Deploy the Threat Stack Agent

Overview

This document describes pre-installation, installation, and configuration steps for the Threat Stack Agent.

The Threat Stack Agent must be run on the host for Threat Stack to function in your environment.

Tip

Threat Stack maintains a list of supported Operating Systems (OSs). Ensure your environment is compatible with the supported OSs.

Pre-Installation for the Threat Stack Agent

Before you install the Threat Stack Agent, you must prepare your Linux host to work with the Agent.

The Threat Stack Agent uses the Linux Audit Framework to collect file, network, and process data. The Agent depends on the following kernel facilities:

  • auditd (the kernel audit subsystem)
  • inotify
  • fanotify

Note

The Threat Stack Agent can conflict with other tools that use these facilities. In particular, the kernel delivers audit events to only one registered audit daemon at a time, so a running auditd or another audit consumer prevents the Agent from receiving file, network, and process events. Before deploying the Agent, ensure no other tools use these facilities, and stop and disable any audit daemon that does.
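The script below is an added pre-installation check; it is not part of Threat Stack's installer or documentation. It parses the output of auditctl -s to find the registered audit daemon (the two sample outputs embedded in it are constructed, not captured from a real host), reports a conflict when one is registered, and lists the processes holding fanotify descriptors so you can review them for overlap with the Agent. Run it as root on the host before installing.

```shell
#!/bin/sh
# Added pre-installation check; this script is not part of the Threat Stack
# installer. It reports whether another audit daemon already owns the kernel
# audit socket (the kernel delivers audit events to one registered daemon, so
# a running auditd blocks the Agent's audit feed) and which processes hold
# fanotify descriptors, so you can review them for overlap before installing.

# Constructed sample outputs of `auditctl -s`, used only to exercise the parser.
SAMPLE_AUDITCTL_NEW='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
SAMPLE_AUDITCTL_OLD='AUDIT_STATUS: enabled=1 flag=1 pid=4321 rate_limit=0 backlog_limit=320 lost=0 backlog=0'

# Print the pid of the registered audit daemon from `auditctl -s` output.
# Handles the line-per-field format ("pid 1234") and the older single-line
# format ("AUDIT_STATUS: ... pid=1234 ..."). "0" means no daemon is registered.
audit_daemon_pid() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^pid[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        -e 's/.*[[:space:]]pid=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 (conflict) when a daemon pid other than 0 is registered.
audit_conflict() {
    if [ -n "$1" ] && [ "$1" != 0 ]; then return 0; fi
    return 1
}

# List "pid command" for every process holding a fanotify file descriptor.
fanotify_holders() {
    find /proc/[0-9]*/fd -type l -lname 'anon_inode:\[fanotify\]' 2>/dev/null |
        cut -d/ -f3 | sort -u | while read -r pid; do
            printf '%s %s\n' "$pid" "$(ps -o comm= -p "$pid" 2>/dev/null)"
        done
    return 0
}

main() {
    if ! command -v auditctl >/dev/null 2>&1; then
        echo "auditctl not found; skipping audit socket check"
    else
        status=$(auditctl -s 2>/dev/null || true)
        if [ -z "$status" ]; then
            echo "could not query audit status (run this check as root)"
        else
            pid=$(audit_daemon_pid "$status")
            if audit_conflict "$pid"; then
                echo "CONFLICT: pid $pid ($(ps -o comm= -p "$pid" 2>/dev/null)) owns the audit socket; stop and disable it before installing the Agent"
            else
                echo "audit socket: no daemon registered"
            fi
        fi
    fi
    echo "processes holding fanotify descriptors (review for overlap with the Agent):"
    fanotify_holders
}

main "$@"
```

A registered pid other than 0 means the Agent will not receive audit events until that daemon is stopped and disabled; the fanotify list is informational, since several fanotify users can coexist but each one is worth knowing about when you later tune the Agent.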

Prerequisites

Ensure your environment is in compliance with the Threat Stack System Requirements.

Install the Threat Stack Agent

The method of Agent installation depends on your Linux OS.

Prerequisites

  • Access to the Threat Stack Console
  • If you use a Debian OS, then install the APT HTTPS transport (the apt-transport-https package on releases whose apt does not include it) so apt can fetch Threat Stack hosted packages

Tip

Use side-by-side windows – one browser window for Threat Stack and one window for the Command Line – to complete these instructions.

Begin Agent Installation

Threat Stack automatically walks customers through an Agent install on the Servers page.
  1. Log into Threat Stack.
  2. Click Servers. The Servers page displays.

  3. Click the + Add Server button. The + Add Server dialog displays.

  4. Proceed to the set of instructions, below, specific to your OS.

    Note

    If you use the Debian OS, then click the Other Button > Debian.

Amazon Linux

Tip

Confirm your Amazon Linux OS matches a Threat Stack supported version on the list of supported OSs.

  1. Open the Command Line.
  2. Go to the server node.
  3. Go to /etc/yum.repos.d/.
  4. Create a .repo file titled “threatstack.repo”.
  5. In the Threat Stack browser window, in the + Add Server dialog, select the Amazon Linux button.
  6. Confirm the Investigate radio button is selected.
  7. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. See the base rulesets documentation for more information on base rulesets and the compliance frameworks they cover.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  8. Under the Add the following repository information to /etc/yum.repos.d/threatstack.repo field, click the Copy to clipboard button.
  9. In the Command Line, paste the repository information and press ENTER.
  10. Under the Import our PGP key field, click the Copy to clipboard button.
  11. In the Command Line, paste the PGP key and press ENTER.
  12. In the Threat Stack browser window, in the + Add Server dialog, under the Install and configure the agent field, click the Copy to clipboard button.
  13. In the Command Line, paste the install and configure instructions.
  14. Do one of the following:
    • If this install is on an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:


      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      or else every system will use the same Agent ID.

    • If this install is on a single server, then do nothing.
  15. Press ENTER. The Threat Stack Agent installs on the OS.
  16. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMIs.

CentOS / RHEL

The Agent install process for CentOS / RHEL depends on the version of CentOS / RHEL.

Tip

Confirm your CentOS / RHEL OS matches a Threat Stack supported version on the list of supported OSs.

CentOS / RHEL 6
  1. Open the Command Line.
  2. Go to the server node.
  3. Go to /etc/yum.repos.d/.
  4. Create a .repo file titled “threatstack.repo”.
  5. In the Threat Stack browser window, in the + Add Server dialog, click the Centos/RHEL button and select Centos/RHEL 6.
  6. Confirm the Investigate radio button is selected.
  7. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. See the base rulesets documentation for more information on base rulesets and the compliance frameworks they cover.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  8. Under the Add the following repository information to /etc/yum.repos.d/threatstack.repo field, click the Copy to clipboard button.
  9. In the Command Line, paste the repository information and press ENTER.
  10. Under the Import our PGP key field, click the Copy to clipboard button.
  11. In the Command Line, paste the PGP key and press ENTER.
  12. In the Threat Stack browser window, in the + Add Server dialog, under the Install and configure the agent field, click the Copy to clipboard button.
  13. In the Command Line, paste the install and configure instructions.
  14. Do one of the following:
    • If this install is on an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:


      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      or else every system will use the same Agent ID.

    • If this install is on a single server, then do nothing.
  15. Press ENTER. The Threat Stack Agent installs on the OS.
  16. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMIs.

CentOS / RHEL 7
  1. Open the Command Line.
  2. Go to the server node.
  3. Go to /etc/yum.repos.d/.
  4. Create a .repo file titled “threatstack.repo”.
  5. In the Threat Stack browser window, in the + Add Server dialog, click the Centos/RHEL button and select Centos/RHEL 7.
  6. Confirm the Investigate radio button is selected.
  7. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. See the base rulesets documentation for more information on base rulesets and the compliance frameworks they cover.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  8. Under the Add the following repository information to /etc/yum.repos.d/threatstack.repo field, click the Copy to clipboard button.
  9. In the Command Line, paste the repository information and press ENTER.
  10. Under the Import our PGP key field, click the Copy to clipboard button.
  11. In the Command Line, paste the PGP key and press ENTER.
  12. In the Threat Stack browser window, in the + Add Server dialog, under the Install and configure the agent field, click the Copy to clipboard button.
  13. In the Command Line, paste the install and configure instructions.
  14. Do one of the following:
    • If this install is on an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:


      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      or else every system will use the same Agent ID.

    • If this install is on a single server, then do nothing.
  15. Press ENTER. The Threat Stack Agent installs on the OS.
  16. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMIs.

CoreOS

Tip

Confirm your CoreOS OS matches a Threat Stack supported version on the list of supported OSs.

  1. Copy the Threat Stack Agent installer to your system.
  2. Open the Command Line.
  3. Go to the server node.
  4. Copy and paste the following commands to unpack the Threat Stack Agent installer and change into its directory:


    tar -xvzf threatstack-agent_latest.coreos[version]_amd64.tar.gz

    cd threatstack-agent_[version].coreos[version]_amd64

    Warning

    The installer must be run from the untarred package directory or the install fails.

  5. Do one of the following to complete the install process:
    • Use a single command

      Note

      This command uses cloudsight arguments to complete the Threat Stack Agent installation. CoreOS installs the Agent software and dependencies under /opt/threatstack and lists the Agent as a standard systemd service.

      1. In the Command Line, type the following command, leaving the deploy key placeholder in place for now:


        sudo ./threatstack-coreos-installer.sh --deploy-key=<your deploy key>

      2. In the Threat Stack browser window, in the + Add Server dialog, under the Update, install, and configure the agent field, click the Copy to clipboard button.
      3. In the Command Line, paste the copied instructions, then delete everything up to and including --deploy-key= so that only your Threat Stack deploy key remains, and use that value in place of <your deploy key>.
      4. Press ENTER. The Threat Stack Agent installs on the OS.
    • Use a manual installation process

      Note

      CoreOS installs the Agent software and dependencies under /opt/threatstack and lists the Agent as a standard systemd service.

      1. In the Command Line, copy and paste the following command:


        sudo ./threatstack-coreos-installer.sh

      2. Press ENTER.
      3. The first time you start the Threat Stack Agent, do the following:
        1. Open the Command Line.
        2. Copy and paste the following command, leaving the deploy key placeholder in place for now:


          /opt/threatstack/bin/cloudsight setup --deploy-key=<your deploy key>

        3. Log into Threat Stack.
        4. Go to Servers. The Servers page displays.
        5. Click the + Add Server button. The + Add Server dialog displays.
        6. Under the Update, install, and configure the agent field, click the Copy to clipboard button.
        7. In the Command Line, paste the copied instructions, then delete everything up to and including --deploy-key= so that only your Threat Stack deploy key remains, and use that value in place of <your deploy key>.
        8. Press ENTER. The Threat Stack Agent is configured with your deploy key.
  6. Optionally, if you do not use containers, then copy and paste the following commands to disable container monitoring:


    /opt/threatstack/bin/cloudsight config enable_containers=0

    /opt/threatstack/bin/cloudsight restart

Debian

Tip

Confirm your Debian OS matches a Threat Stack supported version on the list of supported OSs.

  1. Open the Command Line.
  2. Log into the server node as the root user (the owner of the host).
  3. In the Threat Stack browser window, in the + Add Server dialog, click the Other button and select Debian.
  4. Confirm the Investigate radio button is selected.
  5. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. See the base rulesets documentation for more information on base rulesets and the compliance frameworks they cover.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  6. Under the Add our PGP key field, click the Copy to clipboard button.
  7. Return to the Command Line window.
  8. In the Command Line, paste the PGP key and press ENTER.
  9. In the Threat Stack browser window, in the + Add Server dialog, under the Add the following repository information field, click the Copy to clipboard button.
  10. In the Command Line, paste the repository information and press ENTER.
  11. In the Threat Stack browser window, in the + Add Server dialog, under the Update, install and configure the agent field, click the Copy to clipboard button.
  12. In the Command Line, paste the install and configure instructions.
  13. Do one of the following:
    • If this install is on an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:


      cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      or else every system will use the same Agent ID.

    • If this install is on a single server, then do nothing.
  14. Press ENTER. The Threat Stack Agent installs on the OS.
  15. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMIs.

RedHat

The Agent install process for RedHat depends on the version of RedHat.

Tip

Confirm your RedHat OS matches a Threat Stack supported version on the list of supported OSs.

RedHat 6
  1. Open the Command Line.
  2. Go to the server node.
  3. Go to /etc/yum.repos.d/.
  4. Create a .repo file titled “threatstack.repo”.
  5. In the Threat Stack browser window, in the + Add Server dialog, click the Centos/RHEL button and select Centos/RHEL 6.
  6. Confirm the Investigate radio button is selected.
  7. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. See the base rulesets documentation for more information on base rulesets and the compliance frameworks they cover.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  8. Under the Add the following repository information to /etc/yum.repos.d/threatstack.repo field, click the Copy to clipboard button.
  9. In the Command Line, paste the repository information and press ENTER.
  10. Under the Import our PGP key field, click the Copy to clipboard button.
  11. In the Command Line, paste the PGP key and press ENTER.
  12. In the Threat Stack browser window, in the + Add Server dialog, under the Install and configure the agent field, click the Copy to clipboard button.
  13. In the Command Line, paste the install and configure instructions.
  14. Do one of the following:
    • If this install is on an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:


      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      or else every system will use the same Agent ID.

    • If this install is on a single server, then do nothing.
  15. Press ENTER. The Threat Stack Agent installs on the OS.
  16. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMIs.

RedHat 7
  1. Open the Command Line.
  2. Go to the server node.
  3. Go to /etc/yum.repos.d/.
  4. Create a .repo file titled “threatstack.repo”.
  5. In the Threat Stack browser window, in the + Add Server dialog, click the Centos/RHEL button and select Centos/RHEL 7.
  6. Confirm the Investigate radio button is selected.
  7. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. See the base rulesets documentation for more information on base rulesets and the compliance frameworks they cover.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  8. Under the Add the following repository information to /etc/yum.repos.d/threatstack.repo field, click the Copy to clipboard button.
  9. In the Command Line, paste the repository information and press ENTER.
  10. Under the Import our PGP key field, click the Copy to clipboard button.
  11. In the Command Line, paste the PGP key and press ENTER.
  12. In the Threat Stack browser window, in the + Add Server dialog, under the Update, install, and configure the agent field, click the Copy to clipboard button.
  13. In the Command Line, paste the install and configure instructions.
  14. Do one of the following:
    • If this install is on an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions:


      sudo cloudsight setup --deploy-key=<your deploy key> --ruleset="Base Rule Set" --agent_type=i

      or else every system will use the same Agent ID.

    • If this install is on a single server, then do nothing.
  15. Press ENTER. The Threat Stack Agent installs on the OS.
  16. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMIs.
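The machine-image caveat repeated in each OS section above means two things in practice: cloudsight setup must run once per instance rather than once in the image, and the deploy key, which authorizes registration of new Agents in your organization, should not be baked into the image either. The cloud-init user-data below is an added example of that pattern; it is not Threat Stack's own documentation and does not replace the Amazon AMI instructions it refers to. The SSM parameter name /threatstack/deploy-key, an instance role permitted to read it, and the presence of the AWS CLI in the image are assumptions.

```yaml
#cloud-config
# Added example (not Threat Stack's own documentation): first-boot registration
# for instances launched from an image in which the Threat Stack Agent package
# was installed but the `cloudsight setup` line was deliberately removed.
# Assumptions: the AWS CLI is in the image, the instance role may read the
# SSM parameter /threatstack/deploy-key, and the image is not CoreOS (where
# the binary lives at /opt/threatstack/bin/cloudsight instead).
runcmd:
  # runcmd runs once per instance (not on every boot), so each instance
  # registers exactly once and receives its own Agent ID.
  - |
    set -eu
    # IMDSv2 token, then the region, so the CLI call needs no baked-in config
    TOKEN=$(curl -sS -X PUT http://169.254.169.254/latest/api/token \
              -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
    REGION=$(curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" \
              http://169.254.169.254/latest/meta-data/placement/region)
    # Fetch the deploy key at boot instead of storing it in the image
    KEY=$(aws ssm get-parameter --region "$REGION" --name /threatstack/deploy-key \
              --with-decryption --query Parameter.Value --output text)
    cloudsight setup --deploy-key="$KEY" --ruleset="Base Rule Set" --agent_type=i
```

Pass this file as the instance user-data. User-data is readable by any local process through the metadata service, which is why the key is fetched from Parameter Store under the instance role rather than written into the file; fetching it at run time also keeps it out of the script cloud-init persists under /var/lib/cloud/instance/scripts/.
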

Ubuntu

Tip

Confirm your Ubuntu OS matches a Threat Stack supported version on the list of supported OSs.

  1. Open the Command Line.
  2. Log into the server node as the root user (the owner of the host).
  3. In the Threat Stack browser window, in the + Add Server dialog, click the Ubuntu button.
  4. Confirm the Investigate radio button is selected.
  5. In the Assign one or more rulesets to your new server (optional) field, click the field to select additional rulesets to apply to the server. See the base rulesets documentation for more information on base rulesets and the compliance frameworks they cover.

    Warning

    This is the only time during the deployment process you can add rulesets to Threat Stack.

  6. Under the Add our PGP key field, click the Copy to clipboard button.
  7. Return to the Command Line window.
  8. In the Command Line, paste the PGP key and press ENTER.
  9. In the Threat Stack browser window, in the + Add Server dialog, under the Add the following repository information field, click the Copy to clipboard button.

    Note

    Replace $distro with your Ubuntu release codename, either trusty or xenial.

  10. In the Command Line, paste the repository information and press ENTER.
  11. In the Threat Stack browser window, in the + Add Server dialog, under the Update, install and configure the agent field, click the Copy to clipboard button.
  12. In the Command Line, paste the install and configure instructions.
  13. Do one of the following:
    • If this install is on an Amazon Machine Image (AMI) or other machine image, then delete the second line of the install and configuration instructions. Otherwise every system will use the same Agent ID.
    • If this install is on a single server, then do nothing.
  14. Press ENTER. The Threat Stack Agent installs on the OS.
  15. To add the deploy key to servers built from an AMI or other machine image, follow the instructions in Steps for Deploying the Threat Stack Agent via Amazon AMIs.
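Every package-manager procedure above (the yum-based Amazon Linux, CentOS / RHEL and RedHat sections, and the apt-based Debian and Ubuntu sections) has you paste a repository definition and a PGP key from the Add Server dialog and then run the install command. The script below is an added check, not Threat Stack's own tooling, that verifies the pasted definition actually enforces package signature checking before you run that command. The repository URLs and sample lines in it are constructed placeholders, not the real Threat Stack repository.

```shell
#!/bin/sh
# Added post-paste check; not part of the Threat Stack installer. Run it after
# pasting the repository definition from the Add Server dialog and before
# running the install command, to confirm that package signatures will be
# verified. The repository URLs below are constructed placeholders, not the
# real Threat Stack repository.

# Constructed sample in the shape of a yum/dnf .repo file.
SAMPLE_YUM_REPO='[threatstack]
name=Threat Stack (constructed sample)
baseurl=https://pkg.example.invalid/el/7/x86_64
enabled=1
gpgcheck=1
gpgkey=https://pkg.example.invalid/RPM-GPG-KEY-example'

# Constructed sample apt source line ($distro already substituted).
SAMPLE_APT_LINE='deb https://pkg.example.invalid/ubuntu xenial main'

# has_line TEXT ERE  -> 0 if any line of TEXT matches the extended regex.
has_line() {
    printf '%s\n' "$1" | grep -q -E -- "$2"
}

# Validate .repo text: https baseurl, gpgcheck=1, no gpgcheck=0 override, and
# a gpgkey fetched over https or read from a local file. Prints the first
# problem found and returns 1, or prints "ok" and returns 0.
check_yum_repo() {
    has_line "$1" '^[[:space:]]*baseurl[[:space:]]*=[[:space:]]*https://' \
        || { echo "baseurl is not https"; return 1; }
    has_line "$1" '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        || { echo "gpgcheck is not 1"; return 1; }
    if has_line "$1" '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0'; then
        echo "gpgcheck=0 present"; return 1
    fi
    has_line "$1" '^[[:space:]]*gpgkey[[:space:]]*=[[:space:]]*(https://|file://)' \
        || { echo "gpgkey missing, or not https:// or file://"; return 1; }
    echo ok
}

# Validate one apt "deb ..." line: the archive URL must be https. A line
# without [signed-by=...] still passes (the procedure above uses apt-key) but
# is flagged, because a key added with apt-key is trusted for every repository
# on the host rather than only this one.
check_apt_source() {
    case "$1" in
        "deb "*) ;;
        *) echo "not a deb source line"; return 1 ;;
    esac
    # URL is the first field after "deb" and any optional [options] group
    url=$(printf '%s\n' "$1" | sed -E 's/^deb[[:space:]]+(\[[^]]*\][[:space:]]+)?//' | cut -d' ' -f1)
    case "$url" in
        https://*) ;;
        *) echo "source URL is not https: $url"; return 1 ;;
    esac
    case "$1" in
        *signed-by=*) echo ok ;;
        *) echo "ok (key not scoped with signed-by)" ;;
    esac
}

main() {
    if [ -r /etc/yum.repos.d/threatstack.repo ]; then
        echo "threatstack.repo: $(check_yum_repo "$(cat /etc/yum.repos.d/threatstack.repo)")"
    fi
    if [ -n "${1:-}" ]; then
        echo "apt source: $(check_apt_source "$1")"
    fi
}

main "$@"
```

On yum hosts the script reads /etc/yum.repos.d/threatstack.repo directly; on Debian and Ubuntu pass the pasted deb line as the first argument. After the PGP key step you can also confirm the key actually landed with rpm -q gpg-pubkey (yum) or apt-key list (apt); a repository that passes this check with a key that was never imported still fails at install time, which is the safe direction.
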

Upgrade the Threat Stack Agent

If your Threat Stack Agent is currently supported, then you can upgrade the Agent rather than performing a fresh install. For more information, see the Upgrade the Agent instructions.
