XDR: Deploying the Linux Agent Sensor - Ubuntu/CentOS/RedHat/Debian Deployment


The Linux Agent can detect a range of events on the servers where it runs. Because of the nature of the agent and the complexity of server activity, visibility into what happens on the server is crucial. The Linux Agent provides visibility into the following:

1. Abnormal Parent/Child Processes
2. Server Commands
3. File Actions
4. Process Anomaly
5. User Login Failures and Scanner Reputation/Port scans 

These are only a few; there will be many more as they are correlated with the kill-chain detections.

The Default Profile assigned to Linux agents includes the following:
1. Application Identification
2. Application Session
3. Application Metadata
4. Process Correlation
5. Packet Duplication
6. Command and File Integrity Monitoring 
7. Handshake Failure and Flood Attack


Server requirements (minimum): 6GB memory, 4 CPU cores

The agent limits itself to less than 5% of memory and CPU usage.

The agent's memory and CPU usage follows server activity. Report any spikes in CPU or memory utilization to the SOC so that it can determine the root cause.

For smaller installations, use the following steps. For large-scale installations, a Puppet installation may be the way to go.

Note: The user installing the agent on the machine should ideally have sudo privileges.


Deployment Steps

Agent Sensor - Ubuntu/CentOS/RedHat/Debian Deployment

For Debian 9 or Ubuntu 18.04/16.04/14.04 environments, execute the following:

curl -k -u AellaMeta:WroTQfm/W6x10 -o ds_ubuntu_install.sh https://acps.stellarcyber.ai/release/4.3.1/datasensor/ds_ubuntu_install.sh --fail

sudo bash ds_ubuntu_install.sh --version 3.4.2

For CentOS 6.1/6.5/6.7/6.9/7.x or RedHat 6.7 environments, execute the following:

curl -k -u AellaMeta:WroTQfm/W6x10 -o ds_centos_install.sh https://acps.stellarcyber.ai/release/4.3.1/datasensor/ds_centos_install.sh --fail

sudo bash ds_centos_install.sh --version 3.4.2

For RedHat 7.x local environment, execute the following:

# Make sure you have already subscribed to the Red Hat subscription service

subscription-manager register --username xxxxx --password xxxxx --auto-attach

subscription-manager repos --enable rhel-7-server-extras-rpms

curl -k -u AellaMeta:WroTQfm/W6x10 -o ds_centos_install.sh https://acps.stellarcyber.ai/release/4.3.1/datasensor/ds_centos_install.sh --fail

sudo bash ds_centos_install.sh --version 3.4.2
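
A pre-flight check for the server requirements and operating-system list above, as an added example that is not part of the original article or the vendor's installer. The function names, the --check flag and the reading of "6GB" as 6×10^9 bytes are assumptions of this example; the installer file names are the ones used on this page.

```bash
# Added example: pre-flight check against this page's minimums and OS list.
# Assumption: "6GB" is read as 6*10^9 bytes, in the KiB units of /proc/meminfo.
MIN_MEM_KB=5859375
MIN_CORES=4

# pick_installer ID VERSION: print the installer this page uses for that OS.
pick_installer() {
  case "$1:$2" in
    ubuntu:14.04|ubuntu:16.04|ubuntu:18.04|debian:9|debian:9.*)
      echo ds_ubuntu_install.sh ;;
    centos:6.1|centos:6.5|centos:6.7|centos:6.9|centos:7|centos:7.*|rhel:6.7|rhel:7|rhel:7.*)
      echo ds_centos_install.sh ;;
    *) return 1 ;;
  esac
}

# parse_redhat_release LINE: EL6 has no /etc/os-release, only this one-line file.
parse_redhat_release() {
  rel_ver=$(printf '%s\n' "$1" | sed -n 's/.* release \([0-9][0-9.]*\).*/\1/p')
  case "$1" in
    CentOS*)    echo "centos $rel_ver" ;;
    "Red Hat"*) echo "rhel $rel_ver" ;;
    *) return 1 ;;
  esac
}

# meets_minimum MEM_KB CORES: succeed only if both meet the stated minimum.
meets_minimum() { [ "$1" -ge "$MIN_MEM_KB" ] && [ "$2" -ge "$MIN_CORES" ]; }
detect_os() {
  if [ -r /etc/os-release ]; then
    ( . /etc/os-release; echo "${ID:-unknown} ${VERSION_ID:-unknown}" )
  elif [ -r /etc/redhat-release ]; then
    parse_redhat_release "$(head -n 1 /etc/redhat-release)"
  else
    return 1
  fi
}

preflight() {
  os=$(detect_os) || { echo "cannot identify OS" >&2; return 1; }
  set -- $os
  installer=$(pick_installer "$1" "${2:-}") || { echo "not in supported list: $os" >&2; return 1; }
  mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
  cores=$(getconf _NPROCESSORS_ONLN)
  meets_minimum "$mem_kb" "$cores" || { echo "below minimum: $mem_kb kB, $cores cores" >&2; return 1; }
  echo "OK: $os -> $installer"
}
# Run the check only when asked, e.g. sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```

A non-zero exit from the --check run means the host is either outside the operating-system list above or below the stated minimums.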


Step 1: Download the Linux agent based on the type of operating system.

Step 2: Type ‘aella_cli’ to launch the Data Sensor command prompt.

Step 3: Enter the following command in the command prompt window: "set tenant_id tenantname/tenant id". Example: set tenant_id CyFlare/58029192. Your Customer Success Manager can send you your Tenant Name and Tenant ID if you did not receive them in your welcome email.

Step 4: Enter the following command: "set cm"

Step 5: Enter the following command to see the version: "show version"

Step 6: Enter the following command to confirm that the connection to the CM was established: "show cm"

Step 7: Let your Customer Success Manager or soc@cyflare.com know that you have deployed the agent. The SOC will need to authorize each Linux server before log events are ingested.


