Installing a Scan Agent on Linux (RedHat Distribution)

If you want to scan a website in a demilitarized zone (DMZ) or in internal networks that are not publicly accessible, you can install Netsparker scan agents in your network. The agent will conduct the actual scan job and then report the results back to Netsparker Enterprise.

In addition to the scanning agent, you can install an authentication verifier agent in your network that will verify the form authentication on your website. For further information, see Installing Authentication Verifier Agents.

You can install the agent on a Linux operating system. If you choose this installation, you must install some dependencies on the system, such as .NET and Mono. Mono is a software platform, part of the .NET Foundation, designed to allow developers to easily create cross-platform applications.

This topic explains how to install Netsparker Enterprise scan and verifier agents on Linux (RedHat distribution) operating systems. To install the agent on Debian distributions, please see Installing a Scan Agent on Linux (Debian Distribution).

The instructions below were tested on CentOS 7, CentOS 8, Fedora 32, and Fedora 33.

There are three stages to this process:

  1. Download the Netsparker Enterprise agent file
  2. Install the Netsparker agent
  3. Configure the Netsparker agent as a Linux service

Prerequisites

Hardware Requirements

  • 1.4 GHz Processor (2.0 GHz or faster recommended)
  • 2 GB RAM (4 GB or higher recommended)
  • 10 GB Free Disk space for each internal agent

Network Requirements

  • Agent should be configured so that it can reach your internal website through HTTP/HTTPS.
  • Agent needs to be able to access the Netsparker Enterprise Application Server’s HTTP(S) (443) port.

Required Access

  • User(s) must have administrator privileges to run the required commands.

Downloading the Agent

You need to download the installation files of the scan agent to a machine on your internal network.

Downloading the scan agent to your on-premises environment? Please contact support@netsparker.com.
How to Download a Scan Agent in Netsparker Enterprise On-Demand
  1. Log in to Netsparker Enterprise.
  2. From the main menu, go to Agents > Manage Agents > Configure New Agent.
  3. From the Agent section, select Linux to download the required files to install the scan agent. 

Installing the Agent

Please note that the verifier and scanning agents have the same installation instructions.

Once you download the required file, you can install a Netsparker Enterprise scanning agent in your environment.

How to Install a Netsparker Enterprise Agent
  1. Open a terminal window.
  2. Update operating system application repositories:
     sudo yum update -y

  3. Install the dependent packages (skip this step on Fedora distributions):
     sudo yum install -y epel-release

  4. Install the dependent packages:
     sudo yum install p7zip p7zip-plugins

     sudo yum install -y nano tar gssntlmssp mono-complete libgdiplus

  5. Next, install .NET Core 3.1 SDK for Linux OS:
     If you've already installed the SDK or runtime, use the dotnet --list-sdks and dotnet --list-runtimes commands to see which versions are installed.

     CentOS 8, Fedora 32, Fedora 33:

     sudo yum install -y dotnet-sdk-3.1

     CentOS 7:

     sudo rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm

     sudo yum install -y dotnet-sdk-3.1

  6. Create a folder for the Netsparker Scanner dependency (make sure the current user has permission on it):
     sudo mkdir -p /home/[YOUR_USER]/.local/share/Netsparker_Ltd
     sudo chown -R [YOUR_USER] /home/[YOUR_USER]/.local/share/Netsparker_Ltd

     [YOUR_USER] in this step must be the same as [YOUR_USER] in the unit file described later in this article.

  7. Install the Headless Chrome browser dependencies:
     sudo yum install -y pango.x86_64 libXcomposite.x86_64 libXcursor.x86_64 libXdamage.x86_64 libXext.x86_64 libXi.x86_64 libXtst.x86_64 cups-libs.x86_64 libXScrnSaver.x86_64 libXrandr.x86_64 GConf2.x86_64 alsa-lib.x86_64 atk.x86_64 gtk3.x86_64 xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils xorg-x11-fonts-cyrillic libX11-xcb.so.1 libnss3.so xorg-x11-fonts-Type1 xorg-x11-fonts-misc

  8. Next, extract the TAR file:
     • To extract the scan agent, run the following commands:
       tar xf Netsparker_Enterprise_Scanner_Agent.tar

       chmod +x .local-chromium/Linux-*/chrome-linux/chrome

     • To extract the authentication verifier agent, run the following commands:
       tar xf Netsparker_Enterprise_Verifier_Agent.tar

       chmod +x .local-chromium/Linux-*/chrome-linux/chrome

  9. Open the appsettings.json file in any text editor you prefer to enter the necessary information, such as ApiToken:
     sudo nano appsettings.json

These settings will be used by the agent:

  • AgentName: This can be anything you want. This text will be displayed when you are starting a new scan. (If you are going to install more than one instance of the agent, you must set a unique AgentName value for each instance, something you will use later.)
  • AgentType: This can be Standard or Cloud. If you want to use Cloud Provider for scanning, AgentType must be Cloud.
  • ApiToken: In Netsparker Enterprise, the Agent Token is displayed in the Configure New Agent window. Copy the value into ApiToken. (For further information, see How to Get an Agent Token for the Scan Agent.)
  • ApiRootUrl: This is the URL of Netsparker Enterprise or the Netsparker Enterprise On-Premises.
  • AgentMode: This should be Verifier if you plan to authenticate login forms. Otherwise, it should remain Scanner for the scanning.

Setting Agent as a Linux Service

An internal scan agent should be configured as a Linux service, so that it can poll the Netsparker Enterprise servers regularly and can take the scan initiation command from the server.

Additionally, you can update the scan agent or enable it to auto-update itself. For further information about the agent update, see Auto-Update Support for Scanner Agents.

You can complete this process in three steps:

Add a Unit File for a Netsparker Scan Agent

  1. Open a terminal window.
  2. cd /etc/systemd/system
  3. sudo touch [YOUR_AGENT_NAME].service
  4. sudo nano [YOUR_AGENT_NAME].service
The AgentName in the appsettings.json file and the unit file name for the agent must be the same. This is required to start the scan agent as a Linux service and to update the scan agent when a new version is released.
  5. Add the following script into [YOUR_AGENT_NAME].service
[Unit]
Description=netsparker.service description
[Service]
Type=notify
KillMode=process
Restart=always
RestartSec=30
SyslogIdentifier=[YOUR_USER]
KillSignal=SIGINT
User=[YOUR_USER]
WorkingDirectory=[YOUR_AGENT_DIRECTORY_PATH]
ExecStart=/usr/bin/dotnet [YOUR_AGENT_DIRECTORY_PATH]/Netsparker.Cloud.Agent.dll
ExecStop=/usr/bin/pkill -f "[YOUR_AGENT_DIRECTORY_PATH]/Nhs/NetsparkerHelperService.exe"
[Install]
WantedBy=multi-user.target

Save and close the document.

Configure Sudoers for a Netsparker Agent

  1. sudo touch /etc/sudoers.d/[YOUR_AGENT_NAME]-systemctl
  2. sudo visudo -f /etc/sudoers.d/[YOUR_AGENT_NAME]-systemctl
  3. Add the following lines into [YOUR_AGENT_NAME]-systemctl
    • [YOUR_USER] ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl start [YOUR_AGENT_NAME].service
    • [YOUR_USER] ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl stop [YOUR_AGENT_NAME].service

Save and close the document.
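
The naming rules in this article (AgentName equals the unit file name, and [YOUR_USER] is the same in the unit file and in the sudoers rules) can be checked before the service is started. The script below is an added example, not part of the vendor's instructions. The function names, the agent name dmz-agent-1, the user nsagent and the JSON fragment are constructed, and the permission check on appsettings.json is an added hardening assumption.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): lint one agent install against this article's naming rules.
# lint_agent AGENT_NAME UNIT_FILE SUDOERS_FILE APPSETTINGS_JSON
# Prints one line per finding; the return status is the number of findings.

unit_value() {  # unit_value FILE KEY: value of the last KEY= line, whitespace trimmed
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

lint_agent() {
  local name=$1 unit=$2 sudoers=$3 settings=$4 n=0 user verb base
  finding() { echo "FINDING: $*"; n=$((n + 1)); }

  # Unit file name and AgentName must match (service start and auto-update rely on it).
  [ "$(basename "$unit")" = "$name.service" ] ||
    finding "unit file is $(basename "$unit"), expected $name.service"
  grep -Eq "\"AgentName\"[[:space:]]*:[[:space:]]*\"$name\"" "$settings" ||
    finding "AgentName in $(basename "$settings") is not \"$name\""

  # sudo silently skips drop-ins whose file name contains '.' or ends in '~'.
  base=$(basename "$sudoers")
  case $base in *.*|*~) finding "sudo ignores a drop-in named $base" ;; esac

  # Both sudoers rules must name the unit's User= and this agent's service.
  user=$(unit_value "$unit" User)
  for verb in start stop; do
    grep -Eq "^${user}[[:space:]].*NOPASSWD:[[:space:]]*/usr/bin/systemctl $verb $name\.service[[:space:]]*$" "$sudoers" ||
      finding "no NOPASSWD rule for ${user:-UNSET} to $verb $name.service"
  done

  # appsettings.json holds ApiToken: group/other bits should be clear (added hardening check).
  [ "$(ls -ld "$settings" | cut -c5-10)" = "------" ] ||
    finding "$(basename "$settings") is accessible to group or other"
  return "$n"
}

demo() {  # constructed sample install for a hypothetical agent "dmz-agent-1", user "nsagent"
  local d; d=$(mktemp -d)
  printf '[Service]\nUser=nsagent\nWorkingDirectory= /opt/dmz-agent-1\n' > "$d/dmz-agent-1.service"
  printf 'nsagent ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl %s dmz-agent-1.service\n' start stop \
    > "$d/dmz-agent-1-systemctl"
  printf '{ "AgentName": "dmz-agent-1", "ApiToken": "CONSTRUCTED-PLACEHOLDER" }\n' > "$d/appsettings.json"
  chmod 600 "$d/appsettings.json"
  lint_agent dmz-agent-1 "$d/dmz-agent-1.service" "$d/dmz-agent-1-systemctl" "$d/appsettings.json"
}
demo && echo "no findings"
```

Against a real install, run lint_agent as root with the paths under /etc/systemd/system and /etc/sudoers.d, since the sudoers drop-in is not readable by ordinary users.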

Start Netsparker Enterprise Agent as a Linux Service

  1. sudo systemctl daemon-reload
  2. sudo systemctl start [YOUR_AGENT_NAME].service

You can now check the status of the connection between Netsparker Enterprise and the scan agent. From the Agents menu, click Manage Agents. The Agents window is displayed.

Agents in Netsparker Enterprise

Any changes in the appsettings.json file, such as setting a proxy or changing the API token, require restarting the service so that the changes can take effect.
You can set a proxy for the scanning agent in Netsparker Enterprise. For further information about the proxy, see Setting Proxy in Scanner Agents. Using Proxy Auto-Configuration? For further information, see Using Proxy Auto-Configuration file.

Defining and Scanning an Internal Website in Netsparker Enterprise

Now that you have installed a scanning agent in your infrastructure, you should configure Netsparker Enterprise to let it know which websites should be scanned with an internal agent rather than with the built-in agents.

How to Define an Internal Website in Netsparker Enterprise
  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Websites > New Website.
  3. Enter your internal website details (see Adding a Website in Netsparker Enterprise).
  4. From the Agent mode field, select Internal.
  5. Select Save.
How to Scan an Internal Website with Agent
  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. From the Target URL field, select your Internal Website (if the field is not already populated).
  4. The Preferred Agent field is already selected by default. Your newly installed scanning Agent is displayed as an option. If you installed more than one instance, select the one which can access your Internal Website. If any of them can access your Internal Website, select the default option Any of the available agents. By selecting this, one of the idle agents will scan your website.
  5. Select Launch. (For simplicity, optimization and other settings are ignored in this procedure.)

Your scan has been started in the Queued state. Shortly, you will see that its status changes to Scanning. Once it is completed, you will be able to explore the vulnerabilities found on your website.

Installing Multiple Agents on the Same Operating System

You can install more than one scan agent in Linux.

How to Install Multiple Agents on the Same Operating System
  1. Open a terminal window.
  2. Create a new folder for the new agent.
  3. Copy the TAR file into the new folder, and extract the TAR file.
  4. Follow the instructions in Installing the Agent and Setting Agent as a Linux Service.

Make sure that you enter a different name for the new agent. 

For further information about managing agents, see Managing Groups.

How to Get an Agent Token for the Scan Agent

  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Agents > Manage Agents > Configure New Agent.

Agent Token

  3. In the Agent Token field, select Copy to clipboard.