Arctic Wolf Agent Installation on Linux

Updated Sep 19, 2023

Arctic Wolf Agent installation on Linux
Requirements
Download the Agent installer
Install Agent
Uninstall Agent
Agent deactivation

Arctic Wolf Agent installation on Linux

Arctic Wolf® Agent is an endpoint security management tool that functions as a component of the following solutions:

Managed Detection and Response (MDR) — Agent forwards security-relevant event and audit logs from endpoint devices in your network to Arctic Wolf to support continuous threat monitoring.
Managed Risk — Agent creates an inventory of endpoint devices in your network and performs routine host vulnerability scans and security control benchmark scans to identify security risks. See Arctic Wolf Agent Scans for more information.

You can bulk install Agent on Linux systems across your organization using a package manager.

Requirements

Supported operating systems
System resources
Port access
Linux utilities
Administrator permissions or the ability to perform administrator or root level functions

Supported operating systems

Amazon Linux 2
CentOS 7 and 8
CentOS Stream 9
Debian 11.2 (Stable)
Linux Mint 20.3
Oracle Linux 8.5
Red Hat 7 and 8
Ubuntu 16.04, 18.04, 20.04, and 22.04

Note: Vulnerability scanning is not supported on CentOS.

System requirements

At a minimum, dual-core CPU
x64 or x86 processor
At a minimum, 2 GB of memory
Notes:
- Although Agent is designed to maintain a minimal footprint on all systems, Arctic Wolf recommends certain operating system requirements. Arctic Wolf cannot guarantee Arctic Wolf Agent functionality on virtual machine (VM) environments if resources do not meet recommended levels.
- Agent does not support ARM architecture.

Networking requirements

Ports 443 and 1514 outbound open
Add all necessary Arctic Wolf Agent DNS entries to your allowlist. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Agent.

Note: Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative impact on the system.

Linux utilities

After running the Arctic Wolf Agent installer, the command line prompts you to install the following dependencies if they aren't already installed:

Operating systems	Required Linux utilities
Debian, Linux Mint, and Ubuntu	`libc6 (>= 2.7), lsb-release, debconf, adduser, iptables, systemd, debianutils, bsdutils, procps, iproute2, dnsutils, hostname, coreutils, network-manager, usbutils, lshw, net-tools`
Amazon, CentOS, Oracle Linux, and Red Hat	`coreutils, iptables, systemd, which, lshw, hostname, net-tools` Note: Red Hat, CentOS, and other RPM-based distributions do not require the `net-tools` utility.

Download the Agent installer

In the Arctic Wolf Portal, click Accounts > Downloads.
Under Endpoint Agent, select the desired Operating System option.
Click Download Agent.

Install Agent

Update your skel file once to add timestamp information to the bash history for more accurate alerting data for all new users:

Note: If you are using Red Hat, CentOS, and other RPM-based distributions, you do not need to update your skel file.
```
    echo "
    if [ -z \"\$HISTTIMEFORMAT\" ]
    then export HISTTIMEFORMAT=\"%F %T \"
    fi
    " >> /etc/skel/.bashrc
```
Update the ~/.bashrc file for each existing user.

Note: If you are using Red Hat, CentOS, and other RPM-based distributions you do not need to update the ~/.bashrc files.
1. Run the following command to find all ~/.bashrc files:
```
    ls -l /home/*/.bashrc
```
2. Run the following command to add timestamp information to the bash history for more accurate alerting data for each existing user.
  
  Replace <file_path> with each ~/.bashrc file from above:
```
    echo "
    if [ -z \"\$HISTTIMEFORMAT\" ]
    then export HISTTIMEFORMAT=\"%F %T \"
    fi
    " >> <file_path>
```
Ensure that the Agent .zip contents are extracted into the same folder, specifically the arcticwolfagent_<version>.<deb|rpm> package file and the customer.json file.
Caution:
- Do not make any edits to the customer.json file. Editing this file causes installation errors.
- Do not save the Agent installer or customer.json to publicly accessible storage. customer.json should be kept confidential.
Run the appropriate command, based on your operating system and preferred package manager:
- Ubuntu (using APT):
```
sudo DEBIAN_FRONTEND=noninteractive AWN_CUSTOMER_JSON=/tmp/customer.json apt install /tmp/arcticwolfagent_<version>.deb
```
- CentOS, Red Hat, or Amazon Linux:
  - YUM (preferred):
```
sudo AWN_CUSTOMER_JSON=/tmp/customer.json yum install arcticwolfagent_<version>.rpm
```
  - Zypper:
```
sudo AWN_CUSTOMER_JSON=/tmp/customer.json zypper install --allow-unsigned-rpm arcticwolfagent_<version>.rpm
```
  - DNF:
```
sudo AWN_CUSTOMER_JSON=/tmp/customer.json dnf install arcticwolfagent_<version>.rpm
```
Notes:
- You must place customer.json in the /tmp folder.
- Use an absolute path to customer.json and verify that it is correct. If any errors occur pertaining to the customer.json file, see Arctic Wolf Agent Troubleshooting.
- You can install Agent with any package manager on CentOS, Red Hat, or Amazon Linux, but only YUM has been tested.
- Agent only performs automated tests with YUM, DNF, and Zypper.
Contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team to confirm that Agent data is reaching Arctic Wolf.

Uninstall Agent

Note: When Arctic Wolf Agent is uninstalled, devices and associated risks are removed from the Arctic Wolf Portal and Risk Dashboard.

Run the appropriate command, based on your operating system and preferred package manager:
- Ubuntu (using APT):
```
sudo apt remove arcticwolfagent
```
- CentOS, Red Hat, or Amazon Linux:
  - YUM (preferred):
```
sudo yum remove arcticwolfagent
```
  - Zypper:
```
sudo zypper remove arcticwolfagent
```
  - DNF:
```
sudo dnf remove arcticwolfagent
```
(Optional) If you are not reinstalling Agent, remove the /var/arcticwolfnetworks/agent folder from your device.

Agent deactivation

You can deactivate Agents by removing them from the Endpoints table in the Arctic Wolf Portal. We recommend uninstalling Agents before deactivating them. If you deactivate an Agent that is still installed on a system, the endpoint reappears in the Endpoints table the next time that it is Online.

Deactivating an endpoint does not delete existing data from Arctic Wolf internal databases.

Contained Agent deactivation

You are not required to deactivate Agents if they are contained. We recommend keeping Agents in the Endpoints table until the containment incident is resolved.

You can remove contained endpoints from the Endpoints table once the incident is resolved and the Agent is uninstalled from the device.

Tip: You can only remove endpoints that have not checked in for 72 hours.

Automatic Agent deactivation and activation

Any devices that were not Online for 90 days are automatically removed from the Endpoints table. The endpoint automatically reappears in the table the next time that Agent detects it as Online.

Deactivate an Agent

If you are a Managed Risk (MR) customer, you can deactivate devices in the Arctic Wolf Portal. If you cannot access the Arctic Wolf Portal, contact your Concierge Security Team (CST).

Note: You cannot make these changes in the Risk Dashboard.

Confirm that the Agent is uninstalled from the device.
On the Arctic Wolf Portal, click Endpoint Status.
In the Endpoints table, click Remove offline endpoint on the appropriate device.

Tip: You can only remove devices that are Offline. The Agent only identifies devices as Offline if the Agent did not check in with them for 72 hours.
In the dialog, click Remove Endpoint.

Note: If you accidentally remove an endpoint, the endpoint automatically reappears in the table the next time that Agent detects it as Online.