Manually Installing Agents on 64-bit Linux Operating Systems 



Prerequisites

 

  • A user with sudo privileges, or the root user, because the installation and the SELinux policy updates must be done with elevated privileges.
  • Port 3999 must be opened in the firewall so that the Agent can communicate with FTK.

 

Installation

 

  1. Copy the agent (from the FTK ISO or from C:\Program Files\AccessData\Forensic Tools\[Version]\bin\Agent) and the public certificate to the Linux endpoint.
  2. Add execute permission to the script by entering the following command:
chmod +x agent-linux64.sh
  3. Install the agent by entering the following command:
sudo ./agent-linux64.sh <Certificate Path>
  4. Set the security context (extended attributes) of the Agent core daemon by entering the following command:
sudo /sbin/restorecon -v /etc/rc.d/init.d/agentcored
  5. Update the allow/dontaudit policy rule for the Agent Core Daemon by entering the following command:
sudo ausearch -c '(entcored)' --raw | audit2allow -M my-entcored
  6. Install the generated SELinux policy module (my-entcored.pp) by entering the following command:
sudo semodule -X 300 -i my-entcored.pp



Checking Agent Status after Installation

It is advised to restart the agent to confirm that it starts correctly.

  1. Open a terminal.
  2. Stop the agent by entering the following command:
sudo systemctl stop agentcored
  3. Start the agent by entering the following command:
sudo systemctl start agentcored
  4. Check the agent status by entering the following command:
sudo systemctl status agentcored
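The three things the steps above verify by hand (service running, port 3999 reachable through the firewall, something actually listening on it) can be scripted. The script below is an added example and is not part of the AccessData/Exterro documentation. The service name agentcored and port 3999 come from this page; firewalld (firewall-cmd) and iproute2 (ss) are assumed to be present on the endpoint. Each check is split into a parser that takes the captured command output, so the parsing can be exercised on sample text without a live agent.

```shell
#!/bin/sh
# Post-install health check for the FTK Linux agent (agentcored).
# Added example, not vendor code. Assumes firewalld and iproute2 (ss).

AGENT_SERVICE=agentcored   # service name from the installation steps
AGENT_PORT=3999            # default agent listening port

# service_is_running STATUS_OUTPUT -> 0 if `systemctl status` reports "active (running)"
service_is_running() {
    printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

# port_in_firewall LIST_ALL_OUTPUT PORT -> 0 if PORT/tcp appears on the
# "ports:" line of `firewall-cmd --list-all` (e.g. "  ports: 3999/tcp")
port_in_firewall() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' \
        | tr ' ' '\n' | grep -qx "$2/tcp"
}

# port_is_listening SS_OUTPUT PORT -> 0 if a TCP socket listens on PORT.
# Parses the "Local Address:Port" column of `ss -ltn`, which may be
# "0.0.0.0:3999" or "[::]:3999"; the last ':'-separated field is the port.
port_is_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# run_checks -> runs the live commands, prints PASS/FAIL/SKIP per check,
# returns 1 if any check failed. The FAIL lines name the fix from this page.
run_checks() {
    rc=0
    status=$(systemctl status "$AGENT_SERVICE" 2>&1)
    if service_is_running "$status"; then
        echo "PASS $AGENT_SERVICE is running"
    else
        echo "FAIL $AGENT_SERVICE not running (try: sudo systemctl start $AGENT_SERVICE)"; rc=1
    fi

    if command -v firewall-cmd >/dev/null 2>&1; then
        rules=$(firewall-cmd --list-all 2>/dev/null)
        if port_in_firewall "$rules" "$AGENT_PORT"; then
            echo "PASS $AGENT_PORT/tcp is open in firewalld"
        else
            echo "FAIL $AGENT_PORT/tcp not open (fix: sudo firewall-cmd --permanent --add-port=$AGENT_PORT/tcp && sudo firewall-cmd --reload)"; rc=1
        fi
    else
        echo "SKIP firewall-cmd not found; verify the firewall rule by hand"
    fi

    sockets=$(ss -ltn 2>/dev/null)
    if port_is_listening "$sockets" "$AGENT_PORT"; then
        echo "PASS agent is listening on $AGENT_PORT/tcp"
    else
        echo "FAIL nothing is listening on $AGENT_PORT/tcp"; rc=1
    fi
    return $rc
}

# Only run the live checks when invoked with "run"; otherwise just define the functions.
if [ "${1:-}" = run ]; then run_checks; fi
```

Run it on the endpoint as `sudo sh check_agent.sh run`; a non-zero exit means at least one check failed and the PASS/FAIL lines say which.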



Deploying Agents to RHEL 6/7/8/9 Systems using Ansible Playbooks

 

With the release of FTK 7.5.2, deploying agents using Ansible playbooks is supported.


 

Save each of the playbooks below in its own .YML file. The playbooks assume that the Agent installer and the public certificate are already present on the remote machine.


Running an Ansible Playbook

 

Open a terminal and enter the command below:

ansible-playbook [NAME OF PLAYBOOK.YML] --ask-become-pass

Command to Install Agent

---
- name: Vne task
  hosts: all 
  become: yes
  become_user: root
  tasks:
    - name: Installing Agent
      command: "[ENTER PATH TO AGENT]/agent-linux64.sh [ENTER PATH TO CERT]/ad_agentcomm_ca.crt"
      register: cmd_op

    - debug:
            var: cmd_op.stdout_lines

Command to Uninstall Agent

---
- name: Vne task
  hosts: all 
  become: yes
  become_user: root
  tasks:
    - name: Uninstalling Agent
      command: "[ENTER PATH TO AGENT]/agent-linux64.sh -r"
      register: cmd_op

    - debug:
            var: cmd_op.stdout_lines

Command to Check Agent Status

---
- name: Vne task
  hosts: all 
  become: yes
  become_user: root
  tasks:
    - name: Checking Agent Service Status
      command: "systemctl status agentcored"
      register: cmd_op

    - debug:
            var: cmd_op.stdout_lines

Deploying Agents using RPM Packages on RHEL 6/7/8/9

 

You can find the Linux RPM package for RHEL 6/7/8/9 at the bottom of the page.



Prerequisites

Copy the following files to a Linux directory.

  • AD_Linux_RPM_Public.pgp – GPG Public Key
  • agent_linux-7.7.0-*.x86_64.rpm – Redhat Agent
  • ss_ca.crt – Public Certificate from your Site Server or Enterprise



Installation

  1. Open a terminal as root or with sudo.
  2. Import the provided GPG public key by entering the following command:
$ sudo rpm --import AD_Linux_RPM_Public.pgp

Check if the RPM repository contains the imported GPG Key

  1. Open a terminal as root or with sudo.
  2. Check the status of the repository's GPG key and verify the installer signature by entering the following commands:
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
$ rpm --checksig [agent installer rpm file]

Configuring and Installing the Agent

The agent must be configured before deployment to suit your needs. These settings are made in agent.config.

  1. Ensure the /usr/AccessData/agent/tmp path exists (create it if it does not).
  2. Create agent.config or use the provided config file attached.
  3. Open agent.config in a text editor.
  4. Use the table below to configure your agent and save any changes.


Configuration    Required?   Default value
CERTFILE=        Yes         N/A
    Directory where the public certificate is located. If this is not specified in the configuration file, the installation will succeed but the agentcore service will fail to start.
LIFETIME=        No          0
    Specifies the amount of time that a transient agent will exist before self-destructing. A negative value denotes minutes (e.g. -30 denotes 30 minutes) and a positive value denotes days (e.g. 30 denotes 30 days). 0 indicates that the agent will not self-destruct. If not specified, the default value is assumed.
PORT=            No          3999
    The port that the agent will be listening on. If not specified, the default value is assumed.
CONNECTIONS=     No          10
    Specifies the number of concurrent connections allowed to the agent. If not specified, the default value is assumed.
SIZE=            No          16777216
    Specifies the agent configuration files storage size. If not specified, the default value is assumed.
DATASIZE=        No          268435456
    Specifies the agent temporary data storage size. If not specified, the default value is assumed.
MAMA=            No          N/A
    The address of the site server. If no address is specified, no heartbeat is assumed. Example: 178.22.100.20:54545.
FOLDER_STORAGE=  No          0
    A 1 indicates that the agent will not use protected storage. A 0 indicates that the agent will use protected storage. If not specified, the default value is assumed.

must be used if attempting to deploy on endpoints with DISA STIGs employed.
EXAMPLE CONFIGURATION FILE

CERTFILE=/root/truth/ss_ca.crt
LIFETIME=0
PORT=3999
CONNECTIONS=100
SIZE=16777216
DATASIZE=268435456
MAMA=178.22.100.20:54545
FOLDER_STORAGE=1
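Because a missing CERTFILE only shows up after installation (the RPM installs, the agentcore service then fails to start), it pays to check agent.config before running rpm. The validator below is an added example, not AccessData/Exterro code: the key names, defaults and value rules are taken from the configuration table above, while the check logic and messages are this script's own. It treats LIFETIME as a signed integer, PORT as 1-65535, MAMA as host:port and FOLDER_STORAGE as 0 or 1, and only warns about unknown keys. The config files in the usage below are constructed.

```shell
#!/bin/sh
# Validate an FTK Linux agent.config before installing the RPM.
# Added example, not vendor code; rules follow the configuration table.

KNOWN_KEYS="CERTFILE LIFETIME PORT CONNECTIONS SIZE DATASIZE MAMA FOLDER_STORAGE"

# is_uint VALUE -> 0 if VALUE is a non-negative integer
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# is_int VALUE -> 0 if VALUE is an integer with an optional leading minus
is_int() { case "$1" in -?*) is_uint "${1#-}" ;; *) is_uint "$1" ;; esac; }

# cfg_get FILE KEY -> prints the value of KEY (last occurrence wins, whitespace trimmed)
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# validate_agent_config FILE -> 0 when all checks pass, 1 otherwise.
# Every problem is printed on its own line so it can be fixed before rpm -i.
validate_agent_config() {
    cfg=$1; rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }

    certfile=$(cfg_get "$cfg" CERTFILE)
    if [ -z "$certfile" ]; then
        echo "CERTFILE is required: the RPM would install but agentcore would not start"; rc=1
    elif [ ! -r "$certfile" ]; then
        echo "warning: CERTFILE $certfile is not readable here (fine if it only exists on the endpoint)"
    fi

    lifetime=$(cfg_get "$cfg" LIFETIME)
    if [ -n "$lifetime" ] && ! is_int "$lifetime"; then
        echo "LIFETIME must be an integer: negative = minutes, positive = days, 0 = never"; rc=1
    fi

    port=$(cfg_get "$cfg" PORT)
    if [ -n "$port" ]; then
        if ! is_uint "$port" || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "PORT must be 1-65535 (default 3999)"; rc=1
        fi
    fi

    for key in CONNECTIONS SIZE DATASIZE; do
        v=$(cfg_get "$cfg" "$key")
        if [ -n "$v" ] && { ! is_uint "$v" || [ "$v" -eq 0 ]; }; then
            echo "$key must be a positive integer"; rc=1
        fi
    done

    mama=$(cfg_get "$cfg" MAMA)
    if [ -n "$mama" ]; then
        mport=${mama##*:}; mhost=${mama%:*}
        if [ "$mport" = "$mama" ] || [ -z "$mhost" ] || ! is_uint "$mport" || [ "$mport" -gt 65535 ]; then
            echo "MAMA must be host:port, e.g. 178.22.100.20:54545"; rc=1
        fi
    fi

    fs=$(cfg_get "$cfg" FOLDER_STORAGE)
    case "$fs" in
        ''|0|1) ;;
        *) echo "FOLDER_STORAGE must be 0 (protected storage) or 1 (no protected storage)"; rc=1 ;;
    esac

    # Unknown keys are reported but do not fail validation.
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$cfg" | while read -r k; do
        case " $KNOWN_KEYS " in *" $k "*) ;; *) echo "warning: unknown key $k" ;; esac
    done
    return $rc
}

# Usage: sh check_agent_config.sh /usr/AccessData/agent/tmp/agent.config
# With no argument the functions are only defined (so the file can be sourced).
if [ $# -gt 0 ]; then
    if validate_agent_config "$1"; then echo "$1: OK"; else exit 1; fi
fi
```

Run it against the file you intend to move to /usr/AccessData/agent/tmp; the example configuration file above passes (with a warning about CERTFILE if the certificate is not readable on the machine running the check).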



  5. Move the agent.config file to the /usr/AccessData/agent/tmp path by entering the following command:
$ mv agent.config /usr/AccessData/agent/tmp

The net-tools package can be installed using the command below:
yum install net-tools.x86

  6. Install the agent by entering the following command:
$ sudo rpm -iv [rpm file name]

For RHEL 9, if the installation fails (with the FOLDER_STORAGE=1 configuration) and the error /etc/rc.d/init.d/functions: No such file or directory is displayed, execute the command below and then reinstall the RPM:
yum install -y initscripts

Agent Modules

Once an agent has been installed and an agent job has been initiated, the agent modules will be installed automatically.


If you face any issues, follow the steps below to ensure the modules install successfully.


  1. Open FTK Enterprise and log in using an administrator account.
  2. Open a case.
  3. Click Tools > Configure Agent Push.
  4. Select the Path to agent modules. Ensure the selected path points to the correct agent modules; this is required.
  5. Click OK.
  6. Select the Path to trust modules certificate. Ensure the correct .p7b has been selected; this is required.
  7. Click OK.


Pushing Agent Modules Manually

  1. Open FTK Enterprise and log in using an administrator account.
  2. Open a case.
  3. Click Evidence > Add Remote Data.
  4. Select an Agent. If the agent is not configured to check in with a site server, add it manually by selecting Load agents from manual entry list.
  5. Select Install or Update Agent Modules.
  6. Select Modules only.
  7. Select a job such as Process Info to allow the update to proceed.
  8. Click OK.



Uninstalling the Agent

Note that the following command deletes both the agent and the AccessData agent directory.

$ sudo rpm --erase agent_linux



Accessing the Linux files from Windows (Optional)


Follow the steps below to create a network-shared folder on a Red Hat-based distribution and access it from Windows using Samba.


Step 1: Installing Samba

  • Execute the below command to install Samba:

sudo yum install samba

Step 2: Configuring SELinux (Optional)

If SELinux is enabled on the CentOS system, it must be configured to allow Samba to export the share.

  • Run the following command to allow Samba to share files:

sudo setsebool -P samba_export_all_rw 1

 

Step 3: Adding a user to the Share path

  • Execute the below commands to add a user to the share path: 

sudo useradd <username>

sudo passwd <username>


Step 4: Configuring Samba

  • Open the Samba configuration file (smb.conf) using a text editor with root privileges using the below command:

sudo vi /etc/samba/smb.conf


  • In the [global] section of the configuration file, set the workgroup and other Samba options as provided below:

[global]
# Replace "WORKGROUP" with your Windows workgroup name
workgroup = WORKGROUP
#server string = Samba Server %v
#netbios name = myserver
#security = user
#map to guest = bad user
#dns proxy = no


  • Below the [global] section, create a new section for your shared folder.

For example, if you want to share the folder located at /path/to/shared_folder, add the following information to the smb.conf file:

[shared_folder]
path = /path/to/shared_folder
browsable = yes
#writable = yes
#guest ok = yes
#guest only = yes
#read only = no
#create mask = 0777
#directory mask = 0777
#force user = your_linux_username


Step 5: Creating Folders or Files on the share path 

  • Create folders or files in the share path mentioned in Step 4 to collect the data.


Step 6: Creating a user file for Samba user

  • Create a user file for the Samba user using the below command:

sudo vi /etc/samba/users.map


  • In the users.map file, add the Samba user created in Step 3:

<username> = <domain>/<username>


Step 7: Creating a Samba User

  • Create a Samba user and set a password for it:

sudo smbpasswd -a your_samba_username

Step 8: Restarting Samba

  • After making changes to the smb.conf file, restart the Samba service using the below command:

sudo systemctl restart smb


Step 9: Ensuring the Samba service is added to the firewall

  • Check if the Samba service is added to the firewall by executing the below command: 

firewall-cmd --list-all


  • If Samba is not present in services list [services: cockpit dhcpv6-client samba ssh], add it using the below command:

firewall-cmd --permanent --add-service=samba

firewall-cmd --reload

 

Step 10: Confirming if the folder has been made shareable

  • Ensure the folder has been made shareable by accessing it from Windows.



Configuring Samba in Debian


  1. Installing Samba:


  • Open a terminal and run the following command to install the Samba package:

sudo apt install samba

  2. Creating a shareable directory:


  • Choose a directory (new or existing one) that should be shared over the network. 


Example: To create a new directory called ‘shared_folder’, the following command should be executed:

sudo mkdir /shared_folder


  3. Configuring Samba:


  • Open the Samba configuration file in a text editor using the below command:

sudo vi /etc/samba/smb.conf


Note: You need root privileges to edit this file.


  • Add the following lines at the end of the configuration file to define your network share:

[SharedFolder]
path = /shared_folder
valid users = <username>
writable = yes
guest ok = yes
guest only = yes
force create mode = 777
force directory mode = 777


  4. Setting up the password for Samba:


  • Set a password for your Samba user (which corresponds to your Linux username) by executing the following command:


sudo smbpasswd -a <username>


  • Provide the password when prompted. 


  5. Restarting Samba:


  • After making changes to the Samba configuration, restart the Samba service:


sudo service smbd restart


  6. Configuring the Firewall:


  • Check if Samba is present in the firewall's service list by executing the below command:


sudo firewall-cmd --list-all


  • If not available, add the Samba service using the command:


firewall-cmd --permanent --add-service=samba

firewall-cmd --reload

  7. Accessing the share location:


  • You should now be able to access the shared folder from other devices on the network from the following location path:


\\<debian machine hostname or IP address>\SharedFolder
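Both smb.conf fragments on this page (the [shared_folder] section in Step 4 of the Red Hat procedure and the [SharedFolder] section in the Debian procedure) put collected evidence on a share, so the share definition deserves a review before the service is restarted. The script below is an added example, not from this page or the Samba project: it reads the share sections of an smb.conf, prints any parameter, and flags the settings that expose the data (guest ok = yes, no valid users, 777 masks or force modes). It assumes standard smb.conf syntax (sections in square brackets, "key = value" lines, comments starting with # or ;), matches parameter names literally as written in the file, and expects share names without spaces. The smb.conf in the usage note is constructed.

```shell
#!/bin/sh
# Audit the share sections of an smb.conf before exposing a collection share.
# Added example, not vendor or Samba project code.

# smb_share_param CONF SHARE KEY -> prints the value of KEY inside [SHARE], empty if unset.
# Lines starting with '#' or ';' are comments; parameter names are matched literally.
smb_share_param() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s)
            insec = (s == want); next
        }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); val = v
            }
        }
        END { print val }' "$1"
}

# smb_shares CONF -> prints the share names, one per line, excluding [global]
smb_shares() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1" | grep -vx global
}

# audit_share CONF SHARE -> prints one line per risky setting; 0 if none, 1 otherwise
audit_share() {
    conf=$1; share=$2; bad=0
    path=$(smb_share_param "$conf" "$share" path)
    if [ -z "$path" ]; then echo "[$share] has no path"; bad=1; fi
    if [ "$(smb_share_param "$conf" "$share" "guest ok")" = yes ]; then
        echo "[$share] guest ok = yes: unauthenticated access to collected data"; bad=1
    fi
    if [ -z "$(smb_share_param "$conf" "$share" "valid users")" ]; then
        echo "[$share] no 'valid users': every Samba account can connect"; bad=1
    fi
    for k in "create mask" "directory mask" "force create mode" "force directory mode"; do
        v=$(smb_share_param "$conf" "$share" "$k")
        case "$v" in
            *777) echo "[$share] $k = $v: files are created world-writable"; bad=1 ;;
        esac
    done
    return $bad
}

# audit_smb_conf CONF -> audits every share; 0 only if all shares are clean
audit_smb_conf() {
    rc=0
    for s in $(smb_shares "$1"); do audit_share "$1" "$s" || rc=1; done
    return $rc
}

# Usage: sh audit_smb.sh /etc/samba/smb.conf   (no argument: functions only)
if [ $# -gt 0 ]; then audit_smb_conf "$1"; fi
```

Run it after editing smb.conf and before `systemctl restart smb`; a non-zero exit means at least one share carries a setting from the list above. A share restricted with valid users and a 0660-style create mask passes, while the page's Debian example (guest ok = yes with 777 force modes) is flagged.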