Deploying Server Sensors

Stellar Cyber uses a wide variety of sensors to collect data to ingest into its security database. One type of sensor is a Server Sensor. Server Sensors are installed on a host as a system daemon process. The System | Agents screen helps you deploy both Linux and Windows Server Sensors — there are separate tabs for each.

For more information regarding sensors that are currently installed, see the Sensor Overview page.

Linux Deployment

The Linux deployment option appears by default when the System | Agents screen first appears, as in the image below:

The Linux deployment leverages the widely-used Ansible system. The user must provide a playbook file (which contains the instructions on how to install the agent software) and an inventory file (which contains a list of target systems). See the following section for sample files.

The controls on this screen include:

  • Select Playbook File – This is a browser file-select tool to select the file on the local system that contains the Ansible playbook.

  • Select Inventory File – This is a browser file-select tool used to select the file on the local system that contains the Ansible inventory file.

  • Upload – Select to upload the files selected above.

  • Deploy – Select to initiate execution of the Ansible playbook.

The right-hand side of the screen shows the current status log. It updates once a deployment is in progress.

Sample Ansible Files

The following files are provided to illustrate how the Ansible files might appear. Some modification of these files to accommodate the local installation will be required.

These files may be used via the user interface as described above or run from an Ansible administrator system.

Playbook file

The playbook file is a YAML-format file similar to the following:

---
- hosts: target
  become_method: sudo
  become: yes
  gather_facts: true
  vars:
    cm_ip: 192.168.1.223            # data processor address the sensor will report to
    cloud_url: acps.stellarcyber.ai
    version: 3.8.0
  tasks:
    - name: Installing Data Sensor Agent - CentOS/Redhat - Please wait...
      when: (ansible_distribution == "CentOS" or ansible_distribution == "Red Hat Enterprise Linux") and (cloud_url == "acps.stellarcyber.ai")
      shell: |
        curl -k -u user310:HMTe3dJ3cmAPK https://{{cloud_url}}/release/{{version}}/datasensor/ds_centos_install.sh -o /tmp/ds_centos_install.sh --fail
        bash /tmp/ds_centos_install.sh -v {{version}} --cm {{cm_ip}}
      args:
        warn: off
    - name: Installing Data Sensor Agent - Ubuntu/Debian - Please wait...
      when: (ansible_distribution == "Ubuntu" or ansible_distribution == "Debian") and (cloud_url == "acps.stellarcyber.ai")
      shell: |
        curl -k -u user310:HMTe3dJ3cmAPK https://{{cloud_url}}/release/{{version}}/datasensor/ds_ubuntu_install.sh -o /tmp/ds_ubuntu_install.sh --fail
        bash /tmp/ds_ubuntu_install.sh -v {{version}} --cm {{cm_ip}}
      args:
        warn: off
    - name: Display post install message
      debug:
        msg:
          - 'Aella Agent Data Sensor Installation Done'
    - name: wait for config received from CM in case network slow
      pause: seconds=60
    # the installer writes the name and engine id assigned by the CM to /etc/aella/aos.yaml
    - name: get hostname coming back from CM
      shell: egrep 'cm_assigned_name =' /etc/aella/aos.yaml | awk '{print $4}'
      register: device
    - name: Display Agent Assigned Name from CM
      debug: var=device.stdout
    - name: get engid
      shell: egrep 'engid =' /etc/aella/aos.yaml | awk '{print $4}'
      register: engid
    - name: Display engid
      debug: var=engid.stdout

The required modifications to this file include:

  1. In the vars: section, change the cm_ip value to the IP address that is assigned to the data processor. This is the address that the installed sensor will use to send data.

The file can then be used as described above.

To download the sample Ansible install file, use the following command:

curl -k -u AellaMeta:WroTQfm/W6x10 -o aella-agent-install.yml https://acps.stellarcyber.ai/release/4.3.7/datasensor/aella-agent-install.yml

Inventory File

A sample Ansible inventory is shown as follows:

[hosts_centos]
192.168.1.113

[hosts_centos:vars]
ansible_connection=ssh
ansible_port=22
ansible_user=aella
ansible_ssh_pass=aella
ansible_become_pass=aella
ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'

[target:children]
hosts_centos

The modifications to this file include:

  1. Update the [hosts_centos] section to include the IP addresses of all target systems.
  2. Change the ansible_ssh_pass value.
  3. Change the ansible_become_pass value.

The file may then be used as described above.

To download the sample Ansible inventory file, use the following command:

curl -k -u AellaMeta:WroTQfm/W6x10 -o aella-agent-inventory https://acps.stellarcyber.ai/release/4.3.7/datasensor/aella-agent-inventory
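Before uploading the two files, it is worth checking that the required modifications were actually made and noting what the sample settings disable. The following pre-deployment lint is an added example, not Stellar Cyber's code; it embeds constructed, trimmed copies of the sample inventory and playbook above and reports unchanged sample values (cm_ip, the aella passwords), plaintext passwords, and the host-key and TLS verification switches the samples turn off.

```python
import configparser
import re

# Constructed copies of the sample files above, trimmed to the lines the checks look at.
SAMPLE_INVENTORY = """\
[hosts_centos]
192.168.1.113

[hosts_centos:vars]
ansible_user=aella
ansible_ssh_pass=aella
ansible_become_pass=aella
ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
"""
SAMPLE_PLAYBOOK = """\
  vars:
    cm_ip: 192.168.1.223
  tasks:
    - shell: |
        curl -k -u user310:PLACEHOLDER https://{{cloud_url}}/ds_centos_install.sh -o /tmp/ds.sh --fail
"""

def lint_inventory(text):
    """Return findings for an Ansible INI inventory, one string per issue."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",), interpolation=None)
    cp.read_string(text)  # bare host lines parse as keys with no value
    findings = []
    for section in cp.sections():
        if not section.endswith(":vars"):
            continue
        group, vals = section[:-5], dict(cp.items(section))
        for key in ("ansible_ssh_pass", "ansible_become_pass"):
            if vals.get(key) == "aella":  # unchanged sample password
                findings.append(f"{group}: {key} still set to the sample value")
        if "ansible_ssh_pass" in vals:
            findings.append(f"{group}: ansible_ssh_pass is plaintext; prefer SSH keys or ansible-vault")
        args = (vals.get("ansible_ssh_common_args") or "").lower()
        if "stricthostkeychecking=no" in args:
            findings.append(f"{group}: StrictHostKeyChecking=no disables SSH host key verification")
    return findings

def lint_playbook(text):
    """Return findings for the playbook text (plain regex scan, no YAML parser needed)."""
    findings = []
    m = re.search(r"^\s*cm_ip:\s*(\S+)", text, re.M)
    if m is None:
        findings.append("cm_ip is not set")
    elif m.group(1) == "192.168.1.223":  # the value shipped in the sample
        findings.append("cm_ip still set to the sample value 192.168.1.223")
    if re.search(r"\bcurl\b[^\n]*\s(-k|--insecure)\b", text):
        findings.append("curl -k disables TLS certificate verification for the installer download")
    return findings
```

Run lint_inventory and lint_playbook on the edited files; an empty list from both means the sample values were replaced and no verification switch remains.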

For more information on installing Linux Agent sensors, see the Linux Agent install page.

Windows Deployment

Click the Windows tab to deploy Windows Server sensors in a screen similar to the following:

There are two independent functions on this page.

  • Agent – This section configures an MSI image and downloads it to the local browser environment as an MSI file.
  • GPO - Bulk Installations – This section downloads an MST image to the local browser environment which can be used in a Windows Active Directory installation.

Agent

Supply the following information to download a customized Agent installer:

  • Architecture – This field selects between 32-bit or 64-bit architectures. This must be set to match the architecture type of the system where the agent will be installed. This controls which image is downloaded.
  • Tenant Name – The Tenant to which the sensor will be assigned. If there is no particular tenant use the Root Tenant option.
  • CM Address – This field accepts either an IP address or a DNS address of the Data Processor. The installed sensor will connect to this address.

When the form values are set, you can select the Agent Installer button. The MSI installation file will be downloaded into the download directory in the browser environment.

The Tenant Name and CM Address form values also update the installation instructions shown in this section. In particular, the Tenant ID number is displayed there; it is needed when the agent is installed.

The downloaded file can then be transferred to a target system and run either by double-clicking or double-tapping it in File Explorer, or from a command line such as the following.

msiexec /i <full_path_name_of_msi_file> /quiet CM_HOST=myportal.mydomain.com TENANT_ID=62802740 TENANT_NAME=CompanyABCD

See the Windows Agent installation page for more information on working with these files.

GPO - Bulk Installations

This section provides no options. You can click the Configuration(MST) button to download the MST file into the browser environment's local download folder.

Refer to the Microsoft Active Directory Administrator's manual for further information on working with MST files.