Manually Installing Agents on 64-bit Fedora based Operating Systems 




Prerequisites

  • A user with sudo privileges, or the root user: the installation and the SELinux policy updates must be done with elevated privileges.
  • TCP port 3999 must be opened in the host firewall so that it is available for Agent communication with FTK.

 

Installation

  1. Copy the agent installer and the public certificate to the Linux endpoint. The installer is on the FTK ISO, or on the FTK machine under C:\Program Files\AccessData\Forensic Tools\[Version]\bin\Agent.
  2. Add executable rights to the script by entering the following command:
chmod +x agent-linux64.sh
  3. Install the agent by entering the following command:
sudo ./agent-linux64.sh <Certificate Path>
  4. Set the security context (extended attributes) of the Agent core daemon init script by entering the following command:
sudo /sbin/restorecon -v /etc/rc.d/init.d/agentcored
  5. Update the allow/dontaudit policy rule for the Agent Core Daemon, generated from the recorded AVC denials, by entering the following command:
sudo ausearch -c '(entcored)' --raw | audit2allow -M my-entcored
  6. Load the generated SELinux policy module by entering the following command:
sudo semodule -X 300 -i my-entcored.pp



Checking Agent Status after Installation

It is advised to restart the agent to confirm that it starts correctly.

  1. Open Terminal.
  2. Stop the agent by entering the following command:
sudo /etc/init.d/agentcored stop
  3. Start the agent by entering the following command:
sudo /etc/init.d/agentcored start
  4. Check the agent status by entering the following command:
sudo /etc/init.d/agentcored status
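The status check above only asks the init script whether the daemon is running. The script below is an added example, not part of AccessData's documentation or product: it also confirms that a listener is bound to the agent port, that firewalld allows that port (the firewall prerequisite above), and that SELinux is not silently denying the daemon (the reason for the policy-module steps above). Each check is a small function that parses command output, so it can be exercised on sample text. It assumes the service and audit comm name are agentcored, the default port 3999, and that ss, firewall-cmd and ausearch are installed; the sample outputs mentioned in the comments are constructed.

```shell
#!/bin/sh
# verify_agent.sh -- added post-install check for the AccessData Linux agent.
# Pure functions parse command output (testable on constructed text); the
# live wrapper at the bottom feeds them the real commands.
# Assumptions: service/comm name 'agentcored', default port 3999, firewalld.

AGENT_SERVICE=agentcored
AGENT_PORT=${AGENT_PORT:-3999}

# 0 if 'ss -ltn' text on stdin has a LISTEN socket whose local address ends
# in ':PORT'. Matches '0.0.0.0:3999' and '[::]:3999' but not '*:39990'.
listening_on_port() {
    awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 } END { exit !found }'
}

# 0 if 'firewall-cmd --list-ports' text on stdin (e.g. '22/tcp 3999/tcp')
# contains exactly PORT/tcp.
firewall_port_open() {
    tr ' ' '\n' | grep -qx "$1/tcp"
}

# Print the number of AVC denials in 'ausearch -m avc' text on stdin
# (lines look like 'type=AVC ... avc:  denied  { read } for ... comm="agentcored"').
count_avc_denials() {
    grep -c 'avc: *denied' || true   # grep -c prints 0 but exits 1 on no match
}

run_live_checks() {
    rc=0
    if systemctl is-active --quiet "$AGENT_SERVICE"; then
        echo "OK   service $AGENT_SERVICE is active"
    else
        echo "FAIL service $AGENT_SERVICE is not active (see: systemctl status $AGENT_SERVICE)"; rc=1
    fi
    if ss -ltn | listening_on_port "$AGENT_PORT"; then
        echo "OK   a listener is bound to TCP port $AGENT_PORT"
    else
        echo "FAIL nothing is listening on TCP port $AGENT_PORT (check CERTFILE/PORT in agent.config)"; rc=1
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        if firewall-cmd --list-ports 2>/dev/null | firewall_port_open "$AGENT_PORT"; then
            echo "OK   firewalld allows $AGENT_PORT/tcp"
        else
            echo "FAIL $AGENT_PORT/tcp is not open in the active firewalld zone; FTK cannot reach the agent"; rc=1
        fi
    fi
    if [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        n=$(ausearch -m avc -c "$AGENT_SERVICE" -ts recent 2>/dev/null | count_avc_denials)
        if [ "$n" -eq 0 ]; then
            echo "OK   no recent AVC denials for $AGENT_SERVICE"
        else
            echo "FAIL $n recent AVC denial(s) for $AGENT_SERVICE; re-run the audit2allow/semodule steps"; rc=1
        fi
    fi
    return $rc
}

# Only run the live checks when asked, so the file can also be sourced for its functions.
if [ "${1-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as `sudo sh verify_agent.sh --live` after the restart above; each line starts with OK or FAIL and the exit status is non-zero if any check failed, which makes it usable from a deployment job as well.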



Deploying Agents to RHEL 6/7/8 Systems using Ansible Playbooks

FTK 7.5.2 added support for deploying agents using Ansible playbooks.

Store each of the playbooks below in its own .yml file. The playbooks assume that the Agent installer and the public certificate are already present on the remote machine.


Running an Ansible Playbook

Open a terminal and enter the command below (--ask-become-pass prompts for the sudo password that become uses on the remote hosts):

ansible-playbook [NAME OF PLAYBOOK].yml --ask-become-pass

Command to Install Agent

---
- name: Vne task
  hosts: all
  become: yes
  become_user: root
  tasks:
    - name: Installing Agent
      command: "[ENTER PATH TO AGENT]/agent-linux64.sh [ENTER PATH TO CERT]/ad_agentcomm_ca.crt"
      register: cmd_op

    - name: Show installer output
      debug:
        var: cmd_op.stdout_lines

Command to Uninstall Agent

---
- name: Vne task
  hosts: all
  become: yes
  become_user: root
  tasks:
    - name: Uninstalling Agent
      command: "[ENTER PATH TO AGENT]/agent-linux64.sh -r"
      register: cmd_op

    - name: Show uninstaller output
      debug:
        var: cmd_op.stdout_lines

Command to Check Agent Status

---
- name: Vne task
  hosts: all
  become: yes
  become_user: root
  tasks:
    - name: Checking Agent Service Status
      command: "systemctl status agentcored"
      register: cmd_op
      # systemctl status exits non-zero when the unit is stopped or failed;
      # without this the play aborts here and the debug task below never shows why.
      failed_when: false

    - name: Show service status
      debug:
        var: cmd_op.stdout_lines

Deploying Agents using RPM Packages on RHEL 6/7/8

 

You can find the Linux RPM package for RHEL 6/7/8 here. 
Modules and trusted module certificate required for RHEL 6 can be found here.



Prerequisites

Copy the following files to a directory on the Linux host:

  • AD_Linux_RPM_Public.pgp – GPG public key (used to verify the RPM signature below)
  • agent_linux-7.6.0-10.x86_64.rpm – Red Hat 7 & 8
  • agent_linux-6.1.0-11.x86_64.rpm – Red Hat 6
  • ss_ca.crt – public certificate from your Site Server or Enterprise



Installation

  1. Open a terminal as root or as a sudo user.
  2. Import the provided GPG public key by entering the following command:
$ sudo rpm --import AD_Linux_RPM_Public.pgp

Check that the RPM database contains the imported GPG key

  1. Open a terminal as root or as a sudo user.
  2. List the imported GPG keys and verify the installer's signature by entering the following commands:
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
$ rpm --checksig [agent installer rpm file]

Configuring and Installing the Agent

The agent must be configured before deployment to suit your needs. These changes are made in agent.config.

  1. Ensure the /tmp path exists.
  2. Create agent.config or use the provided config file attached.
  3. Open agent.config in a text editor.
  4. Use the settings below to configure your agent and save any changes.

  • CERTFILE= (required; no default) – Directory where the public certificate is located. If this is not specified in the configuration file, the installation will succeed but the agentcore service will fail to start.
  • LIFETIME= (optional; default 0) – Specifies the amount of time that a transient agent will exist before self-destructing. A negative value denotes minutes (e.g. -30 denotes 30 minutes) and a positive value denotes days (e.g. 30 denotes 30 days). 0 indicates that the agent will not self-destruct. If not specified, the default value is assumed.
  • PORT= (optional; default 3999) – The port that the agent will be listening on. If not specified, the default value is assumed.
  • CONNECTIONS= (optional; default 10) – Specifies the number of concurrent connections allowed to the agent. If not specified, the default value is assumed.
  • SIZE= (optional; default 16777216) – Specifies the agent configuration files storage size. If not specified, the default value is assumed.
  • DATASIZE= (optional; default 268435456) – Specifies the agent temporary data storage size. If not specified, the default value is assumed.
  • MAMA= (optional; no default) – The address of the site server, e.g. 178.22.100.20:54545. If no address is specified, the agent sends no heartbeat.
EXAMPLE CONFIGURATION FILE

CERTFILE=/root/truth/ss_ca.crt
LIFETIME=0
PORT=3999
CONNECTIONS=100
SIZE=65535
DATASIZE=4096
MAMA=178.22.100.20:54545



  5. Move the agent.config file to the /tmp path by entering the following command:
$ mv agent.config /tmp
  6. Install the agent by entering the following command:
$ sudo rpm -iv [rpm file name]
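Because a missing CERTFILE lets `rpm -iv` succeed while agentcored then fails to start, it is worth checking agent.config against the settings above before moving it to /tmp. The script below is an added example and not part of the AccessData package: it assumes the key names and defaults listed above, a POSIX shell, and that the certificate path is checked as seen from the host running the script. It also warns about keys it does not recognise, which catches a misspelt CERTFILE.

```shell
#!/bin/sh
# validate_agent_config.sh -- added example: sanity-check an agent.config
# against the documented keys before 'mv agent.config /tmp && rpm -iv ...'.
# Exit status 0 = no problems found, 1 = at least one problem printed.

# Print the value of KEY from FILE (first match only, text after '=').
cfg_get() {  # usage: cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# 0 if $1 is a decimal integer, optionally with a leading minus sign.
is_int() {
    case "$1" in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;   # empty, lone '-', non-digits, or '-' not leading
        *) return 0 ;;
    esac
}

validate_agent_config() {  # usage: validate_agent_config FILE
    f=$1; errors=0
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 1; }

    # CERTFILE is the one required key; its absence is only noticed at service start.
    certfile=$(cfg_get "$f" CERTFILE)
    if [ -z "$certfile" ]; then
        echo "ERROR: CERTFILE is missing: rpm -iv would succeed but agentcored would not start"
        errors=$((errors + 1))
    elif [ ! -r "$certfile" ]; then
        echo "ERROR: CERTFILE=$certfile is not readable on this host"
        errors=$((errors + 1))
    fi

    # PORT defaults to 3999 and must be a usable TCP port.
    port=$(cfg_get "$f" PORT); port=${port:-3999}
    if ! is_int "$port" || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "ERROR: PORT=$port is not a valid TCP port"; errors=$((errors + 1))
    fi

    # LIFETIME: negative = minutes, positive = days, 0 = never self-destruct.
    lifetime=$(cfg_get "$f" LIFETIME); lifetime=${lifetime:-0}
    if ! is_int "$lifetime"; then
        echo "ERROR: LIFETIME=$lifetime must be an integer (negative = minutes, positive = days, 0 = never)"
        errors=$((errors + 1))
    fi

    # Sizes and connection count must be positive integers when given.
    for key in CONNECTIONS SIZE DATASIZE; do
        v=$(cfg_get "$f" "$key")
        if [ -n "$v" ] && { ! is_int "$v" || [ "$v" -le 0 ]; }; then
            echo "ERROR: $key=$v must be a positive integer"; errors=$((errors + 1))
        fi
    done

    # MAMA (site server) must be host:port when given; without it there is no heartbeat.
    mama=$(cfg_get "$f" MAMA)
    if [ -n "$mama" ]; then
        mhost=${mama%:*}; mport=${mama##*:}
        if [ "$mama" = "$mhost" ] || [ -z "$mhost" ] || ! is_int "$mport" \
           || [ "$mport" -lt 1 ] || [ "$mport" -gt 65535 ]; then
            echo "ERROR: MAMA=$mama must be host:port (e.g. 178.22.100.20:54545)"; errors=$((errors + 1))
        fi
    else
        echo "NOTE: MAMA not set; the agent will not send heartbeats to a site server"
    fi

    # Keys outside the documented set are most likely typos.
    unknown=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$f" \
              | grep -v -E '^(CERTFILE|LIFETIME|PORT|CONNECTIONS|SIZE|DATASIZE|MAMA)$' || true)
    [ -z "$unknown" ] || echo "WARN: unrecognised key(s): $(printf '%s ' $unknown)"

    [ "$errors" -eq 0 ]
}

# Validate the file named on the command line; with no argument only the functions are defined.
if [ $# -ge 1 ]; then
    validate_agent_config "$1"
    exit $?
fi
```

Run `sh validate_agent_config.sh agent.config` as the user who will run `rpm -iv`, so that the readability check on CERTFILE reflects what the installer (and later agentcored) will see.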

Agent Modules

Once an agent has been installed, you must push modules to it before it can complete requested agent jobs. For deployments to RHEL 6 systems, the Linux modules included in recent FTK releases cannot be used.


Configuring Modules for RHEL 6 Agents

The changes below point FTK at the legacy modules; revert them to the latest modules and certificate before pushing modules to a newer RHEL system.

If a site server is being used, ensure that the site server results folder (Agent > Modules) contains the legacy modules and the .p7b certificate.

  1. Open FTK Enterprise and log in using an administrator account.
  2. Open a case.
  3. Click Tools > Configure Agent Push.
  4. Select the path to the agent modules. Ensure the path selected points to the legacy agent modules. This is required.
  5. Click OK.
  6. Select the path to the trusted modules certificate. Ensure the .p7b packaged with the legacy agent modules has been selected. This is required.
  7. Click OK.


Pushing Agent Modules

  1. Open FTK Enterprise and log in using an administrator account.
  2. Open a case.
  3. Click Evidence > Add Remote Data.
  4. Select an agent. If this agent is not configured to check in with a site server, add it manually: select Load agents from manual entry list.
  5. Select Install or Update Agent Modules.
  6. Select Modules only.
  7. Select a job such as Process Info to allow the update to proceed.
  8. Click OK.


Uninstalling the Agent

Note that the following command removes both the agent and the AccessData agent directory.

$ sudo rpm --erase agent_linux