Installation of the AMP for Endpoints Linux Connector
Available Languages
Contents
Introduction
This document describes how to install and verify the Red Hat Enterprise Linux (RHEL) and CentOS Advanced Malware Protection (AMP) for Endpoints connector.
Contributed by Juan Carlos Castillero and edited by Yeraldin Sanchez, Cisco TAC Engineers.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Linux machines on an AMP For Endpoints supported Operating System (OS)
Components Used
The information in this document is based on these software and hardware versions:
- A Linux connector installer Red Hat Package Manager (RPM)
- A GNU Privacy Guard (GPG) Key to verify updates (Optional)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Configurations
Step 1. Download the Linux RPM package from the AMP For Endpoints Portal, as shown in the image.
Step 2. Move the RPM package to the endpoint in question, either download it directly from the dashboard or manually move it to the endpoints. For this example, a Graphic User Interface (UI) is used, though it is possible, and often common, to work with a minimal installation, in which case, it is required to know how to handle the Linux terminal and find their RPM package.
Step 3. In order to install the Connector, execute the command: sudo yum localinstall [rpm package] -y where [rpm package] is the name of the file, for example, "amp_Audit.rpm".
If the GUI is in use, open the terminal, as shown in the image.
Once the installation begins, no user input is required, it is an automatic process, as shown in the image.
Verify
Use this section to confirm that your configuration works properly.
In order to verify the successful installation, run the AMP CLI. The AMP for Endpoints Linux Connector command line interface can be found at /opt/cisco/amp/bin/ampcli. It can be run in interactive mode or execute a single command then exit. Run the command ./ampcli --help to see a full list of options and commands available. All log files generated by the Connector can be found in /var/log/cisco.
An installation event also shows up on the AMP console, if flash scans were requested when the RPM package was downloaded, they also show up.
The connector also requires a GNU Privacy Guard (GNU) to push for connector updates, it can be installed without the GPG key, but if it is planned to push Connector updates via policy, the GPG key has to be imported into the RPM DB.
The RPM package needs to be installed while the atd service runs.
How to import the GPG key
Step 1. Verify the GPG key, click the GPG Public Key link on the Download Connector page. Compare the key to the one at /opt/cisco/amp/etc/rpm-gpg/RPM-GPG-Key-cisco-amp.
Step 2. Run the command from a terminal to import the key: sudo rpm --import /opt/cisco/amp/etc/rpm-gpg/RPM-GPG-KEY-cisco-amp.
Step 3. Verify the key was installed, run the command from the terminal: rpm -q gpg-pubkey --qf ‘%{name}-%{version}-%{release} --> %{summary}\n’.
Step 4. Look for a GPG key from Sourcefire in the output. The Updater is run by the system's init daemon and when an update is available, automatically triggers the RPM upgrade process. Some SELinux configurations forbid this behavior and cause the Updater to fail.
If you suspect this is the case, examine the system's audit log (e.g., /var/log/audit/audit.log) and search for denial events related to ampupdater. You may need to adjust SELinux rules to allow Updater to function.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)