Introduction
This document describes how to install and verify the Cisco Secure Endpoint Linux connector for Red Hat Enterprise Linux (RHEL) and Debian based systems.
Contributed by Juan Carlos Castillero and edited by Yeraldin Sanchez, Cisco TAC Engineers.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Linux machines running an operating system (OS) supported by the Linux connector
Components Used
The information in this document is based on these software and hardware versions:
- A Secure Endpoint Linux connector installer for Red Hat Package Manager (RPM) based systems
- A Secure Endpoint Linux connector installer for Debian Package Manager (dpkg) based systems
- A GNU Privacy Guard (GPG) key to verify updates (optional)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
RHEL/CentOS/Amazon Linux 2/SUSE 15
Configurations
Step 1. Download the Linux RPM package from the Cisco Secure Endpoint Portal, as shown in the image.

Note: Be mindful that the OS distribution matters: the RPM-based and DEB-based connectors are built on drastically different architectures and are not interchangeable, so download the package that matches the target system.
Step 2. Move the RPM package to the endpoint in question: either download it directly from the dashboard on the endpoint or copy it there manually. This example uses a graphical user interface (GUI); a minimal installation without one is possible, and common, in which case you need to work from the Linux terminal and locate the RPM package there.

Step 3. In order to install the Linux connector, execute the command sudo yum localinstall [rpm package] -y (or sudo zypper install -y [rpm package] on SUSE 15), where [rpm package] is the name of the file, for example, amp_Audit.rpm. The RPM package must be installed while the atd service is running; check it with systemctl is-active atd and start it with sudo systemctl start atd if needed.

If the GUI is in use, open the terminal, as shown in the image.

Once the installation begins, no user input is required; it is an automatic process, as shown in the image.

How to import the GPG key
The GPG Public Key can be copied from the Download Connector page to verify the signature of the RPM package. The connector can be installed without the GPG key; however, if connector updates are pushed via policy on RHEL, the key must be imported into the RPM database so that the updater can verify the upgrade packages it installs.
Note: Starting with connector version 1.17.0, the GPG key used to verify upgrade packages during connector updates is installed automatically.
Step 1. To verify the GPG key, click the GPG Public Key link on the Download Connector page. Compare that key to the one installed at /opt/cisco/amp/etc/rpm-gpg/RPM-GPG-KEY-cisco-amp (file names are case-sensitive; this is the same path used in the import command below).


Step 2. Import the key from a terminal: sudo rpm --import /opt/cisco/amp/etc/rpm-gpg/RPM-GPG-KEY-cisco-amp

Step 3. Verify the key was installed by listing the public keys in the RPM database from a terminal: rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

Step 4. Look for a GPG key from Sourcefire in the output.

The Updater is run by the system's init daemon and, when an update is available, automatically triggers the RPM upgrade process. Some SELinux configurations forbid this behavior and cause the Updater to fail.
If you suspect this is the case, examine the system's audit log (for example, /var/log/audit/audit.log) and search for denial events related to ampupdater; on systems with the audit tools installed, ausearch -m avc -c ampupdater lists them directly. You may need to adjust the SELinux policy to allow the Updater to function.
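The key-verification steps above and the SELinux check can be scripted. The following is an added example, not Cisco's code: it compares the fingerprint of the key copied from the Download Connector page (assumed to be saved in a file such as portal-key.asc) with the key installed under /opt/cisco/amp, imports it only on a match, confirms a Sourcefire key is in the RPM database, checks the package signature with rpm -K, and counts AVC denials against ampupdater in the audit log. The `--verify` invocation style and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not Cisco's code): check the RPM signing key before importing
# it, confirm it landed in the RPM database, verify the package signature, and
# look for SELinux denials against the updater. Assumed: the key copied from
# the Download Connector page was saved to a file (portal-key.asc); the audit
# log path is the page's example.

LOCAL_KEY=/opt/cisco/amp/etc/rpm-gpg/RPM-GPG-KEY-cisco-amp

# Fingerprint of a public-key file without importing it anywhere
# (gpg --show-keys needs GnuPG >= 2.1.23). Empty output if the file is
# missing or is not a key.
key_fingerprint() {
    gpg --with-colons --show-keys "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare the portal key with the one installed under /opt/cisco/amp.
# Fingerprints are compared, not the ASCII armor, so whitespace differences
# from copy-and-paste are ignored.
keys_match() {
    a=$(key_fingerprint "$1"); b=$(key_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Reads the output of
#   rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
# on stdin and succeeds only if a key from Sourcefire (Step 4) is listed.
has_sourcefire_key() {
    grep -qi 'sourcefire'
}

# Number of SELinux AVC denials recorded for ampupdater in an audit log
# (equivalent to: ausearch -m avc -c ampupdater). Prints 0 when there are
# none or the log cannot be read.
updater_denials() {
    n=$(grep -c 'type=AVC.*comm="ampupdater"' "${1:-/var/log/audit/audit.log}" 2>/dev/null) || true
    echo "${n:-0}"
}

main() {
    portal_key="$1"; pkg="$2"
    keys_match "$portal_key" "$LOCAL_KEY" \
        || { echo "portal key and $LOCAL_KEY differ (or are unreadable); not importing" >&2; return 1; }
    sudo rpm --import "$LOCAL_KEY"
    rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' | has_sourcefire_key \
        || { echo "no Sourcefire key in the RPM database" >&2; return 1; }
    # With the key imported, rpm can now check the downloaded package's signature.
    rpm -K "$pkg"
    n=$(updater_denials)
    [ "$n" -eq 0 ] || echo "warning: $n SELinux denials for ampupdater; review the policy" >&2
}

# Only act when invoked as:  sh verify_key.sh --verify portal-key.asc amp_Audit.rpm
if [ "${1:-}" = "--verify" ]; then
    main "$2" "$3"
fi
```

The fingerprint comparison is deliberately done before `rpm --import`: once a key is in the RPM database, every package it signs is trusted by the updater, so a wrong key should never reach that step.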
Ubuntu
Configurations
Step 1. Download the Linux DEB package from the Cisco Secure Endpoint Portal, as shown in the image.

Step 2. Move the DEB package to the endpoint in question: either download it directly from the dashboard on the endpoint or copy it there manually. This example uses a graphical user interface (GUI); a minimal installation without one is possible, and common, in which case you need to work from the Linux terminal and locate the DEB package there.

Step 3. In order to install the Linux connector, execute the command sudo dpkg -i [deb package], where [deb package] is the name of the file, for example, amp_Audit.deb. Once the installation begins, no user input is required; it is an automatic process, as shown in the image.

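The install steps for the RPM-based systems and for Ubuntu differ only in the package tool, and the note above about picking the right package for the distribution is easy to get wrong on a fleet. The following is an added example, not Cisco's code: a wrapper that reads ID and ID_LIKE from /etc/os-release, refuses a package that does not match the distribution, enforces the atd requirement for RPM installs, runs the install command the page gives for each family, and finishes with the connector CLI's status command. The `--install` invocation style is an assumption; amp_Audit.rpm and amp_Audit.deb are the page's placeholder names.

```shell
#!/bin/sh
# Added example (not part of the Cisco page): install the connector package
# with the command the target distribution expects. The package file name is
# whatever was downloaded from the portal; amp_Audit.rpm / amp_Audit.deb are
# only the page's placeholders.

# Print the install command for a package, given the distribution IDs
# ("$ID $ID_LIKE" from /etc/os-release). Fails for a mismatch such as an
# RPM on Ubuntu, which is the case the page's note warns about.
install_cmd_for() {
    ids="$1"; pkg="$2"
    case "$pkg" in
        *.rpm)
            case "$ids" in
                *suse*|*sles*)                   echo "zypper install -y $pkg" ;;
                *rhel*|*centos*|*amzn*|*fedora*) echo "yum localinstall -y $pkg" ;;
                *) return 1 ;;
            esac ;;
        *.deb)
            case "$ids" in
                *ubuntu*|*debian*) echo "dpkg -i $pkg" ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# "$ID $ID_LIKE" of the running system, sourced in a subshell so nothing leaks.
os_ids() {
    ( . /etc/os-release 2>/dev/null && echo "$ID ${ID_LIKE:-}" )
}

# The RPM install needs the atd service running (Step 3 of the RPM section).
atd_running() {
    systemctl is-active --quiet atd
}

main() {
    pkg="$1"
    [ -f "$pkg" ] || { echo "no such package: $pkg" >&2; return 1; }
    cmd=$(install_cmd_for "$(os_ids)" "$pkg") \
        || { echo "package type does not match this distribution" >&2; return 1; }
    case "$pkg" in
        *.rpm) atd_running || { echo "atd is not running; start it first (sudo systemctl start atd)" >&2; return 1; } ;;
    esac
    echo "+ sudo $cmd"
    sudo $cmd
    # Post-install check from the Verify section: the connector CLI
    # (run /opt/cisco/amp/bin/ampcli --help for the full command list).
    /opt/cisco/amp/bin/ampcli status
}

# Only act when explicitly asked, e.g.:  sh install_connector.sh --install amp_Audit.rpm
if [ "${1:-}" = "--install" ]; then
    main "$2"
fi
```

Matching on ID_LIKE as well as ID is what makes CentOS, Amazon Linux 2 and SLES fall into the right branch without listing every derivative; the zypper branch is checked first because SUSE systems do not carry rhel in ID_LIKE.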
How to import the GPG key
The GPG Public Key can be copied from the Download Connector page to verify the signing of the DEB package. The connector can be installed without the GPG key; however, a user would need to import the GPG key into their debsig keyring if they plan on pushing connector updates via policy on Ubuntu. For more information on how to import the GPG key and verify the connector has not been modified on Ubuntu, see https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/216524-amp-for-endpoints-ubuntu-connector.html#anc6
Note: Starting with connector version 1.17.0, the GPG key used to verify upgrade packages during connector updates is installed automatically. To verify this GPG key, click the GPG Public Key link on the Download Connector page and compare it to the key that was installed at /opt/cisco/amp/etc/dpkg-gpg/DPKG-GPG-Key-cisco-amp.
Verify
Use this section to confirm that your configuration works properly.
In order to verify the successful installation, run the AMP CLI. The Linux connector command line interface is located at /opt/cisco/amp/bin/ampcli. It can be run in interactive mode, or it can execute a single command and exit. Run /opt/cisco/amp/bin/ampcli --help to see the full list of options and commands available. All log files generated by the connector can be found in /var/log/cisco.

An installation event also appears in the Cisco Secure Endpoint console; if flash scans were requested when the package was downloaded, they appear there as well.

Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information