Aurora Focus prerequisites

Prerequisites for running Aurora Focus on supported operating systems.

Agents

Agent

Requirements

Aurora Protect Desktop agent

  • You must install the Aurora Protect Desktop agent on a device before you install the Aurora Focus agent. The Aurora Focus agent requires the Aurora Protect Desktop agent to function.
  • Arctic Wolf recommends installing the latest available version of the Aurora Protect Desktop agent to benefit from the latest features and fixes.
  • The Aurora Focus agent for Windows version 3.4 requires Aurora Protect Desktop 3.3.1001 or later.
  • For the Aurora Focus agent version 3.3, the minimum required version of the Aurora Protect Desktop agent is 3.1.x. The Windows sensors introduced in Aurora Focus 3.3 require Aurora Protect Desktop agent for Windows 3.2.x or later.
  • The Aurora Focus agent versions 3.2 and 3.1 require these minimum versions of the Aurora Protect Desktop agent:
    • Windows: 2.1.1578.x
    • macOS: 3.0.1000.x
    • Linux: 2.1.1590.x
  • Review the Aurora Protect Desktop compatibility matrix and the Aurora Protect Desktop requirements to verify that you install a supported Aurora Protect Desktop agent and meet all other requirements.

Aurora Focus agent

  • Arctic Wolf recommends installing the latest available version of the Aurora Focus agent on each device.
  • Aurora Focus agent version 3.x is required to support automatically storing collected data in the Aurora Focus cloud database. Earlier versions of the agent store Aurora Focus data in a local database on the device.
  • In agent 3.x, the data that is collected by the Aurora Focus sensors is cached locally before it is sent to the Aurora Focus cloud database. If the device is offline, the data is cached until the device can connect to the cloud database. A maximum of 1 GB of data can be stored locally. If more than 1 GB of data is stored before it can be uploaded, the lowest priority data will be deleted so that higher priority data can be cached.
  • See the Aurora Focus Release Notes for considerations when upgrading from Aurora Focus agent 2.x to 3.x.
  • When you upgrade from version 2.x to 3.x, the full contents of the Aurora Focus local database are uploaded to the cloud database in batches.
  • After you upgrade to version 3.x, you cannot downgrade the agent to version 2.x. If you want to install version 2.x, you must uninstall version 3.x, then install version 2.x.

OS support and additional requirements

For information about the operating systems that Aurora Focus supports, see the Endpoint Defense compatibility matrix. To view support timelines for all Arctic Wolf products, see the BlackBerry Enterprise Software Lifecycle Reference Guide.

This table lists the supported operating systems that have additional requirements or considerations. Note that this table is not a comprehensive list of supported operating systems. If an operating system is not listed in the table, it means that there are no additional requirements or considerations.

OS

Additional requirements or considerations

Windows operating systems

Windows 8.1

Windows 7 SP1

See this Microsoft article for additional dependencies for .NET Core support.

macOS operating systems

macOS Sequoia (15.x)

macOS Sonoma (14.x)

macOS Ventura (13.x)

macOS Monterey (12.x)

macOS Big Sur (11.x)

macOS Catalina (10.15)

Enable full disk access. For more information, see KB 42221301076123.

Linux operating systems

All supported Linux systems

  • kernel-headers and kernel-devel are required, and the version must match the running kernel. During the installation, the package manager will indicate the versions that are required. For supported Ubuntu and Debian systems, linux-headers is the equivalent of kernel-headers.
  • One of these Linux sensor suites is required: eBPF, Netlink (with multicast Netlink socket support 3.16 or later, or audit daemon uninstalled), or Auditdsp (with the auditd and auditdsp plugins enabled to start on boot). eBPF is recommended for the best performance with the Aurora Focus agent. If eBPF is not available, the agent tries to use Netlink for the next best level of performance. If Netlink is not available, the agent tries to use Auditdsp. The available sensor suites vary depending on the version of your OS.
  • The Microsoft .NET Framework runtime packages depend on libicu and libssl but are not listed as package dependencies because their names differ on different Linux distributions. For the exact package names, see https://github.com/dotnet/core/blob/master/Documentation/linux-prereqs.md. If any required libraries are missing, Endpoint DefenseTcpService reports the missing library and exits.

RHEL/CentOS 8.x

RHEL/CentOS 7.x

AlmaLinux 8.10

Rocky Linux 8.10

  • For RHEL/CentOS 8.x, ncurses-compat-libs is required unless devices are running Aurora Focus agent version 3.2.1140-x or later.
  • Firewalld must be enabled and running to support the lockdown device feature. Firewalld is available by default with RHEL/CentOS, AlmaLinux, and Rocky Linux.

Amazon Linux 2

  • ncurses-compat-libs is required unless devices are running Aurora Focus agent version 3.2.1140-15000 or later.
  • Firewalld must be enabled and running to support the lockdown device feature.

Oracle Linux Server UEK 8 (64-bit)

Oracle Linux Server 8 (64-bit)

Oracle Linux Server UEK 7 (64-bit)

Oracle Linux Server 7 (64-bit)

  • ncurses-compat-libs is required unless devices are running Aurora Focus agent version 3.2.1140-37000 or later.
  • Firewalld must be enabled and running to support the lockdown device feature. Firewalld is available by default with Oracle Linux.

Ubuntu 22.04

Ubuntu 20.04

Ubuntu 18.04

  • Ubuntu 20.04 requires libtinfo5 unless devices are running Aurora Focus agent version 3.2.1140-x or later.
  • Firewalld must be enabled and running to support the lockdown device feature. Firewalld must be installed manually for Ubuntu.

SUSE Enterprise Linux 15 SP4

SUSE Enterprise Linux 12 SP5

  • policycoreutils is required.
  • For SUSE 15.x, a kernel-default-devel package that matches the kernel is required. libncurses5 is also required unless devices are running Aurora Focus agent version 3.2.1140-29000 or later.
  • Firewalld must be enabled and running to support the lockdown device feature on SUSE 15.x. Firewalld is available by default with SUSE 15.x. The lockdown device feature is not supported for SUSE 12.

Debian 11

Debian 10

  • Debian 10 devices require iptables 1.8.5 or later to support the lockdown device feature.
  • Firewalld must be enabled and running to support the lockdown device feature. Firewalld must be installed manually for Debian.
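
As an added example (not Arctic Wolf code), this shell preflight checks three of the Linux requirements above on a device before installation: kernel headers that match the running kernel, firewalld enabled and running, and iptables 1.8.5 or later on Debian 10. The function names, the optional root-prefix argument, and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight for the Linux requirements above (not vendor code).

# True when dotted numeric version $1 >= $2 (for example 1.8.10 >= 1.8.5).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Headers for kernel release $1 are installed when /lib/modules/<rel>/build
# resolves to a directory; without them the symlink is missing or dangling.
# $2 is an optional root prefix (assumption: only for checking a staged tree).
headers_match_kernel() {
    [ -d "${2:-}/lib/modules/$1/build" ]
}

# The lockdown device feature needs firewalld both enabled and running.
firewalld_ready() {
    systemctl is-enabled --quiet firewalld && systemctl is-active --quiet firewalld
}

# Debian 10 only: installed iptables must be at least $1 (the page says 1.8.5).
iptables_at_least() {
    v=$(iptables --version 2>/dev/null | sed -n 's/^iptables v\([0-9.]*\).*/\1/p')
    [ -n "$v" ] && version_ge "$v" "$1"
}

# Run every check, report each unmet requirement, return 1 if any is unmet.
preflight() {
    rc=0
    headers_match_kernel "$(uname -r)" ||
        { echo "UNMET: kernel headers matching $(uname -r)"; rc=1; }
    firewalld_ready ||
        { echo "UNMET: firewalld enabled and running (lockdown device)"; rc=1; }
    os=$( [ -r /etc/os-release ] && . /etc/os-release && echo "${ID:-}:${VERSION_ID:-}" ) || os=
    if [ "$os" = "debian:10" ]; then
        iptables_at_least 1.8.5 || { echo "UNMET: iptables 1.8.5 or later"; rc=1; }
    fi
    return "$rc"
}

case "${1:-}" in --run) preflight ;; esac
```

Run the script with --run on the target device. The firewalld result matters only where the lockdown device feature is used and supported.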

Compatibility with other EDR solutions

The Aurora Focus agent is not compatible with other EDR (Endpoint Detection and Response) solutions installed on the same device. Remove any third-party EDR solutions from a device before you install and enable the Aurora Focus agent.

Hardware

Item

Requirements

Processor (CPU)

  • In general use, as low as 1% additional CPU
  • For heavy sustained workloads, additional 5% to 25% CPU bursts can be required, depending on the workload

Memory (RAM)

The agent requires 0.2 to 1.0 GB of additional memory, depending on the workload.

Disk space (hard drive)

Minimum 1 GB

  • For Aurora Focus agent 2.x and earlier, 1 GB minimum is required for the local database.
  • For Aurora Focus 3.0 and later, 1 GB minimum is recommended for caching Aurora Focus sensor data before the device can upload the data to the Aurora Focus cloud database when it is online.

Virtual machines

Aurora Focus is supported for virtual machines. For requirements, deployment guidance, and best practices, see Best practices for deploying Aurora Protect Desktop on Windows virtual machines. If you use Aurora Focus on a virtual machine, Arctic Wolf recommends disabling the Advanced WMI visibility sensor to reduce the number of recorded events.