Install Arctic Wolf Agent on a single Linux endpoint

You can install Arctic Wolf® Agent on a single Linux endpoint using the command line.

Note:
  • Agent is designed to maintain a minimal footprint on all systems, but Arctic Wolf recommends some OS requirements. Arctic Wolf cannot guarantee functionality on virtual machine (VM) environments if resources do not meet recommended levels.

  • Agent does not support ARM architecture.

These resources are required:

  • To correctly view Agent risks in the Unified Portal, Linux Agent version 2024.02.84 or later is required

  • Administrator permissions or the ability to perform administrator or root-level functions

  • One of these Linux distributions:
    • AlmaLinux 10, 9 or 8
    • Amazon Linux 2023 or 2
    • CentOS 7
    • CentOS Stream 9
    • Debian 13, 12 or 11
    • Linux Mint 20.3
    • Oracle Linux 10, 9 or 8
    • Red Hat 10, 9, 8 or 7
    • Rocky Linux 10, 9 or 8
    • SUSE 15
    • Ubuntu 24.04, 22.04, 20.04, or 18.04
    Note:
    • Center for Internet Security (CIS) Benchmarks, which are used in Aurora Vulnerability Management (Aurora VM) benchmark scanning, are not yet available for these distributions:
      • AlmaLinux 10
      • Debian 13
      • Oracle Linux 10
      • Red Hat 10
      • Rocky Linux 10
    • Vulnerability scanning is not supported for CentOS Stream 10
  • These system resources:
    • An x64 or x86 processor
    • At a minimum:
      • A dual-core CPU
      • 2 GB of memory
      • 50 MB of disk space
  • Routing using IPv4 or IPv6
    Note: IPv4 or IPv6 must be enabled to ensure containment functions as expected.

These actions are required:

  • If the Linux distribution is Debian, make sure that sudo is installed on the root account.
  • Make sure outbound access is available for ports 443 and 1514.

Configure your environment firewall

Configure your firewall to allow traffic to Agent DNS hostnames.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Allowlist Requirements.
  3. Configure your firewall to allow outbound traffic for all the hostnames, not IP addresses, listed in the Agent section.
    Note:

    Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative effect on the system.

Add Agent processes to the allowlist

If you install Agent and an antivirus, endpoint scanner, Endpoint Detection and Response (EDR) solution, Unified Threat Management (UTM) solution, or similar software, add Agent processes to the allowlist in those applications to maintain stable CPU and memory utilization:

  1. Configure your security systems to allow the processes listed in Arctic Wolf Agent processes.
    Tip:

    Arctic Wolf recommends that you define a security rule or policy exclusion for the parent folder. Then, if new processes are added during a future Agent software update, the new rule or policy exclusion applies to it. For example, for a Linux endpoint, define a rule that applies to this file path: /var/arcticwolfnetworks/agent.

  2. Add the files listed in Arctic Wolf Agent hash values to all allowlists.
  3. If you use an EDR solution, verify that your EDR configuration changes are applied to all endpoints.

See the technical documentation for the security systems that you are configuring for more information.

Download and install Agent

  1. Download the Agent installer:
    1. Sign in to the Arctic Wolf Unified Portal.
    2. In the navigation menu, click Resources > Downloads.
    3. In the Arctic Wolf Agent section, in the Operating System list, select the required operating system.
    4. Click Download Agent.
  2. Extract the Agent zip contents into a folder to access the arcticwolfagent_version.deb or arcticwolfagent_version.rpm, and customer.json files.
  3. Based on your Linux distribution, run one of these commands:
    Note: To exclude the Agent desktop component from non-GUI Linux endpoints during installation, include the DISABLE_AGENT_DESKTOP=true install option before the package manager command. For example,
    SHELL
    sudo DEBIAN_FRONTEND=noninteractive AWN_CUSTOMER_JSON=/tmp/customer.json DISABLE_AGENT_DESKTOP=true apt install ./arcticwolfagent_<version>.deb
    • Amazon Linux 2023 or 2:
      Note: For Amazon Linux 2023, before installing Agent, you must install and start the rsyslog service to make sure that Agent log data is captured.
      1. For Amazon Linux 2023, if rsyslog is not installed:
        SHELL
        sudo dnf install -y rsyslog
        sudo systemctl enable rsyslog.service
        sudo systemctl start rsyslog.service
      2. Install Agent:
        SHELL
        sudo AWN_CUSTOMER_JSON=/tmp/customer.json yum install arcticwolfagent_<version>.rpm
    • AlmaLinux, Red Hat, Rocky Linux or CentOS:
      SHELL
      sudo AWN_CUSTOMER_JSON=/tmp/customer.json yum install arcticwolfagent_<version>.rpm
    • Debian 12 or 13:
      SHELL
      sudo apt install rsyslog
      sudo systemctl enable --now rsyslog
    • SUSE:
      SHELL
      sudo AWN_CUSTOMER_JSON=/tmp/customer.json zypper install arcticwolfagent_<version>.rpm
    • Ubuntu:
      SHELL
      sudo DEBIAN_FRONTEND=noninteractive AWN_CUSTOMER_JSON=/tmp/customer.json apt install ./arcticwolfagent_<version>.deb
    Note:

    Make sure that the customer.json path is specified correctly. If you receive any errors pertaining to the customer.json file, see Troubleshoot Arctic Wolf Agent.

  4. When the command line prompts you, install the Linux utilities that are required for your Linux distribution if they are not installed:

    Linux distributions: Debian, Linux Mint, Ubuntu
    Required Linux utilities:
      • adduser
      • bsdutils
      • coreutils
      • debconf
      • debianutils
      • dnsutils
      • hostname
      • iproute2
      • iptables
      • libc6 (>= 2.7)
      • lsb-release
      • lshw
      • net-tools
      • network-manager
      • procps
      • systemd
      • usbutils

    Linux distributions: AlmaLinux, Amazon Linux, CentOS, Oracle Linux, Red Hat, Rocky Linux, SUSE
    Required Linux utilities:
      • chkconfig
      • coreutils
      • iptables
      • systemd
      • which
    Note: If included in your Linux distribution, Arctic Wolf recommends installing:
    • hostname
    • lshw
    • net-tools or net-tools-deprecated
  5. Contact your Concierge Security® Team (CST) at security@arcticwolf.com to confirm that Agent data is being received by Arctic Wolf.
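
The prerequisites on this page (x64/x86 architecture, dual-core CPU, 2 GB of memory, 50 MB of disk space, a valid customer.json path, outbound ports 443 and 1514) gathered into a preflight script to run before the install command in step 3. This is an added example, not Arctic Wolf tooling; the function names, the memory tolerance and the optional hostname argument (use a hostname from Resources > Allowlist Requirements) are assumptions.

```shell
#!/bin/sh
# Usage: sh preflight.sh /tmp/customer.json [hostname-from-portal-allowlist]

# x64/x86 only; the page states that ARM is not supported.
arch_supported() {
  case "$1" in
    x86_64|i[3-6]86) return 0 ;;
    *) return 1 ;;
  esac
}

# Args: CPU cores, MemTotal in kB, free kB. MemTotal excludes kernel-reserved
# memory, so the 1800000 kB floor for "2 GB" is an assumed tolerance.
meets_minimums() {
  [ "$1" -ge 2 ] && [ "$2" -ge 1800000 ] && [ "$3" -ge 51200 ]
}

# customer.json must be readable, non-empty and, if python3 exists, valid JSON.
customer_json_ok() {
  [ -r "$1" ] && [ -s "$1" ] || return 1
  command -v python3 >/dev/null 2>&1 || return 0
  python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$1" 2>/dev/null
}

# Outbound TCP connect via bash /dev/tcp; host and port are passed as arguments,
# not interpolated into the command string.
port_open() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

preflight() {
  rc=0
  arch_supported "$(uname -m)" || { echo "FAIL: unsupported arch $(uname -m)"; rc=1; }
  cores=$(nproc)
  mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
  free_kb=$(df -Pk /var | awk 'NR==2 {print $4}')   # Agent path is under /var
  meets_minimums "$cores" "$mem_kb" "$free_kb" ||
    { echo "FAIL: cores=$cores mem_kb=$mem_kb free_kb=$free_kb below minimum"; rc=1; }
  customer_json_ok "$1" || { echo "FAIL: $1 missing, empty or not JSON"; rc=1; }
  if [ -n "${2:-}" ]; then
    for port in 443 1514; do
      port_open "$2" "$port" || { echo "FAIL: cannot reach $2:$port"; rc=1; }
    done
  fi
  [ "$rc" -eq 0 ] && echo "Preflight passed"
  return "$rc"
}

if [ "$#" -ge 1 ]; then preflight "$@"; fi
```

The script exits non-zero on any failed check, so it can gate the package manager command in a deployment wrapper.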