Agent Installation in an Air-Gapped Environment

A guide for installing the ZeroLock™ Agent into an Air-Gapped Environment.

Air-Gapped Environments   

An air-gapped computer or network is physically segregated and incapable of connecting wirelessly or physically with other network devices outside its own network. Air gaps protect critical computer systems or data from potential attacks ranging from malware and ransomware to keyloggers or a variety of other attacks from malicious actors. 

Note: The settings described in this guide are only supported on ZeroLock Agents v2.1.x or later.


Advanced Settings 

Regardless of the installation method, the following settings must be configured.  These settings apply to the Collector that the endpoint will connect to.  The Collector is the ZeroLock™ Management Console (ZMC) service that collects endpoint connection and threat information.  It also authenticates and communicates with the ZeroLock™ Agents.

These settings should only need to be configured once, when setting up the ZMC, as the values rarely change after that point.

Navigate to Deploy on the left side menu, which opens the Deploy screen.

  1. Click on Advanced Settings which opens the Advanced Settings screen. 

  2. On the screen that appears, select the Agent Version to deploy. The default is the latest release. 
  3. The Endpoint Profile may remain default unless you wish to use another profile from the drop-down list.
  4. If desired, additional Endpoint Groups may be added by selecting from the drop-down list. 
  5. Enter the Collector IP address(es) or the FQN for one or more Collector server(s).
  6. Click the Save as Default button to save the information and return to the Deploy home screen.

Agent Installation 

Once back on the Deploy home screen, select the center Download option.  There are two methods for installing the agent on an air-gapped system: Self-Extracting Script or Tar Installer.

Regardless of the method chosen, the -a option (Perform air-gapped installation) is necessary for an air-gapped system.  Other useful options include: 

-n   Perform a dry run, where no installation occurs, and no changes are made.  Useful for testing and debugging. 

-v   Output more information during installation. Useful for testing and debugging. 

-x   Perform troubleshooting steps for diagnosing problems. 

-p   Update the AppArmor or SELinux security profile or policy if additional permissions are required. 

-h   Print this help list and exit. 


Self-Extracting Script Installation 

  • In the Download section on the Deploy page, click on the Self-Extracting tab. 
  • Download the self-extracting script file by clicking the Install-ZeroLock-{version number}.sh button. 
  • Copy the downloaded script file to the endpoint to install.  
  • On the endpoint, run the following command to install the ZeroLock Agent:  
           bash ./install-zerolock-<version number>.sh -a 

The example below shows a RHEL system installation.  The actual results may look different depending on the Linux distribution.

::: Vali Cyber ZeroLock Endpoint Software Installer (<version number>) :::
Installing ...
Preparing... ################################# [100%]
Updating / installing...
1:zerolock-<version number>-1 ################################# [100%]
Authenticating token with https://<Collector IP>
Successfully connected to collector https://<Collector IP> from [https://<Collector IP>]
Starting ...
Done!


TGZ Installation 

  • In the Download section on the Deploy page, click the TAR Installer tab. 
  • Download the TAR file by clicking the ZeroLock_Installer-{version number}.tgz button. 
 

  • Copy the downloaded TAR file to the endpoint to install ZeroLock Agent.  
  • On the endpoint, run the following command:
           tar xzf zerolock_installer-{version number}.tgz && cd zerolock_installer && bash ./install_zerolock.sh -a

The example below shows a RHEL system installation.  The actual results may look different depending on the Linux distribution.

::: Vali Cyber ZeroLock Endpoint Software Installer (<version number>) ::: 
Installing ... 
Preparing... ################################# [100%] 
Updating / installing... 
1:zerolock-<version number>-1 ################################# [100%]
Authenticating token with https://<Collector IP>
Successfully connected to collector https://<Collector IP> from [https://<Collector IP>]
Starting ... 
Done! 

The installer creates the /opt/zerolock/.airgapped file during the first installation. The presence of this file determines whether an air-gapped installation is performed the next time the agent is updated or reinstalled from the UI.

This file matters because, if a previously non-air-gapped system becomes air-gapped, updating or reinstalling the agent from the UI can fail. To avoid failures, run the following command on newly air-gapped systems:

           touch /opt/zerolock/.airgapped
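
A post-install check for the two points above, added here as an example and not part of Vali Cyber's tooling: it confirms that a saved copy of the installer output shows the collector handshake and ends with "Done!", then makes sure the .airgapped marker exists. The function names, the practice of saving the installer output to a file, and the sample transcript are assumptions; the matched strings and the marker path come from this guide.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and saving the installer
# output to a file are assumptions; matched strings and the marker path
# are taken from the guide.

# installer_succeeded LOGFILE
# 0 = collector handshake seen and last non-empty line is "Done!"
# 1 = one of the two is missing, 2 = log not readable
installer_succeeded() {
    log=$1
    [ -r "$log" ] || return 2
    grep -q '^Successfully connected to collector https://' "$log" || return 1
    last=$(sed -e 's/[[:space:]]*$//' -e '/^$/d' "$log" | tail -n 1)
    [ "$last" = "Done!" ]
}

# ensure_airgap_marker [ROOT]   (ROOT defaults to /opt/zerolock)
# Prints "present", "created" or "no-agent"; creates ROOT/.airgapped if missing.
ensure_airgap_marker() {
    root=${1:-/opt/zerolock}
    if [ ! -d "$root" ]; then echo "no-agent"; return 1; fi
    if [ -e "$root/.airgapped" ]; then echo "present"; return 0; fi
    touch "$root/.airgapped" && echo "created"
}

# Constructed sample transcript (192.0.2.10 is a documentation address).
sample_log() {
    cat <<'EOF'
::: Vali Cyber ZeroLock Endpoint Software Installer (<version number>) :::
Installing ...
Authenticating token with https://192.0.2.10
Successfully connected to collector https://192.0.2.10 from [https://192.0.2.10]
Starting ...
Done!
EOF
}

# Demo in a throwaway directory so nothing under /opt is touched.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/zerolock"
sample_log > "$demo_dir/install.log"
if installer_succeeded "$demo_dir/install.log"; then
    echo "installer output: OK"
    echo "marker: $(ensure_airgap_marker "$demo_dir/zerolock")"
fi
rm -rf "$demo_dir"
```

On a real endpoint, redirect the installer's output to a file, pass that file to installer_succeeded, and call ensure_airgap_marker with no argument so it checks /opt/zerolock.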


Validating Agent Installation 

To validate the installation process, select the Endpoints tab on the main menu. The new endpoint will be listed; the green dot in the status column indicates a successfully installed agent on the endpoint system. 


View ZeroLock™ Agent Logs 

To locate the ZeroLock™ Agent logs, open a terminal session to the new Endpoint. 

cd /opt/zerolock/zerolock-tyr   To go to the Tyr directory. 

/opt/zerolock/zerolock-tyr$ ls -al  To list the contents of the directory.


To see the ZeroLock™ Agent log in detail: 

cat tyr.log   To read the log. 


For more information, please see the Vali Cyber Support page.