Utilization Guide - Ivanti Application Control for Linux
This is an introduction to the use of Ivanti Application Control for Linux. Linked help topics describe how to configure and maintain the configuration settings available via the web console, and the logic by which policies and rules are applied. Maintenance information may help you debug or troubleshoot configuration across the component parts of your system.
The content is intended for system administrators.
Installation help is available from the User Workspace Manager help system (link will open in a new window).
Application Control for Linux Features
Application Control for Linux is highly configurable. Its powerful features include the following in the 2021.4.1 release:
Local Allowlist Changes
This is an RPM package and GPG key extractor:
- It can be found here: Devices > Details for device... > Device Contents
- Once the connection between the device and the backend has been established, the information will start to flow and collect on the backend and database side.
- The Refresh RPM information button is an on-demand action that refreshes the table when new keys or new RPM packages have been added to the Linux endpoint.
AC Server Console Debug
The console debug information has been updated:
- The back-end log information is now stored locally as well as in the database and the console view.
- The local disk log can be found here: C:\ProgramData\Ivanti\ACServer and the log name format is: ACServerLogxxxxx.txt
- Modify the file C:\Program Files\Ivanti\ACServer\AC Server\appsettings.json to set the verbosity of the log here:
    {
      "Serilog": {
        "Using": [
          "Serilog.Sinks.Console",
          "Serilog.Sinks.File"
        ],
        "MinimumLevel": "Debug",    <--- modify this
        "WriteTo": [
- The available minimum levels, from low to high, are: Verbose, Debug, Information, Warning, Error, Fatal.
- The database table that stores the header of the information in this local log is: dbo.Logs
- The console view of this log can be found here: Advanced Settings tab > Server Logs
Be advised that once this viewer holds more than 1500000 entries, the loading time of the page can increase to as much as 15 minutes.
AC Server Manifest/Agent/Engine Automatic Deployment
Automatic deployment is available on CentOS 8 and Red Hat 8, but not on Oracle 8.
The engine will be deployed within at most 15 minutes of the request being issued (that is, the engine is installed automatically for your convenience).
Once the agent has been deployed by hand on the Linux endpoint and the register command has been issued, the agent will verify that the engine is present. If the engine is not found, you will be notified by an auto-update command.
The master installer ships with the latest agent and engine RPMs, which are located here:
C:\Program Files\Ivanti\ACServer\AC Server\HostedFiles
Installation information is found in the UWM documentation.
AC Server Converted to IIS Web Site
The Application Control for Linux server has been converted from an executable to an IIS web site. With this conversion, the AF server remains an executable.
IIS management tools need to be installed on the server prior to deploying the AC for Linux master installer.
The order of execution is:
- Install the master installer.
- Access the website in your browser at https://localhost:5001.
- Start the AF Server executable using "run as admin".
The first time you access the website via https://localhost:5001, the database will also be created automatically; for this first access only, the loading time will be between 5 and 10 minutes.
Some useful logs to look into
- C:\ProgramData\Ivanti\ACServer\ConsoleResponses.txt -- log for the AF Server console; contains check-in information from Linux endpoints.
- C:\ProgramData\Ivanti\ACServer, log name format: ACServerLogxxxxx.txt -- all actions undertaken by the backend are logged here.
- C:\ProgramData\Ivanti\ACServer, log name format: master_20220117151751.txt -- while the master installer is running, its information is logged here.
- C:\ProgramData\Ivanti\ACServer, log name format: master_20220117151751_003_AcServerSetup.msi.txt -- AcServerSetup.msi is the component that installs AC for Linux.
- C:\Program Files\Ivanti\ACServer\Configure Environment\configureApp.log -- contains information about SSL certificates.
- /opt/ivanti/ac/logs/stmqttservice.log -- check here to see whether the agent is communicating properly with the backend broker.
- /opt/ivanti/ac/logs/stagentupdater_0.log -- check here to see whether the backend is updating the agent with the latest information.
- /opt/ivanti/ac/logs/stagentd.log -- check here to see whether the information from the Linux machine is queued and shipped to the backend.
- /opt/ivanti/ac/engines/ivanti-ac-engine-<distribution>/logs/acengd.log -- this is the engine log; check here to see, in real time, the actions enforced by the engine.
Troubleshooting
If the agent is fully registered but no data exchange occurs, and the agent logs report a communication-to-broker error:
- Stop IIS.
- Stop the AF server.
- Open an admin CMD and cd to C:\Program Files\Ivanti\ACServer\Configure Environment
- Run ConfigureEnvironmentApp.exe -uninstall and wait for it to finish.
- Run ConfigureEnvironmentApp.exe -install and wait for it to finish.
- Start IIS.
- Start the AF server (as admin).
- Restart the Mosquitto broker service.
- Copy the new CA.pem to your endpoint.
- Register the agent.
- Communication should start in under 10 minutes.
If the backend loses network connectivity or power, the agents will lose their connection to the broker. This causes the time between check-ins to increase, and it grows without bound.
If this has happened, the stmqttservice.log will show: "/MqttServices.cpp:404 Did not connect. Waiting 6470466 milliseconds before trying again."
At this point, the connection will not recover on its own.
Solution: issue the register command again. Nothing will be lost, and logs will start flowing again in under 15 minutes.
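As an added defender-side check (not part of the Ivanti documentation or product), the following Python script scans stmqttservice.log lines for the reconnect back-off message quoted above and reports when the delay has grown past a threshold, so the runaway condition can be spotted before check-ins silently stop; the 15-minute threshold and the timestamp prefix in the sample lines are assumptions.

```python
import re

# Matches the stmqttservice.log message quoted above. Whatever precedes
# "/MqttServices.cpp" (timestamp, process name) is assumed to vary, so only
# the message itself is matched.
BACKOFF_RE = re.compile(r"Did not connect\. Waiting (?P<ms>\d+) milliseconds before trying again")

# Assumed threshold (not from the page): a reconnect delay longer than this is
# treated as runaway back-off that will not recover without re-registering.
RUNAWAY_MS = 15 * 60 * 1000  # 15 minutes

def parse_backoffs(lines):
    """Return every reconnect delay (ms) found in the log lines, in order."""
    delays = []
    for line in lines:
        m = BACKOFF_RE.search(line)
        if m:
            delays.append(int(m.group("ms")))
    return delays

def check_broker_connection(lines, runaway_ms=RUNAWAY_MS):
    """Summarise broker connectivity from stmqttservice.log lines.

    'growing' is True when each back-off exceeds the previous one (the unbounded
    growth described above); 'action' becomes 're-register agent' once the
    delay has passed runaway_ms.
    """
    delays = parse_backoffs(lines)
    growing = len(delays) > 1 and all(b > a for a, b in zip(delays, delays[1:]))
    max_wait = max(delays, default=0)
    return {
        "attempts": len(delays),
        "max_wait_ms": max_wait,
        "growing": growing,
        "action": "re-register agent" if max_wait >= runaway_ms else "ok",
    }

# Constructed sample lines (not real agent output): the timestamp prefix is
# invented; the message text follows the line quoted in the troubleshooting note.
SAMPLE_LOG = [
    "2022-01-17 15:17:51 stmqttservice: connected to broker",
    "2022-01-17 15:20:03 /MqttServices.cpp:404 Did not connect. Waiting 60000 milliseconds before trying again.",
    "2022-01-17 15:21:10 /MqttServices.cpp:404 Did not connect. Waiting 240000 milliseconds before trying again.",
    "2022-01-17 15:25:30 /MqttServices.cpp:404 Did not connect. Waiting 6470466 milliseconds before trying again.",
]

if __name__ == "__main__":
    print(check_broker_connection(SAMPLE_LOG))
```

On a live endpoint, feed it the lines of /opt/ivanti/ac/logs/stmqttservice.log and treat 're-register agent' as the cue to issue the register command described above.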
Related Topics:
Installation (opens UWM Help)
The following features were included in the 2021.3 AC Linux release:
Zero-Day Protection
Once installed and running on your Linux endpoints, the Ivanti Application Control for Linux engine automatically denies all execution operations of binaries, shared objects, scripts, or commands. The exception is any functionality you have explicitly allowed via Policy Defaults.
Local Allowedlists
After start-up, the Application Control for Linux engine scans the local RPM database and automatically adds all packages found to the local Allowedlist, based on their contents.
Allow/Deny Rules
The default working mode of the Application Control for Linux system is to deny execution operations unless they are permitted via Policy Defaults, locally allowlisted, or explicitly allowed.
Allowing and denying specific paths and/or binaries is achieved by deploying policies and rules:
• Create policies inside the Application Control for Linux web console,
• Establish the required rules,
• Select a list of registered devices (or groups of devices) to be protected.
Audit vs. Restrict
A policy in the Application Control for Linux system can be set up in either Audit or Restrict mode:
Audit Mode:
• Instructs the Application Control for Linux engine to monitor all operations on the protected endpoint and to report back to the administrator what the enforcement results would have been, based on the rule set of the policy deployed on it.
This mode enables administrators to audit the possible effects of a policy's rule set and to monitor the actions of users. Reviewing audit data provides valuable feedback when preparing to implement a new policy.
Restrict Mode:
• Instructs the Application Control for Linux engine to monitor all operations on the protected endpoint, enforce the rule set contained in the deployed policy (including policy defaults and local allowlisting), and report back to the administrator all the operations monitored and the enforcements applied.