Manually Installing Agents on 64-bit Fedora based Operating Systems
TABLE OF CONTENTS
- Manually Installing Agents on 64-bit Fedora based Operating Systems
- Deploying Agents to RHEL 6/7/8 Systems using Ansible Playbooks
- Deploying Agents using RPM Packages on RHEL 6/7/8
Prerequisites
- A user with sudo privileges, or the root user: installation and policy updates must be done with elevated privileges.
- TCP port 3999 must be opened in the host firewall. The Agent listens on this port (see PORT= in the configuration table below), so FTK must be able to reach it inbound.
Installation
- Copy the agent installer (agent-linux64.sh) and the public certificate to the Linux endpoint. Both are on the FTK ISO or under C:\Program Files\AccessData\Forensic Tools\[Version]\bin\Agent.
- Add executable rights to the script by entering the following command:
chmod +x agent-linux64.sh
- Install the agent by entering the following command:
sudo ./agent-linux64.sh <Certificate Path>
- Set the security context (extended attributes) of the Agent core daemon by entering the following command:
sudo /sbin/restorecon -v /etc/rc.d/init.d/agentcored
- Update the allow/dontaudit policy rule for Agent Core Daemon by entering the following command:
sudo ausearch -c '(entcored)' --raw | audit2allow -M my-entcored
- Update the SELinux policy module by entering the following command:
sudo semodule -X 300 -i my-entcored.pp
Checking Agent Status after Installation
Restart the agent after installation to confirm that it starts cleanly under the new SELinux policy.
- Open Terminal.
- Stop the agent by entering the following command:
sudo systemctl stop agentcored
- Start the agent by entering the following command:
sudo systemctl start agentcored
- Check the agent status by entering the following command:
sudo systemctl status agentcored
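A unit that reports "active" can still be unreachable if SELinux is blocking the daemon or the firewall step from the prerequisites was skipped. The script below is an added example (not AccessData's code) that checks the three things a practitioner wants after the steps above: the unit state, that something is actually bound to the agent port, and any recent AVC denials for the daemon. It assumes the unit is called agentcored and the port is the documented default 3999; the ss output embedded in it is constructed so the parsing part runs offline.

```shell
#!/bin/bash
# Added example: post-install checks for the FTK Linux agent (not part of the product docs).
# Assumptions: unit name agentcored, listening port 3999 unless AGENT_PORT is set.

AGENT_PORT="${AGENT_PORT:-3999}"

# Constructed sample of `ss -ltn` output so the parser can be exercised offline.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       10      0.0.0.0:3999         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*'

# listening_on PORT  (reads `ss -ltn` output on stdin)
# Returns 0 if any socket is in LISTEN state on PORT, 1 otherwise.
listening_on() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")   # local address is field 4; the port follows the last colon
            if (a[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# unit_state UNIT -> prints active/inactive/failed, or "unknown" where systemd is absent.
unit_state() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active "$1" 2>/dev/null || true
    else
        echo unknown
    fi
}

# check_agent: run on the endpoint itself after `systemctl start agentcored`.
check_agent() {
    echo "agentcored unit: $(unit_state agentcored)"
    if ss -ltn 2>/dev/null | listening_on "$AGENT_PORT"; then
        echo "agent listening on tcp/$AGENT_PORT"
    else
        echo "nothing listening on tcp/$AGENT_PORT (check agent.config PORT= and the SELinux steps)" >&2
        return 1
    fi
    # If the SELinux module from the install steps did not cover everything,
    # fresh denials for the daemon show up here.
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m AVC -ts recent -c agentcored 2>/dev/null || true
    fi
}

# Offline demonstration against the constructed sample; on a real host call check_agent.
printf '%s\n' "$SAMPLE_SS" | listening_on "$AGENT_PORT" && echo "sample: tcp/$AGENT_PORT is bound"
```

On the endpoint, source the file and run check_agent; if the port is bound but FTK still cannot connect, the remaining suspect is the firewall rule from the prerequisites.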
Deploying Agents to RHEL 6/7/8 Systems using Ansible Playbooks
FTK 7.5.2 added support for deploying agents with Ansible playbooks.
Store each playbook below in its own .yml file. The playbooks assume the Agent installer and the public certificate are already present on the remote machine.
Running an Ansible Playbook
Open terminal and enter the command below:
ansible-playbook [NAME OF PLAYBOOK].yml --ask-become-pass
Command to Install Agent
---
- name: Vne task
  hosts: all
  become: yes
  become_user: root
  tasks:
    - name: Installing Agent
      command: "[ENTER PATH TO AGENT]/agent-linux64.sh [ENTER PATH TO CERT]/ad_agentcomm_ca.crt"
      register: cmd_op
    - debug:
        var: cmd_op.stdout_lines
Command to Uninstall Agent
---
- name: Vne task
  hosts: all
  become: yes
  become_user: root
  tasks:
    - name: Uninstalling Agent
      command: "[ENTER PATH TO AGENT]/agent-linux64.sh -r"
      register: cmd_op
    - debug:
        var: cmd_op.stdout_lines
Command to Check Agent Status
---
- name: Vne task
  hosts: all
  become: yes
  become_user: root
  tasks:
    - name: Checking Agent Service Status
      command: "systemctl status agentcored"
      register: cmd_op
    - debug:
        var: cmd_op.stdout_lines
Deploying Agents using RPM Packages on RHEL 6/7/8
You can find the Linux RPM package for RHEL 6/7/8 here.
Prerequisites
Copy the following files to a directory on the Linux endpoint.
- AD_Linux_RPM_Public.pgp – GPG public key used to sign the agent RPMs
- agent_linux-7.6.0-10.x86_64.rpm – RHEL 7 and 8
- agent_linux-6.1.0-11.x86_64.rpm – RHEL 6
- ss_ca.crt – public certificate from your Site Server or Enterprise
Installation
- Open Terminal as Root/Sudo.
- Import the provided GPG Public key by entering the following command:
$ sudo rpm --import AD_Linux_RPM_Public.pgp
Check if the RPM repository contains the imported GPG Key
- Open Terminal as Root/Sudo.
- Confirm that the key is in the RPM database and that the installer's signature verifies against it. Do this before installing: rpm -i does not refuse an unsigned or wrongly signed package on its own.
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
$ rpm --checksig [agent installer rpm file]
Configuring and Installing the Agent
The agent must be configured before deployment. The installer reads its settings from agent.config.
- Ensure the /tmp directory exists; the installer reads agent.config from /tmp.
- Create agent.config, or start from the provided config file attached.
- Open agent.config in a text editor.
- Use the table below to configure your agent and save any changes.
Configuration | Required? | Default | Description
CERTFILE= | Yes | N/A | Path to the public certificate file (ss_ca.crt). If this is not set, the installation succeeds but the agentcore service fails to start.
LIFETIME= | No | 0 | How long a transient agent exists before self-destructing. A negative value denotes minutes (-30 is 30 minutes); a positive value denotes days (30 is 30 days). 0 means the agent never self-destructs. If not specified, the default is assumed.
PORT= | No | 3999 | The TCP port the agent listens on. If not specified, the default is assumed.
CONNECTIONS= | No | 10 | The number of concurrent connections the agent accepts. If not specified, the default is assumed.
SIZE= | No | 16777216 | Storage size, in bytes, for the agent configuration files. If not specified, the default is assumed.
DATASIZE= | No | 268435456 | Storage size, in bytes, for the agent's temporary data. If not specified, the default is assumed.
MAMA= | No | N/A | Address of the site server as host:port, for example 178.22.100.20:54545. If no address is specified, the agent sends no heartbeat.

Example configuration file:
CERTFILE=/root/truth/ss_ca.crt
LIFETIME=0
PORT=3999
CONNECTIONS=100
SIZE=65535
DATASIZE=4096
MAMA=178.22.100.20:54545
- Move the agent.config file to the /tmp path by entering the following command:
$ mv agent.config /tmp
- Install the agent by entering the following command:
$ sudo rpm -iv [rpm file name]
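Two points in this procedure are easy to get wrong silently: rpm -i installs a package whose signature did not verify, and a missing or unreadable CERTFILE only surfaces after installation when agentcored fails to start. The script below is an added example (not AccessData's code) covering both the signature check and the configuration steps above: checksig_ok fails closed on anything other than a verified signature, and write_agent_config validates the values against the table before writing agent.config. It assumes the file names from this section and that the installer reads /tmp/agent.config (CONFIG_DIR is overridable for testing); the rpm --checksig output strings are constructed from the two formats rpm is known to print, not captured from the agent package.

```shell
#!/bin/bash
# Added example: signature check and agent.config generation for the RPM deployment
# (not part of the product docs). Assumes /tmp/agent.config is where the installer looks.

CONFIG_DIR="${CONFIG_DIR:-/tmp}"

# checksig_ok "<one line of rpm --checksig output>"
# rpm 4.14+ prints "<file>: digests signatures OK"; rpm 4.11 prints
# "<file>: rsa sha1 (md5) pgp md5 OK". A package whose key was never imported
# shows "NOT OK" / "(MISSING KEYS ...)", and an unsigned one only "digests OK".
# Anything but a verified signature is rejected.
checksig_ok() {
    case "$1" in
        *"NOT OK"*|*"MISSING KEYS"*|*NOKEY*) return 1 ;;
        *"signatures OK"|*pgp*OK)              return 0 ;;
        *)                                     return 1 ;;
    esac
}

# verify_rpm FILE -> 0 only if rpm reports a good signature for FILE.
verify_rpm() {
    local out
    out=$(rpm --checksig "$1" 2>&1) || true   # rpm exits non-zero on NOT OK; keep the text
    checksig_ok "$out"
}

# write_agent_config CERTFILE [PORT] [MAMA]
# Writes $CONFIG_DIR/agent.config after validating the values against the table.
write_agent_config() {
    local cert="$1" port="${2:-3999}" mama="${3:-}" cfg="$CONFIG_DIR/agent.config"
    [ -r "$cert" ] || { echo "CERTFILE $cert is not readable; agentcored would fail to start" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "PORT must be numeric" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "PORT $port out of range" >&2; return 1; }
    if [ -n "$mama" ]; then
        case "$mama" in *:*) ;; *) echo "MAMA must be host:port" >&2; return 1 ;; esac
    fi
    {
        printf 'CERTFILE=%s\n' "$cert"
        printf 'LIFETIME=0\n'            # persistent agent: never self-destructs
        printf 'PORT=%s\n' "$port"
        printf 'CONNECTIONS=10\n'        # table default
        if [ -n "$mama" ]; then printf 'MAMA=%s\n' "$mama"; fi
    } > "$cfg"
    chmod 0600 "$cfg"                    # the file names the trust anchor; keep it root-only
    echo "$cfg"
}

# read_config_value FILE KEY -> prints the value stored for KEY= in FILE.
read_config_value() {
    sed -n "s/^$2=//p" "$1"
}

# Usage on the endpoint, after `rpm --import AD_Linux_RPM_Public.pgp`:
#   verify_rpm agent_linux-7.6.0-10.x86_64.rpm \
#     && write_agent_config /root/truth/ss_ca.crt 3999 178.22.100.20:54545 \
#     && sudo rpm -iv agent_linux-7.6.0-10.x86_64.rpm
```

The chain stops at the first failure, so an unsigned package or a bad CERTFILE never reaches rpm -iv.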
Agent Modules
Once an agent has been installed, modules must be pushed to it before it can complete requested agent jobs. For deployments to RHEL 6 systems, the Linux modules included in recent FTK releases cannot be used; the legacy modules are required.
Configuring Modules for RHEL 6 Agents
The changes below select the legacy modules and certificate. Revert them to the latest modules and certificate before pushing modules to a newer RHEL system.
If a site server is being used, ensure that the site server results folder (Agent > Modules) contains the legacy modules and .p7b certificate.
- Open FTK Enterprise and login using an administrator account.
- Open a case.
- Click Tools > Configure Agent Push.
- Select the Path to agent modules.
Ensure the path selected points to the legacy agent modules. This is required.
- Click OK.
- Select the Path to trust modules certificate.
Ensure the .p7b packaged with the legacy agent modules has been selected. This is required.
- Click OK.
Pushing Agent Modules
- Open FTK Enterprise and login using an administrator account.
- Open a case.
- Click Evidence > Add Remote Data.
- Select an Agent.
If this agent is not configured to check-in with a site server then add the agent manually. Select Load agents from manual entry list.
- Select Install or Update Agent Modules.
- Select Modules only.
- Select a job such as Process Info to allow for the update to proceed.
- Click OK.
Uninstalling the Agent
The following command removes both the agent and the AccessData agent directory.
$ sudo rpm --erase agent_linux