Rapid 7 Mac Insight Agent

kjenkins
New Contributor

Has anyone found an easy way to deploy the Rapid7 Mac Insight Agent using Jamf

54 REPLIES 54

coryhowell2
New Contributor III

I used Composer to put the agent_installer.sh file onto our Macs in the /private/tmp/ directory. I had an issue with the permissions on the script so I have a post install script file in the composer package to change the permissions on the script file chmod u+x. In the Jamf policy I have Files and Processes setup to execute the command along with installing the package made in composer. sh /private/tmp/agent_installer.sh install_start --token <your token>
I got the agent_installer.sh and the token from my InfoSec team. Rapid 7 would be able to give you that information as well I'm sure. replace <your token> with the token setup for your company.

kjenkins
New Contributor

Thanks for the help.

KJ

PCSysops
New Contributor II

Thank you, this helped alot. I decided to just create the package in composer, then have a script run after the pkg was pushed to change permissions and execute the agent_installer.sh

cnoboa
New Contributor II

Hello,

Has anyone found a way to uninstall the Rapid7 Agent via script?

#!/bin/bash

# Stop Rapid7 services
sudo launchctl stop ir_agent.service
sudo launchctl stop com.rapid7.ir_agent

# Remove LaunchDaemon plist
sudo rm -f /Library/LaunchDaemons/com.rapid7.ir_agent.plist

# Disable Rapid7 service
sudo launchctl disable system/ir_agent

# Remove Rapid7 directory and its contents
sudo rm -rf /opt/rapid7/ir_agent
sudo rm -rf /opt/rapid7/

# Print uninstallation completed message
echo "Rapid7 uninstallation completed."

chase_g
New Contributor III

@cnoboa I have had success using basically the same install package I built in composer and just changed my pre-install script to do the command: sudo ./agent_installer.sh uninstall
And that seems to work. So you should be able to do the same with a script that points to the location of the agent_installer.sh script with the uninstall command.

soms
New Contributor

I'm having this same issue, I'm relatively new to composer and osx so I'm looking on how I can achieve this. How do you use composer to package the agent_installer.sh and have it moved to /private/tmp

PCSysops
New Contributor II

@soms First create the folder in your location. For example /private/tmp/Rapid7. Put all your files into your folder. Open Composer, and drag the folder from finder into composer. Then you can create a package. In Jamf, set it to install in your policy and it will just install the files to the path you set up. I set a script to run afterwards to install the agent with the token. Make sure you chmod u+x in the script like @coryhowell2 said.

markopolo
Contributor
I set a script to run afterwards to install the agent with the token. Make sure you chmod u+x in the script like @coryhowell2 said.

Where exactly do I put the "chmod u+x"? Do I run as separate command after the installer like this?

a342e5d4a86d428ea4315fcd8955998e

lassekivikas
New Contributor II

@mcantwell I think coryhowell2 meant that you need to create a script in the settings for the chmod, and then back to the policy, from the left side bar (fourth from the top) choose the script you just made and choose the priority to 'after'. Now the script will run after everything else.

I am currently doing this exact same thing, and I was wondering that if I have a package with the agent_installer, and then I have the install command in the 'Files and Processes', doesn't that mean that the package (with the agent_installer.sh) will run before the executable command in the 'Files and Processes' which should activate the agent_installer?

NOLA2ATX78
New Contributor II

so here's is my conundrum: When I deploy my policy I am using a .pkg with dropping the agent_installer.sh in the correct folder, plus the uninstall command. Then I am running the actual install from a command in "Files and Processes" using the following command: sudo ./agent_installer.sh install_start --token xxxxxxxxxxxxxxxxxx. But when automagically deployed it doesn't recognize the command, however if I flush the log and then go into terminal and do a sudo jamf policy manually the policy works beautifully. Am I missing something?

tphet
New Contributor II

I am seeing a similar behavior. When I run the policy via "sudo jamf policy" in terminal it works. But when I push it out to test machines and have it install during Check-In, I get this error when running the script "Script result: tput: No value for $TERM and no -T specified".

 

Hoping to find a solution..

 

 

dwynn
New Contributor III

@soms Can you share the script you use to install the package? I have the installer in private/tmp/Rapid7. Now I just need the chmod + token script.

PCSysops
New Contributor II

@dwynn

This is what I use, and works with no issue. Put your Rapid7 token in and you should be good. I have the script set to run after the package is pushed.

!/bin/bash

cd /private/tmp/Rapid7

chmod u+x agent_installer.sh

sudo sh ./agent_installer.sh install_start --token=us:"token given to you"

dwynn
New Contributor III

@PCSysops We have over 30 operating companies in our Jamf instance. Each one will need to put the company attribute into the install command like so:

insight_installer.sh install_start --token us:xxxxxxxxxx --attributes "CompanyAttribute Agent"

So what I did was in composer create the InsightVM package with "chmod u+x /private/tmp/InsightVM/insight_installer.sh" in a post install script.

Then create in the policy in Jamf Pro. Configure "Files and Proccess" and add /private/tmp/InsightVM/insight_installer.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent" into Execute Command.

I hope this helps anybody else coming across this issue.

tphet
New Contributor II

@dwynn - Question: How are you triggering the deployment? Are you installing the policy upon Recurring Check-In?

dwynn
New Contributor III

I have it set up in the Self-Service portal and some set it for Recurring Check-in. What kind of issue are you having?

tphet
New Contributor II

Ah, I'm hoping to set it for Recurring Check-In. I'm able to install the agent if I manually go to the computer and type in "sudo jamf policy", but when I trigger it for Recurring Check-In I get this: 

tphet_0-1687455477367.png

 

dwynn
New Contributor III

You need to create a pkg with Composer. Here are the instructions. The name of your .sh file will vary. In this example I use "insight_installer.sh"

 

 

  1. Create a new folder at /private/tmp called InsightVM and extract all install files to this directory. Drag the directory into Composer.
  2. Create a Post Install script for the package. Paste this command: chmod u+x /private/tmp/InsightVM/insight_installer.sh
  3. Create the Package and upload it to Jamf Pro
  4. Then create a policy in Jamf Pro. Add the PKG you just uploaded and Configure "Files and Proccess" and add /private/tmp/InsightVM/insight_installer.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent" into Execute Command.

You might not use any --attributes "CompanyAttribute Agent". If not just leave that out.

 

For Apple Silicon the command is: /private/tmp/InsightVM/insight_installer-arm.sh install_start --token us:xxxxxxxx --attributes "CompanyAttribute Agent"

 

dwynn
New Contributor III

ckulesza
New Contributor III

I am very new to doing this type of packaging. Can someone give me the steps they used in Composer to create the package that has the folder it is in and such. I am being asked to roll this out to our company. In the near future.

Thanks

DJRizzo
New Contributor II

Could anyone tell me how to verify the agent was installed correctly? Thanks!

dwynn
New Contributor III

You can run the command: ps aux | grep ir_agent

 

https://docs.rapid7.com/insight-agent/agent-controls/

Hey @DJRizzo 

not sure if the question is still open but we use the following EA to collect the Rapid7 Status:

 

#!/bin/bash

if [ -e /opt/rapid7/ir_agent/ir_agent ]; then
    versionCheck=$(/opt/rapid7/ir_agent/components/insight_agent/insight_agent --version | awk '/Semantic/ {print $3}')
    sleep 2
    lastExecuted=$(date -r $(cat /opt/rapid7/ir_agent/components/insight_agent/common/config/agent.jobs.tem_realtime.json | awk '/remote_execution_last_collection_time/ {print$2}' | sed s/,//g))
	sleep 2
    echo "<result>Version: $versionCheck Date: $lastExecuted</result>"
else
	echo "<result>Agent Not Installed</result>"
fi

ckulesza
New Contributor III

I had my infosec team verify from the rapid7 console.

dmcnicholas1
New Contributor II

Hello, I was able to get the file copied to the /private/tmp folder and run the command. According to my security team the device is still not reporting in. Does the ir_agent need to be granted full disk access?

dwynn
New Contributor III

What do the Policy Logs details say for that machine?

dmcnicholas1
New Contributor II

Actually, the issue was with the dashboard. Seems it took 48 hours to start reporting in. Now all of my devices are reporting with no issues. 

kprimm
New Contributor III

Hello,
We have about 40% of our devices not getting the Rapid7 portion of our enrollment for whatever reason.  These devices are about 30% intel, 70% carbon chipsets.  I have dinked around with a handful of scripts but the screenshot I uploaded is the original script that has successfully worked on a little over half of our devices.  I went in and edited to some of the information above as in including the chmod and sudo portions mentioned by PCSysops but logs returned 'Failed' results as well, although they didn't return a permissions issue, they returned a "File not found" error instead.

Does this look familiar to anyone?  Any advice is greatly appreciated.

Kerry

 

2023-02-23 13_50_40-Rapid7 Update_.png

2023-02-23 13_51_34-Rapid7 Apple Silicon install Script_.png

medu
New Contributor

Be sure to change permissions in the install script.

Ex.

#!/bin/bash

chmod u+x /private/tmp/Rapid7/agent_installer-arm64.sh

/private/tmp/Rapid7/agent_installer-arm64.sh install_start --token us:Your Token Goes Here

rm -rf /private/tmp/Rapid7

exit 0

Hey @kprimm 

Did you run the chmod command prior the script executing?

JevermannNG
Contributor II

Just wondering if I can use the following folder for the Rapid7 installation files because I want to keep them for the case of a re-installation:

/usr/local/bin/

jhuls
Contributor III

We just purchased Rapid7 so I don't have any documentation or anything yet but I've been provided two scripts and token.

I'm seeing here that people are talking about creating a pkg to run the script. I'm curious why would a package need to be created? Can the script not be put into Jamf and let a policy run it?

dmcnicholas1
New Contributor II

Did not work for me. Had to cache policy, then install via script with the token. 

No, the script has to be in a directory on the Mac, e.g. /usr/local/bin/Rapid7/

I created a PKG which places both Rapid7 Installer Scripts in that place. In two seoarated Policies, one for x86 and one for arm Macs, I send the PKG to the Mac followed by the following Script which helps me to run the specified Agent Installer Script on the Mac:

#!/bin/bash

echo "### Token: $4 #####"
sleep 2

cd /usr/local/bin/Rapid7/
chmod u+x agent_installer-x86_64.sh && echo "### chmod done #####"
sleep 2

cd /usr/local/bin/Rapid7/
./agent_installer-x86_64.sh install_start --token $4
echo "### The following script has been executed: Rapid7-Agent-Installer-Preparation-x86_64.sh #####"
sleep 2

echo "### List of /usr/local/bin/Rapid7/
$(ls -l /usr/local/bin/Rapid7/) #####"
sleep 2

exit 0

 

The Script has the following options under Parameter 4 (I placed the Rapid7 Token there):

Bildschirmfoto 2023-07-20 um 09.58.20.png

 

Rapid7 provides a documentation how to distribute Rapid7 via Jamf Pro.

 

cslemp
New Contributor III

@JevermannNGHow did you get the documentation from Rapid7?  They told us they don't have it...

cslemp
New Contributor III

Yeah, I have that.  Those are just single install instruction though, not what I would consider comprehensive mass deployment documentation (like they have for Windows).

Considering the comment below about FDA and that Rapid7 has a mobile config file in use internally, I do think they ought to have better documentation...

- Chris

dmcnicholas1
New Contributor II

Agreed, I ended up creating the script below, and install cached and it worked for me. 

 

#!/bin/sh

# Install Rapid7 Agent

cd /private/tmp

chmod u+x agent_installer-arm64.sh

sleep 10

sudo ./agent_installer-arm64.sh install_start --token us:**********************

exit