Installing a Linux Server Sensor in a Dark Site

This article describes how to install a Linux server sensor in a supported operating system on a site without internet connectivity (a dark site).

A Linux server sensor is a managed background daemon that works as a modular sensor without log forwarding that also monitors:

  • Process info
  • Command execution
  • Files
  • File events

The server sensor converts that information to metadata and forwards it to the DP as Interflow. The DP can then correlate traffic, processes, users, and commands for security, DDoS, and breach attempt detections.

The server sensor launches the following processes:

  • aella_audit—collects audit logs and provides file integrity monitoring
  • aella_conf—handles the configuration
  • aella_ctrl—monitors other services, and can stop or start them based on the configuration
  • aella_flow—collects metadata in traffic
  • aella_mon—collects system resource usage, including CPU, RAM, and disk

Data collected by the Linux server sensor can feed the following Stellar Cyber indices:

  • Traffic (aella-adr-*)

  • Linux Events (aella-audit-*)

  • Sensor Monitoring (aella-ade-*)

Choosing an Installation Script

There are two different ways to install a Linux Server Sensor in a dark site:

  • All-In-One Installation – The ds_linux_install_all_in_one.sh script is entirely self-contained and includes the images for all supported target environments. Because of this, it does not require access to the Internet and can be used in dark sites. However, because it includes the images for all supported environments, it is quite large (on the order of ~700 MB).

  • Script and Package Installation – The ds_linux_install.sh script does not bundle images with the script. However, it can be used with the -p/--package parameter to point to a local copy of an image you download separately and copy to the target system. With this technique, the total download is smaller because you only need to download the correct image for your target OS and the script itself, which is quite small.

Refer to Choosing an Installation Script for details on the differences between the two scripts.

Supported Operating Systems

The table below summarizes the operating systems supported for dark site installations. For each operating system, you use ONE of the following techniques:

  • Download only the ds_linux_install_all_in_one.sh script and copy it to the target system. This script includes all the necessary images and requires no further software.

  • Download the ds_linux_install.sh script AND the image file corresponding to your target environment from the table below.

Target OS

Image File for Use with
ds_linux_install.sh

Installation Scripts

Alma Linux

aellads-5.1.1-1.redhat-binary.x86_64.rpm

Either of the following are supported for all operating systems:

  • ds_linux_install.sh

  • ds_linux_install_all_in_one.sh

 

 

 

Amazon Linux 2
CentOS 7, 8
Oracle Linux 8.5
Red Hat 7, 8, 9
Rocky Linux 8
Debian 8, 9, 10, 11, 12

aellads_5.1.1ubuntu1-binary_amd64.deb

Linux Mint 18, 19, 20, 21
Ubuntu 16.04, 18.04, 20.04, 21.04 or 22.04
SUSE 12 SP3 or SP4
SUSE 15 GA, SP1-SP4

aellads-5.1.1.1-1.suse-binary.x86_64.rpm

Installation Prerequisites

  • Click to see the minimum system requirements for installing a Linux server sensor.

  • All the procedures that follow require that you are logged in to an account with sufficient system storage and sudo access.

  • Dark site installation requires a USB drive to move the Stellar Cyber software from the machine where you downloaded it to the target machine without internet access.

  • Both installation scripts require the curl, ntp, and zip packages on the target machine. The installer checks for the presence of curl before installing and returns an error if it is not found.

Installation Summary

Regardless of the Linux version the main steps to perform a dark site installation are as follows:

  1. Open ports on your firewall for the sensor.

  2. Use the information in Choosing an Installation Script to select which installation script you want to use. Then, download the necessary software from the Stellar Cyber production server to a system with access to the internet:

    • All-In-One Installation – Download just ds_linux_install_all_in_one.sh.
    • Script and Package Installation – Download ds_linux_install.sh and the image for your target operating system from the table in Supported Operating Systems.

  3. Copy the Stellar Cyber software you downloaded in the previous step to the target dark site machine.

  4. Use the instructions in the sections below to run the installation script and verify the installation.

  5. Configure the IP address of the Stellar Cyber data processor (or a data aggregator if you have one) on the agent sensor.

  6. Authorize the sensor.

Exclude Server Sensor from AV/EDR Scanning

Stellar Cyber recommends that you prevent potential conflicts by configuring any anti-virus or EDR software installed on the same host as the Server Sensor to exclude the Server Sensor installation directories from scanning. The directories to exclude for a Linux Server Sensor are as follows:

Server Sensor Type

Folders/Files to Exclude from AV/EDR Scanning

Linux

/var/aella

/var/log/aella

/opt/aella

/opt/aelladata

Downloading the Server Sensor Software

Use the following procedure to download the Server Sensor software. Keep in mind the following:

  • If you are installing using the all-in-one script, you download only ds_linux_install_all_in_one.sh.

  • If you are installing using the script-and-package technique, you download both ds_linux_install.sh and the image file corresponding to your target operating system from Supported Operating Systems.

  1. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  2. Refer to the Installation Matrix for supported target operating systems.
  3. If you are using the all-in-one installation script, download it to a local system with access to the internet using the following command:

    curl -k -u login:password https://acps.stellarcyber.ai/release/5.1.1/datasensor/ds_linux_install_all_in_one.sh -O --fail

    For installations using the all-in-one script, no further downloads are necessary.

  4. If you are using the script-and-package technique, copy the ds_linux_install.sh script and the image for your target environment to a local system with access to the internet using the commands appropriate for your operating system below. Click the appropriate version below to display the commands.

Installing with the All-In-One Script

The following procedure explains how to use the all-in-one installation script (ds_linux_install_all_in_one.sh) to install the Linux Server Sensor on a dark site.

  1. Copy the downloaded software to a USB drive.

  2. Mount the USB drive on the target dark system.

  3. Copy the downloaded software to a directory on the target dark system.

  4. On the target system, cd to the directory where you copied the files.

  5. Run the script with the following command:

    sudo bash ds_linux_install_all_in_one.sh <arguments>
    

    Refer to Supported Operating Systems for additional arguments you can use to customize the installation.

  6. When the installation completes, configure the agent sensor.

Installing with the Script-and-Package Technique

This section provides installation instructions for the script-and-package technique.

  1. Copy the downloaded software to a USB drive.

  2. Mount the USB drive on the target dark system.

  3. Copy the downloaded software to a directory on the target dark system.

  4. On the target system, cd to the directory where you copied the files.

  5. Run the script to install the sensor. Keep in mind the following when running the script:

    • The script uses either the -p or --package argument to specify the path of the image file.

    • You must specify the full path to the image file, regardless of whether the image is in the same folder as the script.

    For Red Hat, CentOS, Amazon, Oracle, Rocky, and Alma Linux:

    sudo bash ds_linux_install.sh -p [path]/aellads-5.1.1-1.redhat-binary.x86_64.rpm

    For Ubuntu , Debian, and Mint Linux:

    sudo bash ds_linux_install.sh -p [path]/aellads_5.1.1ubuntu1-binary_amd64.deb

    For SUSE:

    sudo bash ds_linux_install.sh -p [path]/aellads-5.1.1-1.sles12.x86_64.rpm

    The script installs the sensor. When it finishes, an install package done message appears.

    Examples

    Here are examples of the commands when the image is stored under /home/stellar.

    Red Hat, CentOS, Amazon, Oracle, Rocky, and Alma Linux sudo bash ds_linux_install.sh -p /home/stellar/aellads-5.1.1-1.redhat-binary.x86_64.rpm
    Ubuntu , Debian, and Mint Linux sudo bash ds_linux_install.sh -p /home/stellar/aellads_5.1.1ubuntu1-binary_amd64.deb
    SUSE sudo bash ds_linux_install.sh -p /home/stellar/aellads-5.1.1-1.sles12.x86_64.rpm

Supported Arguments for Installation Scripts

The table below lists and describes the supported arguments for the ds_linux_install.sh and ds_linux_install_all_in_one scripts in a dark site installation:

Argument (Short)

Description

--cm

Optional. You can use this argument to specify the IP address of the managing Stellar Cyber DP for this server sensor. Alternatively, you can do it after sensor installation using the instructions in Linux Server Sensor Configuration.

-c | --check Shows system information, helping you decide whether system resources are sufficient to support server sensor installation.

-p | --package

Use this option to perform a dark site installation, supplying the full path to the image you downloaded separately and copied to the target system.

Linux Server Sensor Configuration

Once the services are installed and operating, use the following procedure to configure the Linux Server Sensor:

  1. Use the aella_cli command to start the CLI.

  2. If the sensor is to be assigned to a tenant, enter the command set tenant_id <tenant-id> where the <tenant-id> is replaced by the tenant ID.
  3. If you did not use the --cm argument as part of the sensor installation, use the set cm command as shown in the following examples.

    set cm dataprocessor.darksite.net

    or

    set cm 192.168.1.100
    

    This command specifies the IP address to reach the management interface of the Data Processor. For a DP cluster, this is the IP address of the DL-master's management interface. For a single DP deployment, this is simply the DP's management IP address. You can supply either an IP address or a hostname.

  4. If you have a data aggregator installed, use that IP address instead of the DP's management interface. For example:

    set aggregator <primary IP address> <secondary IP address>

    Once this is done, the server sensor connects to the data processor and registers its presence.

  5. Exit the CLI with the quit command.

Authorizing Sensors

You must authorize the sensor when it appears in the network.

You can authorize multiple sensors at a time. So if you're installing multiple sensors, install them all, then authorize them all at once.

Upgrading the Agent Sensor

You can upgrade the sensor as you normally would.