GuardMode 2024.3
  • Welcome to GuardMode!
  • Intro
  • Installation
    • System requirements
    • Installing GuardMode Agent on Windows
      • Updating GuardMode Agent on Windows
    • Installing GuardMode Agent on Linux
      • Using Containerized GuardMode Agent
    • Uninstalling GuardMode Agent on Windows
    • Uninstalling GuardMode Agent on Linux
    • Configuring GuardMode Agent for SAMBA setup
    • Uninstalling GuardMode Agent on SAMBA setup
  • Agent Configuration
    • General Settings
    • Excluded Paths Configuration
    • Adding malware detection rules
      • Honeypot and Decoy Files
      • Write Operations Threshold
      • Detecting File Renaming with Abnormal File Extensions
      • Special Files Monitoring
    • Security Incident Detection
    • SMB Monitoring (Linux Only)
    • Event Reports
      • Configuring Event Reports
      • Excluding Paths From Event Reports
      • Tagging Agent
    • NFS Share Monitoring
    • Altering Audit Rules
    • Configuring DPX for Automatic Blocklist Updates
    • Using TLS
    • Configuring YARA-X
  • Using GuardMode Agent Command Line
  • REST API Documentation
  • On-demand Scanning
  • Logging
  • FAQ
  • Technical Support
Powered by GitBook
On this page
  • Downloading GuardMode Agent installer
  • Before installation
  • Audit System configuration
  • System configuration changes during installation
  • Unpacking and Installation
  • Managing systemd service
  • Upgrading the GuardMode Agent
  • Setting up Basic Authentication
  • Setting up DPX Notifications
  • Setting up Syslog Notifications
  • Registering GuardMode Agent with DPX
  1. Installation

Installing GuardMode Agent on Linux

PreviousUpdating GuardMode Agent on WindowsNextUsing Containerized GuardMode Agent

Last updated 3 months ago

Downloading GuardMode Agent installer

Go to the Catalogic website. Select the latest version of GuardMode Agent and click the installer download link.

Tip. Make sure you run all steps as the root user.

Note. GuardMode Agent can be installed on NFS clients. It includes helper scripts for NFS client installs, which automate the creation of systemd services to restart auditd after each NFS mount.

Before installation

Audit System configuration

Attention! GuardMode Agent is designed for exclusive access to the audit system to function correctly and cannot operate concurrently with osquery, which also hooks into the audit system for event monitoring and logging.

To prevent this issue, verify that osquery and any other tools that utilize the audit system are not installed or running on the system before installing GuardMode Agent.

Before installing the GuardMode Agent, ensure the Audit System configuration files are in their default state. These files are located in:

  • /etc/audit/

It is crucial not to alter these files post-installation.

If you have customized these files for other purposes, contact support for compatibility guidance.

System configuration changes during installation

During installation, some Audit System configuration files may be altered. The following files will be added:

  • /etc/audit/rules.d/GuardMode.rules

  • /etc/audit/plugins.d/CatalogicAuditDispatcher.conf (for RHEL 8, RHEL 9, OES 2023)

Installing GuardMode Agent also modifies the following systemd configuration files:

  • /usr/lib/systemd/system/auditd.service

  • /usr/lib/systemd/system/augenrules.service (OES 2023 only)

Additionally, a new service file /usr/lib/systemd/system/Catalogic.GuardMode.Agent.service will be added.

Attention! GuardMode Agent relies on the auditd service for certain monitoring functionalities. Before proceeding with the installation, ensure that auditd is installed on your Linux system.

Unpacking and Installation

Tip. By default, GuardMode Agent installs in directory/opt/catalogic/guard-mode/agent.

Once you have downloaded the program archive, unzip it and navigate to GuardMode Agent’s directory, using:

unzip Catalogic-GuardMode-Agent-{version}-linux-x64.zip
cd Catalogic-GuardMode-Agent-{version}-linux-x64

Now, you can execute the installation script, using:

./install.sh

GuardMode Agent will be installed in /opt/catalogic/guard-mode/agent regardless of the directory from which install.sh is run.

If you are using OES, reboot your system after the installation.

Tip. If you wish to specify a watch root directory, add it as a parameter. The default watch root is the root filesystem /.

Keep in mind that the root / directory as the watch root covers only native Linux file systems and does not cover SAMBA and NFS file systems!

Attention! GuardMode Agent installation changes the following security settings:

  • RHEL: systemd setting for auditd service the RefuseManualStop is changed from yes to no.

  • OES: systemd settings for augenrules and auditd services regarding the /home directory are downgraded from protected to read-only!

Managing systemd service

The installation and upgrade scripts create and run a systemd service. To stop and disable this service, use:

systemctl stop Catalogic.GuardMode.Agent
systemctl disable Catalogic.GuardMode.Agent

Upgrading the GuardMode Agent

To update GuardMode Agent, run:

./upgrade.sh

Tip. The script sets up the new version of GMA using JSON files from the current directory. Additionally, it replicates the Data and Logs directories from the current directory to the new one.

The script locates the current installation directory or accepts one as a parameter. It transfers data and logs directories to the new installation. Post-upgrade, the old directory can be removed manually.

Note. Downgrades are not supported.

Setting up Basic Authentication

You can set up basic authentication for REST API access using:

cd /opt/catalogic/guard-mode/agent
./Catalogic.GuardMode.Agent config update basic-authentication --username {username} --password {password}

Setting up DPX Notifications

Before configuring the connection between the DPX Master Server and the GuardMode Agent’s API, you need to open port 5000/TCP using:

firewall-cmd --add-port=5000/tcp && firewall-cmd --runtime-to-permanent

Now you can register the GuardMode Agent with the DPX Master Server with:

cd /opt/catalogic/guard-mode/agent
./Catalogic.GuardMode.Agent config add notification-provider dpx --hostname {dpx_hostname} --username {dpx_username} --password {dpx_password}

If a certificate error is thrown when adding DPX as the notification provider, use the additional --validate-certificate false flag.

Note. When configuring notification providers or DPX authentication, you can specify a full hostname with the protocol (e.g. http://dpxserver.com) instead of just the hostname. If no protocol is provided, the default HTTPS will be used.

Setting up Syslog Notifications

Note. Starting with GuardMode 2024.3, Syslog notifications follow the CEF (Common Event Format) standard.

To configure Syslog notifications, provide the hostname, port, and certificate details (if using TLS):

cd /opt/catalogic/guard-mode/agent
./Catalogic.GuardMode.Agent config add notification-provider syslog --hostname {hostname} --port {port} --validate-tls-certificate {validate_certificate} --tls-enabled {use_tls} --tls-certificate-path {certificate_path} --application-name {app_name}

Registering GuardMode Agent with DPX

After setting up DPX Notifications, register the GuardMode Agent as a DPX security node. Follow these steps:

  2. Once the DPX notification provider is configured, use the following command to register the GuardMode Agent with DPX:

cd /opt/catalogic/guard-mode/agent
./Catalogic.GuardMode.Agent register dpx --username {agent_username} --password {agent_password}

Replace {agent_username} and {agent_password} with the credentials for the GuardMode Agent’s REST API you set up during the basic authentication step.

Note. You must have already registered the DPX notification provider before running this command.

See also. If you want to alter audit rules after installation, see .

Ensure you have added the DPX notification provider as described in the section.

Altering Audit Rules
Setting up DPX Notifications
MySupport