Arch Linux

Deployment Guide

This guide covers deploying Endura Sensor on Arch Linux. Since Endura does not provide native pacman repository support, the installation script will make use of the generic TGZ package.

Prerequisites

Before starting, ensure you have:

  • Arch Linux (current release)
  • Root or sudo access for package installation
  • curl command available for repository installation
  • systemd for service management
  • Active internet connection for package downloads
  • At least 512MB of available RAM
  • 1GB of available disk space

Installation

Step 1: Install Endura Sensor Package

Install the Endura Sensor using the installation script, which will automatically detect Arch Linux:

curl -sSf https://repo.endurasecurity.com/install/endura-sensor/testing.sh | sudo -E sh

This command will:

  • Detect Arch Linux and download the appropriate package
  • Install the sensor binary and files to system locations
  • Install systemd service files
  • Set up appropriate file permissions

Step 2: Verify Installation

Verify that the Endura Sensor is installed correctly:

endura version

You should see output showing the installed version of the Endura Sensor.

Step 3: Check Service Status

Check that the systemd service is installed but not yet running:

sudo systemctl status endura-sensor

The service should be installed but inactive (stopped) by default.

Configuration

Step 1: Configure Team Server Connection

In order for the Runtime Sensor to report data to a centralized Team Server instance, edit the environment configuration file:

sudo nano /opt/endura/sensor/environ

Add or modify the following environment variables in this file:

# Required for Team Server integration
ENDURA_TEAM_SERVER=https://your-team-server.company.com
ENDURA_SENSOR_TOKEN=your_sensor_token_from_team_server

# Optional configuration variables
ENDURA_BATCHER_AUTOFLUSH=false
ENDURA_HTTP_TIMEOUT=30
ENDURA_LOG_FILE=/var/log/endura/sensor.log
ENDURA_LOG_LEVEL=info
ENDURA_SENSOR_KILL_TASK=true
ENDURA_TLS_VERIFY=true

You can obtain the value for ENDURA_SENSOR_TOKEN as follows:

  1. Browse to your Team Server instance and login.
  2. Select “Sensors” in the main navigation on the left-hand side.
  3. Click the “Create” button in the upper-left hand corner.
  4. Provide a name and description for the sensor and click “Save”.
  5. The provided “Access Token” serves as your ENDURA_SENSOR_TOKEN.

Configuration Variables

Required for Team Server Integration:

  • ENDURA_TEAM_SERVER: The fully qualified URL of your Team Server instance
  • ENDURA_SENSOR_TOKEN: The sensor token generated by Team Server for this sensor

Optional Configuration:

  • ENDURA_BATCHER_AUTOFLUSH: Set to true to automatically submit violations as detected instead of batching them (default: false)
  • ENDURA_HTTP_TIMEOUT: Number of seconds the HTTP client will wait when interacting with Team Server (default: 5)
  • ENDURA_LOG_FILE: Fully qualified path to a log file on disk for saving logs (default: /var/log/endura/sensor.log)
  • ENDURA_LOG_LEVEL: Log level of either trace, debug, info, warn, or error (default: info)
  • ENDURA_SENSOR_KILL_TASK: Set to false to disable killing tasks/processes that trigger violations (default: true)
  • ENDURA_TLS_VERIFY: Controls TLS certificate verification (default: true) - WARNING: Setting to false is dangerous and only suitable for testing
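The following script is an added example and not part of the Endura documentation or the Endura tooling. It lints an environ file against the variables listed above before the service is started: required keys present, an https:// Team Server URL, a valid log level, a numeric timeout, a warning when ENDURA_TLS_VERIFY is set to false, and the 600 file mode recommended later in this guide. It assumes GNU stat, as shipped in Arch coreutils, and uses a constructed sample file with placeholder values.

```shell
#!/bin/sh
# Added example, not part of the Endura documentation: lint an Endura Sensor
# environ file against the documented variables before starting the service.
# Assumes GNU stat (Arch coreutils). Prints findings; the return code is the
# number of problems found (0 = clean). Usage: check_environ /opt/endura/sensor/environ
check_environ() {
  f="$1"; problems=0
  if [ ! -r "$f" ]; then echo "ERROR: cannot read $f"; return 1; fi
  # Last KEY=VALUE assignment wins; comments and blank lines are ignored.
  get() { sed -n "s/^[[:space:]]*$1=//p" "$f" | tail -n 1; }
  ts=$(get ENDURA_TEAM_SERVER); tok=$(get ENDURA_SENSOR_TOKEN)
  case "$ts" in
    https://*) ;;
    "") echo "ERROR: ENDURA_TEAM_SERVER is required"; problems=$((problems+1)) ;;
    *)  echo "ERROR: ENDURA_TEAM_SERVER must be an https:// URL, got: $ts"; problems=$((problems+1)) ;;
  esac
  [ -n "$tok" ] || { echo "ERROR: ENDURA_SENSOR_TOKEN is required"; problems=$((problems+1)); }
  # Disabling certificate verification is documented as testing-only.
  if [ "$(get ENDURA_TLS_VERIFY)" = "false" ]; then
    echo "WARN: ENDURA_TLS_VERIFY=false disables TLS certificate verification"; problems=$((problems+1))
  fi
  lvl=$(get ENDURA_LOG_LEVEL)
  case "${lvl:-info}" in
    trace|debug|info|warn|error) ;;
    *) echo "ERROR: ENDURA_LOG_LEVEL must be trace|debug|info|warn|error, got: $lvl"; problems=$((problems+1)) ;;
  esac
  to=$(get ENDURA_HTTP_TIMEOUT)
  case "${to:-5}" in
    *[!0-9]*) echo "ERROR: ENDURA_HTTP_TIMEOUT must be a whole number of seconds, got: $to"; problems=$((problems+1)) ;;
  esac
  # The guide recommends chmod 600 on the environ file because it holds the token.
  mode=$(stat -c '%a' "$f" 2>/dev/null)
  [ "$mode" = "600" ] || { echo "WARN: $f has mode ${mode:-?}, expected 600"; problems=$((problems+1)); }
  return "$problems"
}

# Constructed sample with placeholder values (not real credentials) that trips
# three checks (http URL, TLS_VERIFY=false, bad log level); returns the count.
demo_environ() {
  d=$(mktemp -d); f="$d/environ"
  printf '%s\n' '# constructed sample' 'ENDURA_TEAM_SERVER=http://team.example.internal' \
    'ENDURA_SENSOR_TOKEN=placeholder-token' 'ENDURA_TLS_VERIFY=false' \
    'ENDURA_LOG_LEVEL=verbose' 'ENDURA_HTTP_TIMEOUT=30' > "$f"
  chmod 600 "$f"
  check_environ "$f"; rc=$?
  rm -rf "$d"; return "$rc"
}

demo_environ || echo "demo reported $? problem(s)"
```

Run it against the real file with check_environ /opt/endura/sensor/environ after editing; a non-zero exit means something above needs fixing before systemctl start.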

Step 2: Start and Enable the Service

Start the Endura Sensor service and enable it to start automatically at boot:

# Start the service
sudo systemctl start endura-sensor

# Enable automatic startup at boot
sudo systemctl enable endura-sensor

# Verify the service is running
sudo systemctl status endura-sensor

Step 3: Verify Service Operation

Check that the sensor is operating correctly:

# Check service status
sudo systemctl is-active endura-sensor

# View recent logs
sudo journalctl -u endura-sensor -n 20

# Follow live logs
sudo journalctl -u endura-sensor -f

Step 4: Verify Team Server Connection (Optional)

If you configured Team Server integration, verify the connection is working:

  1. Browse to your Team Server instance and login.
  2. Select Sensors in the main navigation on the left-hand side.
  3. Search for your recently created Sensor and verify the Status column shows “Active”.
  4. Select Deployments in the main navigation on the left-hand side.
  5. Verify a new Deployment appears whose name reflects the hostname of this host.

Service Management

Viewing Logs

View service logs using journalctl:

# View all logs for the service
sudo journalctl -u endura-sensor

# View recent logs (last 50 lines)
sudo journalctl -u endura-sensor -n 50

# Follow live logs
sudo journalctl -u endura-sensor -f

# View logs since a specific time
sudo journalctl -u endura-sensor --since "2024-01-01 00:00:00"

# View logs with timestamps
sudo journalctl -u endura-sensor -o short-iso

Service Control Commands

# Start the service
sudo systemctl start endura-sensor

# Stop the service
sudo systemctl stop endura-sensor

# Restart the service
sudo systemctl restart endura-sensor

# Reload configuration (if supported)
sudo systemctl reload endura-sensor

# Check service status
sudo systemctl status endura-sensor

# Enable automatic startup
sudo systemctl enable endura-sensor

# Disable automatic startup
sudo systemctl disable endura-sensor

# Check if service is enabled
sudo systemctl is-enabled endura-sensor

Updating the Sensor

Update via Install Script

Since Endura does not provide native pacman packages, updates are performed by re-running the installation script:

# Stop the service before updating
sudo systemctl stop endura-sensor

# Re-run the installation script to get the latest version
curl -sSf https://repo.endurasecurity.com/install/endura-sensor/testing.sh | sudo -E sh

# Start the service with the new version
sudo systemctl start endura-sensor

# Verify the new version
endura version

Note: The installation script will detect that the sensor is already installed and update it to the latest version while preserving your configuration.

Verify Update

After updating, verify the sensor is running correctly:

# Check service status
sudo systemctl status endura-sensor

# Check logs for any issues
sudo journalctl -u endura-sensor -n 20

# Verify the new version
endura version

Security Considerations

File Permissions

Check the permissions on the service unit and the environment file, and restrict the environment file because it holds the sensor token:

# Check service file permissions
ls -la /etc/systemd/system/endura-sensor.service

# Check configuration file permissions
ls -la /opt/endura/sensor/environ

# Ensure configuration files have restricted permissions
sudo chmod 600 /opt/endura/sensor/environ
sudo chown root:root /opt/endura/sensor/environ

Firewall Configuration

Arch Linux typically uses iptables or nftables for firewall management. If using a firewall, ensure the sensor can communicate with Team Server:

# For iptables
sudo iptables -A OUTPUT -d your-team-server-ip -p tcp --dport 443 -j ACCEPT

# For nftables
sudo nft add rule inet filter output ip daddr your-team-server-ip tcp dport 443 accept

# Or if using ufw
sudo ufw allow out 443

AppArmor Considerations

Some Arch Linux installations may use AppArmor. If you encounter AppArmor denials:

# Check for AppArmor denials
sudo journalctl | grep -i apparmor | grep endura

# Check AppArmor status
sudo aa-status

# View AppArmor profiles
sudo ls /etc/apparmor.d/

Uninstalling the Sensor

Remove the Installation

To completely remove the Endura Sensor:

# Stop the service
sudo systemctl stop endura-sensor
sudo systemctl disable endura-sensor

# Remove systemd service file
sudo rm -f /etc/systemd/system/endura-sensor.service

# Remove the sensor binary and files
sudo rm -rf /opt/endura/
sudo rm -f /usr/bin/endura

# Remove user and group (if created)
sudo userdel endura 2>/dev/null || true
sudo groupdel endura 2>/dev/null || true

# Remove logs if desired
sudo rm -rf /var/log/endura/

# Reload systemd to remove the service
sudo systemctl daemon-reload

Troubleshooting

Common Issues

Service fails to start:

# Check detailed service status
sudo systemctl status endura-sensor -l

# Confirm the binary runs and list its available commands
sudo /usr/bin/endura --help

# Verify configuration file exists and is readable
sudo ls -la /opt/endura/sensor/environ

# Check for permission issues
sudo journalctl -u endura-sensor | grep -i permission

Cannot connect to Team Server:

# Test network connectivity
curl -v https://your-team-server.company.com/_health

# Check DNS resolution
nslookup your-team-server.company.com

# Verify firewall rules (-n keeps port numbers instead of service names so 443 matches)
sudo iptables -L -n | grep 443
# or for nftables
sudo nft list ruleset | grep 443

# Check TLS certificate issues
openssl s_client -connect your-team-server.company.com:443

High resource usage:

# Monitor resource usage (-d, joins multiple PIDs into the comma list top expects)
top -p "$(pgrep -d, endura-sensor)"

# Check memory usage (the bracket pattern keeps grep from matching itself)
ps aux | grep '[e]ndura-sensor'

# View detailed system usage
sudo systemd-cgtop

Configuration issues:

# Review the environment file contents (one KEY=VALUE per line, no quotes needed)
sudo cat /opt/endura/sensor/environ

# Test configuration
sudo -u endura /usr/bin/endura version

# Check file permissions
sudo ls -la /opt/endura/sensor/

Installation issues:

# Verify installation script execution
curl -sSf https://repo.endurasecurity.com/install/endura-sensor/testing.sh | sudo -E sh -x

# Check disk space
df -h /opt/

# Verify file system permissions
sudo ls -la /opt/

Log Analysis

# Search for error messages
sudo journalctl -u endura-sensor | grep -i error

# Search for connection issues
sudo journalctl -u endura-sensor | grep -i "connection\|timeout\|refused"

# Check startup messages (journalctl parses relative times directly)
sudo journalctl -u endura-sensor --since "1 hour ago"

# Export logs for analysis
sudo journalctl -u endura-sensor --no-pager > endura-sensor.log

Getting Help

If you encounter issues:

  1. Check service logs: sudo journalctl -u endura-sensor
  2. Verify configuration: sudo cat /opt/endura/sensor/environ
  3. Test network connectivity to Team Server
  4. Ensure proper file permissions
  5. Check system resources and kernel compatibility
  6. Verify installation completed successfully

For additional support, refer to the Endura documentation or contact your system administrator.