Skip to main content
Red Canary help

Deploy an EDR sensor agent

  • Updated .

This article describes the installation requirements and instructions for deploying a sensor. 

Estimated procedure time: 10 minutes

Installation Requirements

System

Supported Linux architectures

  • x86_64

  • AArch64 (ARM 64-bit)

Supported Linux server distributions and versions

  • Amazon Linux 1 & 2

  • Ubuntu 14.04, 16.04, 18.04, 20.04

  • CentOS 6, 7, 8

  • RHEL 6, 7, 8

  • Debian 8, 9, 10

  • Fedora 31, 32

  • SUSE/openSUSE 11

  • Oracle Linux 7, 8 (RHEL & UEK kernels)

Supported Linux kernel versions

  • 2.6.32-71 and above (mainline)

Support and installation notes

  • We do not support systems running auditd.

  • We do not support systems running software that consume from the audit netlink socket.

  • Installation will disable the auditd.service and the systemd-journald-audit.socket. It will not change any configuration files for auditd. The previous system state will be restored if you choose to uninstall.

Network

Outbound network connectivity

  • s3-us-east-2.amazonaws.com (tcp/443) (Sensor telemetry sent to Red Canary's AWS account)

  • 35.188.42.15 (tcp/443) (Sentry proactive error monitoring)

  • 34.120.195.249 (tcp/443) (Sentry proactive error monitoring)


To utilize a SOCKS proxy:

  • Set the HTTPS_PROXY or HTTP_PROXY environment variables

  • Or, add the following to config.json: "http_proxy": "https://HOST:PORT"

Installation Instructions

1. In Red Canary, click Endpoint, and then click Deploy Sensors to view the instructions, username, and password.
 
2. Make your selections for your third-party platform and sensor. You will see the different installation instructions separated by tabs. These contain the credentials that are specific to your portal.

Note: If the Sensor Auto-Upgrade is enabled, replace canary-forwarder and the canary_forwarder below with cwp.

RPM

1. Place the information below into a file titled redcanary.repo in /etc/yum.repos.d/.

[RedCanary]
name=Red Canary Cloud Workload Protection
username=<username>
password=<password>
baseurl=https://redcanary.jfrog.io/artifactory/forwarder-rpm-prod-local/
enabled=1
gpgcheck=0

2. Run the following, sudo yum install canary_forwarder.

3. Place the information below into a file titled config.json in /opt/redcanary/.

{
  "access_token": "<access_token>",
  "subscription_plan": "Managed"
}

Debian

1. Place the information below into a file titled redcanary.list in /etc/apt/sources.list.d/.

Note: Use the contents specific to the system whether it is x86_64/amd64 or AArch64/arm64.

x86_64/amd64

deb [arch=amd64] https://<subdomain>:<password>@redcanary.jfrog.io/artifactory/forwarder-debian-prod-local main restricted

AArch64/arm64

deb [arch=arm64] https://<subdomain>:<password>@redcanary.jfrog.io/artifactory/forwarder-debian-prod-local main restricted

2. Place the information below into a file titled redcanary_auth.conf in /etc/apt/auth.conf.d/ :.

machine redcanary.jfrog.io
login <username>
password <password>

3. Install the GPG key with the following command below.

wget -qO - https://<subdomain>.my.redcanary.co/keys/artifactory.gpg.public | sudo apt-key add -

4. Run the content below.

sudo apt-get update
sudo apt-get install canary-forwarder

5. Place the information below into a file titled config.json in /opt/redcanary/.

{
  "access_token": "<access_token>",
  "subscription_plan": "Managed"
}

AMI/VM Setup

1. Start the instance.

2. Install Red Canary Linux EDR via the Debian or RPM instructions.

  • Follow the instructions from the RPM or Debian tabs. Place the config.json file into /opt/redcanary/.

3. Stop the cfsvcd service.

  • sudo systemctl stop cfsvcd or sudo initctl stop cfsvcd

4. Run the following to delete any saved state. sudo rm /opt/redcanary/state.json

5. Shut down the instance.

6. Create the AMI or clone from the VM instance.

Manual Setup

1. Begin by downloading the relevant package.

2. You can find the download links in the portal by clicking Endpoints, and then click Deploy sensors

3. Select your desired platform, and then select your desired sensor technology. 

4. Scroll down to the Installation Instructions section and click Manual Setup.

5. Find your desired operating system and reference Uninstalling the package.

Install the Package

Ubuntu 16.04 and Newer

Installing the package

sudo apt install ./canary-forwarder-1.2.1_amd64.deb

Uninstalling the package

sudo apt remove canary-forwarder

sudo apt autoremove

 

Debian 9 and Newer

Installing the package

sudo apt install ./canary-forwarder-1.2.1_amd64.deb

Uninstalling the package

sudo apt remove canary-forwarder

sudo apt autoremove

 

Debian 8 and Ubuntu 14.04

Installing the package

sudo dpkg -i canary-forwarder-1.2.1_amd64.deb

sudo apt-get -y --fix-broken install

Uninstalling the package

sudo apt-get -y remove canary-forwarder

sudo apt-get -y autoremove

 

RHEL/Centos 6, 7, 8

Installing the package

sudo yum install -y canary_forwarder-1.2.1.x86_64.rpm

Uninstalling the package

sudo yum remove -y canary_forwarder

Comments

0 comments

Please sign in to leave a comment.