Skip to main content
Red Canary help

How do I deploy the agent?

  • Updated .

This document describes the installation requirements and instructions for deploying the sensor. 

Installation Requirements

System

Supported Linux architectures:
  • x86_64
  • AArch64 (ARM 64-bit)

Supported Linux server distributions and versions:
  • Amazon Linux 1 & 2
  • Ubuntu 14.04, 16.04, 18.04, 20.04
  • CentOS 6, 7, 8
  • RHEL 6, 7, 8
  • Debian 8, 9, 10
  • Fedora 31, 32
  • SUSE/openSUSE 11
  • Oracle Linux 7, 8 (RHEL & UEK kernels)

Supported Linux kernel versions:
  • 2.6.32-71 and above (mainline)

Support and installation notes
  • We do not support systems running auditd
  • We do not support systems running software that consume from the audit netlink socket
  • Installation will disable the auditd.service and, if it exists, the systemd-journald-audit.socket. It will not change any configuration files for auditd. The previous system state will be restored if you choose to uninstall

Network

Outbound network connectivity
  • s3-us-east-2.amazonaws.com (tcp/443) (Sensor telemetry sent to Red Canary's AWS account)
  • 35.188.42.15 (tcp/443) (Sentry proactive error monitoring)
  • 34.120.195.249 (tcp/443) (Sentry proactive error monitoring)

To utilize a SOCKS proxy:
  • Set the HTTPS_PROXY or HTTP_PROXY environment variables
  • Or, add the following to config.json: "http_proxy": "https://HOST:PORT"

Installation Instructions

Please note these instructions and the username and password mentioned below are viewable in your portal by going to Endpoint -> Deploy sensors. Make selections in the portal for platform and sensor, then you will see the different Installation Instructions separated by tabs. These contain the credentials, specific to your portal, mentioned in the below steps.

RPM

1. Place these contents into a file titled redcanary.repo in /etc/yum.repos.d/

[RedCanary]
name=Red Canary Cloud Workload Protection
username=<username>
password=<password>
baseurl=https://redcanary.jfrog.io/artifactory/forwarder-rpm-prod-local/
enabled=1
gpgcheck=0

2. Run the following: sudo yum install canary_forwarder

3. Place these contents into a file titled config.json in /opt/redcanary/

{
  "access_token": "<access_token>",
  "subscription_plan": "Managed"
}

Debian

1. Place these contents into a file titled redcanary.list in /etc/apt/sources.list.d/. Note: Use the contents specific to the system whether it is x86_64/amd64 or AArch64/arm64.

x86_64/amd64

deb [arch=amd64] https://<subdomain>:<password>@redcanary.jfrog.io/artifactory/forwarder-debian-prod-local main restricted

AArch64/arm64

deb [arch=arm64] https://<subdomain>:<password>@redcanary.jfrog.io/artifactory/forwarder-debian-prod-local main restricted

2. Place these contents into a file titled redcanary_auth.conf in /etc/apt/auth.conf.d/ :

machine redcanary.jfrog.io
login <username>
password <password>

3. Install the GPG key with the following command

wget -qO - https://<subdomain>.my.redcanary.co/keys/artifactory.gpg.public | sudo apt-key add -

4. Run the following

sudo apt-get update
sudo apt-get install canary-forwarder

5. Place these contents into a file titled config.json in /opt/redcanary/

{
  "access_token": "<access_token>",
  "subscription_plan": "Managed"
}

AMI/VM Setup

1. Start the instance

2. Install Red Canary Cloud Workload Protection via Debian or RPM instructions

  1. Follow the instructions from the RPM or Debian tabs, ensuring you place the config.json file into /opt/redcanary/

3. Stop the cfsvcd service

  1. sudo systemctl stop cfsvcd or sudo initctl stop cfsvcd

4. Run the following to delete any saved state: sudo rm /opt/redcanary/state.json

5. Shut down the instance

6. Create the AMI or clone from this VM instance

Manual Setup

Begin by downloading the relevant package. You can find the download links in the portal by going to Endpoint -> Deploy sensors -> [Make your selection] -> Installation Instructions -> Manual Setup.

Install the Package

Ubuntu 16.04 and Newer

Installing the package

sudo apt install ./canary-forwarder-1.2.1_amd64.deb

Uninstalling the package

sudo apt remove canary-forwarder

sudo apt autoremove

 

Debian 9 and Newer

Installing the package

sudo apt install ./canary-forwarder-1.2.1_amd64.deb

Uninstalling the package

sudo apt remove canary-forwarder

sudo apt autoremove

 

Debian 8 and Ubuntu 14.04

Installing the package

sudo dpkg -i canary-forwarder-1.2.1_amd64.deb

sudo apt-get -y --fix-broken install

Uninstalling the package

sudo apt-get -y remove canary-forwarder

sudo apt-get -y autoremove

 

RHEL/Centos 6, 7, 8

Installing the package

sudo yum install -y canary_forwarder-1.2.1.x86_64.rpm

Uninstalling the package

sudo yum remove -y canary_forwarder

Related articles