Utilization Guide - Ivanti Application Control for Linux
This is an introduction to the use of Ivanti Application Control for Linux. Linked help topics describe how to configure and maintain the configuration settings available via the web console, and the logic by which policies and rules are applied. Maintenance information may help you debug or troubleshoot configuration across the component parts of your system.
The content is intended for system administrators.
Installation help is available from the User Workspace Manager help system (link will open in a new window).
Application Control for Linux New Features 2022.4
Application Control for Linux is highly configurable. Its powerful features include the following in the 2022.4 release:
Auto-Complete for Policy Creation
A registered Linux device can have the list of all the installations and their paths sent to the server, for perusal by the Administrator. The new feature means that when creating or editing a policy, these paths are used to offer suggestions for what to list in the Policy Rules. Using this feature will ensure the correct path is always entered when adding rules to policies.
Some useful logs to look into
- C:\ProgramData\Ivanti\ACServer\ConsoleResponses.txt -- log for the AF Server console; contains check-in information from Linux endpoints.
- C:\ProgramData\Ivanti\ACServer, log name format ACServerLogxxxxx.txt -- the server action logs are stored in this file.
- C:\ProgramData\Ivanti\ACServer, log name format master_20220117151751.txt -- while the master installer runs, its information is logged here.
- C:\ProgramData\Ivanti\ACServer, log name format master_20220117151751_003_AcServerSetup.msi.txt -- AcServerSetup.msi is the component that installs AC for Linux; logs for that installer are here.
- C:\Program Files\Ivanti\ACServer\Configure Environment\configureApp.log -- here you can see information pertaining to the SSL certificates.
- /opt/ivanti/ac/logs/stmqttservice.log -- this log contains the communication transactions with the server; any issues or errors will be shown in this file.
- /opt/ivanti/ac/logs/stagentupdater_0.log -- this log contains information about when the agent is updated from the server.
- /opt/ivanti/ac/logs/stagentd.log -- this log shows what data is being queued and what has been sent to the server.
- /opt/ivanti/ac/engines/ivanti-ac-engine-<distribution>/logs/acengd.log -- this log shows the actions carried out by the engine; use it to see what has been done, in real time, without having to review the events on the server.
Troubleshooting
If an endpoint does not seem to be exchanging data with the server, but the agent is registered and the agent log (stagentupdater_0.log) is reporting a communication error, the SSL certificate may have been corrupted. To address this, follow these steps:
On the Ivanti Application Control for Linux Server:
- Stop IIS.
- Stop the AF Server (by closing the cmd window).
- Launch a new CMD process using the 'Run as Administrator' option.
- Use the command:
  cd "C:\Program Files\Ivanti\ACServer\Configure Environment"
- Uninstall ConfigureEnvironmentApp.exe using:
  wmic ConfigureEnvironmentApp.exe
- Install ConfigureEnvironmentApp.exe:
  ConfigureEnvironmentApp.exe
- Restart IIS.
- Restart the AF Server by locating the item in the Start menu, right-clicking it and choosing Run as Administrator.
- In Windows services, restart the 'Mosquitto Broker' service.
- Repeat step 6 of the installation guide to copy the CA.pem back to the endpoint.
- Repeat step 9 of the installation guide to re-register the agent.
Communication should start in under 10 minutes.
If the Ivanti Application Control for Linux server loses connectivity for some reason, the endpoints will continue to attempt to check in with it. The agents increase the interval between check-in attempts after each failure, so the interval can grow very long.
To check if this has happened, look in the stmqttservice.log on an endpoint to see if there is a message that reads:
/MqttServices.cpp:404 Did not connect.
Waiting 6470466 milliseconds before trying again.
If so, you can re-register the agent to reset the interval and have the communication restored. Registration is described in Step 9 of the installation guide.
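As an added example (not part of the product or this guide), the following POSIX shell script scans an endpoint's stmqttservice.log for the back-off message above and flags when the recorded wait exceeds a threshold; the 10-minute threshold, the script name and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of Ivanti's product or this guide: scan an endpoint's
# stmqttservice.log for the reconnect back-off message quoted above and flag
# devices whose wait has grown past a threshold (sample lines are constructed).

# Largest "Waiting N milliseconds before trying again." value in the log (0 if none).
max_backoff_ms() {
  awk '/Waiting [0-9]+ milliseconds before trying again/ {
         for (i = 1; i < NF; i++)
           if ($i == "Waiting" && ($(i + 1) + 0) > (max + 0)) max = $(i + 1)
       }
       END { print max + 0 }' "$1"
}

# Whole minutes for a readable report.
ms_to_minutes() {
  echo $(( $1 / 60000 ))
}

# Exit 0 when the recorded back-off exceeds THRESHOLD_MS (argument 2).
backoff_exceeded() {
  [ "$(max_backoff_ms "$1")" -gt "$2" ]
}

# Writes a constructed sample log modelled on the lines quoted above; prints its path.
sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
/MqttServices.cpp:404 Did not connect.
Waiting 30000 milliseconds before trying again.
/MqttServices.cpp:404 Did not connect.
Waiting 6470466 milliseconds before trying again.
EOF
  echo "$f"
}

# Prints the verdict; re-registering the agent (installation guide step 9) resets the interval.
report() {
  ms=$(max_backoff_ms "$1")
  if backoff_exceeded "$1" "$2"; then
    echo "back-off is $(ms_to_minutes "$ms") min, above $(ms_to_minutes "$2") min: re-register the agent"
  else
    echo "back-off is $(ms_to_minutes "$ms") min: within threshold"
  fi
}

# Usage: sh check_backoff.sh [LOGFILE] [THRESHOLD_MS]; defaults to the sample log and 10 minutes.
report "${1:-$(sample_log)}" "${2:-600000}"
```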
Related Topics:
Installation (opens UWM Help)
Previous Releases
Support for Oracle 7.x
Application Control for Linux now supports Oracle 7.x.
Policy Version
You can now add versioning to policies.
Device Summary - Network Information
The Devices tab now includes network information.
Enhancements to lists of executables on registered endpoints
The list of executable files on each endpoint has had two major enhancements with this iteration. Firstly, the list can be searched for specific file names so their location in the hierarchy can be quickly identified. Secondly, having identified an executable that the administrator would like to add to a policy, there is a new button that copies the full path to the clipboard, eliminating errors in typing the path manually.
Authentication Required for access to Web Console
Access to the administration console is only available to users who are able to authenticate with either a local Windows account or AD credentials. Sessions timeout after 5 minutes of inactivity.
Import lists of devices for Device Groups
Lists of devices to be added to groups can now be imported via csv.
Ivanti Application Control Server.exe converted to Windows service
Similarly to the AC Server component, which was converted to an IIS site in the 2021.4 release, the AF Server is now a Windows Service that can be started automatically; it no longer needs to run continuously on the desktop.
The Ivanti Application Control Server Relay Service, which handles communication with endpoints, has been implemented.
It starts automatically once the Ivanti Application Control backend has been installed, and at each server restart.
New "Restrict Log" tab
Replacing the deprecated Debug Info tab on the device details, the new Restrict Log shows all the information pertaining to restrictions on the device in a new, filterable format. Administrators can now easily sort through and search the events that show what has been restricted as part of the policy.
If you have upgraded from 2021.4 to 2022.1, you can still find your Debug Info logs in the ACDatabase, under dbo.DebugInfo, via an SQL query. However, the old data will not be displayed in the console due to the new formatting.
Support for RedHat Enterprise Linux 7 and CentOS 7
In addition to supporting RedHat Enterprise Linux 8, CentOS 8 and Oracle 8, we have added support for RedHat Enterprise Linux 7 and CentOS 7. Both operating systems are supported for install and upgrade via manifest.
Windows Authentication for Database creation and access
Creation of and access to the AcDatabase, required by Ivanti Application Control for Linux is now achieved via a Windows authenticated account. The account must be created in the SQL Server prior to the installation of Ivanti Application Control for Linux 2022.1 and it requires the ‘dbcreator’ role. For further information, please see the Installation guide.
Please note:
- We support both Windows Authentication and SQL Authentication towards MSSQL database servers. For WINAUTH, the most secure way to implement this is against a preconfigured database login. Please note that your database admin needs to configure the login before installing Application Control for Linux 2022.1. The account needs to be in the format Domain\BackendName$ and must hold the dbcreator role.
- The Application Control Server is no longer a stand-alone executable. It has been ported into IIS and is configured not only to start the main console but also, with WINAUTH configured, to automatically create the database for Ivanti Application Control for Linux, called AcDatabase.
Bulk registered device import
For 2022.1, we can import bulk registered devices into groups from the Registered Devices list in the console via the Device Groups.
Time zone improvements
Both the device local date and UTC are now stored in the backend for all incoming logs as well as displayed in the database. These are normalized for all logs across Application Control for Linux.
Linux Device information displayed in console
With this release, the name and structure of your Linux Device and the executable files are displayed in the Application Control for Linux console, under Details for device > Device Contents > Executable Files.
Please note that for folders that contain over 20,000 executable files, the time to display can be up to 10 minutes. The browser will ask whether you want to wait or close the window; we suggest choosing Wait for the page to load.
Improved data collection and display
For Application Control for Linux 2022.1, all of the data stored in the database has been normalized or standardized for display in the console. Those that were formerly not fully displayed for formatting, lengths, special characters and other reasons, are now fully accessible.
Improved information access
On the Home page of the Ivanti Application Control for Linux Console, links to the Ivanti Application Control for Linux Online Help page, the Ivanti Support Portal and the Ivanti Community are provided for easier access to information resources.
Review Device Details
A new tab on the Devices page, Device Contents shows more information about what is on the device being viewed. This information includes a list of all the RPM packages as well as GPG keys. This information can be used to guide the administrator in creating the allow- and denylists.
To ensure the information is up-to-date, the 'Refresh RPM' button can be used to refresh this list.
Ivanti Application Control for Linux Automatic Deployment from Server
It is now possible to have the manifest, agent and engine automatically deploy from the server for endpoints using the CentOS 8 or RedHat 8 Operating Systems.
Any endpoint that has had the agent installed and is registered with the Ivanti Application Control for Linux server will have the engine automatically downloaded and installed within 15 minutes.
Future agent or engine updates will then be auto-deployed and installed.
The console debug information has been updated:
- The back-end log information is now stored locally as well as in the database and the console view.
- The local disk log can be found here: C:\ProgramData\Ivanti\ACServer, and the log name format is: ACServerLogxxxxx.txt
- Modify the file C:\Program Files\Ivanti\ACServer\AC Server\appsettings.json to change the verbosity of the log; the relevant fragment is:
  {
    "Serilog": {
      "Using": [
        "Serilog.Sinks.Console",
        "Serilog.Sinks.File"
      ],
      "MinimumLevel": "Debug", <--- modify this
      "WriteTo": [
- From low to high, the levels are: Verbose, Debug, Information, Warning, Error, Fatal.
- The database table that stores the header of the information in this local log is: dbo.Logs
- The console view of this log can be found here: Advanced Settings tab > Server Logs. Be advised that after 1500000 entries in this viewer, loading times of the page might increase to up to 15 minutes.
Ivanti Application Control for Linux Automatic Deployment from Server
Automatic deployment is available on CentOS 8 and RedHat 8 but not on Oracle 8.
The engine will be deployed at most 15 minutes after the request is issued; that is, the engine is installed automatically for your convenience.
Once the agent has been deployed by hand on the Linux endpoint and the register command has been issued, the agent will verify that the engine is present. If the engine is not found, you will be notified by an auto-update command.
The master installer is shipped with the latest agent and engine rpms , these are located here:
C:\Program Files\Ivanti\ACServer\AC Server\HostedFiles
Installation information is found in the UWM documentation.
Ivanti Application Control Server Converted to IIS Web Site
The Application Control Linux server has been converted from an executable to an IIS Web Site. With this conversion, the AF Server remains an executable.
IIS management tools need to be installed on the server prior to deploying the Ivanti Application Control for Linux master installer.
The following features were included in the 2021.3 AC Linux release:
Zero-Day Protection
Once installed and running on your Linux endpoints the Ivanti Application Control for Linux engine automatically denies all execution operations of binaries, shared objects, scripts, or commands. The exception to this is any functionality you have explicitly allowed via Policy Defaults.
Local Allowedlists
After start up, the Application Control for Linux engine scans the local RPM database and automatically adds all the packages found to the local Allowedlist - based on their contents.
Allow/Deny Rules
The default working mode of the Application Control for Linux system is to deny execution operations unless they are permitted via Policy Defaults, locally allowlisted, or explicitly allowed.
Allowing and denying specific paths and/or binaries is achieved by deploying policies and rules:
- Create policies inside the Application Control for Linux web console,
- Establish the required rules,
- Select a list of registered devices (or groups of devices) to be protected.
Audit vs. Restrict
A policy in the Application Control for Linux system can be set up in either Audit or Restrict mode:
Audit Mode:
- Instructs the Application Control for Linux engine to monitor all operations on the protected endpoint and to report back to the administrator what the enforcement results would have been, based on the rule set of the policy deployed on it.
This mode enables administrators to audit the possible effects of a policy's rule set and to monitor the actions of users. Review of audit data provides valuable feedback when preparing to implement a new policy.
Restrict Mode:
- Instructs the Application Control for Linux engine to monitor all operations on the protected endpoint, enforce the rule set contained in the deployed policy (this includes policy defaults and local allowlisting), and report back to the administrator all the operations monitored and the enforcements applied.