Agent for Linux

System requirements

The agent supports Linux systems with glibc 2.23+ and kernel 4.15+. Running the agent on lower versions is possible, but not guaranteed. The list of distributions on which the agent was tested is given on the system requirements page.

If particular components of the agent are incompatible with the operating system, the agent’s functionality will be reduced without loss of overall performance.

Starting with version 0.12.0, the Linux agent supports the i686, x86_64 and arm64 architectures.

Linux Agent Features

The Linux agent supports:

  • agent management through the configuration in the Staffcop web console;

  • taking screenshots with a specified time interval;

  • taking screenshots depending on the user’s activity (by switching the window or changing the window title);

  • changing the format and degree of compression of screenshots;

  • application attributes - window names and icons;

  • tracking of time spent working in applications;

  • keylogger (X11 and low-level);

  • tracking of the connection of USB devices;

  • ability to block USB devices (by setting white and black lists);

  • local or remote login and logout (including ssh connections);

  • recording the history of entering shell commands (bash, zsh);

  • tracking of printing events (CUPS);

  • remote control;

  • recording desktop video;

  • recording the history and time of site visits in Firefox, Chrome and Vivaldi;

  • tracking the contents of the clipboard;

  • agent management functions in the command line;

  • tracking system logs and managing monitoring rules through the agent’s config;

  • sound recording from connected microphones;

  • module for capturing images from a webcam;

  • file operations: definition of actions with files, support for monitoring rules (black and white lists of control);

  • creating shadow copies of files when tracking file operations;

  • the ability to block sites;

  • interception of shell sessions in the form of text or gif-file;

  • support for SNAP packages of browsers;

  • interception of emails from the mail clients Thunderbird, Akonadi, Evolution, Geary, P7-Office.Organizer;

  • interception of Telegram;

  • access to webcams on computers;

  • DLP module;

  • file scanner;

  • network interception of outgoing tcp and ssl/tls sessions;

  • network interception of sending SMTP mail;

  • network interception of IMAP mail;

  • a distribution package for the Portage package manager in Gentoo.

Agent installation

  1. Download the agent installation script: in the “Control Panel - Computers - Download agent” section, select the version for Linux.

Note

When downloading, the IP address of the machine to which it is downloaded is automatically added to the script name (usually the server address).

  2. Copy the script to the target machine:

wget 'http://10.10.0.1/agent-install-[10.10.0.1].sh'

Here 10.10.0.1 is an example of a server IP address.

  3. Run the installer:

sudo bash '/path/to/agent-install-[10.10.0.1].sh' 10.10.0.1 8080

Here /path/to/agent-install-[10.10.0.1].sh is the full path to the script, including its name; 10.10.0.1 is the IP address of the Staffcop server to which the installed agent will send data; 8080 is the port for agent-server communication (if left blank, port 443 will be used).

Warning

Disable SELinux for full agent operation.

After installing the agent, restart the machine.

Additional server address

Starting with agent version 0.8.0-master, you can specify additional servers for event transmission, which will be used if the main server is unavailable.

To specify an additional server:

  1. Open the scelarc file:

sudo nano /etc/scelarc

  2. Add the address and port of the backup server after the server line:

server2 = 192.168.0.3
port2 = 4334

If you don’t specify a port number, 443 will be used by default.
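To review where an agent will send its events after this file is edited, the following added example (not Staffcop's own code) parses a scelarc-style file, lists each configured server with the default port applied, and flags hosts that are not on an approved list. The key names server and port for the main server, the function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: report which servers an agent config sends events to.
# Assumption: /etc/scelarc holds "key = value" lines as shown above and the
# main server uses the keys "server" and "port" (the page shows server2/port2).

# scelarc_get FILE KEY: print the last value assigned to KEY (empty if unset)
scelarc_get() (
    awk -F= -v key="$2" '
        index($0, "=") == 0 { next }             # not an assignment
        {
            k = $1; gsub(/[ \t]/, "", k)         # key without padding
            if (k != key) next
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)     # trim the value
        }
        END { print val }
    ' "$1"
)

# scelarc_endpoints FILE: one "host:port" line per configured server
scelarc_endpoints() (
    for suffix in "" 2; do
        host=$(scelarc_get "$1" "server$suffix")
        [ -n "$host" ] || continue
        port=$(scelarc_get "$1" "port$suffix")
        echo "$host:${port:-443}"                # no port set means 443
    done
)

# scelarc_unapproved FILE "HOST HOST ...": endpoints not on the allowlist
scelarc_unapproved() (
    scelarc_endpoints "$1" | while IFS= read -r ep; do
        case " $2 " in
            *" ${ep%:*} "*) ;;                   # host is approved
            *) echo "$ep" ;;
        esac
    done
)

# Constructed sample config, not taken from a real installation
sample=$(mktemp)
printf '%s\n' 'server = 10.10.0.1' 'port = 8080' 'server2 = 192.168.0.3' > "$sample"

scelarc_endpoints "$sample"                      # both servers, backup on 443
scelarc_unapproved "$sample" "10.10.0.1"         # flags the backup server
```

On a machine with the agent installed, pass /etc/scelarc instead of the sample file.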

Agent setup

Tracking of printing events

To enable tracking of printing events:

  1. In the Control Panel - Computer Configurations section, select the machine on which you want to enable interception.

  2. In the settings window that opens, enable the Files - Shadow Copying option.

  3. Enable the option Printers - Printing.

The Setup printer spooler interception option lets you intercept print jobs by the name of the file being printed. For this option to work properly, install libmagic, a library for determining the Content-Type of files:

sudo apt-get install libmagic-dev

After installing the library, restart your PC.

IMAP4/SMTP Network Mail Interception

To configure mail interception:

  1. In the Control Panel - Computer Configurations section, select the machine on which you want to enable interception.

  2. In the settings window that opens, in the Network connections section, enable the Network monitoring option.

  3. In the Email and messengers section, select E-mail.

Note

Agent versions 0.11.0-master and later can work alongside AppArmor. For versions earlier than 0.11.0-master, disable AppArmor on the agent workstation:

sudo systemctl disable apparmor

To intercept attachments, additionally enable Files - Shadow copying and specify the file size in the field Shadow copying is active for files with size not exceeding:.

Intercepting emails in local clients

Mail tracking and attachment interception are available for Thunderbird, Evolution, Geary and clients based on the Akonadi framework (Kmail, Gmail…). For Akonadi clients, the application name for the event is Akonadi.

To intercept mail:

  1. In the Control Panel - Computer Configurations section, select the machine.

  2. In the Email and messengers section, enable the E-mail (MAPI/Exchange) option.

To intercept attachments, additionally enable Files - Shadow copying and specify the size of the files in the field Shadow copying is active for files with size not exceeding:.

File Activity

To track file operations and create shadow copies of files, enable the appropriate rules in the agent settings in the Files section.

Commands for working with an agent

Action                           Command

Agent start                      sudo /usr/share/staff/agent start
Agent stop                       sudo /usr/share/staff/agent stop
Agent restart                    sudo /usr/share/staff/agent restart
Agent process PID                sudo /usr/share/staff/agent status
Agent information                sudo /usr/share/staff/agent info
Agent uninstallation             sudo /usr/share/staff/agent uninstall
Change HWID of agent             sudo /usr/share/staff/agent hwid
Show current config              sudo /usr/share/staff/agent config
Create archive with agent log    sudo /usr/share/staff/agent zip
Log output for a day             sudo /usr/share/staff/agent log
Log output for a month           sudo /usr/share/staff/agent logs
Logs in real time                sudo /usr/share/staff/agent tail

Removing an agent

There are several ways to remove an agent:

  • on the machine with the agent installed, execute the command:

    sudo /usr/share/staff/agent uninstall
    
  • on the machine with the agent installed, call the installer:

    sudo bash agent-install.sh uninstall
    
  • call removal of the agent from the web interface on the server.

Agent update

Starting from version 0.7.46, the Linux agent can be updated to a new version by a command from the server.

To update an agent:

  1. In the Control Panel - Computers section, select the desired computer.

  2. Under Run action, select Update to latest version.

The agent will be updated to the latest version on the server.