Installation of the Cisco Secure Endpoint Linux Connector

Available Languages

Download Options

  • PDF     (933.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.0 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (563.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 11, 2022
Document ID:215378

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to install and verify the Cisco Secure Endpoint Linux connector for Red Hat Enterprise Linux (RHEL) and Debian based systems.

    Contributed by Juan Carlos Castillero and edited by Yeraldin Sanchez, Cisco TAC Engineers.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Linux machines on an Linux connector supported Operating System (OS)

      

    Components Used

    The information in this document is based on these software and hardware versions:

    • A Secure Endpoint Linux connector installer Red Hat Package Manager (RPM)
    • A Secure Endpoint Linux connector installer Debian Package Manager (dpkg)
    • A GNU Privacy Guard (GPG) Key to verify updates (Optional)
    • A Linux connector installer DPKG (Debian Package Management System)

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    RHEL/CentOS/Amazon Linux 2/SUSE 15

    Configurations

    Step 1. Download the Linux RPM package from the Cisco Secure Endpoint Portal, as shown in the image.

    Download RPM

    Note: Be mindful that the OS distribution matters as both different connectors have drastically different architectures.

    Step 2. Move the RPM package to the endpoint in question, either download it directly from the dashboard or manually move it to the endpoints. For this example, a Graphic User Interface (UI) is used, though it is possible, and often common, to work with a minimal installation, in which case, it is required to know how to handle the Linux terminal and find their RPM package.

    File location

    Step 3. In order to install the Linux connector, execute the command: sudo yum localinstall [rpm package] -y (or sudo zypper install -y [rpm package] on SUSE 15)

    where [rpm package] is the name of the file, for example, "amp_Audit.rpm". The RPM package needs to be installed while the atd service runs.

    Install the connector

    If the GUI is in use, open the terminal, as shown in the image.

    Launching terminal

     Once the installation begins, no user input is required, it is an automatic process, as shown in the image.

    Installing

    How to import the GPG key

    The GPG Public Key can be copied from the Download Connector page to verify the signing of the RPM package. The connector can be installed without the GPG key; however, a user would need to import the GPG key into their RPM DB if they plan on pushing connector updates via policy on RHEL.

    Note: Starting with connector version 1.17.0, the GPG key used to verify upgrade packages during connector updates is installed automatically.

    Step 1. Verify the GPG key, click the GPG Public Key link on the Download Connector page. Compare the key to the one at /opt/cisco/amp/etc/rpm-gpg/RPM-GPG-Key-cisco-amp.

    GPGkey

    Open GPGkey

    Step 2. Run the command from a terminal to import the key: sudo rpm --import /opt/cisco/amp/etc/rpm-gpg/RPM-GPG-KEY-cisco-amp.

    Compare the GPGkey

    Step 3. Verify the key was installed, run the command from the terminal: rpm -q gpg-pubkey --qf ‘%{name}-%{version}-%{release} --> %{summary}\n’.

    Verify the GPGkey

    Step 4. Look for a GPG key from Sourcefire in the output. The Updater is run by the system's init daemon and when an update is available, automatically triggers the RPM upgrade process. Some SELinux configurations forbid this behavior and cause the Updater to fail.

    If you suspect this is the case, examine the system's audit log (e.g., /var/log/audit/audit.log) and search for denial events related to ampupdater. You may need to adjust SELinux rules to allow Updater to function.

    Ubuntu

    Configurations

    Step 1. Download the Linux DEB package from the Cisco Secure Endpoint Portal, as shown in the image.

    Download DEB package

    Step 2. Move the DEB package to the endpoint in question, either download it directly from the dashboard or manually move it to the endpoints. For this example, a Graphic User Interface (UI) is used, though it is possible, and often common, to work with a minimal installation, in which case, it is required to know how to handle the Linux terminal and find their DEB package.

    Copy package to endpoint

    Step 3. In order to install the Linux connector, execute the command: sudo dpkg -i [deb package] where [deb package] is the name of the file, for example, "amp_Audit.deb".  Once the installation begins, no user input is required, it is an automatic process, as shown in the image.

    Run sudo

    How to import the GPG key

    The GPG Public Key can be copied from the Download Connector page to verify the signing of the DEB package. The connector can be installed without the GPG key; however, a user would need to import the GPG key into their debsig keyring if they plan on pushing connector updates via policy on Ubuntu. For more information on how to import the GPG key and verify the connector has not been modified on Ubuntu, see https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/216524-amp-for-endpoints-ubuntu-connector.html#anc6

    Note: Starting with connector version 1.17.0, the GPG key used to verify upgrade packages during connector updates is installed automatically. To verify this GPG key, click the GPG Public Key link on the Download Connector page and compare it to the key that was installed at /opt/cisco/amp/etc/dpkg-gpg/DPKG-GPG-Key-cisco-amp.

    Verify

    Use this section to confirm that your configuration works properly.

    In order to verify the successful installation, run the AMP CLI. The Linux connector command line interface can be found at /opt/cisco/amp/bin/ampcli. It can be run in interactive mode or execute a single command then exit. Run the command ./ampcli --help to see a full list of options and commands available. All log files generated by the connector can be found in /var/log/cisco.

    Verify install

    An installation event also shows up on the Cisco Secure console, if flash scans were requested when the RPM package was downloaded, they also show up.

    Console event

    Troubleshoot

    There is currently no specific troubleshooting information available for this configuration.

    Related Information

    Revision History

    Revision Publish Date Comments
    3.0
    11-Apr-2022
    Added SUSE 15 to the list of installable packages.
    2.0
    13-Sep-2021
    Add note about GBG key being automatically imported for 1.17 release
    1.0
    07-Apr-2020
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Juan Carlos Castillero
      Cisco TAC Engineer
    • Edited by Yeraldin Sanchez
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products