Carbon Black Cloud: How to Install Linux Sensor using install.sh

Environment

  • Carbon Black Linux Sensor: 2.6.0 and Higher
  • Linux: All Supported Versions

Objective

How to Install Linux Sensor using install.sh

Resolution

  1. Obtain the Agent Sensor Kits.
  2. Unpack Agent into a temporary directory.
  3. Navigate into the folder that was created when the agent was unpacked.
  4. Install and register the sensor by running:
    sudo ./install.sh '<COMPANY_CODE>'
    NOTE: Replace '<COMPANY_CODE>' with your company registration code.

Additional Notes

  • The Linux sensor keeps its primary configuration details, along with some more ephemeral state values, in the /var/opt/carbonblack/psc/cfg.ini file.
  • The cfg.ini file is created when the sensor is installed, changes while the sensor is running, and is used to manage many longer term stateful processes such as software upgrades, communication configuration and state, and device registration information.
  • The sensor normally reads the cfg.ini file once on startup and writes it one or more times when the sensor needs to update this information. Therefore the cfg.ini file should only be edited while the sensor is stopped. Modifications made while the sensor is running are likely to be overwritten by the sensor's next update of the file, and in any case will not be visible to the sensor until its next startup. However, it is advisable to plan the changes in advance in order to reduce the sensor downtime that occurs while editing the file.
  • Although not always used, the --prop parameter is provided for those instances when there is a need to populate values in the cfg.ini file, such as when a proxy address/port needs to be configured or a PEM file needs to be specified.
  • Supported Install.sh cfg.ini (--prop) options
    The install.sh script is used to install the sensor on an endpoint. When running this script, cfg.ini fields may be set using the --prop option of that script. For example, the following would set the email address for this sensor:

    ./install.sh --prop 'EmailAddress=bill@example.com'

    NOTE: The quotes are not needed for this example, but are good practice if the value may contain spaces or punctuation marks that may be interpreted by the shell.

Option: CompanyCode
Value: String value
Notes:
    Navigate to Endpoints > Sensor Options > Company Codes to access or create a new Company Code.
    The Company Code should be enclosed in single quotes.

    This value should only be used in rare circumstances such as when managing VDI environments, as it is set during sensor installation when providing a registration code to the install.sh script (see example above under "Resolution").

Option: GroupName
Value: String value
Notes:
    Always enclose this value with quotes if the policy name includes spaces.
    Optional policy name assignment. This field sets the Policy value for this endpoint. This affects what rulesets are applied to this sensor.

    This can be used to pre-set the policy used by the sensor at install time. It may be easier to manage this in the UI, and the backend may change this field depending on changes made in the UI. This may also be set during installation:

    ./install.sh --groupname 'SensorGroupName'

Option: EmailAddress
Value: This can be set to any email address.
Notes:
    The intention is that this is the point of contact for administering this sensor. This provided address will be visible in the Endpoints page in the UI for this sensor.

Option: ProxyServer
Value: server:port
Notes:
    The ProxyServer field may be set to direct sensor network traffic through a proxy server (such as a `squid` proxy server).
    The server IP address may be specified.

Option: ProxyPemFile
Value: Provide the full file path and file name of the PEM file, i.e.

    ./install.sh --proxy 1.2.3.4:3129 --prop ProxyPemFile=/some/path/my-pem-file.pem

Notes:
    The PEM file is used to connect to some proxies that use certificate-based authentication. The PEM file will only be used if the proxy server is also set. If there is no PEM file, the proxy server connection will be attempted without authentication.
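
The option rules above can be checked before the installer is run. The following is an added example, not part of the original article or of the Carbon Black installer: a shell function that validates proposed --prop values against the options listed on this page. The function name check_props, the port-range check, and the file-exists check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for install.sh --prop arguments.
# Option names come from this page; the port-range and file-exists rules are
# assumptions. A proxy given via --proxy is passed here as ProxyServer=...

# check_props KEY=VALUE...  prints one line per problem; returns 0 if none.
check_props() {
    cp_errs=0 cp_proxy="" cp_pem=""
    cp_fail() { echo "$1"; cp_errs=$((cp_errs + 1)); }
    for cp_kv in "$@"; do
        case "$cp_kv" in
            *=*) ;;
            *) cp_fail "not KEY=VALUE: $cp_kv"; continue ;;
        esac
        cp_key=${cp_kv%%=*} cp_val=${cp_kv#*=}
        case "$cp_key" in
            CompanyCode|GroupName|EmailAddress)
                [ -n "$cp_val" ] || cp_fail "$cp_key: empty value" ;;
            ProxyServer)
                cp_proxy=$cp_val cp_host=${cp_val%:*} cp_port=${cp_val##*:}
                case "$cp_val" in *:*) ;; *) cp_port="" ;; esac
                case "$cp_port" in
                    ''|*[!0-9]*|??????*)
                        cp_fail "ProxyServer: expected server:port, got '$cp_val'" ;;
                    *)  if [ -z "$cp_host" ] || [ "$cp_port" -lt 1 ] || [ "$cp_port" -gt 65535 ]; then
                            cp_fail "ProxyServer: bad host or port in '$cp_val'"
                        fi ;;
                esac ;;
            ProxyPemFile)
                cp_pem=$cp_val
                case "$cp_val" in
                    /*) [ -f "$cp_val" ] || cp_fail "ProxyPemFile: no such file: $cp_val" ;;
                    *)  cp_fail "ProxyPemFile: full path required, got '$cp_val'" ;;
                esac ;;
            *)  cp_fail "unsupported option: $cp_key" ;;
        esac
    done
    # Per the page, the PEM file is only used when a proxy server is also set.
    if [ -n "$cp_pem" ] && [ -z "$cp_proxy" ]; then
        cp_fail "ProxyPemFile set without ProxyServer: the PEM file would not be used"
    fi
    [ "$cp_errs" -eq 0 ]
}

# Constructed sample values, not from a real deployment.
check_props 'GroupName=Linux Servers' 'ProxyServer=1.2.3.4:3129' && echo "props OK"
check_props 'ProxyServer=proxy.example.com' 'ProxyPemFile=proxy.pem' || echo "props rejected"
```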

Creation Date: 02-17-2022