With the AD E-Discovery and Enterprise products, end-points can be integrated in order to do remote forensic collections.
How to use Enterprise to push the modules to the Linux End-Points that use the 6.1 Agent
The 6.1 Agent is required for older Linux operating systems that do not have GLIBC version 2.17 or newer, mostly RHEL/Oracle Linux/CentOS/Fedora 6.0-7.9. RHEL 6 ships in both 32 bit and 64 bit versions, so pay attention to pairing the correct Agent installation script with the matching modules.
Prerequisites:
ISO of E-Discovery 6.0 or 6.1
The modules from the ISO will also need to be copied onto the Enterprise server; we will point the application to this folder in order to push the modules once the agent has been installed.
A copy of the 6.0 Agent and Modules can be found at this link on the EMEA Technical Share. Only internally accessible by EMEA TE members, not for customers.
EMEA Technical G-Drive Agents from E-Discovery 6.0 ISO
International share where one can find the 6.0 E-Discovery ISO. Only internally accessible, not for customers.
G-Drive Location International
Customers requiring the 6.1 Linux agent will need to submit a request through AD Support.
Steps:
1) First check which script you require, using the following command. If the GLIBC version is lower than 2.17 you need to use the 6.1 Agent. If the GLIBC version is 2.17 or higher, use the Linux script and modules shipped with the product; please refer to the User Guide in that case.
ldd --version
2) For server(s) with a GLIBC version lower than 2.17:
Copy the install script and certificate to the Linux machine (please note that newer versions will not allow you to drag and drop the shell script to the machine, as it is seen as harmful).
32 bit (6.1) install script - agent-rh5.sh
64 bit (6.1) install script - agent-rh5x64.sh
3) Run the script either as a user that can elevate privileges to root using the sudo command, or as the root user (preferred). Below is a simple install with no call-back IP etc., which would be required for use with Site-Servers. Please look at the correct guide for the command line options and switches.
eg. installing script with public certificate from the Enterprise server
./agent-rh5x64.sh AD-ENT-742-349.crt
4) Once this has been done, ensure that the agent port 3999 has been whitelisted in case the firewall is enabled.
Now that the agent has been installed, one can push the agent modules to the end-point.
5) Log in to the Enterprise console and open a case; this is needed to push the modules for the older Linux agents. The agent and modules need to be at the same level, from the same ISO, because the certificate used with the agent and the modules needs to be the same.
6) Make a note of the original values for the Path to the modules certificate and the agent modules.
7) Change the Path to Certificate and the Path to Modules to point to the certificate and modules copied from the ISO of E-Discovery 6.0 or 6.1.
eg.
8) Once this has been done:
Go to the Evidence Menu -> Add Remote Evidence
Select the Linux machine and test the agent connection to ensure the Agent is listening and one can connect through port 3999.
9) This should open up the Processing Status; ensure the agent modules get pushed correctly.
10) Once completed with the module pushes for the various 6.1 Linux Agents, remember to change the values back to the original values to avoid issues later on when pushing modules.
Copying Modules from one Installed End-Point to another
Note: This should only be done by someone who has more than a passing knowledge of the Linux command line.
The aim here is to shorten the setup time should there be a large number of machines that need installing: while you are installing the agent you can copy the pre-installed modules.
Important: The modules need to be the exact same version (32/64 bit) and must match the agent installation script that was shipped with said modules. You cannot mix and match installation scripts with modules. The modules and script are shipped with a certificate, and this certificate needs to match the agent install script and modules. Collections will not work if you try to mix and match.
Prerequisite:
Linux machine that has the modules already pushed from the Enterprise server.
Steps Source End-Point:
1) Log in to a Linux machine that has had the agent installed, the modules pushed to it, and that has already been tested by way of a volatile collection or a live preview.
2) Switch to the root user or elevate a user to root (sudo). Root is better as you will need to unpack the tarball file on the target system.
3) Change directory to the modules dir on the installed machine. We will create a tarball of the modules in this directory. In this example the agent was installed to the default directory; adjust should that not be the case.
eg.
cd /usr/AccessData/agent/modules
4) Create a tarball of the directory. You can save this to a place from where you will copy it off later for other installs.
tar cvf /<path>/<name>.tar *
where
<path> is the full path where the file will be created (suggest using a home directory; one should not be creating files like this in system directories) and <name> is the name you want to give to the modules tarball. The trailing * archives every module directory in the current (modules) directory.
eg. here we are creating the tarball in a user's home directory and the tarball is called modules.tar
tar cvf /home/rhel-610-64/modules.tar *
Example of the output generated by the command above:
[root@rhel610-64 modules]# tar cvf /home/rhel-610-64/modules.tar *
addm-1.12.0/
addm-1.12.0/manifest.xml
addm-1.12.0/addm
diskpreview-1.12.0/
diskpreview-1.12.0/diskpreview
diskpreview-1.12.0/manifest.xml
inventory-1.10.1/
inventory-1.10.1/manifest.xml
inventory-1.10.1/inventory
netfs-1.12.0/
netfs-1.12.0/manifest.xml
netfs-1.12.0/netfs
proxy-1.12.0/
proxy-1.12.0/proxy
proxy-1.12.0/manifest.xml
remediate-1.12.0/
remediate-1.12.0/manifest.xml
remediate-1.12.0/remediate
rim-1.12.0/
rim-1.12.0/rim
rim-1.12.0/manifest.xml
site_server-1.12.0/
site_server-1.12.0/manifest.xml
site_server-1.12.0/site_server
volatile-1.12.1/
volatile-1.12.1/volatile
volatile-1.12.1/manifest.xml
[root@rhel610-64 modules]#
Now that the tarball has been created you will need to copy it off the source machine; it then needs to be copied to the target machine along with the Enterprise public certificate and the agent installation script.
Steps Target End-Point:
Prerequisite:
The Agent installation script and the public certificate from the Enterprise server
Tarball created in the source section above
Steps:
1) Copy the agent installation script, tarball and Enterprise server public certificate to the target machine where you are going to be installing the agent and modules. In the examples below all the files have been copied to a user's home directory.
2) Run the agent installation script either as a user that can elevate privileges to root using the sudo command, or as the root user (preferred). Below is a simple install with no call-back IP etc., which would be required for use with Site-Servers. Please look at the correct guide for the command line options and switches.
eg. installing script with public certificate from the Enterprise server
./agent-rh5x64.sh AD-ENT-742-349.crt
Ensure the installation completes without errors.
3) Once this has been done, ensure that the agent port 3999 has been whitelisted in case the firewall is enabled.
4) Extract the tarball created in the steps above; it needs to be unpacked in the modules directory, reading the file from the location it was copied to.
First change to the modules directory. The example below is the default install location; adjust accordingly where your installation differs.
cd /usr/AccessData/agent/modules
Use the following command to unpack the tarball:
tar xvf /<path>/<name>.tar
where
<path> is the full path where the file was copied to in step 1 (suggest using a home directory) and <name> is the name given to the modules tarball when it was created.
eg. Unpack the tarball that was created on the source machine. Here we copied the tarball to a user's home directory and the tarball is called modules.tar
[root@rhel610-64-tgt modules]# tar xvf /home/rhel-610-64-tgt/modules.tar
addm-1.12.0/
addm-1.12.0/manifest.xml
addm-1.12.0/addm
diskpreview-1.12.0/
diskpreview-1.12.0/diskpreview
diskpreview-1.12.0/manifest.xml
inventory-1.10.1/
inventory-1.10.1/manifest.xml
inventory-1.10.1/inventory
netfs-1.12.0/
netfs-1.12.0/manifest.xml
netfs-1.12.0/netfs
proxy-1.12.0/
proxy-1.12.0/proxy
proxy-1.12.0/manifest.xml
remediate-1.12.0/
remediate-1.12.0/manifest.xml
remediate-1.12.0/remediate
rim-1.12.0/
rim-1.12.0/rim
rim-1.12.0/manifest.xml
site_server-1.12.0/
site_server-1.12.0/manifest.xml
site_server-1.12.0/site_server
volatile-1.12.1/
volatile-1.12.1/volatile
volatile-1.12.1/manifest.xml
[root@rhel610-64-tgt modules]#
5) Once the modules have been unpacked, restart the agent (the init script lives under /etc/init.d, as in the status command below):
/etc/init.d/agentcored restart
6) Confirm the agent is running
/etc/init.d/agentcored status
7) Once the agent has been configured and is confirmed to be running, it would be best to test a volatile collection from the Enterprise server.
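As an added helper (not AccessData's own tooling; it assumes the POSIX sh, awk and tar found on RHEL 6), the following script encodes the two checks this page relies on: the GLIBC 2.17 rule from step 1 for choosing between the 6.1 scripts (agent-rh5.sh / agent-rh5x64.sh) and the shipped script, and a completeness check on a copied modules tarball listing before it is unpacked on a target. The sample listing inside is constructed, modelled on the tar output shown above.

```sh
# Added helper, not part of the AccessData product. Decides which agent install
# script a host needs and sanity-checks a modules tarball before unpacking it.

# Take "2.12" from the first line of `ldd --version`, e.g. "ldd (GNU libc) 2.12".
glibc_version_from_ldd() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# True (exit 0) when a major.minor GLIBC version is older than 2.17.
glibc_older_than_217() {
    _major=${1%%.*}
    _minor=${1#*.}
    _minor=${_minor%%.*}
    [ "$_major" -lt 2 ] || { [ "$_major" -eq 2 ] && [ "$_minor" -lt 17 ]; }
}

# Echo the install script for a host: the 6.1 scripts by bitness when GLIBC is
# older than 2.17, else "shipped" (product script + modules, see the User Guide).
# $1 = text of `ldd --version`, $2 = output of `uname -m` (x86_64, i686, ...).
select_agent_script() {
    _ver=$(glibc_version_from_ldd "$1")
    if glibc_older_than_217 "$_ver"; then
        case $2 in
            x86_64) echo agent-rh5x64.sh ;;
            i?86)   echo agent-rh5.sh ;;
            *)      echo "unsupported architecture: $2" >&2; return 1 ;;
        esac
    else
        echo shipped
    fi
}

# Check a `tar tf modules.tar` listing: every module directory must carry both
# its manifest.xml and a binary. Prints incomplete modules; exit 1 if any found.
check_module_listing() {
    printf '%s\n' "$1" | awk -F/ '
        NF == 2 && $2 == ""             { dirs[$1] = 1 }
        NF == 2 && $2 == "manifest.xml" { manifest[$1] = 1 }
        NF == 2 && $2 != "" && $2 != "manifest.xml" { binary[$1] = 1 }
        END { for (d in dirs) if (!(d in manifest) || !(d in binary)) { print d; bad = 1 }
              exit bad }'
}

# Constructed sample listing (one complete module) for offline use of the check.
SAMPLE_LISTING='addm-1.12.0/
addm-1.12.0/manifest.xml
addm-1.12.0/addm'

# On a real host:  select_agent_script "$(ldd --version 2>&1)" "$(uname -m)"
#                  check_module_listing "$(tar tf /home/rhel-610-64/modules.tar)"
```

Run the two calls in the trailing comment on the source and target hosts; an empty result from check_module_listing means every module in the tarball has both its manifest and binary.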