Debian and Ubuntu

Deployment Guide

This guide covers deploying Endura Sensor on Debian-based distributions including Debian, Ubuntu, Linux Mint, Pop!_OS, and other Ubuntu derivatives using the official Endura package repository.

Prerequisites

Before starting, ensure you have:

  • Debian 11/12 (Bullseye/Bookworm), Ubuntu 20.04/22.04/24.04 LTS, or compatible derivatives
  • Root or sudo access for package installation
  • curl command available for repository installation
  • systemd for service management
  • Active internet connection for package downloads
  • At least 512MB of available RAM
  • 1GB of available disk space

Installation

Step 1: Install Endura Repository and Sensor Package

Install the Endura repository and sensor package with a single command:

curl -sSf https://repo.endurasecurity.com/install/endura-sensor/testing.sh | sudo -E sh

This command will:

  • Add the Endura package repository to your system
  • Install the GPG key for package verification
  • Install the endura-sensor package
  • Install systemd service files

Step 2: Verify Installation

Verify that the Endura Sensor is installed correctly:

endura version

You should see output showing the installed version of the Endura Sensor.

Step 3: Check Service Status

Check that the systemd service is installed but not yet running:

sudo systemctl status endura-sensor

The service should be installed but inactive (stopped) by default.

Configuration

Step 1: Configure Team Server Connection

In order for the Runtime Sensor to report data to a centralized Team Server instance, edit the environment configuration file:

sudo nano /opt/endura/sensor/environ

Add or modify the following environment variables in this file:

# Required for Team Server integration
ENDURA_TEAM_SERVER=https://your-team-server.company.com
ENDURA_SENSOR_TOKEN=your_sensor_token_from_team_server

# Optional configuration variables
ENDURA_BATCHER_AUTOFLUSH=false
ENDURA_HTTP_TIMEOUT=30
ENDURA_LOG_FILE=/var/log/endura/sensor.log
ENDURA_LOG_LEVEL=info
ENDURA_SENSOR_KILL_TASK=true
ENDURA_TLS_VERIFY=true

You can obtain the value for ENDURA_SENSOR_TOKEN as follows:

  1. Browse to your Team Server instance and log in.
  2. Select “Sensors” in the main navigation on the left-hand side.
  3. Click the “Create” button in the upper-left-hand corner.
  4. Provide a name and description for the sensor and click “Save”.
  5. The provided “Access Token” serves as your ENDURA_SENSOR_TOKEN.

Configuration Variables

Required for Team Server Integration:

  • ENDURA_TEAM_SERVER: The fully qualified URL of your Team Server instance
  • ENDURA_SENSOR_TOKEN: The sensor token generated by Team Server for this sensor

Optional Configuration:

  • ENDURA_BATCHER_AUTOFLUSH: Set to true to automatically submit violations as detected instead of batching them (default: false)
  • ENDURA_HTTP_TIMEOUT: Number of seconds the HTTP client will wait when interacting with Team Server (default: 5)
  • ENDURA_LOG_FILE: Fully qualified path to a log file on disk for saving logs (default: /var/log/endura/sensor.log)
  • ENDURA_LOG_LEVEL: Log level of either trace, debug, info, warn, or error (default: info)
  • ENDURA_SENSOR_KILL_TASK: Set to false to disable killing tasks/processes that trigger violations (default: true)
  • ENDURA_TLS_VERIFY: Controls TLS certificate verification (default: true) - WARNING: Setting to false is dangerous and only suitable for testing

Step 2: Start and Enable the Service

Start the Endura Sensor service and enable it to start automatically at boot:

# Start the service
sudo systemctl start endura-sensor

# Enable automatic startup at boot
sudo systemctl enable endura-sensor

# Verify the service is running
sudo systemctl status endura-sensor

Step 3: Verify Service Operation

Check that the sensor is operating correctly:

# Check service status
sudo systemctl is-active endura-sensor

# View recent logs
sudo journalctl -u endura-sensor -n 20

# Follow live logs
sudo journalctl -u endura-sensor -f

Step 4: Verify Team Server Connection (Optional)

If you configured Team Server integration, verify the connection is working:

  1. Browse to your Team Server instance and log in.
  2. Select Sensors in the main navigation on the left-hand side.
  3. Search for your recently created Sensor and verify the Status column shows “Active”.
  4. Select Deployments in the main navigation on the left-hand side.
  5. Verify a new Deployment appears whose name reflects the hostname of this host.

Service Management

Viewing Logs

View service logs using journalctl:

# View all logs for the service
sudo journalctl -u endura-sensor

# View recent logs (last 50 lines)
sudo journalctl -u endura-sensor -n 50

# Follow live logs
sudo journalctl -u endura-sensor -f

# View logs since a specific time
sudo journalctl -u endura-sensor --since "2024-01-01 00:00:00"

# View logs with timestamps
sudo journalctl -u endura-sensor -o short-iso

Service Control Commands

# Start the service
sudo systemctl start endura-sensor

# Stop the service
sudo systemctl stop endura-sensor

# Restart the service
sudo systemctl restart endura-sensor

# Reload configuration (if supported)
sudo systemctl reload endura-sensor

# Check service status
sudo systemctl status endura-sensor

# Enable automatic startup
sudo systemctl enable endura-sensor

# Disable automatic startup
sudo systemctl disable endura-sensor

# Check if service is enabled
sudo systemctl is-enabled endura-sensor

Updating the Sensor

Update via APT

Update the Endura Sensor to the latest version:

# Update package list
sudo apt update

# Update the sensor package
sudo apt upgrade endura-sensor

# Or update with automatic yes
sudo apt upgrade -y endura-sensor

# Restart the service to use the new version
sudo systemctl restart endura-sensor

# Verify the new version
endura version

Verify Update

After updating, verify the sensor is running correctly:

# Check service status
sudo systemctl status endura-sensor

# Check logs for any issues
sudo journalctl -u endura-sensor -n 20

# Verify the new version
endura version

Security Considerations

File Permissions

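The package installs the sensor with appropriate permissions. Because /opt/endura/sensor/environ holds ENDURA_SENSOR_TOKEN, confirm that it is owned by root and readable only by root: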

# Check service file permissions
ls -la /etc/systemd/system/endura-sensor.service

# Check configuration file permissions
ls -la /opt/endura/sensor/environ

# Ensure configuration files have restricted permissions
sudo chmod 600 /opt/endura/sensor/environ
sudo chown root:root /opt/endura/sensor/environ
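
The permission checks above and the settings from the Configuration Variables list can be audited in one pass. The script below is an added example, not part of the Endura package or its documentation; the function names audit_environ and env_get are made up for the illustration. It assumes the environ file uses plain KEY=VALUE lines as in the sample earlier in this guide, and treating a non-https Team Server URL as a finding is this example's own assumption.

```shell
#!/bin/sh
# Added example (not shipped with Endura): audit the sensor environment file.
# Assumption: plain KEY=VALUE lines, as in the sample earlier in this guide.

# env_get KEY FILE: print the last value assigned to KEY, quotes/blanks removed.
env_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d "\"'[:space:]"
}

# audit_environ FILE [EXPECTED_UID]: print one "WARN:" line per finding and
# return non-zero if there is any. EXPECTED_UID defaults to 0 (root).
audit_environ() {
    file=$1; want_uid=${2:-0}; findings=0
    warn() { echo "WARN: $*"; findings=$((findings + 1)); }
    [ -f "$file" ] || { echo "WARN: $file not found"; return 2; }

    # The file holds ENDURA_SENSOR_TOKEN: no group/other access, owned by root.
    mode=$(stat -c '%a' "$file"); uid=$(stat -c '%u' "$file")
    case "$mode" in
        ?00|0) ;;
        *) warn "mode $mode gives group/other access (expected 600)" ;;
    esac
    [ "$uid" = "$want_uid" ] || warn "owned by uid $uid (expected $want_uid)"

    server=$(env_get ENDURA_TEAM_SERVER "$file")
    token=$(env_get ENDURA_SENSOR_TOKEN "$file")
    # Team Server integration is optional, so only check it when configured.
    if [ -n "$server" ]; then
        case "$server" in
            https://*) ;;
            *) warn "ENDURA_TEAM_SERVER is not an https:// URL" ;;
        esac
        case "$token" in
            ""|your_sensor_token_from_team_server)
                warn "ENDURA_SENSOR_TOKEN is empty or still the placeholder" ;;
        esac
    fi

    [ "$(env_get ENDURA_TLS_VERIFY "$file")" != "false" ] ||
        warn "ENDURA_TLS_VERIFY=false disables certificate verification"
    [ "$(env_get ENDURA_SENSOR_KILL_TASK "$file")" != "false" ] ||
        warn "ENDURA_SENSOR_KILL_TASK=false: violating processes are not killed"

    [ "$findings" -eq 0 ]
}

# Usage: sudo sh audit-environ.sh /opt/endura/sensor/environ
if [ "$#" -gt 0 ]; then audit_environ "$@"; fi
```

The exit status is non-zero when any finding is printed, so the script can gate a configuration-management run or a CI check.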

Firewall Configuration

If using a firewall, ensure the sensor can communicate with Team Server:

# For ufw (Ubuntu default)
sudo ufw allow out 443/tcp comment "Endura Team Server HTTPS"

# For iptables (Debian default)
sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

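# Save iptables rules on Debian (requires the iptables-persistent package).
# The redirection must run as root, so wrap it in a root shell.
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

# For firewalld (if installed): zones filter inbound traffic only, and outbound
# connections are allowed by default, so the sensor needs no extra rule.
# Do not use --add-service=https here; it opens inbound port 443 on this host.
# Review the active configuration with:
sudo firewall-cmd --list-all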

AppArmor Considerations

If AppArmor is enabled (default on Ubuntu), the sensor package includes appropriate AppArmor profiles. If you encounter AppArmor denials:

# Check AppArmor status
sudo aa-status

# Check for AppArmor denials
sudo dmesg | grep -i apparmor | grep endura

# View AppArmor profile status
sudo aa-status | grep endura

# If issues persist, check AppArmor logs
sudo journalctl | grep -i apparmor | grep endura

Ubuntu-Specific Security Features

Ubuntu includes additional security features that may affect the sensor:

# Check if snap confinement is affecting the sensor
sudo snap list | grep endura

# Check for Ubuntu Pro security updates
sudo pro status

# Verify kernel security features
sudo sysctl kernel.yama.ptrace_scope

Uninstalling the Sensor

Remove the Package

To completely remove the Endura Sensor:

# Stop the service
sudo systemctl stop endura-sensor
sudo systemctl disable endura-sensor

# Remove the package
sudo apt remove endura-sensor

# Remove configuration files (optional)
sudo apt purge endura-sensor

# Remove logs if desired
sudo rm -rf /var/log/endura/

Remove Repository (Optional)

To remove the Endura repository from your system:

# Remove repository configuration
sudo rm -f /etc/apt/sources.list.d/endura*.list

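# Remove GPG key (legacy keyring; apt-key is deprecated).
# The key fingerprint is the line printed directly above the "Endura" uid line.
sudo apt-key del "$(apt-key list 2>/dev/null | grep -B1 "Endura" | head -n 1 | tr -d '[:space:]')"

# Or for newer systems using /etc/apt/trusted.gpg.d/
sudo rm -f /etc/apt/trusted.gpg.d/endura*.gpg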

# Update package cache
sudo apt update

Troubleshooting

Common Issues

Service fails to start:

# Check detailed service status
sudo systemctl status endura-sensor -l

# Confirm the binary runs and list the available options
sudo /usr/bin/endura --help

# Verify configuration file exists and is readable
sudo ls -la /opt/endura/sensor/environ

# Check for permission issues
sudo journalctl -u endura-sensor | grep -i permission

Cannot connect to Team Server:

# Test network connectivity
curl -v https://your-team-server.company.com/_health

# Check DNS resolution
nslookup your-team-server.company.com

# Verify firewall rules (ufw)
sudo ufw status verbose

# Check TLS certificate issues
openssl s_client -connect your-team-server.company.com:443

High resource usage:

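# Monitor resource usage (PID resolved through systemd, so it works whatever the process is named)
top -p "$(systemctl show -p MainPID --value endura-sensor)"

# Check memory usage
ps -o pid,user,%cpu,%mem,rss,args -p "$(systemctl show -p MainPID --value endura-sensor)"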

# View detailed system usage
sudo systemd-cgtop

Configuration issues:

# Review the environment file for syntax errors
sudo cat /opt/endura/sensor/environ

# Test configuration
sudo -u endura /usr/bin/endura version

# Check file permissions
sudo ls -la /opt/endura/sensor/

Debian/Ubuntu Specific Troubleshooting

# Check distribution version
lsb_release -a

# Verify repository configuration
apt policy endura-sensor

# Check for conflicting packages
apt list --installed | grep -E "(bpf|ebpf)"

# Verify kernel version and eBPF support
uname -r
sudo bpftool version 2>/dev/null || echo "bpftool not available"

# Check for unattended-upgrades interference
sudo systemctl status unattended-upgrades

Package Management Issues

# Fix broken packages
sudo apt --fix-broken install

# Reconfigure packages
sudo dpkg-reconfigure endura-sensor

# Check package integrity
sudo dpkg --verify endura-sensor

# Clear package cache
sudo apt clean
sudo apt autoclean

# Update package database
sudo apt update

Log Analysis

# Search for error messages
sudo journalctl -u endura-sensor | grep -i error

# Search for connection issues
sudo journalctl -u endura-sensor | grep -i "connection\|timeout\|refused"

# Check messages from the last hour (journalctl parses relative times itself)
sudo journalctl -u endura-sensor --since "1 hour ago"

# Export logs for analysis
sudo journalctl -u endura-sensor --no-pager > endura-sensor.log

# Check system logs for related issues
sudo grep -i endura /var/log/syslog

Getting Help

If you encounter issues:

  1. Check service logs: sudo journalctl -u endura-sensor
  2. Verify configuration: sudo cat /opt/endura/sensor/environ
  3. Test network connectivity to Team Server
  4. Ensure proper file permissions and AppArmor contexts
  5. Check system resources and kernel compatibility
  6. Verify repository configuration: apt policy endura-sensor
  7. Check for automatic update conflicts: sudo systemctl status unattended-upgrades

For additional support, refer to the Endura documentation or contact your system administrator.