Installing a Linux Server Sensor

This article describes how to install a Linux Server Sensor in a supported operating system.

A Linux server sensor is a managed background daemon that works as a modular sensor (without log forwarding) and monitors:

  • Process info
  • Command execution
  • Files
  • File events

The server sensor converts that information to metadata and forwards it to the DP as Interflow. The DP can then correlate traffic, processes, users, and commands for security, DDoS, and breach attempt detections.

The server sensor launches the following processes:

  • aella_audit—collects audit logs and provides file integrity monitoring
  • aella_conf—handles the configuration
  • aella_ctrl—monitors other services, and can stop or start them based on the configuration
  • aella_flow—collects metadata in traffic
  • aella_mon—collects system resource usage, including CPU, RAM, and disk

Data collected by the Linux server sensor can feed the following Stellar Cyber indices:

  • Traffic (aella-adr-*)

  • Linux Events (aella-audit-*)

  • Sensor Monitoring (aella-ade-*)

Choosing an Installation Script

Stellar Cyber provides two different installation scripts for the Linux Server Sensor:

  • ds_linux_install_all_in_one.sh is an entirely self-contained installation script that includes the images for all supported target environments. Because of this, it does not require access to the Internet and can be used in dark sites. However, it is quite large (on the order of ~700 MB).

  • ds_linux_install.sh does not bundle images with the script and instead pulls the correct image from the Stellar Cyber production server at run time. Because of this, it is much smaller than the all-in-one script (on the order of 10 KB, plus the single 200 MB image pulled from Stellar Cyber production servers).

    To support dark site installation, the ds_linux_install.sh script can also point to a local copy of the image with the -p/--package parameter. However, it is generally simpler to use ds_linux_install_all_in_one.sh for dark site installations because it contains everything you need in a single package.

The details of the two scripts (name, type/size, usage, dark site support, pros, and cons) are as follows:

ds_linux_install.sh

  Type/Size: Small. Installer does not include images and is roughly 10 KB. If used without the -p/--package parameter, the single image pulled from Stellar Cyber production servers is roughly 200 MB.

  Dark Site Support: Yes, but only if the installation image is downloaded separately, copied to the target machine, and pointed to with the -p/--package parameter at run time.

  Pros: Script is small and only downloads the one image required for installation.

  Cons: Internet access required in most use cases.

ds_linux_install_all_in_one.sh

  Type/Size: Large. Installer includes images for all supported target environments and is roughly 700 MB.

  Usage: Mostly identical. Obtain credentials from Customer Support, download and execute the script with optional arguments.

  Dark Site Support: Yes, with no further download.

  Pros: Supports dark site installation with no further downloads.

  Cons: Script is large.

Supported Operating Systems

The list below summarizes the operating systems supported for Linux Server Sensor installation in the 5.3.0 release.

For all operating systems, you can choose either the small (ds_linux_install.sh) or large (ds_linux_install_all_in_one.sh) script, depending on your installation requirements.

Note that support for Kali Linux 2023.4, Rocky Linux 9, Oracle Linux 8.6, Oracle Linux 8.8, SUSE 12 SP5, and SUSE 15 SP5 is new in the 5.3.0 release.

  • Alma Linux 9

  • Amazon Linux 2 and 2023

  • CentOS 7 and 8

  • Debian 8, 9, 10, 11, and 12

  • Kali Linux 2023.4

  • Linux Mint 18, 19, 20, 21

  • Oracle Linux 7, 8.5, 8.6, 8.8

  • Red Hat Enterprise Linux 7, 8, and 9

  • Rocky Linux 8 and 9

  • SUSE Linux 12 SP3-SP5

  • SUSE Linux 15 GA, SP1-SP5

  • Ubuntu 16.04, 18.04, 20.04, 21.04, and 22.04

About the ds_linux_install.sh Script in Previous Releases

The 4.3.7 release included a self-contained installation script called ds_linux_install.sh. The 5.1.1 release (and later) replaced that installer with the ds_linux_install_all_in_one.sh script and reverted the ds_linux_install.sh script back to its pre-4.3.7 behavior, downloading images from Stellar Cyber instead of bundling them with the installer.

Installation Prerequisites

  • See the minimum system requirements for installing a Linux agent sensor.

  • All the procedures that follow require that you are logged in to an account with sufficient system storage and sudo access.

  • Both installation scripts require the curl, ntp, and zip packages on the target machine. The installer checks for the presence of curl before installing and returns an error if it is not found.

Python Requirements

Version 5.3.0 does not require or use Python 2 in any of the supported environments listed above. Python 3 is used in all supported Linux server sensor environments.

CentOS 8 Prerequisite – Update the Base URL

You must update the source link for some CentOS 8 environments to vault.centos.org instead of mirror.centos.org to ensure that dependent packages can be installed.

This issue is present in CentOS 8.5.2111 but may also exist in other CentOS 8 versions. The symptom for this issue is typically a series of No URLs in mirrorlist errors when installing in CentOS 8. 

The following commands make the necessary changes for most environments to ensure that dependent packages can be downloaded from vault.centos.org:

cd /etc/yum.repos.d/
sudo sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
sudo sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
sudo yum update -y

CentOS 7.9.2009 Prerequisite – Enable the EPEL Repository for pip Installation

CentOS 7.9.2009 does not install pip by default because it is not available in the core CentOS 7 repositories. To ensure that pip is installed, you must enable the Extra Packages for Enterprise Linux (EPEL) repository. This repository provides additional packages (including pip) that aren't included in the standard CentOS and Red Hat repositories.

Perform the following steps to enable the EPEL repository and install pip:

  1. Add the EPEL repository with the following command:

    sudo yum install epel-release

  2. Install pip with the following command:

    sudo yum install python-pip

  3. Verify pip installation with the following command:

    pip --version

Red Hat 7.x AWS Prerequisites

When running Red Hat 7.x in the AWS environment, you must perform the following steps before downloading and installing the Server Sensor:

  1. Use the following commands to enable the required repository access:

    sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    sudo yum install -y yum-utils
    sudo yum-config-manager --enable epel
    
  2. The current libssh library must be manually downloaded from the following URL. A Red Hat login is required.

    https://access.redhat.com/downloads/content/libssh/0.7.1-3.el7/x86_64/fd431d51/package
    
  3. The downloaded RPM file can then be installed with the following command:

    sudo rpm -i <downloaded rpm>
    

NUMA Requirements

To prevent configuration errors, Stellar Cyber recommends that you do not install the Linux Server Sensor on target hosts with two NUMA nodes. You can use the following command to check the number of NUMA nodes in your target host:

$ lscpu | grep -i numa

For example, this is the output returned by this command on a system with two NUMA nodes:

$ lscpu | grep -i numa
NUMA node(s):          2
NUMA node0 CPU(s):     0-19,40-59
NUMA node1 CPU(s):     20-39,60-79
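
A pre-flight check covering the prerequisites above (curl, ntp and zip installed, the distribution in the Supported Operating Systems list, and the NUMA node count). This is an added example, not part of Stellar Cyber's installer; it assumes /etc/os-release, lscpu and either dpkg-query or rpm exist on the host, and it matches only the distribution ID and major version, so the minor/SP restrictions in the list (Oracle 8.5/8.6/8.8, SUSE service packs, Ubuntu point releases) still need a manual check.

```shell
#!/bin/sh
# Added pre-flight check for the prerequisites on this page; not part of the
# Stellar Cyber installer. Assumes /etc/os-release, lscpu, dpkg-query or rpm.

# ID= values from /etc/os-release and major versions taken from the Supported
# Operating Systems list. Minor/SP limits are not encoded here.
SUPPORTED="almalinux:9 amzn:2 amzn:2023 centos:7 centos:8 debian:8 debian:9
debian:10 debian:11 debian:12 kali:2023 linuxmint:18 linuxmint:19 linuxmint:20
linuxmint:21 ol:7 ol:8 rhel:7 rhel:8 rhel:9 rocky:8 rocky:9 sles:12 sles:15
ubuntu:16 ubuntu:18 ubuntu:20 ubuntu:21 ubuntu:22"

# Reads os-release text on stdin, prints ID:major, returns 0 if it is listed.
os_supported() {
  rel=$(cat)
  id=$(printf '%s\n' "$rel" | sed -n 's/^ID=//p' | tr -d '"')
  major=$(printf '%s\n' "$rel" | sed -n 's/^VERSION_ID=//p' | tr -d '"' | cut -d. -f1)
  echo "$id:$major"
  for s in $SUPPORTED; do [ "$s" = "$id:$major" ] && return 0; done
  return 1
}

# Reads lscpu output on stdin and prints the "NUMA node(s)" count (empty if absent).
numa_nodes() {
  awk -F: '/^NUMA node\(s\)/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Prints the names of the required packages (curl, ntp, zip) that are not installed.
missing_pkgs() {
  for p in curl ntp zip; do
    if command -v dpkg-query >/dev/null 2>&1; then
      dpkg-query -W -f='${Status}\n' "$p" 2>/dev/null | grep -q 'install ok installed' || echo "$p"
    elif command -v rpm >/dev/null 2>&1; then
      rpm -q "$p" >/dev/null 2>&1 || echo "$p"
    fi
  done
}

if [ -r /etc/os-release ]; then
  if os_supported </etc/os-release; then echo "distribution: listed as supported"
  else echo "distribution: NOT in the supported list; check Supported Operating Systems"; fi
fi
nodes=$(lscpu 2>/dev/null | numa_nodes)
if [ "${nodes:-1}" -ge 2 ]; then
  echo "WARNING: $nodes NUMA nodes detected; Stellar Cyber recommends against two-node hosts"
fi
missing=$(missing_pkgs)
if [ -n "$missing" ]; then echo "missing packages:" $missing; else echo "curl, ntp and zip are installed"; fi
```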

Monitoring a Bonded Interface

Linux Server Sensors can monitor bonded interfaces using Mode 1. Keep in mind, however, that a Linux Server Sensor monitoring a bonded interface cannot forward traffic using the VXLAN Forwarding feature.

Installation Summary

Regardless of the Linux version, the main steps to perform an installation are as follows:

  1. Open ports on your firewall for the sensor.

  2. Use the information in Choosing an Installation Script to select which installation script you want to use. Then, download the script from the Stellar Cyber production server.

  3. Use the instructions in the sections below to run the installation script and verify the installation.

  4. Use the aella_cli command to start the agent CLI. Then, use the set cm command to set the IP address to reach the management interface of the DL master in a DP cluster (or DP in a single DP deployment). Alternatively, if you have a data aggregator deployed, use the set aggregator command to specify the IP address of the destination aggregator.

  5. Log on to Stellar Cyber, check the presence of the new sensor, and provide it with authorization. This process is documented in the Sensor Overview topic.

If you are using the small installation script without the -p/--package parameter, the target system must have network access to the Stellar Cyber production servers to download the correct image. You can also install a Linux agent sensor on a system without internet access (a dark site) using either the large or small installation script.

Exclude Server Sensor from AV/EDR Scanning

Stellar Cyber recommends that you prevent potential conflicts by configuring any anti-virus or EDR software installed on the same host as the Server Sensor to exclude the Server Sensor installation directories from scanning. The directories to exclude for a Linux Server Sensor are as follows:

Server Sensor Type: Linux

Folders/Files to Exclude from AV/EDR Scanning:

  • /var/aella

  • /var/log/aella

  • /opt/aella

  • /opt/aelladata

Installing the Linux Server Sensor with the Small Script

The following procedure explains how to use the small installation script (ds_linux_install.sh) to install the Linux Server Sensor.

  1. See the Supported Operating Systems for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command retrieves the installation script:

    curl -k -u login:password -o ds_linux_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_linux_install.sh --fail

    Substitute the exact release number for version. For example, if the version is 5.3.0, enter this:

    curl -k -u login:password -o ds_linux_install.sh https://acps.stellarcyber.ai/release/5.3.0/datasensor/ds_linux_install.sh --fail

  4. Run the script with the following command:

    sudo bash ds_linux_install.sh -v version
    

    Substitute the exact release number for version. For example, if the version is 5.3.0, enter this:

    sudo bash ds_linux_install.sh -v 5.3.0
    

    Refer to Supported Arguments for Installation Scripts for additional arguments you can use to customize the installation. The only required argument is the -v argument for the sensor software version.

  5. When the installation completes, configure the agent sensor.

Installing the Linux Server Sensor with the All-In-One Script

The following procedure explains how to use the all-in-one installation script (ds_linux_install_all_in_one.sh) to install the Linux Server Sensor.

  1. See the Supported Operating Systems for supported versions.

  2. Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials.

  3. The following command retrieves the installation script:

    curl -k -u login:password -o ds_linux_install_all_in_one.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_linux_install_all_in_one.sh --fail

    Substitute the exact release number for version (for example, 5.3.0).

  4. Run the script with the following command:

    sudo bash ds_linux_install_all_in_one.sh <arguments>
    

    Refer to Supported Arguments for Installation Scripts for additional arguments you can use to customize the installation.

  5. When the installation completes, configure the agent sensor.

Supported Arguments for Installation Scripts

The following list describes the supported arguments (short | long form) for the ds_linux_install.sh and ds_linux_install_all_in_one.sh scripts:

-v | --version

Use this argument to specify the target software version to be installed.

--cm

Optional. You can use this argument to specify the IP address of the managing Stellar Cyber DP for this server sensor. Alternatively, you can do it after sensor installation using the instructions in Linux Server Sensor Configuration.

Note that this option is mutually exclusive with the --token and --token_file options. You connect server sensors to their managing Stellar Cyber servers differently depending on whether they have an "s" in their version number:

  • Servers without an "s" in their version number (for example, 5.1.1) – Connect the server sensor using the IP address of the managing server, either with the --cm option or the instructions in Linux Server Sensor Configuration. These are typically physical DPs, or virtual DPs that you installed from an image obtained from Stellar Cyber or that Stellar Cyber installed for you. You may also have heard these servers referred to informally as "on-prem" or "pre-SaaS".

  • Servers with an "s" in their version number (for example, 5.2.0s) – Connect the server sensor using either a token or a token file. The token/token file has the IP address embedded along with its authorization. These are typically cloud-based servers used as a service from Stellar Cyber. You may also have heard these servers referred to informally as "SaaS."

--tenant_id

Optional. You can use this argument to specify the tenant ID for this server sensor. Alternatively, you can do it after sensor installation using the instructions in Linux Server Sensor Configuration.

-t | --token
-F | --token_file

Use these options to connect a server sensor to a managing Stellar Cyber server that has an "s" in its version number. You typically use these options with an installer you downloaded directly from a Stellar Cyber server rather than the production build servers. The token or token file is also obtained from the same Stellar Cyber server.

These options are mutually exclusive with the --cm option and with one another. As described above, you use either an IP address or a token to connect a server sensor to its managing Stellar Cyber server, but not both.

Similarly, if you are using a token, you apply it either as a string (the -t option) or a file (the -F option), but not both.

-c | --check

Shows system information, helping you decide whether system resources are sufficient to support server sensor installation.

-p | --package

Use this option to perform a dark site installation, supplying the full path to the image you downloaded separately and copied to the target system. Refer to Installing a Linux Server Sensor in a Dark Site for details.

Linux Server Sensor Configuration

Once the services are installed and operating, use the following procedure to configure the Linux Server Sensor:

  1. Use the aella_cli command to start the CLI.

  2. If the sensor is to be assigned to a tenant, enter the command set tenant_id <tenant-id> where the <tenant-id> is replaced by the tenant ID.

  3. If you did not use the --cm argument as part of the sensor installation, use the set cm command as shown in the following examples.

    set cm dataprocessor.samplecompany.com

    or

    set cm 64.71.33.100
    

    This command specifies the IP address to reach the management interface of the Data Processor. For a DP cluster, this is the IP address of the DL-master's management interface. For a single DP deployment, this is simply the DP's management IP address. You can supply either an IP address or a hostname.

  4. If you have a data aggregator installed, use that IP address instead of the DP's management interface. For example:

    set aggregator <primary IP address> <secondary IP address>

    Once this is done, the server sensor connects to the data processor and registers its presence.

    If you encounter a situation where the IP address for the aggregator unexpectedly resets to 0.0.0.0, it is possible that the aggregator configuration for the sensor is mismatched between the local CLI configuration and the DP. You can resolve this issue by specifying the correct IP address for the sensor's Primary Aggregator in the System | Sensors | Edit Sensor Parameters dialog box on the DP.

  5. Exit the CLI with the quit command.

Continue with Authorizing Sensors.

Authorizing Sensors

You must authorize the sensor when it appears in the network.

You can authorize multiple sensors at a time. So if you're installing multiple sensors, install them all, then authorize them all at once.

Debian and Ubuntu Uninstall

To uninstall a sensor on Debian or Ubuntu:

apt-get remove aellads

CentOS, Red Hat 6.7, AWS Linux 2 Uninstall

To uninstall a sensor on CentOS or Red Hat:

yum remove aellads