
Endpoint Agent deployment

Supported Endpoints 

Devo Endpoint Agent supports several kinds of endpoints. This section lists the operating systems and architectures on which the client can be deployed.

Windows Endpoints

Windows x64: the Devo Endpoint Agent client and osquery are fully supported on 64-bit Windows.

Windows x86: Devo Endpoint Agent and osquery are NOT supported on 32-bit Windows.

Windows ARM: Devo Endpoint Agent and osquery are NOT supported on Windows ARM.

Linux Endpoints

Most Linux x86_64 distributions are supported; installers are provided for the Debian and Red Hat families.

macOS Endpoints

macOS is supported from 10.14 onwards.

osquery's continuous integration currently tests stable osquery releases against macOS 10.14. No issues blocking core functionality have been reported on 10.11 and later, but 10.9 and earlier macOS versions are not supported.

Access Endpoint Agent Repository

  1. Open the agent repository URL of the EA Manager installation for your environment (https://<DEAM_IP>:8081). The access credentials were defined during the EA Manager installation.

  2. The browser shows a certificate warning, because the repository presents a certificate the browser does not trust. Confirm that the address is the one of your EA Manager, then click the Advanced button and Proceed to [...].

  3. Enter the configured credentials to access the agent repository website.

The EAM agent repository lists all available EA versions, grouped by target platform:

Keep the downloaded packages and their extracted contents in a secure place: they contain configuration properties, secret tokens, certificates and the other assets an agent needs to connect to the manager. Anyone who holds these assets can access the DEA Manager API.
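Because the extracted package is credential material, it is worth scripting how it is handled on an endpoint. The POSIX shell functions below are an added example, not code from the Devo EA package or its README, and they cover the Linux and macOS .tgz packages. Only the file names secret and *.crt come from the package listings on this page; the directory names, the umask choice and the shred fallback are assumptions.

```shell
#!/bin/sh
# Added example (not from the Devo EA package or its README): treat the
# downloaded agent package as secret material while it sits on an endpoint.
# Only the file names "secret" and "*.crt" come from the package listing;
# directory names and the shred fallback are assumptions.

# Octal mode of a file: GNU stat first, then BSD/macOS stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Restrict an extracted package directory to its owner and make the
# certificate and token files owner-read/write only.
harden_package_dir() {
  hp_dir=$1
  if [ ! -d "$hp_dir" ]; then
    echo "not a directory: $hp_dir" >&2
    return 1
  fi
  chmod 700 "$hp_dir"
  for hp_f in "$hp_dir"/secret "$hp_dir"/*.crt; do
    if [ -f "$hp_f" ]; then
      chmod 600 "$hp_f"
    fi
  done
}

# Extract a .tgz package so that nothing written to disk is ever
# group/world readable, then harden the result.
secure_extract() {
  se_archive=$1
  se_dest=$2
  ( umask 077 && mkdir -p "$se_dest" && tar -xzf "$se_archive" -C "$se_dest" ) || return 1
  harden_package_dir "$se_dest"
}

# Remove the extracted copy once install.sh has finished. Where shred
# (GNU coreutils) exists the credential files are overwritten first; on
# journaling or flash storage that is best effort, so keep the master copy
# of the package in a proper secret store rather than on the endpoint.
cleanup_package_dir() {
  cp_dir=$1
  if [ ! -d "$cp_dir" ]; then
    return 0
  fi
  for cp_f in "$cp_dir"/secret "$cp_dir"/*.crt; do
    if [ -f "$cp_f" ]; then
      if command -v shred >/dev/null 2>&1; then
        shred -u "$cp_f"
      else
        rm -f "$cp_f"
      fi
    fi
  done
  rm -rf "$cp_dir"
}

# Usage (paths are examples):
#   secure_extract deb-dea-osquery-X.X.X-devo-ea-manager.tgz /var/tmp/devo-ea-manager
#   (run install.sh from that directory as README.txt describes)
#   cleanup_package_dir /var/tmp/devo-ea-manager
```

The umask is set inside a subshell so the caller's umask is untouched; harden_package_dir is still run afterwards because a package created with a permissive umask elsewhere may already exist on disk.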

Deploying Windows Endpoint Agent

Click win-dea-Osquery-xxxxx.zip to download the EA agent package and unzip it on the local filesystem of the endpoint to monitor (for example, in C:\user\Downloads\DEA). If the dea_ap_win_zip_password property (available from EA 1.3) was configured in the var section of the inventory file during manager deployment, you are asked for a password before the archive is extracted; enter the value configured in that property.

The unzipped folder contents should look like this:

 

  • exts: extensions of the baseline agent functionality (log collector).

  • .crt, secret: certificate and tokens for agent authentication and secure communications path establishment with the EA Manager.

  • osquery-x.x.x.msi: osquery agent installation package.

  • osquery.flags: configuration parameters and paths.

  • install.ps1: EA installation script.

  • README.txt: installation instructions.

  1. Follow the instructions in the README.txt file. A common issue is that the endpoint's script-execution restrictions (the permissions required to run install.ps1) block the installation script. If that happens, temporarily relax the restrictions with the commands listed in the same file, and restore them to their previous configuration once the installation has finished.

  2. After the installation script has finished, check that the agent is up and running by opening Windows Task Manager and finding the osquery daemon listed as an active process:

  3. Log in to the EAM (see Access Endpoint Agent Repository above). The endpoint should be detected automatically and listed as an active host.

  4. Log in to the destination domain in Devo (US > demo for the demo platform) and open one of the box.devo_ea.xxx.xxx tables. Data from the endpoint, identified by its hostname, should start appearing in the table.

Deploying the Linux Endpoint Agent

Click deb-dea-osquery-X.X.X-devo-ea-manager.tgz to download the EA agent package and extract it (tar -xzf deb-dea-osquery-X.X.X-devo-ea-manager.tgz) on the local filesystem of the endpoint to monitor (for example, in /var/tmp/devo-ea-manager). The extracted folder contents should look like this:

 

  • exts: extensions of the baseline agent functionality (log collector).

  • .crt, secret: certificate and tokens for agent authentication and secure communications path establishment with the EA Manager.

  • osquery-x.x.x.deb: osquery agent installation package.

  • osquery.flags: configuration parameters and paths.

  • install.sh: EA installation script.

  • README.txt: installation instructions.

  1. Follow the instructions in the README.txt file.

  2. After the installation script has finished, check that the agent is up and running by executing ps -ef | grep osquery. You should see more than one osquery process: osqueryd runs a watchdog process that supervises a worker process, and the extensions run alongside them.

  3. Log in to the EAM (see Access Endpoint Agent Repository above). The endpoint should be detected automatically and listed as an active host.

  4. Log in to the destination domain in Devo (US > demo for the demo platform) and open one of the box.devo_ea.xxx.xxx tables. Data from the endpoint, identified by its hostname, should start appearing in the table. The following screenshots show some examples:

  • Operating system information reported by the endpoint connected through EA (screenshot).

  • Network information reported by the endpoint connected through EA (screenshot).

Deploying the macOS Endpoint Agent

Keep in mind that if you manage macOS Full Disk Access through a configuration profile, you need to update that profile for osquery 5.0.1 or later. See how to do it in this link.

Click darwin-dea-osquery-xxxxx.tgz to download the EA agent package and extract it (tar -xzf darwin-dea-osquery-xxxxx.tgz) on the local filesystem of the endpoint to monitor (for example, in /Users/user/Downloads/DEA).

The extracted folder contents should look like this:

 

  • exts: extensions of the baseline agent functionality (log collector).

  • .crt, secret: certificate and tokens for agent authentication and secure communications path establishment with the EA Manager.

  • osquery-x.x.x.pkg: osquery agent installation package.

  • osquery.flags: configuration parameters and paths.

  • install.sh: EA installation script.

  • README.txt: installation instructions.

  1. Follow the instructions in the README.txt file.

  2. After the installation script has finished, check that the agent is up and running by executing ps -ef | grep osquery. You should see more than one osquery process: osqueryd runs a watchdog process that supervises a worker process, and the extensions run alongside them.

  3. Log in to the EAM (see Access Endpoint Agent Repository above). The endpoint should be detected automatically and listed as an active host.

  4. Log in to the destination domain in Devo (US > demo for the demo platform) and open one of the box.devo_ea.xxx.xxx tables. Data from the endpoint, identified by its hostname, should start appearing in the table.
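The pre-install sanity check of the extracted package and the post-install process check in step 2, for both the Linux and the macOS procedures, can be scripted. The POSIX shell script below is an added example, not code from the Devo EA package or its README. It assumes that osquery.flags uses osquery's standard TLS enrollment flags (--tls_hostname, --tls_server_certs, --enroll_secret_path), which this page does not show, and it builds a constructed sample package so the checks can be exercised offline; the manager hostname and file contents in that fixture are made up.

```shell
#!/bin/sh
# Added example (not from the Devo EA package or its README): verify the
# extracted agent package before running install.sh and confirm osqueryd
# afterwards. Assumption: osquery.flags uses osquery's standard TLS
# enrollment flags; the real Devo flags file is not shown on the page.

# Print the value of --NAME=value from a flags file (first match only).
flag_value() {
  sed -n "s/^--$2=//p" "$1" | head -n 1
}

# Octal mode of a file: GNU stat first, then BSD/macOS stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when neither group nor others have any permission bit on the file.
is_private() {
  ip_mode=$(file_mode "$1")
  [ $(( 0$ip_mode & 077 )) -eq 0 ]
}

# Resolve a path from the flags file relative to the flags file's directory.
resolve_path() {
  case $2 in
    /*) printf '%s\n' "$2" ;;
    *)  printf '%s/%s\n' "$1" "$2" ;;
  esac
}

# Check that the flags file names the manager and that the CA certificate
# and enrollment secret it references exist, the secret being private.
check_osquery_flags() {
  cf_flags=$1
  cf_dir=$(dirname "$cf_flags")
  if [ ! -f "$cf_flags" ]; then
    echo "flags file not found: $cf_flags" >&2
    return 1
  fi
  cf_rc=0
  for cf_name in tls_hostname tls_server_certs enroll_secret_path; do
    cf_value=$(flag_value "$cf_flags" "$cf_name")
    if [ -z "$cf_value" ]; then
      echo "missing --$cf_name in $cf_flags" >&2
      cf_rc=1
      continue
    fi
    if [ "$cf_name" = tls_hostname ]; then
      echo "manager: $cf_value"
      continue
    fi
    cf_path=$(resolve_path "$cf_dir" "$cf_value")
    if [ ! -f "$cf_path" ]; then
      echo "--$cf_name points to a missing file: $cf_path" >&2
      cf_rc=1
      continue
    fi
    if [ "$cf_name" = enroll_secret_path ] && ! is_private "$cf_path"; then
      echo "enrollment secret is readable by group/others: $cf_path" >&2
      cf_rc=1
    fi
  done
  return $cf_rc
}

# Post-install check: at least one osqueryd process exists
# (osqueryd runs a watchdog that supervises a worker process).
osquery_running() {
  pgrep -x osqueryd >/dev/null 2>&1
}

# Constructed fixture mirroring the package layout; all contents are made up.
make_sample_package() {
  mkdir -p "$1"
  printf 'placeholder, not a real certificate\n' > "$1/devo-ea-manager.crt"
  printf 'constructed-enroll-secret\n' > "$1/secret"
  chmod 600 "$1/secret"
  cat > "$1/osquery.flags" <<'EOF'
--config_plugin=tls
--logger_plugin=tls
--tls_hostname=ea-manager.example.internal:443
--tls_server_certs=devo-ea-manager.crt
--enroll_secret_path=secret
EOF
}

# Usage: sh check_dea.sh /var/tmp/devo-ea-manager/osquery.flags
if [ -n "${1:-}" ]; then
  check_osquery_flags "$1" && echo "package checks passed"
  if osquery_running; then echo "osqueryd is running"; else echo "osqueryd is not running" >&2; fi
fi
```

Run it once against the extracted package before install.sh (a missing certificate or a world-readable secret is reported with a non-zero exit status) and again after installation to confirm osqueryd is up; the process check is the scripted form of ps -ef | grep osquery.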