Installing Outpost24 Agents

Purpose

This document describes how to install Outpost24 Agents mobile assets that are rarely office based. 

Introduction

The Outpost24 Agent is primarily designed for mobile employees who are rarely office based, but still requires vulnerability scanning of their assets. When working remotely, often via a VPN, it is not possible to run a remote vulnerability scan of these assets as it can have a serious impact on network performance. Using the Outpost24 Agent, makes it possible to get these results, with no impact on network capacity, giving details of missing patches, updates, and hotfixes for both OS and common business software. The Outpost24 Agent can be downloaded based on Operating System from the OUTSCAN UI, under Menu > Support.

It is recommended that the Outpost24 Agent is deployed and updated using your normal software deployment method. Follow the best practices of these software deployment mechanisms to ensure a successful installation. The methods outlined in this document guide you through the steps needed for a successful installation.

Caution!

When running an Outpost24 Agent, some Anti Virus/Anti-Malware software will trigger on the agent.

To avoid triggering the AV/Malware platform, the path to the agents executable need to be whitelisted.

_{Example from Bitdefender}

Requirements

• It is required for agents to have full connectivity to teddysalad.outpost24.com
• The Linux Agent comes both in rpm and deb format.
• The Windows Agent only support Windows 10, 64-bit, MSI installer.
• The MacOS Agent only support x64.

Tested Version

Prior to release, the most recent version of the Agent is tested.

The current released version of the Agent can be found in Main Menu > About or Main Menu > Support in the Agent Installer tab.

OS	Version	Build
Windows	10
Windows Server	2012 R2  (Datacenter Edition)	9600
Windows Server	2016 (Datacenter Edition)	14393
Windows Server	2019 (Datacenter Edition)	17763
Centos	7
Centos	8
Debian	10
Fedora	33
RHEL	7
macOS	Big Sur 11 (Experimental support on Sierra10.12 and newer) The agent for macOS is built for amd64 but are dependent on Rosetta 2 for other architectures and versions.

The Outpost24 Agent may work on other Windows, Mac, and Debian/Fedora based system as well, however testing is underway to ensure these are fully supported.

Before Starting

Check Connectivity to Agent Server

Ensure you can reach Outpost24 Agent server by checking you can reach the following URL from the target where the Agent is installed.

Windows

Run the following command in DOS Command Prompt:

telnet teddysalad.outpost24.com 443

Linux

Run the following command:

telnet teddysalad.outpost24.com 443

Linux example:

Downloading the Agent

To download agents:

1. Log in to OUTSCAN.
2. Click on Main Menu > Support.
3. Navigate to the Agents Installers tab.
   
   

   

4. Select Platform, Architecture, and Package from the drop-down menus.
   
   1. Select Platform, for example Linux or Windows.
   2. Select Architecture, for example amd64.
   3. Select Package, for example pkg, rpm, deb or msi depending on platform.
   4. Optional: Fill in Attributes  such as Team and Asset type
5. Click the Download button to save the agent installation file in your download folder.

The current version, platform and architecture is part of the filename.

Installing the Agent

Linux

Log in at the workstation on which you want to install the software.

Ensure that the user can get root privileges using the sudo command.

Fedora

1. Download and verify the package you wish to install as shown in Downloading the Agent. The package is named o24-agent-<version>.linux.amd64.rpm.

2. To install the package using the RPM package manager, enter the following command at the prompt:

   BASH

   sudo rpm -ivh o24-agent-<version>.linux.amd64.rpm

   
   

   

   You can also use dnf the next upcoming major version of the yum package manager for RPM-based Linux distribution, as follow:

   BASH

   sudo dnf install o24-agent-<version>.linux.amd64.rpm

CentOS

1. Download and verify the package you wish to install as shown in Downloading the Agent. The package is named o24-agent-<version>.linux.amd64.rpm.

2. To install the package using RPM package manager, enter the following command at the prompt:

   BASH

   sudo rpm -ivh o24-agent-<version>.linux.amd64.rpm

   

   You can also use dnf the next upcoming major version of the yum package manager for RPM-based Linux distribution, as follow:

   BASH

   sudo yum install o24-agent-<version>.linux.amd64.rpm

Debian

1. Download the package you wish to install as shown in Downloading the Agent. The package is named o24-agent-<version>.linux.amd64.deb.

2. To install the package using Package Manager for Debian, enter the following command at the prompt:

   BASH

   sudo dpkg -i o24-agent-<version>.linux.amd64.deb

   

   You can also use Debian high level command line interface for the package management system provided by apt as follow:

   BASH

   sudo apt /FULL_PATH_TO/o24-agent-<version>.linux.amd64.deb

Windows

To install an agent:

1. Run the downloaded o24-agent-1.22.1-1.el7.windows.amd64.msi to start the installation.
2. Check to see that the Outpost24 Agent been enrolled properly by checking:
   1. Start > Windows Systems > Control Panel > Programs > Programs and Features.
      
      

      

      
      
      
   2. Check that the Outpost24 Agent Service is running in Start > Windows Administrative Tools > Services.
      
      

      

      
      
      
   3. Check This PC > Windows 10(C:) ProgramData > Outpost24 > Agent for a o24agent.crt certificate.
      
      

      

      

macOS

Overview

The following flowchart illustrates the two mechanisms through which a macOS Agent may be configured and enrolled.

For automated deployment to a large number of targets we recommend flow A, in which the system administrator first manually obtains an enrollment configuration file which is then deployed to the entire fleet.
In flow B, the agent application is instead provided with a REST API token and retrieves its configuration file from its enrollment host. This flow implies additional network traffic overhead and the potential exposure of a more general credential.

Flow A

This flow reduces the required network communication between the agent and the enrollment host, and also minimizes the exposure of the REST API token needed for enrollment configuration file acquisition.

1. Obtain enrollment configuration file
   The system administrator installs the agent application on a single system, from which the enrollment configuration is bootstrapped.
   This configuration file, which contains a long-lived enrollment token, is then deployed to all targets in the subsequent step.
   Refer to the Acquiring a JSON Web Token (JWT) for Interfacing with the Outpost24 REST API and Obtaining Enrollment Configuration sections for guidance.

2. Install agent .pkg and enrollment configuration file on targets
   The enrollment configuration file is placed in the /etc/o24-agent/ directory and the agent binary is installed to /usr/local/bin/o24-agent. (see Installing the macOS Agent).
   Granted that the configuration file is valid and readable, the agent will be able to enroll on first startup.
   
   

   

   Important!

   The configuration file should be owned by the root user and have its permissions set to 640.

Flow B

In this flow, the agent application retrieves its enrollment configuration file using a REST API token; automated installation on multiple targets using this flow would entail issuing a longer-lived token and distributing it to all installation targets.

1. Install agent .pkg on target(s)
   Refer to the instructions in the Installing the macOS Agent section.
2. Obtain enrollment configuration file
   Obtain a REST API token and subsequently the enrollment configuration file as described in Acquiring a JSON Web Token (JWT) for Interfacing with the Outpost24 REST API and Obtaining Enrollment Configuration.

After concluding either flow A or B, see Starting the service for finalization.

Installing the macOS Agent

1. If you have access to the GUI, double-click the downloaded .pkg file and follow the installation wizard instructions.
   
   1. If prompted to choose installation directory, use the default (the volume the OS is installed to).

2. Otherwise, from the command-line, use the following command:

   BASH

   installer -pkg <path-to-agent.pkg> -target /

Retrieve a REST API Token From XMLAPI

It is possible to retrieve a REST API token through the XMLAPI action GETRESTTOKEN by using the XMLAPI apptoken.

This procedure requires a super user account.

1. Generate an API Token in the OUTSCAN UI Menu Menu > Settings > Security Policy.

   1. With that key, run the API command



      https://<O24-URL>/opi/XMLAPI?ACTION=GETRESTTOKEN&APPTOKEN=<Key from Step 1>

      
<O24-URL> could be either https://outscan.outpost24.com/ or your HIAB IP Address/FQDN.

2. A token is returned that lasts 10 minutes from the REST API.

Acquiring a JSON Web Token (JWT) for Interfacing with the Outpost24 REST API

An Outpost24 REST API may be acquired by issuing a POST request to the /opi/rest/auth/login endpoint. The endpoint accepts the following request body parameters:

• username (mandatory) - Outpost24 sign-in username.
• password (mandatory) - Outpost24 sign-in password.
• validUntil (optional) - Timestamp indicating when the token will expire; default lifetime is 10 minutes.
• code (optional) - Two-factor authentication (2FA) code, required if enabled for the user account.

Example POST request using cURL:

read -p "Username: " USER && \
read -sp "Password: " PASS && echo && \
curl --data-urlencode "username=${USER}" --data-urlencode "password=${PASS}" https://outscan.outpost24.com/opi/rest/auth/login && echo && \
unset USER PASS

Obtaining Enrollment Configuration

The /usr/local/bin/o24-agent binary provides a command fetch-enrollment-config, it retrieves a configuration file and installs it to /etc/o24-agent/agent-config.yml.

/usr/local/bin/o24-agent fetch-enrollment-config --token "<token>"

This command requires the following mandatory arguments:

• --url: This should point to the OUTSCAN/Scheduler that you wish to run against; this defaults to https://outscan.outpost24.com.
• --token: This should be a valid, non-expired JWT for the Outpost24 REST API, as outlined above.
  
  • In order to restrict the token scope, we recommend issuing the JWT for an IAM restricted sub-user.

This command accepts the following optional arguments:

• --no-config-install: This skips installing the configuration file to /etc/o24-agent/, instead leaving it available in /tmp/.
  
  • By obtaining the configuration file in this manner you may subsequently incorporate it into a specific deployment workflow, for example automatically placing it in /etc/o24-agent/ during installation, Sidestepping the need to expose a valid JWT in the same flow.
  • See the "Enrollment flow overview" for additional information.
• --insecure-skip-verify: Skips TLS certificate validation for the given --url.
  • Should only be utilized if required for particular DSAgent deployments.

This command must be invoked as the root user due to the privileged configuration file location.

Starting the Service

After the enrollment configuration file has been obtained, launch the agent service as such:

launchctl load -w /Library/LaunchDaemons/com.outpost24.agent.plist

On first run, the agent is enrolled against the OUTSCAN or Scheduler instance. This operation includes a randomized timeout in order to support large-scale deployments, and may thus require up to an hour to conclude.

Large Scale Deployments

It is recommended using existing infrastructure for large scale deployments such as but not limited to:

• Azure AD https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/deploy-apps?view=o365-worldwide for Windows hosts
• Ansible https://docs.ansible.com/ansible/latest/user_guide/index.html for Linux hosts

Setting Up an Agent Using System Proxy

Linux

Edit the /etc/sysconfig/o24-agent file to add a block to specify and HTTPS_PROXY directive.

HTTPS_PROXY="http://<PROXY_IP>:<PROXY_PORT>"

Windows

In the Start menu:

1. Open Settings.
2. Go to About.
3. Click on Advanced System Settings.
4. Click on Environment Variables.
5. Under System Variables click New.
6. Under New System Variable, fill in the new Variable Name and Variable Value.
   

   

7. Click OK to add each new variable.

macOS

Edit the /Library/LaunchDaemons/com.outpost24.agent.plist file to add a block to specify and Launch Service Environment key.

<key>LSEnvironment</key>
<dict>
      <key>HTTPS_PROXY</key>
      <string>http://<PROXY-IP>:<PROXY-PORT></string>
</dict>

You can also use standard agent-settings.yml file extracted from another pages which allows you to not make a curl call to get the enrollment configuration.

Setting up the Agent as a Target

Once the agent has been installed, perform a discovery scan for enrolled agents.

1. Open Main Menu > Netsec > Scan Scheduling.
2. Click + New button to open a Maintain Scan Schedule.
3. Add a new name, for example agent discovery.
   
4. Select Scan Mode in the drop-down menu: Discovery [Discovery|Discovery/Scan|Scan].
5. Select the Discovery Settings tab.
6. Select the Agent Discovery checkbox.
7. Select the Add Found Targets To Targets Group check box.
8. Under All Targets tree, select a target.
   
   

   

   
   
   
9. Click the Save button.
10. Select the new agent schedule listed under the Scan Schedules tab.
11. Click the Scan now button.

Once the discovery scan has finished the agent is added under Manage Targets and can be handled as any other target in Scan Scheduling.

Reference

1. Scan Scheduling
2. Manage Targets

Related Articles

_Copyright

_{© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.}

_Trademark

_{Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.}