Forescout SecureConnector - generates log errors

Gonzalez
New Contributor III

In a recent deployment of the SecureConnector, we are discovering a large number of systems generating errors after the SecureConnector deployment. It is suspected the process is being spawned twice. Our install policy is very generic without any custom configurations. Has anyone experienced similar behavior or found a resolution?

6/29/15 9:16:46.339 PM sshd[22462]: error: Bind to port 2201 on 127.0.0.1 failed: Address already in use.
6/29/15 9:16:46.340 PM sshd[22462]: fatal: Cannot bind any address.
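As an added triage script (not from this post, and not ForeScout's own tooling): "Address already in use" on 127.0.0.1:2201 means a second listener already holds the port, and the quickest way to confirm the "spawned twice" theory is to count the daemon processes and look for two launchd jobs carrying the same Label. The script below does that from syslog-style log lines and `ps auxww` output. It assumes the daemon shows "SecureConnector" and "-daemon" in its command line (as a later reply in this thread greps for) and that the launchd labels start with com.forescout; the sample log, process list and plist files it builds are constructed for the demo, not captured from the poster's Macs.

```shell
#!/bin/sh
# Added triage script (not from the original post). Checks for the symptom above:
# sshd inside SecureConnector cannot bind 127.0.0.1:2201 because something already
# holds the port, most likely a second copy of the agent started by launchd.
# Assumptions not stated on the page: the daemon shows "SecureConnector" and
# "-daemon" in its ps command line, and the launchd Labels start with com.forescout.

# Summarise failed binds from syslog-style sshd lines on stdin as "<count> <host>:<port>".
bind_failures() {
  sed -nE 's/.*sshd\[[0-9]+\]: error: Bind to port ([0-9]+) on ([0-9A-Fa-f.:]+) failed: Address already in use.*/\2:\1/p' \
    | sort | uniq -c | sed -E 's/^ *([0-9]+) (.*)$/\1 \2/'
}

# Count SecureConnector daemon processes in `ps auxww` output on stdin; more than 1 is the bug.
count_sc_daemons() {
  grep -i 'secureconnector' | grep -v 'grep' | grep -c -- '-daemon' || true
}

# Print "<label><TAB><file>" for every launchd plist given as an argument whose Label is com.forescout.*
sc_launchd_labels() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    label=$(sed -n '/<key>Label<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$f")
    case "$label" in
      com.forescout.*) printf '%s\t%s\n' "$label" "$f" ;;
    esac
  done
}

# Labels that appear in more than one plist: launchd would start that job twice.
duplicate_labels() {
  sc_launchd_labels "$@" | cut -f1 | sort | uniq -d
}

# Write a minimal launchd plist with the given Label (only used to build constructed demo data).
write_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n\t<key>Label</key>\n\t<string>%s</string>\n</dict>\n</plist>\n' "$2" > "$1"
}

if [ "${1:-}" = "--live" ]; then
  # Real checks on an affected Mac (2015-era OS X still logs sshd to /var/log/system.log).
  grep 'Address already in use' /var/log/system.log | bind_failures
  ps auxww | count_sc_daemons
  duplicate_labels /Library/LaunchDaemons/*.plist /Library/LaunchAgents/*.plist
  # Who actually owns the port the agent's sshd wants.
  lsof -nP -iTCP:2201 -sTCP:LISTEN
else
  # Constructed sample data (not real output from the poster's systems).
  SAMPLE_LOG='6/29/15 9:16:46.339 PM sshd[22462]: error: Bind to port 2201 on 127.0.0.1 failed: Address already in use.
6/29/15 9:16:46.340 PM sshd[22462]: fatal: Cannot bind any address.
6/29/15 9:17:01.002 PM sshd[22519]: error: Bind to port 2201 on 127.0.0.1 failed: Address already in use.'
  SAMPLE_PS='root  411 0.0 0.1 2501224  9384 ?? Ss 9:01PM 0:00.42 /Library/ForeScout/SecureConnector -daemon
root  412 0.0 0.1 2501224  9400 ?? Ss 9:02PM 0:00.40 /Library/ForeScout/SecureConnector -daemon
jdoe  520 0.1 0.3 2623400 25000 ?? S  9:02PM 0:01.10 /Library/ForeScout/SecureConnector -agent
root  999 0.0 0.0 2423300  1100 s000 R+ 9:16PM 0:00.00 grep secureconnector'
  tmp=$(mktemp -d)
  write_plist "$tmp/com.forescout.secureconnector.daemon.plist" com.forescout.secureconnector.daemon
  write_plist "$tmp/stale-copy.plist" com.forescout.secureconnector.daemon
  write_plist "$tmp/com.forescout.secureconnector.agent.plist" com.forescout.secureconnector.agent

  printf '%s\n' "$SAMPLE_LOG" | bind_failures       # 2 127.0.0.1:2201
  printf '%s\n' "$SAMPLE_PS" | count_sc_daemons     # 2
  duplicate_labels "$tmp"/*.plist                  # com.forescout.secureconnector.daemon
  rm -rf "$tmp"
fi
```

Run it with no arguments to see the checks on the constructed data, or with `--live` on an affected Mac. A daemon count of 2, or one label in two plist files (for example a leftover from a previous install next to the current one), is the "installed twice" case; if the count is 1 and no label is duplicated, the `lsof` line tells you what else is sitting on 127.0.0.1:2201.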


johnklimeck
Contributor II

We are also using ForeScout SecureConnector. Recently it seems they created an actual Mac agent, not a cobbled folder with ssh keys. It seems to be working, but I suspect we have Macs that have SC installed but are not reporting in successfully to the Forescout console. Continuing to investigate....

spark
New Contributor

Can I ask how you are pushing SC out?

thoule
Valued Contributor II

@johnklimeck Last time I looked at SC, it was a bash script, not a real agent. It's in /var/ somewhere.

@Gonzalez I suspect you are right and it is being installed twice. The agent opens a root accessible sshd port, allowing the SC server to SSH into the workstation. To me, that is a big security hole. But binding to the same port twice suggests it is starting twice. Look in your LaunchDaemons/LaunchAgents; I don't remember how it started anymore. When I played with SC, I needed to download an installer from the server on each machine and couldn't deploy a package to all machines via the JSS. That change was also planned for the release about the end of the year.

jreinstedler
New Contributor III

We're running Forescout - haven't had problems pushing the package out. I just tossed the .mpkg downloaded from the server into Casper Admin and created a policy to push it once per computer at check in.

Just make sure you are using the following options when downloading it from your Enterprise Manager server (important items are the "show the...icon" and "Install Permanent..."):

[screenshot: SecureConnector download options on the Enterprise Manager page]

merps
Contributor III

@jreinstedler What version of OS X are you running? (Edit: we're on 10.10.5) We installed the SecureConnector downloaded from the appliance and show it running when doing

ps auxww | egrep 'forescout|secureconnector' -i

but the ForeScout console is only showing the info that was available before installation.

jreinstedler
New Contributor III

Forescout just released a massive update to their Mac agent. This is now a proper agent with less of the funny business that the previous agent used. This is not a simple update however... the usual FS plugin for Macintosh is updated and a new OS X plugin is required. Once the plugins are installed, you'll also need to push an upgrade to all your existing agents from within the EM. Any machines without the agent can be installed using a shell script - however the system must NOT have FS installed. Check your Forescout portal for more info... I just went through the update myself.

One note - they added an app to the /Applications folder which makes FS removal too easy - I would suggest at a minimum hiding the application...

johnklimeck
Contributor II

@jreinstedler,

Great to hear. Questions, if I may:

  • I imagine one gets this new installer PKG from our Forescout admins (from the FS appliance)?

  • Can I just push this new PKG out with the JSS, and it will overwrite the existing one, or do I have to uninstall first before the new install?

Agreed, chflags hidden on the FS app in /Applications is a good idea.

jreinstedler
New Contributor III

@johnklimeck The installer is provided as a DMG which contains a .app for the install. You can get it from your FS admins or you can grab it yourself if you know the IP address of one of your FS appliances or the FS Enterprise Manager. Typing https://{IP ADDRESSorHOSTNAME}/sc.jsp will get you to the page seen previously in this thread. From there you can download the standalone install package.

You cannot use any of the packages to update the existing FS managed endpoints. The FS admins will need to run a policy on FS to update the clients - they will need to review the FS docs for this.

All new clients can have FS installed one of two ways: slipped into your image or pushed via Casper. If you push via Casper, you'll need a separate package that the FS admins will need to provide (it's in tgz form, which extracts to several sh files). This 2nd option will NOT work for existing machines - the install will fail and will leave the host in an unmanageable state, so you must make sure that only new machines receive this new package. I have not yet tested the package install on new endpoints. I am planning to do so soon; for now, the machines are getting upgraded via FS.

One major issue I see with this new version is that it's extremely easy to remove and if you use the "visible" version with the app icon, users can "Quit" the app which breaks communication with FS. This only lasts until the machine is restarted though. Hopefully FS can do something better in terms of protecting the agent and preventing it from being stopped. The previous version was very good at this... this new one... not so much.

jche
New Contributor

Sorry to bump, but I'm in a similar position.

How are you guys deploying it without needing to reboot/authenticate to open the app?

Those are the only ways I am able to get it to run, which, unlike Trend or WebEx, launches and goes straight to the menu bar.

Thoughts?

evaldes
New Contributor III

Hey guys, I created a bash file. Just put it in your scripts and deploy... It works perfectly.

[START CODE]

#!/bin/sh
# Jamf policy scripts already run as root, so no sudo (and no password embedded
# in the script) is needed. Replace IPADDRESS with your ForeScout appliance;
# serving the tarball over https instead of http is worth considering, since
# whatever comes back is executed as root.

# Downloading OSX Update Package to /tmp on the host
# (-f makes curl fail on an HTTP error instead of saving an error page as update.tgz)
curl -fsS -o /tmp/update.tgz http://IPADDRESS/SC_packages/update.tgz || exit 1; sleep 3

# Extracting update.tgz to /tmp
tar -zxvf /tmp/update.tgz -C /tmp || exit 1; sleep 3

# Installing SecureConnector as a Daemon/Dissolvable w/ visible/invisible menu bar icon
/tmp/Update/Update.sh -t daemon -v 1; sleep 3

# Checking/Starting processes in case they did not start on install
daemon_pid=$(ps auxww | grep -v grep | grep -E "ForeScout SecureConnector.*-daemon" | awk '{print $2}')
agent_pid=$(ps auxww | grep -v grep | grep -E "ForeScout SecureConnector.*-agent" | awk '{print $2}')
daemon_plist=/Library/LaunchDaemons/com.forescout.secureconnector.daemon.plist
agent_plist=/Library/LaunchAgents/com.forescout.secureconnector.agent.plist

# The LaunchAgent must be loaded in the logged-in user's session, not root's,
# or the menu bar app will not show up until the next login.
console_user=$(stat -f %Su /dev/console)
console_uid=$(id -u "$console_user")

start_daemon() {
    launchctl unload "$daemon_plist" 2>/dev/null
    launchctl load "$daemon_plist"
}

start_agent() {
    launchctl asuser "$console_uid" launchctl unload "$agent_plist" 2>/dev/null
    launchctl asuser "$console_uid" launchctl load "$agent_plist"
}

if [ -z "$daemon_pid" ] && [ -z "$agent_pid" ]; then
    # Starting Daemon process
    start_daemon
    # Starting GUI process
    start_agent
elif [ -n "$daemon_pid" ] && [ -z "$agent_pid" ]; then
    # Starting GUI process
    start_agent
fi

# Clean-up a little
rm -rf /tmp/update.tgz /tmp/Update/

[END CODE]