Installing a Linux Server Sensor

This article describes how to install a Linux server sensor in a supported operating system.

A Linux server sensor is a managed background daemon that works as a network sensor without log forwarding that also monitors:

  • Process info
  • Command execution
  • Files
  • File events

The server sensor converts that information to metadata and forwards it to the DP as Interflow. The DP can then correlate traffic, processes, users, and commands for security, DDoS, and breach attempt detections.

The server sensor launches the following processes:

  • aella_audit—collects audit logs and provides file integrity monitoring
  • aella_conf—handles the configuration
  • aella_ctrl—monitors other services, and can stop or start them based on the configuration
  • aella_flow—collects metadata in traffic
  • aella_mon—collects system resource usage, including CPU, RAM, and disk

Supported Operating Systems

About the Self-Contained Installation Script in 4.3.7

The 4.3.7 release introduces a new, self-contained installation script named ds_linux_install.sh that can install the Linux server sensor on most supported operating systems. The ds_linux_install.sh script offers the following benefits relative to the installers in previous releases:

  • Self-contained – The ds_linux_install.sh script does not need to download any OS packages from the internet. You just need to make sure that the standard curl, ntp, and zip packages are installed on the target machine.

  • Use with or without Internet access – The same installation script can be used in both Internet-connected environments and dark sites depending on whether you include the --package or -p parameter:

    • Internet Available – The installation script is used without the -p/--package parameter and pulls the correct image for the target environment from Stellar Cyber. You just need to make sure that the target host can reach acps.stellarcyber.ai.

    • Dark Site – The installation script is used with the -p/--package parameter and points to the local image file for your target environment. Refer to Installing a Linux Server Sensor in a Dark Site for installation procedures.

  • Operating System Aware – When you execute ds_linux_install.sh in a supported environment, it automatically detects the target operating system and, when used without the -p/--package parameter, downloads the corresponding image from Stellar Cyber.

  • Flexible – The same installation script can be used to install in multiple different target environments, as summarized in the Installation Matrix below.

Installation Matrix

The Installation Matrix summarizes the different installers used for the Linux server sensor by release and operating system.

Note that the self-contained installation script (ds_install_linux.sh) is supported from 4.3.7 as summarized in the table below.

Target OS

Pre-4.3.7 Installer

4.3.7+ Installer

Dark Site Support in 4.3.7?
Amazon Linux 2

ds_centos_install.sh

 ds_linux_install.sh

Yes
CentOS 7, 8

ds_centos_install.sh

ds_centos_install.sh

No
Debian 8

ds_ubuntu_install.sh

ds_ubuntu_install.sh

No
Debian 9

ds_ubuntu_install.sh

ds_ubuntu_install.sh

No
Debian 10

ds_ubuntu_install.sh

ds_ubuntu_install.sh

No
Debian 11

ds_ubuntu_install.sh

ds_ubuntu_install.sh

No
Red Hat 6.7

ds_centos_install.sh

ds_centos_install.sh

No
Red Hat 7, 8

ds_centos_install.sh

 ds_linux_install.sh

Yes
Red Hat 9

N/A

 ds_linux_install.sh

Yes
SUSE 12 SP3 or SP4

ds_suse_install.sh

 ds_linux_install.sh

Yes

SUSE 15 SP3 or SP4

ds_suse_install.sh

ds_suse_install.sh

No
Ubuntu 14.04

ds_ubuntu_install.sh

ds_ubuntu_install.sh

No
Ubuntu 16.04

ds_ubuntu_install.sh

 ds_linux_install.sh Yes
Ubuntu 18.04

ds_ubuntu_install.sh

 ds_linux_install.sh Yes
Ubuntu 20.04

ds_ubuntu_install.sh

 ds_linux_install.sh Yes
Ubuntu 21.04

N/A

 ds_linux_install.sh Yes
Ubuntu 22.04

N/A

 ds_linux_install.sh Yes
Oracle Linux 8.5

ds_linux_install.sh

 ds_linux_install.sh Yes
Alma Linux 9

N/A

 ds_linux_install.sh Yes

Installation Prerequisites

  • Click to see the minimum system requirements for installing a Linux agent sensor.

  • All the procedures that follow require that you are logged in to an account with sufficient system storage and sudo access.

  • The self-contained installation script (ds_linux_install.sh) requires the curl, ntp, and zip packages on the target machine. The installer checks for the presence of curl before installing and returns an error if it is not found.

Python Requirements

Python requirements are different depending on your target environment:

  • Installations using the self-contained installer (ds_linux_install.sh) do NOT require Python 2.

  • Installations in SUSE 15 SP3/SP4 and Oracle Linux 8.5 do NOT require Python 2, regardless of the sensor version you are installing.

  • For all other target distributions, make sure that Python 2 is installed before installing the Server Sensor. The latest Linux distributions install Python 3 by default and not Python 2.

  • Installations in CentOS 8 require that the pip2 package is installed before installing the Server Sensor.

NUMA Requirements

To prevent configuration errors, Stellar Cyber recommends that you do not install the Linux Server Sensor on target hosts with two NUMA nodes. You can use the following command to check the number of NUMA nodes in your target host:

$ lscpu | grep -i numa

For example, the following example shows the output returned by this command for a system with two NUMA nodes:

Copy 
$ lscpu | grep -i numa
                NUMA node(s):          2
                NUMA node0 CPU(s):     0-19,40-59
            NUMA node1 CPU(s):     20-39,60-79

Installation Summary

Regardless of the Linux version the main steps to perform an installation are as follows:

  1. Open ports on your firewall for the sensor.
  2. Download the software install script for your target operating system from the Stellar Cyber production server.
  3. Use the OS-specific instructions in the sections below to run the installation script and verify the installation.
  4. Use the aella_cli command to start the agent CLI. Then, use the set cm command to set the IP address to reach the management interface of the DL master in a DP cluster (or DP in a single DP deployment). Alternatively, if you have a data aggregator deployed, use the set aggregator command to specify the IP address of the destination aggregator.
  5. Log on to Stellar Cyber, check the presence of the new sensor, and provide it with authorization. This process is documented in the Sensor Overview screen.

The install scripts will expect to be able to download and install dependencies. This requires the target system to have network access to the needed repositories.

You can also install a Linux agent sensor on a system without internet access (a dark site).

Monitoring a Bonded Interface

Linux Server Sensors can monitor bonded interfaces using Mode 1. Keep in mind, however, that a Linux Server Sensor monitoring a bonded interface cannot forward traffic using the VXLAN Forwarding feature.

4.3.7+ (Ubuntu 16.04, 18.04, 20.04, 21.04, and 22.04)

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password -o ds_linux_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_linux_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.7).

  4. Run the script with the following command:

    sudo bash ds_linux_install.sh -v version

    Substitute the exact release number for version (for example, 4.3.7).

    Note that 4.3.7 and later are the only values for --version that ds_linux_install.sh supports.

  5. When the installation completes, configure the agent sensor.

Pre-4.3.7 (and 4.3.7 in Ubuntu 14.04)

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password -o ds_ubuntu_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_ubuntu_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.6).

    Note that this script only supports 4.3.7 for installation in Ubuntu 14.04. All other Ubuntu versions use ds_linux_install.sh with 4.3.7.

  4. Run the script with the following command:

    sudo bash ds_ubuntu_install.sh --version version

    Substitute the exact release number for version (for example, 4.3.6).

  5. When the installation completes, configure the agent sensor.

4.3.7+

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password -o ds_linux_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_linux_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.7).

  4. Run the script with the following command:

    sudo bash ds_linux_install.sh -v version

    Substitute the exact release number for version (for example, 4.3.7).

    Note that 4.3.7 and later are the only values for --version that ds_linux_install.sh supports.

  5. When the installation completes, configure the agent sensor.

Pre-4.3.7

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. Register the target system to the Red Hat subscription management service. Substitute the username and password provided by Red Hat in the register command below.

    subscription-manager register --username xxxxx --password xxxxx --auto-attach

    If you are running an Enterprise version of Red Hat Linux and can already download packages successfully with yum install <package>, you do not need to run this command.

  4. Use the following command to obtain the installation script:

    curl -k -u login:password -o ds_centos_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_centos_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.6).

  5. Execute the installation script with the following command:

    sudo bash ds_centos_install.sh --version version

    Substitute the exact release number for version (for example, 4.3.6).

  6. When the installation completes, configure the agent sensor.

4.3.7+

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password -o ds_linux_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_linux_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.7).

  4. Run the script with the following command:

    sudo bash ds_linux_install.sh -v version

    Substitute the exact release number for version (for example, 4.3.7).

    Note that 4.3.7 and later are the only values for --version that ds_linux_install.sh supports.

  5. When the installation completes, configure the agent sensor.

Pre-4.3.7

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password -o ds_centos_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_centos_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.6).

    Note that 4.3.6 and earlier are the only values for --version that ds_centos_install.sh supports.

  4. Run the script with the following command:

    sudo bash ds_centos_install.sh --version version

    Substitute the exact release number for version (for example, 4.3.6).

  5. When the installation completes, configure the agent sensor.

4.3.7+ (SUSE 12 SP3 & SP4)

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password -o ds_linux_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_linux_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.7).

  4. Run the script with the following command:

    sudo bash ds_linux_install.sh -v version

    Substitute the exact release number for version (for example, 4.3.7).

    Note that 4.3.7 and later are the only values for --version that ds_linux_install.sh supports.

  5. When the installation completes, configure the agent sensor.

Pre-4.3.7 (and 4.3.7 in SUSE 15 SP3 & SP4)

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password https://acps.stellarcyber.ai/release/version/datasensor/ds_suse_install.sh -o ds_suse_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.6).

    Note that this script only supports 4.3.7 for installation in SUSE 15 SP3 & SP4. All other SUSE versions use ds_linux_install.sh with 4.3.7.

  4. Run the script with the following command:

    sudo bash ds_suse_install.sh --version version

    Substitute the exact release number for version (for example, 4.3.6).

  5. When the installation completes, configure the agent sensor.

All Versions

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password -o ds_linux_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_linux_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.7).

  4. Run the script with the following command:

    sudo bash ds_linux_install.sh -v version

    Substitute the exact release number for version (for example, 4.3.7).

  5. When the installation completes, configure the agent sensor.

The self-contained installation script (ds_linux_install.sh) is not supported for Debian in 4.3.7. Use the following procedure with ds_ubuntu_install.sh instead:

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password -o ds_ubuntu_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_ubuntu_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.7).

  4. Run the script with the following command:

    sudo bash ds_ubuntu_install.sh --version version

    Substitute the exact release number for version (for example, 4.3.7).

  5. When the installation completes, configure the agent sensor.

The CentOS and Red 6.7 environments do not use the self-contained installation script (ds_linux_install.sh). Use the following procedure with ds_centos_install.sh instead.

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password -o ds_centos_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_centos_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.7).

  4. Run the script with the following command:

    sudo bash ds_centos_install.sh --version version

    Substitute the exact release number for version (for example, 4.3.7).

  5. When the installation completes, configure the agent sensor.

CentOS 8 Prerequisites

Observe the following prerequisites for installation in CentOS 8:

Ensure pip2 is Installed

The pip2 package must be installed in a target CentOS 8 environment before installing the Server Sensor.

Update the Base URL to vault.centos.org

You must update the source link for some CentOS 8 environments to vault.centos.org instead of mirror.centos.org to ensure that dependent packages can be installed.

This issue is present in CentOS 8.5.2111 but may also exist in other CentOS 8 versions. The symptom for this issue is typically a series of No URLs in mirrorlist errors when installing in CentOS 8. 

The following commands make the necessary changes for most environments to ensure that dependent packages can be downloaded from vault.centos.org.:

cd /etc/yum.repos.d/

sudo sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*

sudo sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g'

/etc/yum.repos.d/CentOS-*

sudo yum update -y

CentOS 7.9.2009 Prerequisite – Enable the EPEL Repository for pip Installation

CentOS 7.9.2009 does not install pip by default because it is not available in the core CentOS 7 repositories. To ensure that pip is installed, you must enable the Extra Packages for Enterprise Linux (EPEL) repository. This repository provides additional packages (including pip) that aren't included in the standard CentOS and Red Hat repositories.

Perform the following the steps to enable the EPEL repository and install pip:

  1. Add the EPEL repository with the following command:

    sudo yum install epel-release

  2. Install pip with the following command:

    sudo yum install python-pip

  3. Verify pip installation with the following command:

    pip --version

When running Red Hat 7.x in the AWS environment a slightly different procedure is used.

  1. To enable the required repository access use the following commands:

    sudo yum install –y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
								sudo yum install -y yum-utils
								sudo yum-config-manager --enable epel

  2. The current libssh library must be manually downloaded from the following URL. A Red Hat login is required.

    https://access.redhat.com/downloads/content/libssh/0.7.1-3.el7/x86_64/fd431d51/package

  3. The downloaded RPM file can then be installed with the following command:

    sudo rpm -i <downloaded rpm>

  4. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  5. To get the installation script:

    curl -k -u login:password -o ds_centos_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_centos_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.6).

  6. Execute the script with the following command:

    sudo bash ds_centos_install.sh --version version

    Substitute the exact release number for version (for example, 4.3.6).

  7. When the installation completes, configure the agent sensor.

Version 4.3.7+

  1. See the Installation Matrix for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command gets the installation script:

    curl -k -u login:password -o ds_linux_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_linux_install.sh --fail

    Substitute the exact release number for version (for example, 4.3.7).

  4. Run the script with the following command:

    sudo bash ds_linux_install.sh -v version

    Substitute the exact release number for version (for example, 4.3.7).

    Note that 4.3.7 and later are the only values for --version that ds_linux_install.sh supports.

  5. When the installation completes, configure the agent sensor.

Linux Server Sensor Configuration

Once the services are installed and operating, use the following procedure to configure the Linux Server Sensor:

  1. Use the aella_cli command to start the CLI.

  2. If the sensor is to be assigned to a tenant, enter the command set tenant_id <tenant-id> where the <tenant-id> is replaced by the tenant ID.

  3. Use the set cm command as shown in the following examples.

    set cm dataprocessor.samplecompany.com

    or

    set cm 64.71.33.100

    This command specifies the IP address to reach the management interface of the Data Processor. For a DP cluster, this is the IP address of the DL-master's management interface. For a single DP deployment, this is simply the DP's management IP address. You can supply either an IP address or a hostname.

  4. If you have a data aggregator installed, use that IP address instead of the DP's management interface. For example:

    set aggregator <primary IP address> <secondary IP address>

    Once this is done, the server sensor connects to the data processor and registers its presence.

  5. Exit the CLI with the quit command.

Continue with Authorizing Sensors.

Authorizing Sensors

You must authorize the sensor when it appears in the network.

You can authorize multiple sensors at a time. So if you're installing multiple sensors, install them all, then authorize them all at once.

Debian and Ubuntu Uninstall

To uninstall a sensor on Debian or Ubuntu:

apt-get remove aellads

CentOS, Red Hat 6.7, AWS Linux 2 Uninstall

To uninstall a sensor on CentOS or Red Hat:

yum remove aellads