Install Arctic Wolf Agent on multiple Linux endpoints

You can install Arctic Wolf® Agent on multiple endpoints in your organization using a package manager.

Note:
  • Agent is designed to maintain a minimal footprint on all systems, but Arctic Wolf recommends some OS requirements. Arctic Wolf cannot guarantee functionality on virtual machine (VM) environments if resources do not meet recommended levels.

  • Agent does not support ARM architecture.

These resources are required:

  • To correctly view Agent risks in the Unified Portal, Linux Agent version 2024.02.84 or later is required

  • Administrator permissions or the ability to do administrator or root level functions

  • One of these Linux distributions:
    • AlmaLinux 10, 9 or 8
    • Amazon Linux 2023 or 2
    • CentOS 7
    • CentOS Stream 9
    • Debian 13, 12 or 11
    • Linux Mint 20.3
    • Oracle Linux 10, 9 or 8
    • Red Hat 10, 9, 8 or 7
    • Rocky Linux 10, 9 or 8
    • SUSE 15
    • Ubuntu 24.04, 22.04, 20.04, or 18.04
    Note:
    • Center for Internet Security (CIS) Benchmarks, which are used in Aurora Vulnerability Management (Aurora VM) benchmark scanning, are not yet available for these distributions:
      • AlmaLinux 10
      • Debian 13
      • Oracle Linux 10
      • Red Hat 10
      • Rocky Linux 10
    • Vulnerability scanning is not supported for CentOS Stream 10
  • These system resources:
    • An x64 or x86 processor
    • At a minimum:
      • A dual-core CPU
      • 2 GB of memory
      • 50 MB of disk space
  • Routing using IPv4 or IPv6
    Note: IPv4 or IPv6 must be enabled to ensure containment functions as expected.

These actions are required:

  • If the Linux distribution is Debian, make sure that sudo is installed on the root account.
  • Make sure outbound access is available for ports 443 and 1514.

Configure your environment firewall

Configure your firewall to allow traffic to Agent DNS hostnames.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Allowlist Requirements.
  3. Configure your firewall to allow outbound traffic for all the hostnames, not IP addresses, listed in the Agent section.
    Note:

    Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative effect on the system.
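
The requirements and firewall steps above can be checked on each endpoint before installing. The following script is an added example, not Arctic Wolf tooling: the function names are hypothetical, the host:port arguments stand for the hostnames you copy from the Allowlist Requirements page, and the memory floor and the use of /var for the disk check are assumptions noted in the comments.

```bash
#!/usr/bin/env bash
# Added example: pre-install check for the requirements on this page.
# Function names are hypothetical; this is not Arctic Wolf tooling.

# x64/x86 only; the page states that ARM is not supported.
arch_supported() {
  case "$1" in
    x86_64|amd64|i386|i486|i586|i686) return 0 ;;
    *) return 1 ;;
  esac
}

# Page minimums: dual-core CPU, 2 GB memory, 50 MB disk.
# MemTotal excludes kernel-reserved memory, so a 2 GB VM reports a little
# under 2097152 kB; the 1800000 kB floor is an assumed tolerance.
resources_ok() {  # args: cores mem_kb free_disk_kb
  [ "$1" -ge 2 ] && [ "$2" -ge 1800000 ] && [ "$3" -ge 51200 ]
}

# Outbound TCP reachability for one host and port (bash /dev/tcp, 5 s limit).
port_open() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# args: host:port pairs built from the Portal allowlist and ports 443/1514
preflight() {
  local rc=0 cores mem_kb disk_kb pair
  arch_supported "$(uname -m)" || { echo "FAIL arch $(uname -m)"; rc=1; }
  cores=$(nproc)
  mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
  # /var holds /var/arcticwolfnetworks/agent, the path named on this page.
  disk_kb=$(df -Pk /var | awk 'NR==2 {print $4}')
  resources_ok "$cores" "$mem_kb" "$disk_kb" ||
    { echo "FAIL resources cores=$cores mem_kb=$mem_kb disk_kb=$disk_kb"; rc=1; }
  for pair in "$@"; do
    port_open "${pair%:*}" "${pair##*:}" || { echo "FAIL connect $pair"; rc=1; }
  done
  return "$rc"
}

# Runs only when host:port arguments are supplied.
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A non-zero exit status means at least one requirement was not met; each failed check is printed on its own line.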

Add Agent processes to the allowlist

If you install Agent and an antivirus, endpoint scanner, Endpoint Detection and Response (EDR) solution, Unified Threat Management (UTM) solution, or similar software, add Agent processes to the allowlist in those applications to maintain stable CPU and memory utilization:

  1. Configure your security systems to allow the processes listed in Arctic Wolf Agent processes.
    Tip:

    Arctic Wolf recommends that you define a security rule or policy exclusion for the parent folder. Then, if new processes are added during a future Agent software update, the new rule or policy exclusion applies to it. For example, for a Linux endpoint, define a rule that applies to this file path: /var/arcticwolfnetworks/agent.

  2. Add the files listed in Arctic Wolf Agent hash values to all allowlists.
  3. If you use an EDR solution, verify that your EDR configuration changes are applied to all endpoints.

See the technical documentation for the security systems that you are configuring for more information.

Download and install Agent

  1. Download the Agent installer:
    1. Sign in to the Arctic Wolf Unified Portal.
    2. In the navigation menu, click Resources > Downloads.
    3. In the Arctic Wolf Agent section, in the Operating System list, select the required operating system.
    4. Click Download Agent.
  2. Make sure that the Agent zip file is extracted into the arcticwolfagent_version.deb|rpm package file and the customer.json file.
    CAUTION:
    • Do not edit the customer.json file. Editing this file causes installation errors.
    • Do not save the Agent installer or customer.json to a location with public access. Keep the customer.json file confidential.
  3. Based on your OS and preferred package manager, run one of these commands:
    Note: To exclude the Agent desktop component from non-GUI Linux endpoints during installation, include the DISABLE_AGENT_DESKTOP=true install option before the package manager command. For example,
    SHELL
    sudo DEBIAN_FRONTEND=noninteractive AWN_CUSTOMER_JSON=/tmp/customer.json DISABLE_AGENT_DESKTOP=true apt install ./arcticwolfagent_<version>.deb
    • CentOS, Red Hat, or Amazon Linux:
      • YUM (preferred):
        SHELL
        sudo AWN_CUSTOMER_JSON=/tmp/customer.json yum install arcticwolfagent_<version>.rpm
      • Zypper:
        SHELL
        sudo AWN_CUSTOMER_JSON=/tmp/customer.json zypper install --allow-unsigned-rpm arcticwolfagent_<version>.rpm
      • DNF:
        SHELL
        sudo AWN_CUSTOMER_JSON=/tmp/customer.json dnf install arcticwolfagent_<version>.rpm
    • SUSE using zypper:
      SHELL
      sudo AWN_CUSTOMER_JSON=/tmp/customer.json zypper install arcticwolfagent_<version>.rpm
    • Ubuntu using APT:
      SHELL
      sudo DEBIAN_FRONTEND=noninteractive AWN_CUSTOMER_JSON=/tmp/customer.json apt install /tmp/arcticwolfagent_<version>.deb
    Note:
    • You must save customer.json in the /tmp folder.
    • Use an absolute path to customer.json and verify that it is correct. If any errors occur pertaining to the customer.json file, see Troubleshoot Arctic Wolf Agent.
    • You can install Agent with any package manager on CentOS, Red Hat, or Amazon Linux, but only YUM has been tested.
    • Agent only performs automated tests with YUM, DNF, and Zypper.
  4. When the command line prompts you, install the Linux utilities that are required for your Linux distribution if they are not installed:

    Linux distributions: Debian, Linux Mint, Ubuntu
    Required Linux utilities:
      • adduser
      • bsdutils
      • coreutils
      • debconf
      • debianutils
      • dnsutils
      • hostname
      • iproute2
      • iptables
      • libc6 (>= 2.7)
      • lsb-release
      • lshw
      • net-tools
      • network-manager
      • procps
      • systemd
      • usbutils

    Linux distributions: AlmaLinux, Amazon Linux, CentOS, Oracle Linux, Red Hat, Rocky Linux, SUSE
    Required Linux utilities:
      • chkconfig
      • coreutils
      • iptables
      • systemd
      • which

    Note: If included in your Linux distribution, Arctic Wolf recommends installing:
    • hostname
    • lshw
    • net-tools or net-tools-deprecated
  5. Contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team (CST) at security@arcticwolf.com to confirm that Agent data is reaching Arctic Wolf.
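
Step 3 requires customer.json to sit in /tmp, a directory shared by all local users, while the caution in step 2 asks that the file stay confidential. The following check, run before the install command, is an added example and not part of Arctic Wolf Agent; check_customer_json is a hypothetical helper that assumes GNU stat.

```bash
#!/usr/bin/env bash
# Added example: checks on customer.json before it is passed to the installer.
# check_customer_json is a hypothetical helper, not part of Arctic Wolf Agent.

check_customer_json() {  # arg: path intended for AWN_CUSTOMER_JSON
  local f="$1" mode owner
  # The page asks for an absolute path.
  case "$f" in
    /*) ;;
    *) echo "not an absolute path: $f"; return 1 ;;
  esac
  # /tmp is shared: refuse a symlink that another local user could have placed.
  if [ -L "$f" ]; then echo "is a symlink: $f"; return 1; fi
  if [ ! -f "$f" ]; then echo "not a regular file: $f"; return 1; fi
  # Confidentiality: no group or other permission bits may be set.
  mode=$(stat -c %a "$f")
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "mode $mode grants access beyond the owner: $f"; return 1
  fi
  # The owner must be root or the invoking user.
  owner=$(stat -c %u "$f")
  if [ "$owner" != 0 ] && [ "$owner" != "$(id -u)" ]; then
    echo "unexpected owner uid $owner: $f"; return 1
  fi
  return 0
}

# Runs only when a path is supplied, for example:
#   ./check_customer_json.sh /tmp/customer.json
if [ "$#" -gt 0 ]; then check_customer_json "$1"; fi
```

Copying the file with `install -m 600` rather than `cp` sets the restrictive mode at creation time, so the check passes without a separate chmod.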