Uninstalling GuardMode Agent on Linux
Before uninstallation, ensure that the GuardMode Agent service is stopped and disabled. This prevents the service from automatically starting during the uninstallation process:
systemctl stop Catalogic.GuardMode.Agent.service
systemctl disable Catalogic.GuardMode.Agent.service
Next, remove symbolic links and files related to the GuardMode Agent service:
find /etc/systemd/system/ -type l -name "*Catalogic.GuardMode.Agent*" -exec echo "removing {}" \; -exec rm -f {} \;
find /etc/systemd/system/ -type f -name "*Catalogic.GuardMode.Agent*" -exec echo "removing {}" \; -exec rm -f {} \;
find /usr/lib/systemd/system/ -type l -name "*Catalogic.GuardMode.Agent*" -exec echo "removing {}" \; -exec rm -f {} \;
find /usr/lib/systemd/system/ -type f -name "*Catalogic.GuardMode.Agent*" -exec echo "removing {}" \; -exec rm -f {} \;
Adjust system service properties:
sed -i 's/^RefuseManualStop=no$/RefuseManualStop=yes/' /usr/lib/systemd/system/auditd.service
# For OES 2023 only:
sed -i 's/^[ \t]*ProtectHome=read-only$/ProtectHome=true/' /usr/lib/systemd/system/augenrules.service
sed -i 's/^[ \t]*ProtectHome=read-only$/ProtectHome=true/' /usr/lib/systemd/system/auditd.service
Reload the system daemon:
systemctl daemon-reload
Remove the GuardMode Agent installation directory and any related configuration files:
rm -rf /opt/catalogic/guard-mode/agent
rm -f /etc/audit/rules.d/GuardMode.rules
rm -f /etc/audit/plugins.d/CatalogicAuditDispatcher.conf
rm -f /etc/audisp/plugins.d/CatalogicAuditDispatcher.conf
Update Audit Rules and Restarting the Service:
augenrules
systemctl restart auditd.service
(Optional) Depending on your specific requirements, you might want to remove
auditd
from your system.
For RHEL 7, 8, 9:
yum remove audit audit-libs libicu
For OES 2023:
zypper remove audit libaudit1 libauparse0