Deploying the Linux Agent Sensor - Ubuntu/CentOS/RedHat/Debian Deployment for Pulse Breach Detection System

Overview

The Linux agent sensor is a managed background daemon that acts as a network sensor without log forwarding, and also monitors:

  • process info
  • command execution
  • files
  • file events

The agent sensor converts that information into metadata and forwards it to the cloud-based Data Processor (DP) as Interflow records. The DP can then correlate traffic, processes, users, and commands for security, DDoS, and breach-attempt detections.


The following systems are supported:
  • CentOS versions:
    • 7
  • Debian versions:
    • 8
    • 9
  • Red Hat versions (64 bit):
    • 6
    • 7
    • 8
  • Ubuntu versions:
    • 14.04
    • 16.04
    • 18.04
    • 19.04
    • 20.04 (Supported Q3 - 2021)

The latest Linux distributions install Python 3 by default, but the sensor requires Python 2. Before you install the sensor, make sure that Python 2 is installed.


These are only a few of the detections; many more will follow through correlation with the kill-chain detections.

The default profile assigned to Linux agents includes the following:
1. Application Identification
2. Application Session
3. Application Metadata
4. Process Correlation
5. Packet Duplication
6. Command and File Integrity Monitoring
7. Handshake Failure and Flood Attack

Prerequisites

Server requirements (minimum: 6 GB memory, 4 CPU cores)

The agent limits itself to less than 5% of memory and CPU usage.

The agent's memory and CPU consumption follow the server's activity. Report any spikes in CPU or memory utilization to the SOC so that the root cause can be understood.

For smaller installations, use the steps below. For large-scale installations, a Puppet-based installation may be the better option.

Note: The user installing the agent on the machine should ideally have sudo privileges.

Firewall Rules

Outbound from Linux servers for agent communication and sending logs:

  1. TCP on port 8888 to 52.7.164.23
  2. TCP on port 8888 to 3.92.7.89
  3. TCP on port 8443 to 52.7.164.23
  4. TCP on ports 6640-6648 to 52.7.164.23
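A pre-flight egress check for the rules above, added here as an example and not part of the vendor's installer: it attempts a TCP connect to every destination and port listed, so a blocked outbound rule is found before installation rather than when "show cm" reports no connection. Python 3 is assumed to be present on the server (the agent itself needs Python 2).

```python
"""Pre-flight egress check for the firewall rules listed above (added example)."""
import socket
from typing import List, Tuple

# Destinations and port specs exactly as listed in the Firewall Rules section.
FIREWALL_RULES = [
    ("52.7.164.23", "8888"),
    ("3.92.7.89", "8888"),
    ("52.7.164.23", "8443"),
    ("52.7.164.23", "6640-6648"),
]


def expand_ports(spec: str) -> List[int]:
    """Turn "8888" into [8888] and "6640-6648" into [6640, ..., 6648]."""
    parts = spec.split("-", 1)
    low, high = int(parts[0]), int(parts[-1])
    if not (1 <= low <= high <= 65535):
        raise ValueError("bad port spec: %s" % spec)
    return list(range(low, high + 1))


def rule_targets(rules=FIREWALL_RULES) -> List[Tuple[str, int]]:
    """Flatten the rule list into individual (host, port) pairs."""
    return [(host, port) for host, spec in rules for port in expand_ports(spec)]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # connection refused, filtered (timeout) or no route
        return False


def check_egress(rules=FIREWALL_RULES) -> List[Tuple[str, int]]:
    """Return the (host, port) pairs that could NOT be reached."""
    return [(h, p) for h, p in rule_targets(rules) if not tcp_reachable(h, p)]


if __name__ == "__main__":
    targets = rule_targets()
    blocked = check_egress()
    for host, port in blocked:
        print("FAIL tcp %s:%d (blocked or filtered)" % (host, port))
    print("%d of %d destinations unreachable" % (len(blocked), len(targets)))
```

Run it as root or as the installing user on each server before Step 1; any FAIL line points at an egress rule that still needs to be opened.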

Deployment Steps

Agent Sensor - Ubuntu/CentOS/RedHat/Debian Deployment

For Debian 9 or Ubuntu 19.04/18.04/16.04/14.04 environments, execute the following:

curl -k -u AellaMeta:WroTQfm/W6x10 -o ds_ubuntu_install.sh https://acps.stellarcyber.ai/release/3.10.1/datasensor/ds_ubuntu_install.sh --fail 

sudo bash ds_ubuntu_install.sh --version 3.10.1

For CentOS 6.1/6.5/6.7/6.9/7.x or Red Hat 6.7 environments, execute the following:

curl -k -u AellaMeta:WroTQfm/W6x10 -o ds_centos_install.sh https://acps.stellarcyber.ai/release/3.10.1/datasensor/ds_centos_install.sh --fail 

sudo bash ds_centos_install.sh --version 3.10.1

For Red Hat 7.x local environments, execute the following:

# Make sure the system is already registered with the Red Hat subscription service

subscription-manager register --username xxxxx --password xxxxx --auto-attach

subscription-manager repos --enable rhel-7-server-extras-rpms

curl -k -u AellaMeta:WroTQfm/W6x10 -o ds_centos_install.sh https://acps.stellarcyber.ai/release/3.10.1/datasensor/ds_centos_install.sh --fail

sudo bash ds_centos_install.sh --version 3.10.1


Step 1: Download the Linux agent for your operating system, as shown above.

Step 2: Type aella_cli to launch the Data Sensor command-line interface.

Step 3: Enter the following command at the prompt: "set tenant_id <tenant id>", for example: set tenant_id 58029192. Your Customer Success Manager can send you your Tenant Name and Tenant ID if you did not receive them in your welcome email.

Step 4: Enter the following command: "set cm 52.7.164.23"

Step 5: Enter "show version" to display the version.

Step 6: Enter "show cm" to confirm that the connection to the CM was established.

Step 7: Let your Customer Success Manager or soc@cyflare.com know that you have deployed the agent. The SOC will need to authorize each Linux server before log events are ingested.
