Deploy an EDR Sensor Agent
    • 16 Aug 2024

    Installation Requirements

    System

    Supported Linux architectures:

    • x86_64

    • aarch64 (ARM 64-bit)

    Supported Linux server distributions:

    • Amazon Linux

    • Ubuntu

    • CentOS

    • RHEL

    • Debian

    • Fedora

    • SUSE/openSUSE

    • Oracle Linux (RHEL & UEK kernels)

    Supported Linux kernel versions:

    • 3.2 and above (mainline)

    Support and installation notes

    • Systems that run other software using the audit netlink socket are not supported: the socket has a single consumer, and the sensor must be that consumer whenever it collects telemetry through Audit.

    • Installation disables auditd.service and systemd-journald-audit.socket (both would otherwise consume the audit socket); it does not modify any auditd configuration files. Uninstalling restores the previous state.

    Network

    Outbound network connectivity

    • https://cwp-ingest.redcanary.io (tcp/443) (Sensor telemetry sent to Red Canary's AWS account)

    • 35.188.42.15 (tcp/443) (Sentry proactive error monitoring)

    • 34.120.195.249 (tcp/443) (Sentry proactive error monitoring)

    To use a SOCKS proxy, either set the HTTPS_PROXY or HTTP_PROXY environment variable for the sensor process, or add the following key to config.json:

    "http_proxy": "https://HOST:PORT"
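    As an added example (not Red Canary's code and not part of the original article), the following POSIX shell script checks the requirements above before you install: architecture, kernel version, whether another process already holds the audit netlink socket, whether an existing /opt/redcanary/config.json is well formed, and whether cwp-ingest.redcanary.io is reachable on tcp/443 through whatever proxy HTTPS_PROXY names. The script name, the function names, the use of auditctl -s for the socket check and the pass/fail wording are assumptions of this example; the thresholds and the hostname are the ones stated on this page.

```shell
#!/bin/sh
# Pre-flight check for the sensor prerequisites listed above: architecture,
# kernel version, audit netlink socket ownership, config.json sanity and
# outbound reachability of the ingest endpoint. Added example, not Red
# Canary's own tooling: thresholds and hostname come from the article, the
# function names and pass/fail logic are this example's assumptions.
# Every check takes its input as an argument so it can be run against
# constructed values as well as against the live host.

# Architectures the sensor supports (from the requirements table).
supported_arch() {
    case "$1" in
        x86_64|aarch64) return 0 ;;
        *)              return 1 ;;
    esac
}

# Kernel 3.2 or newer. "$1" is a uname -r string such as 5.15.0-91-generic;
# only the major.minor fields are compared, distribution suffixes are ignored.
kernel_supported() {
    major=$(printf '%s\n' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    [ -n "$major" ] || return 1
    [ "$major" -gt 3 ] 2>/dev/null && return 0
    [ "$major" -eq 3 ] 2>/dev/null && [ "${minor:-0}" -ge 2 ] 2>/dev/null && return 0
    return 1
}

# The sensor cannot share the audit netlink socket with another consumer.
# "$1" is the output of `auditctl -s` (needs root); its "pid" line is the PID
# of the process currently attached to the socket, 0 when nobody is.
# A missing "pid" line (auditctl absent or not permitted) is treated as free.
audit_socket_free() {
    audit_pid=$(printf '%s\n' "$1" | awk '$1 == "pid" { print $2 }')
    [ -z "$audit_pid" ] || [ "$audit_pid" = "0" ]
}

# Sanity check of config.json: balanced double quotes (catches a missing
# closing quote), the keys the installation steps require, and a real JSON
# parse when python3 is available. "$1" is the file path.
config_ok() {
    [ -r "$1" ] || return 1
    quotes=$(tr -cd '"' < "$1" | wc -c | tr -d ' ')
    [ $((quotes % 2)) -eq 0 ] || return 1
    for key in access_token offload_target; do
        grep -q "\"$key\"" "$1" || return 1
    done
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$1" 2>/dev/null || return 1
    fi
    return 0
}

# Outbound TCP/443 to the ingest endpoint. curl honours HTTPS_PROXY/HTTP_PROXY,
# so a proxied host is tested the way the sensor would connect. No -f on
# purpose: any HTTP response (a 4xx for an unauthenticated GET is expected)
# proves the path is open; only a connect or TLS failure is a problem.
endpoint_reachable() {
    if ! command -v curl >/dev/null 2>&1; then
        echo "curl not installed, skipping connectivity check for $1" >&2
        return 0
    fi
    curl -sS --max-time 10 -o /dev/null "$1"
}

main() {
    rc=0
    arch=$(uname -m); kernel=$(uname -r)
    if supported_arch "$arch"; then echo "ok   architecture $arch"
    else echo "FAIL architecture $arch is not supported"; rc=1; fi
    if kernel_supported "$kernel"; then echo "ok   kernel $kernel"
    else echo "FAIL kernel $kernel is older than 3.2"; rc=1; fi
    if audit_socket_free "$(auditctl -s 2>/dev/null)"; then
        echo "ok   no process attached to the audit netlink socket"
    else
        comm=$(cat "/proc/$audit_pid/comm" 2>/dev/null)
        echo "WARN audit socket held by pid $audit_pid (${comm:-unknown}); fine if that is auditd, which the installer disables, unsupported otherwise"
    fi
    if [ -e /opt/redcanary/config.json ]; then
        if config_ok /opt/redcanary/config.json; then echo "ok   config.json parses and has the required keys"
        else echo "FAIL /opt/redcanary/config.json is malformed or incomplete"; rc=1; fi
    fi
    if endpoint_reachable https://cwp-ingest.redcanary.io; then echo "ok   cwp-ingest.redcanary.io:443 reachable"
    else echo "FAIL cannot reach cwp-ingest.redcanary.io:443 (check egress rules or proxy settings)"; rc=1; fi
    return "$rc"
}

# `sudo sh preflight.sh check` runs the live checks; with no argument the
# script only defines the functions so it can be sourced or tested.
case "${1:-}" in
    check) main; exit $? ;;
esac
```

    Run it as root (auditctl -s needs CAP_AUDIT_CONTROL) with sudo sh preflight.sh check; a non-zero exit means at least one hard requirement failed, while the audit-socket result is only a warning because the installer disables auditd itself.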

    Installation Instructions

    Note: If Sensor Auto-Upgrade is enabled, replace canary-forwarder and canary_forwarder in the commands below with cwp.

    RPM

    1. Place the information below into a file titled redcanary.repo in /etc/yum.repos.d/.

      [RedCanary]
      name=Red Canary Cloud Workload Protection
      username=
      password=
      baseurl=https://redcanary.jfrog.io/artifactory/forwarder-rpm-prod-local/
      enabled=1
      gpgcheck=0
      repo_gpgcheck=1 
      gpgkey=https://.my.redcanary.co/keys/artifactory.gpg.public
      
    2. Run sudo yum install canary_forwarder. Note that with gpgcheck=0 and repo_gpgcheck=1 as above, yum verifies the signature on the repository metadata but not on the individual RPM files.

    3. Place the information below into a file titled config.json in /opt/redcanary/.

    {
       "access_token":"xxxxxxxxxxxxxx",
       "outpost_auth_token":"xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx",
       "offload_target":"Outpost"
    }

    Debian

    1. Place the information below into a file titled redcanary.list in /etc/apt/sources.list.d/.

    Note: Use the contents specific to the system whether it is x86_64/amd64 or AArch64/arm64.

    x86_64/amd64

    deb [arch=amd64 signed-by=/usr/share/keyrings/redcanary.gpg] https://:@redcanary.jfrog.io/artifactory/forwarder-debian-prod-local main restricted

    AArch64/arm64

    deb [arch=arm64 signed-by=/usr/share/keyrings/redcanary.gpg] https://:@redcanary.jfrog.io/artifactory/forwarder-debian-prod-local main restricted

    The signed-by option points apt at the keyring created in step 3; apt does not consult /usr/share/keyrings on its own, and scoping the key to this one repository keeps it from authenticating any other source.

    2. Place the information below into a file titled redcanary_auth.conf in /etc/apt/auth.conf.d/. Because it holds a credential, make it readable by root only (sudo chmod 600 /etc/apt/auth.conf.d/redcanary_auth.conf).

    machine redcanary.jfrog.io
    login 
    password 

    3. Install the GPG key with the following command, or place the contents of the key into a temporary file titled redcanary.key and continue with step 4.

    wget -qO - https://.my.redcanary.co/keys/artifactory.gpg.public | sudo gpg --dearmor -o /usr/share/keyrings/redcanary.gpg

    4. If you copied the key contents, run the following command from the directory holding redcanary.key.

    cat redcanary.key | sudo gpg --dearmor -o /usr/share/keyrings/redcanary.gpg

    5. Run the following:

    sudo apt-get update
    sudo apt-get install canary-forwarder

    6. Place the information below into a file titled config.json in /opt/redcanary/.

    {
      "access_token": "xxxxxxxxxxxxxx",
      "outpost_auth_token": "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "offload_target": "Outpost",
      "telemetry": {
          "source": "ebpf"
      }
    }

    7. (Optional) The configuration above tells the sensor to try eBPF as the telemetry source first and to fall back to Audit if eBPF is unavailable. To try Audit first instead (for example on an older kernel without eBPF support), remove the telemetry key and its object from config.json.

    8. If you change config.json later, restart the sensor so it picks up the new settings: sudo systemctl restart cfsvcd (or sudo initctl restart cfsvcd on upstart systems).

    AMI/VM Setup

    1. Start the instance.

    2. Install Red Canary Linux EDR via the Debian or RPM instructions.

    • Follow the instructions from the RPM or Debian tabs. Place the config.json file into /opt/redcanary/.

    3. Stop the cfsvcd service.

    • sudo systemctl stop cfsvcd or sudo initctl stop cfsvcd

    4. Delete any saved state, so that instances launched from the image do not inherit the template's sensor state: sudo rm /opt/redcanary/state.json

    5. Shut down the instance.

    6. Create the AMI or clone from the VM instance.

    Manual Setup

    1. Begin by downloading the relevant package.

    2. To find the download links in Red Canary, click the dropdown arrow next to Endpoints, and then click Deploy sensors

    3. Select your desired platform, and then select your desired sensor technology. 

    4. Scroll down to the Installation Instructions section and click Manual Setup.

    5. Find your desired operating system and use the corresponding Installing the package and Uninstalling the package commands below.

    Ubuntu 16.04 and Newer

    Installing the package

    sudo apt install ./canary-forwarder-1.2.1_amd64.deb

    Uninstalling the package

    sudo apt remove canary-forwarder

    sudo apt autoremove

    Debian 9 and Newer

    Installing the package

    sudo apt install ./canary-forwarder-1.2.1_amd64.deb

    Uninstalling the package

    sudo apt remove canary-forwarder

    sudo apt autoremove

    Debian 8 and Ubuntu 14.04

    Installing the package

    sudo dpkg -i canary-forwarder-1.2.1_amd64.deb

    sudo apt-get -y --fix-broken install

    Uninstalling the package

    sudo apt-get -y remove canary-forwarder

    sudo apt-get -y autoremove
