-1.12.0/manifest.xml
site_server-1.12.0/site_server
volatile-1.12.1/
volatile-1.12.1/volatile
volatile-1.12.1/manifest.xml
[root@rhel610-64 modules]#

Now that the tarball has been created, you will need to copy it off the source machine. It will then need to be copied to the target machine along with the Enterprise public certificate and the agent installation script.


Steps Target End-Point:

Prerequisite:

The agent installation script and the public certificate from the Enterprise server

The tarball created in the source section above

Steps:

1) Copy the agent installation script, the tarball and the Enterprise server public certificate to the target machine where you are going to be installing the agent and modules. In the examples below all the files have been copied to a user's home directory.

2) Run the agent installation script either as a user that can elevate privileges to root using the sudo command, or as the root user (preferred). Below is a simple install with no call-back IP etc., which would be required for use with Site Servers. Please look at the correct guide for the command line options and switches.

e.g. installing the script with the public certificate from the Enterprise server:

./agent-rh5x64.sh AD-ENT-742-349.crt

Ensure the installation completes without errors.

3) Once this has been done, ensure that the agent port 3999 has been whitelisted in case the firewall is enabled.

4) Extract the tarball created in the steps above; it needs to be unpacked in the modules directory, from the location where the file was copied to.

First change to the modules directory. The example below is the default install location; adjust accordingly where your installation differs.

cd /usr/AccessData/agent/modules

Use the following command to unpack the tarball:

tar xvf <path>/<name>.tar

where

<path> is the full path where the file was copied to in step 1 (suggest using a home directory)
and
<name> is the name given to the modules tarball when it was created.

e.g. unpack the tarball that was created on the source machine; here we copied the tarball to a user's home directory and the tarball is called modules.tar

[root@rhel610-64-tgt modules]# tar xvf /home/rhel-610-64-tgt/modules.tar 
addm-1.12.0/
addm-1.12.0/manifest.xml
addm-1.12.0/addm
diskpreview-1.12.0/
diskpreview-1.12.0/diskpreview
diskpreview-1.12.0/manifest.xml
inventory-1.10.1/
inventory-1.10.1/manifest.xml
inventory-1.10.1/inventory
netfs-1.12.0/
netfs-1.12.0/manifest.xml
netfs-1.12.0/netfs
proxy-1.12.0/
proxy-1.12.0/proxy
proxy-1.12.0/manifest.xml
remediate-1.12.0/
remediate-1.12.0/manifest.xml
remediate-1.12.0/remediate
rim-1.12.0/
rim-1.12.0/rim
rim-1.12.0/manifest.xml
site_server-1.12.0/
site_server-1.12.0/manifest.xml
site_server-1.12.0/site_server
volatile-1.12.1/
volatile-1.12.1/volatile
volatile-1.12.1/manifest.xml
[root@rhel610-64-tgt modules]#

5) Once the modules have been unpacked, restart the agent

/etc/init.d/agentcored restart

6) Confirm the agent is running

/etc/init.d/agentcored status

7) Once the agent has been configured and is confirmed to be running, it would be best to test a volatile collection from the Enterprise server.
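The source tarball steps and the target unpack steps above, plus a check that the target ends up with exactly the module names and versions the source had (the no mix-and-match requirement). This is an added example, not part of the AccessData guide; the function names are this example's own, and the only path it assumes is the page's default /usr/AccessData/agent/modules.

```shell
#!/bin/sh
# Added example, not from the AccessData guide: package the modules directory
# on a source end-point, unpack it on a target, and confirm both end-points
# carry identical module names and versions (the page's no mix-and-match rule).
# Assumes the page's default install path; override MODULES_DIR otherwise.

MODULES_DIR=${MODULES_DIR:-/usr/AccessData/agent/modules}

# list_modules DIR: print "name version" for each <name>-<version>/ directory
# that holds a manifest.xml and an executable named after the module, as in
# the page's listing (addm-1.12.0/manifest.xml, addm-1.12.0/addm, ...).
list_modules() {
    for d in "$1"/*/; do
        d=${d%/}; base=${d##*/}
        name=${base%-*}; version=${base##*-}
        if [ -f "$d/manifest.xml" ] && [ -x "$d/$name" ]; then
            echo "$name $version"
        fi
    done
}

# pack_modules DIR TARBALL: create the tarball with paths relative to DIR,
# matching the page's `tar cvf ... *` run from inside the modules directory.
# TARBALL must be an absolute path outside DIR (a home directory, per the page).
pack_modules() {
    ( cd "$1" && tar cf "$2" * )
}

# unpack_modules TARBALL DIR: extract into the target's modules directory.
unpack_modules() {
    tar xf "$1" -C "$2"
}

# modules_match SRC_DIR DST_DIR: succeed only when both directories expose the
# same non-empty set of module names and versions.
modules_match() {
    [ -n "$(list_modules "$1")" ] &&
        [ "$(list_modules "$1")" = "$(list_modules "$2")" ]
}
```

On the source end-point run `pack_modules "$MODULES_DIR" "$HOME/modules.tar"`; on the target, after the agent install, run `unpack_modules "$HOME/modules.tar" "$MODULES_DIR"` and compare `list_modules "$MODULES_DIR"` with the source listing before restarting agentcored.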