Deploy Threat Stack Agent 1.x Series


Overview

This document describes pre-installation, installation, and configuration steps for the Threat Stack host-based Agent 1.x series.

Tip

Threat Stack maintains a list of supported Operating Systems (OSs). Ensure your environment is compatible with the supported OSs.

Pre-Installation for the Threat Stack Agent

Before you install the Threat Stack host-based Agent, you must prepare your Linux OS to work with the Agent.

The Threat Stack host-based Agent uses the Linux Audit Framework to collect file, network, and process data. The Agent uses the following kernel services:

  • auditd
  • inotify
  • fanotify

Note

Only one userspace consumer can own the kernel audit interface at a time, and tools that also register inotify or fanotify watches compete with the Agent for the same events. Before deploying the Agent, confirm that no other tool (for example a running auditd or another host-monitoring agent) is using these kernel services.
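The conflict check described in the Note above, written out as a pre-flight script. This is an added example, not Threat Stack tooling: it parses the output of `auditctl -s` (the `pid` field names the process that currently owns the audit netlink socket, 0 when nobody does, and `enabled 2` means the audit configuration is locked until reboot) and refuses to proceed when another consumer is present. The two sample status blocks are constructed so the parsers can be exercised offline; `--live` runs the real check and needs root and the audit userspace tools.

```shell
#!/bin/sh
# Added example (not Threat Stack's own tooling): pre-flight check for a
# competing consumer of the Linux audit subsystem before installing the Agent.

# audit_owner_pid STATUS_TEXT
#   Extract the owning pid from "auditctl -s" output; prints 0 when no
#   process has claimed the audit socket.
audit_owner_pid() {
    printf '%s\n' "$1" | awk '$1 == "pid" { print $2; found = 1; exit } END { if (!found) print 0 }'
}

# audit_enabled STATUS_TEXT
#   Prints the "enabled" flag: 0 = off, 1 = on, 2 = locked until reboot.
audit_enabled() {
    printf '%s\n' "$1" | awk '$1 == "enabled" { print $2; found = 1; exit } END { if (!found) print 0 }'
}

# audit_conflict STATUS_TEXT
#   Returns 0 (true) when some process already owns the audit socket.
audit_conflict() {
    [ "$(audit_owner_pid "$1")" -ne 0 ]
}

# preflight
#   Live check against this host. Requires root and auditctl.
preflight() {
    status="$(auditctl -s 2>/dev/null)" || { echo "auditctl unavailable or not root" >&2; return 2; }
    pid="$(audit_owner_pid "$status")"
    if [ "$pid" -ne 0 ]; then
        owner="$(ps -o comm= -p "$pid" 2>/dev/null)"
        echo "audit socket already owned by pid $pid (${owner:-unknown}); stop it before installing the Agent" >&2
        return 1
    fi
    if [ "$(audit_enabled "$status")" -eq 2 ]; then
        echo "audit configuration is locked (enabled=2); reboot before the Agent can reconfigure it" >&2
        return 1
    fi
    echo "no competing audit consumer found"
}

# Constructed samples of "auditctl -s" output (not captured from a real host),
# one from a machine running auditd and one with no audit consumer.
SAMPLE_AUDITD_RUNNING='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

SAMPLE_NO_CONSUMER='enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 320
lost 0
backlog 0'

if [ "${1:-}" = "--live" ]; then preflight; fi
```

On a host where `preflight` reports a competing owner, stop and disable that service (for auditd, `systemctl stop auditd` followed by `systemctl disable auditd`) before running the install steps below, and make sure configuration management does not restart it afterwards.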

Prerequisites

Ensure your environment is in compliance with Threat Stack System Requirements.
Install the Threat Stack Agent

The method of Agent installation depends on your Linux OS.

Prerequisites

  • Access to the Threat Stack Console
  • If you use a Debian-based OS (Debian or Ubuntu), install the apt HTTPS transport (the apt-transport-https package) so apt can fetch packages from the Threat Stack repository

Tip

Use side-by-side windows – one browser window for Threat Stack and one window for the Command Line – to complete these instructions.

Begin Agent Installation

Threat Stack automatically walks customers through an Agent install on the Servers page.
  1. Log into Threat Stack.
  2. Click Servers. The Servers page displays.


  3. Click the + Add Server button. The + Add Server dialog displays.


  4. Proceed to the set of instructions, below, specific to your OS.
Amazon Linux

Tip

Confirm your Amazon Linux OS matches a Threat Stack supported version on the list of supported OSs.

  1. Open the Command Line.
  2. Go to the server node.
  3. Go to /etc/yum.repos.d/.
  4. Create a .repo file titled “threatstack.repo”.
  5. In the Threat Stack browser window, in the + Add Server dialog, select the Amazon Linux button.
  6. Confirm the Investigate radio button is selected.
  7. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. More information on base rulesets and their compliance abilities here.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  8. In the Threat Stack browser window, under the Add the following repository information to /etc/yum.repos.d/threatstack.repo field, click the Copy to clipboard button.
  9. In the Command Line, in the .repo file you created in step 4, paste the repository information and press ENTER.
  10. In the Threat Stack browser window, under the Import our PGP key field, click the Copy to clipboard button.
  11. In the Command Line, paste the PGP key and press ENTER.
  12. In the Threat Stack browser window, under the Install and configure the agent field, click the Copy to clipboard button.
  13. In the Command Line, paste the install and configure instructions.
  14. Do one of the following:
    • If this install is on a host that will be captured as an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:
      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      A registered Agent baked into an image gives every server launched from that image the same Agent ID.

    • If this install is on a single server, then do nothing.
  15. Press ENTER. The Threat Stack host-based Agent installs on the OS.
  16. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMI’s.
CentOS

The Agent install process for CentOS depends on the version of CentOS.

Tip

Confirm your CentOS / RHEL OS matches a Threat Stack supported version on the list of supported OSs.

CentOS / RHEL 6
  1. Open the Command Line.
  2. Go to the server node.
  3. Go to /etc/yum.repos.d/.
  4. Create a .repo file titled “threatstack.repo”.
  5. In the Threat Stack browser window, in the + Add Server dialog, click the Centos/RHEL button and select Centos/RHEL 6.
  6. Confirm the Investigate radio button is selected.
  7. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. More information on base rulesets and their compliance abilities here.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  8. In the Threat Stack browser window, under the Add the following repository information to /etc/yum.repos.d/threatstack.repo field, click the Copy to clipboard button.
  9. In the Command Line, in the .repo file you created in step 4, paste the repository information and press ENTER.
  10. Under the Import our PGP key field, click the Copy to clipboard button.
  11. In the Command Line, paste the PGP key and press ENTER.
  12. In the Threat Stack browser window, under the Install and configure the agent field, click the Copy to clipboard button.
  13. In the Command Line, paste the install and configure instructions.
  14. Do one of the following:
    • If this install is on a host that will be captured as an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:
      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      A registered Agent baked into an image gives every server launched from that image the same Agent ID.

    • If this install is on a single server, then do nothing.
  15. Press ENTER. The Threat Stack host-based Agent installs on the OS.
  16. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMI’s.
CentOS / RHEL 7 OS
  1. Open the Command Line.
  2. Go to the server node.
  3. Go to /etc/yum.repos.d/.
  4. Create a .repo file titled “threatstack.repo”.
  5. In the Threat Stack browser window, in the + Add Server dialog, click the Centos/RHEL button and select Centos/RHEL 7.
  6. Confirm the Investigate radio button is selected.
  7. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. More information on base rulesets and their compliance abilities here.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  8. In the Threat Stack browser window, under the Add the following repository information to /etc/yum.repos.d/threatstack.repo field, click the Copy to clipboard button.
  9. In the Command Line, in the .repo file you created in step 4, paste the repository information and press ENTER.
  10. In the Threat Stack browser window, under the Import our PGP key field, click the Copy to clipboard button.
  11. In the Command Line, paste the PGP key and press ENTER.
  12. In the Threat Stack browser window, under the Install and configure the agent field, click the Copy to clipboard button.
  13. In the Command Line, paste the install and configure instructions.
  14. Do one of the following:
    • If this install is on a host that will be captured as an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:
      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      A registered Agent baked into an image gives every server launched from that image the same Agent ID.

    • If this install is on a single server, then do nothing.
  15. Press ENTER. The Threat Stack host-based Agent installs on the OS.
  16. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMI’s.
CoreOS

The host-based Agent 1.x series does not support CoreOS. Use the Threat Stack containerized Agent 1.x series instead, which does support CoreOS.

Debian

Tip

Confirm your Debian OS matches a Threat Stack supported version on the list of supported OSs.

  1. Open the Command Line.
  2. Log into the server node as the owner of the host (root user).
  3. In the Threat Stack browser window, in the + Add Server dialog, click the Other button and select Debian.
  4. Confirm the Investigate radio button is selected.
  5. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. More information on base rulesets and their compliance abilities here.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  6. In the Threat Stack browser window, under the Add our PGP key field, click the Copy to clipboard button.
  7. In the Command Line, paste the PGP key and press ENTER.
  8. In the Threat Stack browser window, under the Add the following repository information field, click the Copy to clipboard button.
  9. In the Command Line, paste the repository information and press ENTER.
  10. In the Threat Stack browser window, under the Update, install and configure the agent field, click the Copy to clipboard button.
  11. In the Command Line, paste the install and configure instructions.
  12. Do one of the following:
    • If this install is on a host that will be captured as an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:
      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      A registered Agent baked into an image gives every server launched from that image the same Agent ID.

    • If this install is on a single server, then do nothing.
  13. Press ENTER. The Threat Stack host-based Agent installs on the OS.
  14. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMI’s.
RedHat

The Agent install process for RedHat depends on the version of RedHat.

Tip

Confirm your RedHat OS matches a Threat Stack supported version on the list of supported OSs.

RedHat 6
  1. Open the Command Line.
  2. Go to the server node.
  3. Go to /etc/yum.repos.d/.
  4. Create a .repo file titled “threatstack.repo”.
  5. In the Threat Stack browser window, in the + Add Server dialog, click the Centos/RHEL button and select Centos/RHEL 6.
  6. Confirm the Investigate radio button is selected.
  7. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. More information on base rulesets and their compliance abilities here.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  8. In the Threat Stack browser window, under the Add the following repository information to /etc/yum.repos.d/threatstack.repo field, click the Copy to clipboard button.
  9. In the Command Line, in the .repo file you created in step 4, paste the repository information and press ENTER.
  10. In the Threat Stack browser window, under the Import our PGP key field, click the Copy to clipboard button.
  11. In the Command Line, paste the PGP key and press ENTER.
  12. In the Threat Stack browser window, under the Install and configure the agent field, click the Copy to clipboard button.
  13. In the Command Line, paste the install and configure instructions.
  14. Do one of the following:
    • If this install is on a host that will be captured as an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:
      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      A registered Agent baked into an image gives every server launched from that image the same Agent ID.

    • If this install is on a single server, then do nothing.
  15. Press ENTER. The Threat Stack host-based Agent installs on the OS.
  16. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMI’s.
RedHat 7
  1. Open the Command Line.
  2. Go to the server node.
  3. Go to /etc/yum.repos.d/.
  4. Create a .repo file titled “threatstack.repo”.
  5. In the Threat Stack browser window, in the + Add Server dialog, click the Centos/RHEL button and select Centos/RHEL 7.
  6. Confirm the Investigate radio button is selected.
  7. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. More information on base rulesets and their compliance abilities here.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  8. In the Threat Stack browser window, under the Add the following repository information to /etc/yum.repos.d/threatstack.repo field, click the Copy to clipboard button.
  9. In the Command Line, in the .repo file you created in step 4, paste the repository information and press ENTER.
  10. In the Threat Stack browser window, under the Import our PGP key field, click the Copy to clipboard button.
  11. In the Command Line, paste the PGP key and press ENTER.
  12. In the Threat Stack browser window, under the Update, install, and configure the agent field, click the Copy to clipboard button.
  13. In the Command Line, paste the install and configure instructions.
  14. Do one of the following:
    • If this install is on a host that will be captured as an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:
      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      A registered Agent baked into an image gives every server launched from that image the same Agent ID.

    • If this install is on a single server, then do nothing.
  15. Press ENTER. The Threat Stack host-based Agent installs on the OS.
  16. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMI’s.
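The yum-based procedure above (Amazon Linux, CentOS/RHEL 6 and 7, RedHat 6 and 7) as one unattended script. This is an added example and not Threat Stack's installer: it writes the repo file with signature checking turned on, imports the signing key, installs the package, and then registers the host with the `cloudsight setup` command shown in step 14 unless the host is being baked into an image. Everything not on the page is an assumption: the repository and key URLs (taken from the TS_BASEURL and TS_GPGKEY environment variables, which you fill from the Add Server dialog), the package name `threatstack-agent`, and the convention of reading the deploy key from a root-only file instead of typing it on the command line, so it does not land in shell history.

```shell
#!/bin/sh
# Added example, not Threat Stack's installer: unattended yum install of the
# host-based Agent with gpgcheck enforced and an image-baking guard.
#
# Assumptions (not on the page): TS_BASEURL and TS_GPGKEY hold the repository
# and PGP key URLs from the Add Server dialog; the package is named
# "threatstack-agent"; the deploy key lives in a 0600 root-owned file.

REPO_FILE=/etc/yum.repos.d/threatstack.repo

# write_repo_file DEST BASEURL GPGKEY_URL
#   Render the repo definition. gpgcheck=1 makes yum refuse any package whose
#   signature does not verify against an imported key.
write_repo_file() {
    dest=$1; baseurl=$2; gpgkey=$3
    cat > "$dest" <<EOF
[threatstack]
name=Threat Stack Agent
baseurl=$baseurl
enabled=1
gpgcheck=1
gpgkey=$gpgkey
EOF
    chmod 0644 "$dest"
}

# repo_file_ok DEST
#   Returns 0 when DEST enforces signature checking and names a key.
repo_file_ok() {
    grep -qx 'gpgcheck=1' "$1" && grep -q '^gpgkey=.' "$1"
}

# read_deploy_key FILE
#   Print the deploy key, refusing files readable by anyone but the owner.
read_deploy_key() {
    mode=$(stat -c %a "$1") || return 1
    case $mode in
        600|400) tr -d '[:space:]' < "$1" ;;
        *) echo "refusing $1: mode $mode is not 0600 or 0400" >&2; return 1 ;;
    esac
}

# install_agent
#   Set TS_BAKE_IMAGE=1 when building an AMI so the "cloudsight setup" step is
#   skipped; a registered Agent baked into an image gives every instance
#   launched from it the same Agent ID. Run setup at first boot instead.
install_agent() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    : "${TS_BASEURL:?set TS_BASEURL to the repository URL from the Add Server dialog}"
    : "${TS_GPGKEY:?set TS_GPGKEY to the PGP key URL from the Add Server dialog}"
    write_repo_file "$REPO_FILE" "$TS_BASEURL" "$TS_GPGKEY"
    repo_file_ok "$REPO_FILE" || return 1
    rpm --import "$TS_GPGKEY"
    yum -y install threatstack-agent
    if [ "${TS_BAKE_IMAGE:-0}" = 1 ]; then
        echo "image build: skipping cloudsight setup; run it at first boot"
        return 0
    fi
    key=$(read_deploy_key "${TS_DEPLOY_KEY_FILE:-/root/threatstack-deploy-key}") || return 1
    cloudsight setup --deploy-key="$key" --ruleset="Base Rule Set" --agent_type=i
}

if [ "${1:-}" = "--install" ]; then install_agent; fi
```

Run it as `sh install-agent.sh --install` with the two URLs exported. The deploy key is still visible in the process list for as long as `cloudsight setup` runs, so treat it as a secret that other local users could glimpse on a shared host; the file-mode check only keeps it out of history and world-readable files. Before the first real run, compare the fingerprint of the key you import against the one shown in the Threat Stack Console rather than trusting the URL alone.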
Ubuntu

Tip

Confirm your Ubuntu OS matches a Threat Stack supported version on the list of supported OSs.

  1. Open the Command Line.
  2. Log into the server node as the owner of the host (root user).
  3. In the Threat Stack browser window, in the + Add Server dialog, click the Ubuntu button.
  4. Confirm the Investigate radio button is selected.
  5. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. More information on base rulesets and their compliance abilities here.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  6. In the Threat Stack browser window, under the Add our PGP key field, click the Copy to clipboard button.
  7. In the Command Line, paste the PGP key and press ENTER.
  8. In the Threat Stack browser window, under the Add the following repository information field, click the Copy to clipboard button.

    Note

Replace $distro in the repository line with your Ubuntu release codename: trusty (14.04) or xenial (16.04).

  9. In the Command Line, paste the repository information and press ENTER.
  10. In the Threat Stack browser window, under the Update, install and configure the agent field, click the Copy to clipboard button.
  11. In the Command Line, paste the install and configure instructions.
  12. Do one of the following:
    • If this install is on a host that will be captured as an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:
      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      A registered Agent baked into an image gives every server launched from that image the same Agent ID.

    • If this install is on a single server, then do nothing.
  13. Press ENTER. The Threat Stack host-based Agent installs on the OS.
  14. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMI’s.
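The Debian and Ubuntu procedures above as one unattended script, covering the apt-transport-https prerequisite and the $distro placeholder from the Note. This is an added example, not Threat Stack's installer: it resolves the host's release codename, rejects anything outside the supported set before touching apt (so a wrong codename fails here rather than at `apt-get update`), installs the HTTPS transport when the repository is served over HTTPS, adds the key and source, and installs the package. The registration step is unchanged from step 11 and is left to you. Assumptions not on the page: the repository line template in TS_APT_LINE, the downloaded key file path in TS_GPGKEY_FILE, and the package name `threatstack-agent`.

```shell
#!/bin/sh
# Added example, not Threat Stack's installer: unattended apt install of the
# host-based Agent with release-codename validation.
#
# Assumptions (not on the page): TS_APT_LINE is the "deb ..." line from the
# Add Server dialog, still containing the $distro placeholder; TS_GPGKEY_FILE
# is the downloaded PGP key; the package is named "threatstack-agent".

SUPPORTED_CODENAMES="trusty xenial"
SOURCE_FILE=/etc/apt/sources.list.d/threatstack.list

# codename_supported NAME  -> 0 when NAME is a supported release codename
codename_supported() {
    for c in $SUPPORTED_CODENAMES; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# host_codename  -> prints the running release's codename
host_codename() {
    lsb_release -cs 2>/dev/null
}

# render_source TEMPLATE CODENAME
#   Substitute $distro in the repository line; fail on unsupported codenames.
render_source() {
    codename_supported "$2" || { echo "unsupported release codename: $2" >&2; return 1; }
    printf '%s\n' "$1" | sed "s/\\\$distro/$2/g"
}

# needs_https_transport LINE  -> 0 when the source is served over HTTPS
needs_https_transport() {
    case $1 in *https://*) return 0 ;; esac
    return 1
}

# install_agent
install_agent() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    : "${TS_APT_LINE:?set TS_APT_LINE to the repository line from the Add Server dialog}"
    : "${TS_GPGKEY_FILE:?set TS_GPGKEY_FILE to the downloaded PGP key file}"
    codename=$(host_codename) || return 1
    line=$(render_source "$TS_APT_LINE" "$codename") || return 1
    if needs_https_transport "$line"; then
        apt-get install -y apt-transport-https
    fi
    apt-key add "$TS_GPGKEY_FILE"
    printf '%s\n' "$line" > "$SOURCE_FILE"
    apt-get update
    apt-get install -y threatstack-agent
    echo "package installed; run the cloudsight setup line from the dialog to register this host (skip it when baking an image)"
}

if [ "${1:-}" = "--install" ]; then install_agent; fi
```

`apt-key add` matches the "Add our PGP key" step for the releases this page covers; on releases newer than xenial, apt-key is deprecated and the key should instead be stored under /etc/apt/keyrings and bound to the source with a `[signed-by=...]` option, which keeps it from validating every other repository on the host.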
Upgrade the Threat Stack Agent

If your Threat Stack Agent is currently supported, then you can upgrade the Agent rather than performing a fresh install. For more information, see the Upgrade the Agent instructions.
