Installing GuardMode Agent on Linux

Tip. Make sure you run all steps as the root user.

Note. GuardMode Agent can be installed on NFS clients. It includes helper scripts for NFS client installs, which automate the creation of systemd services to restart auditd after each NFS mount.

Before installation

Audit System configuration

Attention! GuardMode Agent is designed for exclusive access to the audit system to function correctly and cannot operate concurrently with osquery, which also hooks into the audit system for event monitoring and logging.

To prevent this issue, verify that osquery and any other tools that utilize the audit system are not installed or running on the system before installing GuardMode Agent.

Before installing the GuardMode Agent, ensure the Audit System configuration files are in their default state. These files are located in:

  • /etc/audit/

  • /etc/audisp/ (RHEL 7 only)

It's crucial not to alter these files post-installation.

If you've customized these files for other purposes, contact support for compatibility guidance.

System configuration changes during installation

During installation, some Audit System configuration files may be altered. The following files will be added:

  • /etc/audit/rules.d/GuardMode.rules

  • /etc/audit/plugins.d/CatalogicAuditDispatcher.conf (for RHEL 8, RHEL 9, OES 2023)

  • /etc/audisp/plugins.d/CatalogicAuditDispatcher.conf (for RHEL 7)

Installing GuardMode Agent also modifies the following systemd configuration files:

  • /usr/lib/systemd/system/auditd.service

  • /usr/lib/systemd/system/augenrules.service (OES 2023 only)

Additionally, a new service file /usr/lib/systemd/system/Catalogic.GuardMode.Agent.service will be added.

Attention! GuardMode Agent relies on the auditd service for certain monitoring functionalities. Before proceeding with the installation, ensure that auditd is installed on your Linux system.
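The following pre-installation check script is an added example written for this page; it is not part of the GuardMode Agent distribution. It turns the requirements above into a single check: the script must run as root, auditd must be installed, no osquery process or binary may be present, and the audit configuration files should still match the package defaults. It assumes a systemd host with the audit package (auditctl/auditd) and, for the package-verification step, an RPM-based system such as RHEL or OES where `rpm -V audit audispd-plugins` reports modified files under /etc/audit or /etc/audisp; on other distributions that step simply reports the defaults as intact.

```shell
#!/bin/sh
# Pre-installation check for GuardMode Agent on Linux.
# Added example, not part of the GuardMode Agent distribution. Assumes systemd,
# the audit package (auditctl/auditd) and, for the package-verification step,
# an RPM-based system (RHEL/OES). Run with: sh guardmode-preflight.sh --run

# Print the names of known audit-system consumers found in a list of process
# names read from stdin (one per line, as printed by `ps -eo comm=`).
# osquery is the conflict named in the documentation; the name list is an assumption.
audit_consumers() {
    grep -E -x 'osqueryd|osqueryi' || true
}

# Extract one property value from `systemctl show` output read from stdin.
unit_property() {
    sed -n "s/^$1=//p" | head -n 1
}

# Return 0 when rpm reports no modified file under /etc/audit or /etc/audisp,
# 1 otherwise. `rpm -V` prints one line per changed file and nothing when all match.
audit_config_is_default() {
    if rpm -V audit audispd-plugins 2>/dev/null | grep -qE '/etc/audi(t|sp)/'; then
        return 1
    fi
    return 0
}

guardmode_preflight() {
    rc=0
    if [ "$(id -u)" -ne 0 ]; then
        echo "FAIL: all installation steps must run as root"; rc=1
    fi

    if command -v auditctl >/dev/null 2>&1 \
       && systemctl list-unit-files auditd.service 2>/dev/null | grep -q '^auditd.service'; then
        echo "OK: auditd is installed"
    else
        echo "FAIL: auditd is not installed"; rc=1
    fi

    # GuardMode Agent needs exclusive access to the audit system.
    conflicts=$(ps -eo comm= | audit_consumers)
    if [ -n "$conflicts" ]; then
        echo "FAIL: audit-system consumer running: $conflicts"; rc=1
    fi
    if command -v osqueryd >/dev/null 2>&1; then
        echo "FAIL: osquery is installed (osqueryd found); remove it before installing"; rc=1
    fi

    if audit_config_is_default; then
        echo "OK: audit configuration files match package defaults"
    else
        echo "WARN: modified files under /etc/audit or /etc/audisp; contact support for guidance"
    fi

    # Record the value the installer will change (yes -> no on RHEL).
    current=$(systemctl show auditd.service 2>/dev/null | unit_property RefuseManualStop)
    echo "INFO: auditd RefuseManualStop=${current:-unknown} before installation"
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    guardmode_preflight
fi
```

A non-zero exit status means at least one FAIL line was printed; the WARN line about modified audit files does not block the script, because the page only asks you to contact support in that case.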

Unpacking and installation

Hint. By default, GuardMode Agent installs in the directory /opt/catalogic/guard-mode/agent.

Once you have downloaded the program archive, you have to unzip it and navigate to GuardMode Agent's directory, using:

unzip Catalogic-GuardMode-Agent-{version}-linux-x64.zip
cd Catalogic-GuardMode-Agent-{version}-linux-x64

Now, you can execute the installation script, using:

./install.sh

GuardMode Agent will be installed in /opt/catalogic/guard-mode/agent regardless of the directory from which install.sh is run.

If you are using OES, reboot your system after the installation.

Tip. If you wish to specify a watch root directory, pass it to install.sh as a parameter. The default watch root is the root filesystem /.

Keep in mind that using the root directory / as the watch root covers only native Linux file systems; SAMBA and NFS mounts are not covered!

Attention! GuardMode Agent installation changes the following security settings:

  • RHEL: the RefuseManualStop setting of the auditd systemd service is changed from yes to no.

  • OES: systemd settings for augenrules and auditd services regarding the /home directory are downgraded from protected to read-only!
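The following post-installation check is an added example written for this page, not a script shipped with GuardMode Agent. It verifies the state described in this section on a RHEL 8/9 layout: the files the installer adds, the auditd and GuardMode Agent services, the changed RefuseManualStop value, and the NFS and SAMBA (CIFS) mounts that the default watch root / does not cover. It assumes the file and unit names given on this page, the default installation directory, and a systemd recent enough for `systemctl show --value`.

```shell
#!/bin/sh
# Post-installation verification for GuardMode Agent on a RHEL 8/9 layout.
# Added example, not part of the GuardMode Agent distribution. Assumes the file,
# unit and directory names from the documentation. Run with: sh guardmode-postcheck.sh --run

# Print every path in the argument list that does not exist; return 1 if any is missing.
missing_files() {
    n=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            n=1
        fi
    done
    return $n
}

# Print NFS and CIFS/SAMBA mount points. With the default watch root / these are
# NOT monitored, so each needs its own watch root (or the NFS helper scripts).
uncovered_network_mounts() {
    findmnt -rn -t nfs,nfs4,cifs -o TARGET,FSTYPE 2>/dev/null || true
}

guardmode_postcheck() {
    rc=0
    echo "== files added by the installer =="
    missing_files \
        /etc/audit/rules.d/GuardMode.rules \
        /etc/audit/plugins.d/CatalogicAuditDispatcher.conf \
        /usr/lib/systemd/system/Catalogic.GuardMode.Agent.service \
        /opt/catalogic/guard-mode/agent/Catalogic.GuardMode.Agent || rc=1

    echo "== services =="
    for unit in auditd.service Catalogic.GuardMode.Agent.service; do
        state=$(systemctl is-active "$unit" 2>/dev/null || true)
        echo "$unit: ${state:-unknown}"
        [ "$state" = "active" ] || rc=1
    done

    # The installer changes this from yes to no on RHEL; record it for your change log.
    echo "auditd RefuseManualStop=$(systemctl show -p RefuseManualStop --value auditd.service 2>/dev/null)"

    echo "== loaded audit rules =="
    echo "$(auditctl -l 2>/dev/null | wc -l) rule(s) loaded (the GuardMode rules should be among them)"

    echo "== network mounts not covered by watch root / =="
    mounts=$(uncovered_network_mounts)
    if [ -n "$mounts" ]; then echo "$mounts"; else echo "(none)"; fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    guardmode_postcheck
fi
```

On RHEL 7 the dispatcher configuration lives under /etc/audisp/plugins.d/ instead, so adjust the second path in the `missing_files` call accordingly. A non-zero exit status means a listed file is absent or one of the two services is not active; the mount list is informational.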

Managing systemd service

The installation and upgrade scripts create and run a systemd service. To stop and disable this service, use:

systemctl stop Catalogic.GuardMode.Agent
systemctl disable Catalogic.GuardMode.Agent

Upgrading the GuardMode Agent

To update GuardMode Agent, simply run:

./upgrade.sh

Tip. The script sets up the new version of GuardMode Agent (GMA) using the JSON files from the current directory. Additionally, it replicates the Data and Logs directories from the current directory to the new one.

The script locates the current installation directory or accepts one as a parameter. It transfers data and logs directories to the new installation. Post-upgrade, the old directory can be removed manually.

Attention! Downgrades are not supported.

Setting up basic authentication

You can set up basic authentication for REST API access using:

cd /opt/catalogic/guard-mode/agent
./Catalogic.GuardMode.Agent config update basic-authentication --username {username} --password {password}

Setting up DPX Notifications

Before configuring the connection between the DPX Master Server and the GuardMode Agent's API, you need to open port 5000/TCP using:

firewall-cmd --add-port=5000/tcp && firewall-cmd --runtime-to-permanent

Now you can register the GuardMode Agent with the DPX Master Server with:

cd /opt/catalogic/guard-mode/agent
./Catalogic.GuardMode.Agent config add notification-provider dpx --hostname {dpx_hostname} --username {dpx_username} --password {dpx_password}

Note. When configuring notification providers or DPX authentication, you can specify a full hostname with the protocol (e.g. http://dpxserver.com) instead of just the hostname. If no protocol is provided, the default HTTPS will be used.

Setting up Syslog notifications

To configure Syslog notifications, provide the hostname, port, and certificate details (if using TLS):

cd /opt/catalogic/guard-mode/agent
./Catalogic.GuardMode.Agent config add notification-provider syslog --hostname "{hostname}" --port "{port}" --validate-tls-certificate "{validate_certificate}" --tls-enabled "{use_tls}" --tls-certificate-path "{certificate_path}" --application-name "{app_name}"

See also. If you want to alter audit rules after installation, see Altering Audit Rules.

Registering GuardMode Agent with DPX

After setting up DPX Notifications, you need to register the GuardMode Agent as a DPX security node. Follow these steps:

  1. Ensure you have added the DPX notification provider as described in the Setting up DPX Notifications section.

  2. Once the DPX notification provider is configured, use the following command to register the GuardMode Agent with DPX:

cd /opt/catalogic/guard-mode/agent
./Catalogic.GuardMode.Agent register dpx --username {agent_username} --password {agent_password}

Replace {agent_username} and {agent_password} with the credentials for the GuardMode Agent's REST API that you set up during the basic authentication step.

Note. You must have already registered the DPX notification provider before running this command.
