
Universal Agent deployment v7.0.8

Supported endpoints 

Devo Universal Agent supports different kinds of endpoints. This section lists the operating systems on which the client can be deployed.

Windows endpoints

  • Windows x64: osquery and the Devo Universal Agent Client are fully supported on 64-bit Windows.
  • Windows x86: osquery is not fully supported on 32-bit Windows. An installation package can be delivered for 32-bit Windows, but bugs or issues raised against it are not supported. Be aware that the 32-bit version of the Universal Agent Client is not extensively tested and could contain unexpected issues.

Linux endpoints

Most Linux x86_64 distributions are supported, and installers are provided for both Debian (Ubuntu) and RedHat (CentOS) based systems.

macOS endpoints

macOS is supported from 10.14 onward.

Continuous integration currently tests stable release versions of osquery against macOS 10.14. There are no reported issues that block expected core functionality on 10.11 and later; however, 10.9 and earlier macOS versions are not supported.

Access Universal Agent repository

  1. Open the agents' repository URL in the UA Manager installation for your environment (https://<DUAM_IP>:8081). Access credentials were defined during the UA Manager installation process.

  2. A warning message is displayed (no certificates available). Click on the advanced configuration button and then click on Proceed to [...]

  3. Use the configured credentials to access the agent's repository website.

UAM's agents' repository is displayed with all available versions of the Universal Agent listed per target platform.
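Before clicking through the browser warning in step 2, a practitioner will want to confirm that the certificate presented on https://<DUAM_IP>:8081 is the one that belongs to the UA Manager. The following shell script is an added example, not part of Devo's documentation or tooling: it reads the SHA-256 fingerprint of the certificate the UAM presents using standard OpenSSL commands and compares it with a fingerprint obtained out of band (for instance from the person who installed the UA Manager). The host argument, the default port 8081 taken from the URL above, and the placeholder expected fingerprint are assumptions.

```shell
#!/bin/sh
# Added example (not Devo tooling): compare the TLS certificate that the UAM
# agents' repository presents with a fingerprint obtained out of band, so that
# accepting the browser's certificate warning is a deliberate trust decision.
# Assumptions: the UAM listens on https://<DUAM_IP>:8081 as stated above; the
# expected fingerprint is supplied by whoever installed the UA Manager.

# Normalise a fingerprint so "sha256 Fingerprint=AB:CD:..." (openssl output)
# and "abcd..." compare equal: drop any label, remove colons, upper-case.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when two fingerprints, in any of the above spellings, match.
fp_matches() {
  [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Print the SHA-256 fingerprint of the leaf certificate served at host:port.
# `openssl s_client` and `openssl x509` are standard OpenSSL subcommands.
server_fp() {
  local host="$1" port="${2:-8081}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

main() {
  local host="$1" expected="${2:-SHA256-FINGERPRINT-PLACEHOLDER}" actual
  actual=$(server_fp "$host") || { echo "could not fetch a certificate from $host"; return 2; }
  if fp_matches "$actual" "$expected"; then
    echo "certificate matches the expected fingerprint; proceed in the browser"
  else
    echo "MISMATCH: presented $actual"
    echo "          expected  $expected"
    return 1
  fi
}

# Usage: ./check_uam_cert.sh <DUAM_IP> <expected-sha256-fingerprint>
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from a machine that can reach the UAM, passing the address used in step 1 and the fingerprint you were given; only proceed past the browser warning when the script reports a match.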

Deploying Windows Universal Agent

Click on win-dua-Osquery-xxxxx.zip to download the Universal Agent package and unzip it in the local filesystem of the endpoint to monitor (e.g., in C:\user\Downloads\DUA).

The unzipped folder contents should look like this:

File                 Description
exts                 Extensions of the baseline agent functionality (e.g. log collector).
.crt and secret      Certificate and token used for agent authentication and for establishing the secure communications path with the Universal Agent Manager.
install.ps1          Universal Agent installation script.
osquery.flags        Configuration parameters and paths.
osquery-x.x.x.msi    osquery agent installation package.
README.txt           Installation instructions.

  1. Follow the instructions in the README.txt file. A common issue is the permissions level required to execute the installation script. Should that be the case, make sure you temporarily disable all restrictions using the commands listed in the same file. Remember to also restore the restrictions as they were configured before.

  2. Once the installation script is finished, check that the agent is up and running by opening the Windows Task Manager and finding the osquery daemon listed as an active process.

  3. Log in to the Universal Agent Manager (see above for instructions). The endpoint should be automatically detected and listed as an active host.

  4. Log in to the destination domain in Devo (US > demo for the demo platform). Open one of the box.devo_ua.xxx.xxx tables in it. Data corresponding to the endpoint should start appearing in the data structure, identified by the hostname.

Deploying the Linux Universal Agent

Click on deb-dua-osquery-X.X.X-devo-ua-manager.tgz to download the Universal Agent package and extract it (tar -xzf deb-dua-osquery-X.X.X-devo-ua-manager.tgz) in the local filesystem of the endpoint to monitor (e.g., in /var/tmp/devo-ua-manager). The extracted folder contents should look like this:

File                 Description
exts                 Extensions of the baseline agent functionality (e.g. log collector).
.crt and secret      Certificate and token used for agent authentication and for establishing the secure communications path with the Universal Agent Manager.
install.sh           Universal Agent installation script.
osquery.flags        Configuration parameters and paths.
osquery-x.x.x.deb    osquery agent installation package.
README.txt           Installation instructions.

  1. Follow the instructions in the README.txt file.

  2. Once the installation script is finished, you can check that the agent is up and running by executing ps -ef | grep osquery. You should see several osquery processes running.

  3. Log in to the UAM (see previous paragraphs for instructions). The endpoint should be automatically detected and listed as an active host.

  4. Log in to the destination domain in Devo (US > demo for the demo platform). Open one of the box.devo_ua.xxx.xxx tables in it. Data corresponding to the endpoint should start appearing in the data structure, identified by the hostname. Examples of what these tables let you check:

    • The operating system of the endpoints connected with the Universal Agent.
    • The network configuration of the endpoints connected with the Universal Agent.

Deploying the macOS Universal Agent

Click on darwin-dua-Osquery-xxxxx.zip to download the Universal Agent package and unzip it in the local filesystem of the endpoint to monitor (e.g., in a DUA folder under your Downloads directory).

The unzipped folder contents should look like this:

File                 Description
exts                 Extensions of the baseline agent functionality (e.g. log collector).
.crt and secret      Certificate and token used for agent authentication and for establishing the secure communications path with the Universal Agent Manager.
install.sh           Universal Agent installation script.
osquery.flags        Configuration parameters and paths.
osquery-x.x.x.pkg    osquery agent installation package.
README.txt           Installation instructions.

  1. Follow the instructions in the README.txt file.

  2. Once the installation script is finished, you can check that the agent is up and running by executing ps -ef | grep osquery. You should see several osquery processes running.

  3. Log in to the UAM (see previous paragraphs for instructions). The endpoint should be automatically detected and listed as an active host.

  4. Log in to the destination domain in Devo. Open one of the box.devo_ua.xxx.xxx tables in it. Data corresponding to the endpoint should start appearing in the data structure, identified by the hostname.
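The Linux and macOS procedures above share the same package layout and the same ps -ef | grep osquery check, and in both the .crt file and the secret are what authenticate the agent to the UA Manager. The following shell script is an added example, not Devo's own tooling, that a practitioner can run on the endpoint after install.sh has finished: it confirms the unpacked package contains every file listed in the tables, confirms that the certificate and enrollment secret referenced from osquery.flags exist and that the secret is readable by its owner only, and confirms that osquery processes are running. It assumes osquery.flags uses the standard osquery flags --tls_server_certs and --enroll_secret_path to point at the certificate and token; the page does not list the flags Devo ships, so adjust the two flag names if your osquery.flags differs. The default package directory is the /var/tmp/devo-ua-manager path used in the Linux section.

```shell
#!/bin/sh
# Post-install verification for the Linux and macOS Universal Agent packages.
# Added example, not Devo's own tooling. Assumes the unpacked package layout
# shown in the file tables above (exts/, a .crt file, secret, install.sh,
# osquery.flags, osquery-x.x.x.deb or .pkg, README.txt) and that osquery.flags
# uses the standard osquery flags --tls_server_certs and --enroll_secret_path
# to point at the certificate and token (an assumption: the page does not
# list the flags Devo ships).

# Return 0 when every file of the unpacked package is present; report gaps.
check_package_layout() {
  local dir="$1" missing=0 crt="" pkg="" f
  for f in exts secret install.sh osquery.flags README.txt; do
    [ -e "$dir/$f" ] || { echo "missing: $f"; missing=1; }
  done
  for f in "$dir"/*.crt; do
    if [ -f "$f" ]; then crt="$f"; fi
  done
  [ -n "$crt" ] || { echo "missing: *.crt"; missing=1; }
  for f in "$dir"/osquery-*.deb "$dir"/osquery-*.pkg; do
    if [ -f "$f" ]; then pkg="$f"; fi
  done
  [ -n "$pkg" ] || { echo "missing: osquery-x.x.x.deb or .pkg"; missing=1; }
  return "$missing"
}

# Print the value of --<name>=<value> from an osquery.flags file (empty if absent).
flag_value() {
  sed -n "s/^--$2=//p" "$1" | head -n 1
}

# Make a flag path absolute, resolving relative paths against the package directory.
resolve_path() {
  case "$2" in
    /*) printf '%s\n' "$2" ;;
    *)  printf '%s/%s\n' "$1" "$2" ;;
  esac
}

# Return 0 when the certificate and enrollment secret named in osquery.flags
# exist and the secret is readable by its owner only (mode ending in 00).
check_tls_material() {
  local dir="$1" flags="$1/osquery.flags" rc=0 certs secret mode
  certs=$(resolve_path "$dir" "$(flag_value "$flags" tls_server_certs)")
  secret=$(resolve_path "$dir" "$(flag_value "$flags" enroll_secret_path)")
  [ -f "$certs" ] || { echo "tls_server_certs not found: $certs"; rc=1; }
  if [ -f "$secret" ]; then
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
    case "$mode" in
      *00) ;;
      *) echo "enroll secret $secret is group/world readable (mode $mode)"; rc=1 ;;
    esac
  else
    echo "enroll_secret_path not found: $secret"; rc=1
  fi
  return "$rc"
}

# Return 0 when at least one osquery process is running (the page's
# `ps -ef | grep osquery` check, written so grep does not match itself).
check_osquery_running() {
  ps -ef | grep '[o]squery' >/dev/null
}

main() {
  local dir="${1:-/var/tmp/devo-ua-manager}" rc=0
  check_package_layout "$dir" || rc=1
  check_tls_material "$dir" || rc=1
  check_osquery_running || { echo "no osquery process running"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $dir verified"
  return "$rc"
}

# Run the checks only when a package directory is passed on the command line.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as ./verify_ua.sh /var/tmp/devo-ua-manager (or the folder you unzipped on macOS); a non-zero exit with a "missing" or "readable" line tells you which of the steps above did not complete as expected before you look for the host in the UAM or in the box.devo_ua tables. The Windows package has the same layout apart from install.ps1 and the .msi, but this script is written for the Linux and macOS shells only.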