Agent installation - Linux
Prerequisites
•We recommend that you use the latest version of OpenSSL 1.1.1. OpenSSL 3.x is not supported. The minimum supported version of OpenSSL for Linux is openssl-1.0.1e-30. There can be more versions of OpenSSL installed on one system simultaneously. At least one supported version must be present on your system.
oUse the command openssl version to show the current default version.
oYou can list all versions of OpenSSL present on your system. See the filename endings listed using the command sudo find / -iname *libcrypto.so*
oVerify if your Linux client is compatible using the following command: openssl s_client -connect google.com:443 -tls1_2
•Install the lshw package on the client/server Linux machine for the ESET Management Agent to report the hardware inventory correctly.
Linux distribution |
Terminal command |
---|---|
Debian, Ubuntu |
sudo apt-get install -y lshw |
Red Hat, CentOS, RHEL |
sudo yum install -y lshw |
OpenSUSE |
sudo zypper install lshw |
• For Linux CentOS, we recommend installing the policycoreutils-devel package. Run the command to install the package:
yum install policycoreutils-devel
•Server-assisted Agent installation:
oThe server computer must be reachable from the network and have ESET PROTECT Server and ESET PROTECT Web Console installed.
•Offline Agent installation:
oThe server computer must be reachable from the network and have ESET PROTECT Server installed.
oA Certificate for the Agent must be present.
oA server Certification Authority public key file must be present.
Installation
Follow the steps below to install the ESET Management Agent component on Linux using a Terminal command:
Make sure to meet all the installation prerequisites listed above. |
1.Download the Agent installation script:
wget https://download.eset.com/com/eset/apps/business/era/agent/latest/agent-linux-x86_64.sh |
2.Make the file executable:
chmod +x agent-linux-x86_64.sh
3.Run the installation script based on the example below (New lines are split by "\" for copying the whole command to Terminal):
For more details, see Parameters below. |
Server-assisted installation:
sudo ./agent-linux-x86_64.sh \ |
Offline installation:
sudo ./agent-linux-x86_64.sh \ |
We recommend that you delete commands containing sensitive data (for example, a password) from the command line history: 1.Run history to see the list of all commands in the history. 2.Run history -d line_number (specify the line number of the command). Alternatively, run history -c to delete the entire command line history. |
4.When prompted, press y to accept the certificate. You can ignore any errors about SELinux returned by the installer.
5.After the installation, verify that the ESET Management Agent service is running:
sudo systemctl status eraagent
6.Set the eraagent service to start at boot: sudo systemctl enable eraagent
Installer log The installer log may be useful for troubleshooting. You can find it in Log files. |
Parameters
Connection to the ESET PROTECT Server is resolved using the parameters --hostname and --port (port is not used when an SRV record is provided). Possible connection formats.
Attribute |
Description |
Required |
|||
---|---|---|---|---|---|
--hostname |
Hostname or IP address of ESET PROTECT Server to connect. |
Yes |
|||
--port |
ESET PROTECT Server port (default value is 2222). |
Yes |
|||
--cert-path |
Local path to the Agent certificate file (more about certificate). |
Yes (Offline) |
|||
--cert-auth-path |
Path to the Server Certificate Authority file (more about authority). |
Yes (Offline) |
|||
--cert-password |
Agent Certificate password. |
Yes (Offline) |
|||
--cert-auth-password |
Certificate Authority password. |
Yes (if used) |
|||
--skip-license |
The installer will not ask the user for license agreement confirmation. |
No |
|||
--cert-content |
Base64 encoded content of PKCS12 encoded public key certificate plus private key used to set up secure communication channels with Server and Agents. Use only one of the --cert-path or --cert-content options. |
No |
|||
--cert-auth-content |
Base64 encoded content of DER-encoded Certificate Authority private key certificate used to verify remote peers (Proxy or Server). Use only one of the --cert-auth-path or --cert-auth-content options. |
No |
|||
--webconsole-hostname |
Hostname or IP address used by Web Console to connect to the server (if left empty, the installer will copy the value from 'hostname'). |
No |
|||
--webconsole-port |
Port used by Web Console to connect to the server (default value is 2223). |
No |
|||
--webconsole-user |
Username used by Web Console to connect to the server (the default value is Administrator).
|
No |
|||
--webconsole-password |
Password used by Web Console to connect to the server. |
Yes (Server-assisted) |
|||
--proxy-hostname |
HTTP Proxy hostname. Use this parameter to enable using HTTP Proxy (already installed in your network) for replication between ESET Management Agent and ESET PROTECT Server (not for caching of updates). |
If a proxy is used |
|||
--proxy-port |
HTTP Proxy port for connecting to the server. |
If a proxy is used |
|||
--enable-imp-program |
Turn on the Product improvement program. |
No |
|||
--disable-imp-program |
Turn off the Product improvement program. |
No |
Connection and certificates
•Connection to the ESET PROTECT Server must be provided: --hostname, --port (port is not needed if service record is provided, the default port value is 2222)
•Provide this connection information for Server-assisted installation: --webconsole-port, --webconsole-user, --webconsole-password
•Provide certificate information for Offline installation: --cert-path, --cert-password. Installation parameters --cert-path and --cert-auth-path require certification files (.pfx and .der) which can be exported from ESET PROTECT Web Console. (Read how to export the .pfx file and the .der file.)
Password type parameters
Password type parameters can be provided as environment variables, files, read from stdin, or as plain text. That is:
--password=env:SECRET_PASSWORD where SECRET_PASSWORD is an environment variable with a password
--password=file:/opt/secret where first line of regular file /opt/secret contains your password
--password=stdin instructs the installer to read the password from standard input
--password="pass:PASSWORD" is equal to --password="PASSWORD" and is mandatory if the actual password is "stdin" (standard input) or a string starting with "env:", "file:" or "pass:"
The certificate passphrase must not contain the following characters: " \ These characters cause a critical error during the initialization of the Agent. |
HTTP Proxy connection
If you are using HTTP Proxy for replication between ESET Management Agent and ESET PROTECT Server (not for caching of updates), you can specify the connection parameters in --proxy-hostname and --proxy-port.
EXAMPLE - Offline Agent installation with HTTP Proxy Connection:
./agent-linux-x86_64.sh \ --skip-license \ --cert-path=/home/admin/Desktop/agent.pfx \ --cert-auth-path=/home/admin/Desktop/CA.der \ --cert-password=N3lluI4#2aCC \ --hostname=10.1.179.36 \ --port=2222 \ --proxy-hostname=10.1.180.3 \ --proxy-port=3333 \ |
The communication protocol between Agent and ESET PROTECT Server does not support authentication. Any proxy solution used for forwarding Agent communication to ESET PROTECT Server that requires authentication will not work. If you choose to use a non-default port for the Web Console or Agent, it may require a firewall adjustment. Otherwise, the installation may fail. |
Upgrade and repair installation of Agent on Linux
If you run the Agent installation manually on a system where the Agent is already installed, the following scenarios can occur:
•Upgrade - Run a later version of the installer.
oServer-assisted installation - application is upgraded, but it will keep using previous certificates.
oOffline installation - application is upgraded and new certificates are used.
•Repair - Run the same version of the installer. You can use this option to migrate the Agent to a different ESET PROTECT Server.
oServer-assisted installation - application is reinstalled and it will get current certificates from the ESET PROTECT Server (defined by hostname parameter).
oOffline installation - application is reinstalled and new certificates are used.
If you are migrating Agent from an earlier Server to a different later ESET PROTECT Server manually and using Server-assisted installation, run the installation command twice. The first will upgrade the Agent, and the second one will get the new certificates so that the Agent can connect to the ESET PROTECT Server.