Installing a Linux Server Sensor in a Dark Site

This article describes how to install a Linux server sensor in a supported operating system on a site without internet connectivity (a dark site).

A Linux server sensor is a managed background daemon that works as a network sensor (without log forwarding) and additionally monitors:

  • Process info
  • Command execution
  • Files
  • File events

The server sensor converts that information to metadata and forwards it to the Data Processor (DP) as Interflow. The DP can then correlate traffic, processes, users, and commands for security, DDoS, and breach attempt detections.

The server sensor launches the following processes:

  • aella_audit—collects audit logs and provides file integrity monitoring
  • aella_conf—handles the configuration
  • aella_ctrl—monitors other services, and can stop or start them based on the configuration
  • aella_flow—collects metadata in traffic
  • aella_mon—collects system resource usage, including CPU, RAM, and disk

Supported Operating Systems

The 4.3.7 release introduces a new, self-contained installation script named ds_linux_install.sh that can be used together with the image file corresponding to your target environment to install the Linux server sensor in a dark site.

The table below summarizes the installation script and images used for dark site installations in each supported operating system.

Target OS                                    Installation Script    Image File
Alma Linux                                   ds_linux_install.sh    aellads-4.3.7-1.redhat-binary.x86_64.rpm
Amazon Linux 2                               ds_linux_install.sh    aellads-4.3.7-1.redhat-binary.x86_64.rpm
Oracle Linux 8.5                             ds_linux_install.sh    aellads-4.3.7-1.redhat-binary.x86_64.rpm
Red Hat 7, 8, 9                              ds_linux_install.sh    aellads-4.3.7-1.redhat-binary.x86_64.rpm
SUSE 12 SP3 or SP4                           ds_linux_install.sh    aellads-4.3.7-1.sles12.x86_64.rpm
Ubuntu 16.04, 18.04, 20.04, 21.04 or 22.04   ds_linux_install.sh    aellads_4.3.7ubuntu1-binary_amd64.deb

Installation Prerequisites

  • Check the minimum system requirements for installing a Linux agent sensor before you begin.

  • All the procedures that follow require that you are logged in to an account with sudo access on a system with sufficient free storage.

  • Dark site installation requires a USB drive to move the installation script and image from the machine where you downloaded them to the target machine without internet access.

  • The self-contained installation script (ds_linux_install.sh) requires the curl, ntp, and zip packages on the target machine. The installer checks for curl before installing and returns an error if it is not found; verify that ntp and zip are present yourself before running it, since the dark-site machine cannot fetch them.

Installations using the self-contained installer (ds_linux_install.sh) do NOT require Python 2.

Installation Summary

Regardless of the Linux version, the main steps to perform a dark site installation are as follows:

  1. Open ports on your firewall for the sensor.
  2. Acquire the installation script and image file from a system with access to the internet.
  3. Copy the installation script and image file to the target dark site machine.
  4. Install the server sensor.
  5. Configure the IP address of the Stellar Cyber data processor (or a data aggregator if you have one) on the agent sensor.
  6. Authorize the sensor.

Acquiring and Installing the Agent Sensor

To get the installation script and image:

  1. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  2. Refer to the Installation Matrix for supported target operating systems.
  3. Download the installation script and the image file corresponding to your target environment (see the table above) to a local system with access to the internet.

  4. Copy the two files to the USB drive.
  5. Mount the USB drive on the target dark system.
  6. Copy the two files to a directory on the target dark system.
  7. On the target system, cd to the directory where you copied the files.
  8. Run the script to install the sensor. Keep in mind the following when running the script:

    • The script takes the path of the image file as the -p (or --package) argument.

    • You must specify the full path to the image file, regardless of whether the image is in the same folder as the script.

    For Red Hat, Amazon, Oracle, and Alma Linux:

    sudo bash ds_linux_install.sh -p [path]/aellads-4.3.7-1.redhat-binary.x86_64.rpm

    For Ubuntu:

    sudo bash ds_linux_install.sh -p [path]/aellads_4.3.7ubuntu1-binary_amd64.deb

    For SUSE:

    sudo bash ds_linux_install.sh -p [path]/aellads-4.3.7-1.sles12.x86_64.rpm

    The script installs the sensor. When it finishes, an "install package done" message appears.

    Examples

    Here are examples of the commands when the image is stored under /home/stellar.

    Red Hat, Amazon, Oracle, and Alma Linux:

    sudo bash ds_linux_install.sh -p /home/stellar/aellads-4.3.7-1.redhat-binary.x86_64.rpm

    Ubuntu:

    sudo bash ds_linux_install.sh -p /home/stellar/aellads_4.3.7ubuntu1-binary_amd64.deb

    SUSE:

    sudo bash ds_linux_install.sh -p /home/stellar/aellads-4.3.7-1.sles12.x86_64.rpm
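Because the dark-site host cannot pull anything from the internet, mistakes made at this step (wrong image for the OS, relative path, missing prerequisites, a file corrupted or tampered with in transit on the USB drive) only surface after the installer has started. The following pre-flight script is an added example, not Stellar Cyber's installer or part of the documented procedure. It assumes you also generate a sha256sum-style manifest named SHA256SUMS on the internet-connected host and copy it to the USB drive beside the script and image; the OS identifiers it matches are the ID values from /etc/os-release, and ds_preflight.sh is a hypothetical file name.

```shell
#!/bin/sh
# ds_preflight.sh: checks to run on the dark-site host before ds_linux_install.sh.
# Added example, not Stellar Cyber's code. Assumes a SHA256SUMS manifest (created
# with `sha256sum aellads* > SHA256SUMS` on the internet-connected host) was copied
# to the USB drive next to the script and image; that manifest is an assumption,
# not part of the documented procedure.

# Image file the table above prescribes for the ID field of /etc/os-release.
expected_image() {
    case "$1" in
        rhel|almalinux|amzn|ol) echo "aellads-4.3.7-1.redhat-binary.x86_64.rpm" ;;
        sles)                   echo "aellads-4.3.7-1.sles12.x86_64.rpm" ;;
        ubuntu)                 echo "aellads_4.3.7ubuntu1-binary_amd64.deb" ;;
        *)                      return 1 ;;
    esac
}

# The installer requires the full path to the image, even from the same directory.
is_absolute() { case "$1" in /*) return 0 ;; *) return 1 ;; esac; }

# Hash recorded for a file name in a sha256sum-style manifest ("<hex>  <name>").
manifest_sum() {
    awk -v f="$2" '$2 == f || $2 == "*" f { print $1; exit }' "$1" 2>/dev/null
}

# 0 if the file's SHA-256 matches the expected hex digest, 1 otherwise.
verify_sha256() {
    [ -f "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# Prerequisites listed above; the installer itself only checks for curl.
missing_prereqs() {
    missing=""
    for tool in curl zip; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    if command -v rpm >/dev/null 2>&1; then
        rpm -q ntp >/dev/null 2>&1 || missing="$missing ntp"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -s ntp >/dev/null 2>&1 || missing="$missing ntp"
    fi
    echo "$missing"
}

# Run every check against an absolute image path, then hand off to the installer.
preflight() {
    image="$1"
    is_absolute "$image" || { echo "image path must be absolute: $image" >&2; return 1; }
    [ -f "$image" ] || { echo "image not found: $image" >&2; return 1; }
    os_id=$(. /etc/os-release 2>/dev/null && echo "$ID")
    want=$(expected_image "$os_id") || { echo "unsupported OS id: $os_id" >&2; return 1; }
    name=$(basename "$image")
    [ "$name" = "$want" ] || { echo "expected $want for $os_id, got $name" >&2; return 1; }
    sum=$(manifest_sum "$(dirname "$image")/SHA256SUMS" "$name")
    [ -n "$sum" ] || { echo "no SHA256SUMS entry for $name" >&2; return 1; }
    verify_sha256 "$image" "$sum" || { echo "checksum mismatch: $image" >&2; return 1; }
    missing=$(missing_prereqs)
    [ -z "$missing" ] || { echo "install first:$missing" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run this script with sudo" >&2; return 1; }
    [ -f ds_linux_install.sh ] || { echo "run from the directory holding ds_linux_install.sh" >&2; return 1; }
    bash ds_linux_install.sh -p "$image"
}

# Usage: sudo sh ds_preflight.sh /home/stellar/aellads-4.3.7-1.redhat-binary.x86_64.rpm
if [ $# -eq 1 ]; then
    preflight "$1"
fi
```

Run it from the directory where you copied the files, with the same absolute image path you would pass to ds_linux_install.sh; it refuses to start the installer if any check fails, so a wrong package or a corrupted copy is caught before anything is written to the host.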

Agent Sensor Configuration

Once the services are installed and running, use the following procedure to configure the Linux Server Sensor:

  1. Use the aella_cli command to start the CLI.

  2. If the sensor is to be assigned to a tenant, enter the command set tenant_id <tenant-id> where the <tenant-id> is replaced by the tenant ID.
  3. Use the set cm command as shown in the following examples.

    set cm dataprocessor.samplecompany.com

    or

    set cm 64.71.33.100

    This command specifies the address of the Data Processor's management interface. For a DP cluster, use the management IP address of the DL-master; for a single DP deployment, use the DP's management IP address. Either an IP address or a hostname is accepted.

  4. If you have a data aggregator installed, point the sensor at the aggregator's IP address instead of the DP's management interface. For example:

    set aggregator <primary IP address> <secondary IP address>

    Once this is done, the server sensor connects to the data processor and registers its presence.

  5. Exit the CLI with the quit command.

Authorizing Sensors

You must authorize the sensor when it appears in the network.

You can authorize multiple sensors at a time. So if you're installing multiple sensors, install them all, then authorize them all at once.

Upgrading the Agent Sensor

You can upgrade the sensor as you normally would.