Installing a Linux Server Sensor in a Dark Site
This article describes how to install a Linux server sensor in a supported operating system on a site without internet connectivity (a dark site).
A Linux server sensor is a managed background daemon that works as a network sensor (without log forwarding) and also monitors:
- Process info
- Command execution
- Files
- File events
The server sensor converts that information to metadata and forwards it to the DP as Interflow. The DP can then correlate traffic, processes, users, and commands for security, DDoS, and breach attempt detections.
The server sensor launches the following processes:
- aella_audit: collects audit logs and provides file integrity monitoring
- aella_conf: handles the configuration
- aella_ctrl: monitors other services, and can stop or start them based on the configuration
- aella_flow: collects metadata in traffic
- aella_mon: collects system resource usage, including CPU, RAM, and disk
Supported Operating Systems
The 4.3.7 release introduces a new, self-contained installation script named ds_linux_install.sh that can be used together with the image file corresponding to your target environment to install the Linux server sensor in a dark site.
The table below summarizes the installation script and images used for dark site installations in each supported operating system.
Target OS | Installation Script | Image File
---|---|---
Alma Linux | ds_linux_install.sh | aellads-4.3.7-1.redhat-binary.x86_64.rpm
Amazon Linux 2 | ds_linux_install.sh | aellads-4.3.7-1.redhat-binary.x86_64.rpm
Oracle Linux 8.5 | ds_linux_install.sh | aellads-4.3.7-1.redhat-binary.x86_64.rpm
Red Hat 7, 8, 9 | ds_linux_install.sh | aellads-4.3.7-1.redhat-binary.x86_64.rpm
SUSE 12 SP3 or SP4 | ds_linux_install.sh | aellads-4.3.7-1.sles12.x86_64.rpm
Ubuntu 16.04, 18.04, 20.04, 21.04 or 22.04 | ds_linux_install.sh | aellads_4.3.7ubuntu1-binary_amd64.deb
Installation Prerequisites
- Review the minimum system requirements for installing a Linux agent sensor.
- All the procedures that follow require that you are logged in to an account with sufficient system storage and sudo access.
- Dark site installation requires a USB drive to move the installation script and image from the machine where you downloaded them to the target machine without internet access.
- The self-contained installation script (ds_linux_install.sh) requires the curl, ntp, and zip packages on the target machine. The installer checks for the presence of curl before installing and returns an error if it is not found.
Installations using the self-contained installer (ds_linux_install.sh) do NOT require Python 2.
Installation Summary
Regardless of the Linux version, the main steps to perform a dark site installation are as follows:
- Open ports on your firewall for the sensor.
- Acquire the installation script and image file from a system with access to the internet.
- Copy the installation script and image file to the target dark site machine.
- Install the server sensor.
- Configure the IP address of the Stellar Cyber data processor (or a data aggregator if you have one) on the agent sensor.
- Authorize the sensor.
Acquiring and Installing the Agent Sensor
To get the installation script and image:
- Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.
- Refer to the Installation Matrix for supported target operating systems.
- Copy the installation files corresponding to your target environment to a local system with access to the internet, using the commands appropriate for your operating system below.
For Red Hat, Amazon, Oracle, and Alma Linux:
curl -k -u login:password https://acps.stellarcyber.ai/release/4.3.7/datasensor/ds_linux_install.sh -O --fail
curl -k -u login:password https://acps.stellarcyber.ai/release/4.3.7/datasensor/aellads-4.3.7-1.redhat-binary.x86_64.rpm -O --fail
For Ubuntu Linux:
curl -k -u login:password https://acps.stellarcyber.ai/release/4.3.7/datasensor/ds_linux_install.sh -O --fail
curl -k -u login:password https://acps.stellarcyber.ai/release/4.3.7/datasensor/aellads_4.3.7ubuntu1-binary_amd64.deb -O --fail
For SUSE Linux:
curl -k -u login:password https://acps.stellarcyber.ai/release/4.3.7/datasensor/ds_linux_install.sh -O --fail
curl -k -u login:password https://acps.stellarcyber.ai/release/4.3.7/datasensor/aellads-4.3.7-1.sles12.x86_64.rpm -O --fail
- Copy the two files to the USB drive.
- Mount the USB drive on the target dark system.
- Copy the two files to a directory on the target dark system.
- On the target system, cd to the directory where you copied the files.
- Run the script to install the sensor. Keep in mind the following when running the script:
  - The script uses either the -p or --package argument to specify the path of the image file.
  - You must specify the full path to the image file, regardless of whether the image is in the same folder as the script.
For Red Hat, Amazon, Oracle, and Alma Linux:
sudo bash ds_linux_install.sh -p [path]/aellads-4.3.7-1.redhat-binary.x86_64.rpm
For Ubuntu:
sudo bash ds_linux_install.sh -p [path]/aellads_4.3.7ubuntu1-binary_amd64.deb
For SUSE:
sudo bash ds_linux_install.sh -p [path]/aellads-4.3.7-1.sles12.x86_64.rpm
The script installs the sensor. When it finishes, an "install package done" message appears.
Examples
Here are examples of the commands when the image is stored under /home/stellar.
Red Hat, Amazon, Oracle, and Alma Linux:
sudo bash ds_linux_install.sh -p /home/stellar/aellads-4.3.7-1.redhat-binary.x86_64.rpm
Ubuntu:
sudo bash ds_linux_install.sh -p /home/stellar/aellads_4.3.7ubuntu1-binary_amd64.deb
SUSE:
sudo bash ds_linux_install.sh -p /home/stellar/aellads-4.3.7-1.sles12.x86_64.rpm
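As an added example (a helper written for this article, not Stellar Cyber's installer or code), the following POSIX shell script ties the transfer and install steps together: it picks the image file for the host from the table above, checks the curl/ntp/zip prerequisites, verifies the files carried across on the USB drive against a SHA-256 manifest written on the connected side, and forms the install command with the absolute image path the installer requires. The /etc/os-release IDs used for the mapping and the assumption that the ntp package provides an ntpd binary are mine, not the page's.

```shell
#!/bin/sh
# Added helper, not part of Stellar Cyber's installer: maps the host OS to the
# image file from the installation table, checks the curl/ntp/zip prerequisites,
# verifies the files carried across on the USB drive against a checksum manifest,
# and forms the install command with the absolute image path the installer needs.
# Assumed: /etc/os-release IDs (rhel, almalinux, amzn, ol, sles, ubuntu) and that
# the ntp package provides an ntpd binary.

# Image file for a given /etc/os-release ID, taken from the installation table.
select_image() {
    case "$1" in
        rhel|almalinux|amzn|ol) echo "aellads-4.3.7-1.redhat-binary.x86_64.rpm" ;;
        sles)                   echo "aellads-4.3.7-1.sles12.x86_64.rpm" ;;
        ubuntu)                 echo "aellads_4.3.7ubuntu1-binary_amd64.deb" ;;
        *) echo "unsupported OS id: $1" >&2; return 1 ;;
    esac
}

# Print the commands from the argument list that are not installed (empty = all present).
missing_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    echo "${missing# }"
}

# The installer wants the full path to the image even when it sits beside the script.
abs_path() {
    case "$1" in /*) echo "$1" ;; *) echo "$(pwd)/$1" ;; esac
}

# Install command for an OS ID and the directory holding the image.
install_cmd() {
    image=$(select_image "$1") || return 1
    echo "sudo bash ds_linux_install.sh -p $(abs_path "$2")/$image"
}

# Connected side: write SHA256SUMS beside the script and image before copying to USB.
# Dark side: confirm the copies are intact before running anything.
write_manifest() { ( cd "$1" && sha256sum ds_linux_install.sh "$2" > SHA256SUMS ); }
verify_manifest() { ( cd "$1" && sha256sum -c --quiet SHA256SUMS ) >/dev/null 2>&1; }

if [ "${RUN_SENSOR_INSTALL:-0}" = "1" ]; then   # dry run unless explicitly enabled
    . /etc/os-release
    absent=$(missing_tools curl ntpd zip)
    [ -z "$absent" ] || { echo "install these packages first: $absent" >&2; exit 1; }
    verify_manifest "$(pwd)" || { echo "checksum mismatch, do not install" >&2; exit 1; }
    sudo bash ds_linux_install.sh -p "$(pwd)/$(select_image "$ID")"
fi
```

The manifest only proves that the copies on the dark machine match what was downloaded; because the download commands above pass -k (which disables TLS certificate verification), it says nothing about the authenticity of the download itself.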
Agent Sensor Configuration
Once the services are installed and operating, use the following procedure to configure the Linux Server Sensor:
- Use the aella_cli command to start the CLI.
- If the sensor is to be assigned to a tenant, enter the command set tenant_id <tenant-id>, where <tenant-id> is replaced by the tenant ID.
- Use the set cm command as shown in the following examples:
set cm dataprocessor.samplecompany.com
or
set cm 64.71.33.100
This command specifies the IP address to reach the management interface of the Data Processor. For a DP cluster, this is the IP address of the DL-master's management interface. For a single DP deployment, this is simply the DP's management IP address. You can supply either an IP address or a hostname.
- If you have a data aggregator installed, use that IP address instead of the DP's management interface. For example:
set aggregator <primary IP address> <secondary IP address>
Once this is done, the server sensor connects to the data processor and registers its presence.
- Exit the CLI with the quit command.
Authorizing Sensors
You must authorize the sensor when it appears in the network.
You can authorize multiple sensors at a time. So if you're installing multiple sensors, install them all, then authorize them all at once.
Upgrading the Agent Sensor
You can upgrade the sensor as you normally would.