3.1.8.3. Agent Configuration
In this section, we can configure the agent options, download it, see the required patches, and generate tags creating rules matched by an expression.
3.1.8.3.1. DOWNLOAD & PARSE
In the Download & parse tab, we will find information about the Parser options, the agent download and install options, and the different agent versions for each OS.
- Parser options
The computer information sent by the ON Agent is processed in the ON Core. Some information is automatically saved in the user’s device using tags. The remaining data could be manually processed using ON Agent Parsers.
Autoload software tags: Enabling it generates an IAI tag for each software found by ON Agent.
Autoload software compliance: Enabling it adds a NCA tag if a specific software does not meet the requirements of its corresponding TAR tag (Autoload software tags must be enabled to take effect).
Autoload root CA certificates: Enabling it adds CAI tags if there is some certificate in the agent response.
Strict software compliance: Enabling it adds NCA tags if there is no TAR for a specific software (Autoload software compliance must be enabled to take effect).
Only process trusted payloads: By enabling it, only authenticated agent payloads will be processed. If they are not authenticated, the payload will be received but the information collected will not be used later to add tags, run scripts, etc. It will also trigger the notification “Only authenticated agents can send data to opennac server” to users.
- Download & Install agent options
This section sets up the configuration the agent is installed with and from where it can be installed.
Server list: From this section, you can configure multiple agent URLs and set one as the default to indicate where the Agent can be downloaded from. IP, IP:PORT or FQDN are possible values. This is where the ON Agent will send the payloads.
The following parameters will only be applied when installing the Agent. If they are changed later, the Agent must be updated.
Enable UI autostart: Allows running the Agent’s UI when the Agent is installed.
Create shortcut on desktop: Enabling it creates an Agent shortcut in the desktop.
Display Terms & Conditions: Disable this flag if you want avoid being asked to accept the Terms & Conditions disclaimer in massive deployments.
Enable Wireguard: Inserts the Wireguard plugin in the agent configuration.
Use a custom URL for CDN agent soluble: Flag to enable using Content Delivery Network (CDN) to download the soluble agent. The CDN infrastructure optimizes the download process for the soluble agent.
CDN URL (Windows): Field to insert CDN URL specific to Windows.
CDN URL (Linux): Field to insert CDN URL specific to Linux.
CDN URL (Macosx): Field to insert CDN URL specific to Macosx.
CDN URL (windows x32): Field to insert CDN specific to Windows x32.
- Download agents links
This section contains the links of the different types of agents for downloading.
Installers |
Solubles |
Others |
|---|---|---|
Windows Agents |
Windows Agent Soluble |
Script to install using ActiveDirectory GPO |
Macosx Agent (x64) |
Macosx Agent Soluble |
Windows Agent Soluble (x32) |
Macosx Agent (arm64) |
Android Agent (Experimental) |
|
Linux Agent |
Linux Agent Soluble |
Warning
The Android Agent is an Alpha version and is not stable. Use with caution as it may contain bugs or incomplete features until the final release.
Note that there is a 5-minute timeout for the Agent download, and the user will receive a notification if this time is exceeded: “The new agent version could not be downloaded because the maximum time limit for it has been exceeded”.
3.1.8.3.2. LICENSES
In the Licenses tab, you can create licenses for the soluble and installable versions of the Agent in multiple languages.
To create a new license, click on the Add new button. It will display the following configuration window:
License title: Specify a title for the new license.
License: Provide the license text in this field.
Type: Select either Soluble or Installable, depending on your specific case.
Language: Choose the preferred language from the available options: Basque, Catalan, English, French, Galician, German, Italian, Spanish.
In addition to creating licenses, you can edit and delete them. The corresponding buttons for these actions are located next to the add new button. This allows you to make changes to existing licenses or remove them from the system as needed.
3.1.8.3.3. AGENT RULES
In the Agent rules tab, you can configure the Agent rules. These rules are used to add tags related to the information retrieved by the agent depending on data found in the user device.
To create a new rule, click the Add new button. Add a name, an optional description, and configure the expression for the rule. After that, we will be able to choose the action that we want to be performed once the expression matches with the information retrieved from the user device, add or delete a tag or a prefix if the expression matches or not.
Here we will present practical examples of Agent rules along with their respective configuration expressions: Agent Installed, Netskope Daemon, and CrowdStrike AV:
1. Agent Installed
In the Expression column, we can see the configured expression that matches the configured rule. We will be able to see it by clicking the eye icon, the expression will be displayed in a toolbox at the top right of the screen.
If the expression matches, the tag that will be added is specified in the column Tag name if match. If the tag doesn’t match the tag that will be added is specified in the column Tag name if not match.
2. Netskope Daemon
3. CrowdStrike AV
This view capabilities include:
Add new: Add new Agent rules.
Edit: Edit existing rules (not all rules are editable).
Clone: Clone an existing configuration to create a new one with similar settings.
Delete: Delete a rule.
Tags simulator: Tests a set of agent rules and displays the tags that the passed payload should have, specifically derived from those agent rules. To use it, download the payload JSON file from the Agent payloads section. Clicking on “tags simulator” will open a file browser for you to upload the .json file. The result will be displayed as in the following example:
Manage rule variables: Defined variables to facilitate the creation of rule expressions.
Refresh: Refreshes the table.
3.1.8.3.4. AGENT OSQUERIES
The Agent OSQueries tab, allows you to manage customized OSQueries from the Administration Portal. You can customize OSQueries that the Agent will will respond with through Agent payloads. Additionally,the tab provides a guided wizard for streamlined OSQueries administration.
This tab displays the Entity, its Description (if there is any), Used on platforms (OS), and the Processes that will execute the query. If you hover over the icons, you can read their meaning. You can also see the Process Types icons list in the Agent payload section.
You can quickly Enable and Disable a default OSQuery by selecting it and clicking on its corresponding button Enable or Disable.
To create a new OSQuery, click on the Add new button.
Fill in the pop-up window fields with the Entity and its Description, and select the processes that will execute the query:
By clicking on the Add new button of the OSQueries by platform field, it will display the following configuration window:
Used on platforms: You can select Windows, Linux, or OSX platforms.
Query SQL: Directly write the OSQuery to be executed.
Impersonate on execute OSQuery: Enable this flag to execute the query as the currently active user or disable it to execute it as the root or admin user.
Allow empty result: enable this flag if the defined OSQuery can yield empty results; if it is disabled, an error message will be displayed inside the payload entity when it returns empty data.