Enterprise Recon 2.11.1

macOS Agent

This section covers the following topics:

Supported Platforms

The following platforms are supported by the macOS Agent:

  • macOS Monterey 12.0
  • macOS Ventura 13.0
  • macOS Sonoma 14.0

To scan a macOS Target that is not supported by the macOS Agent, perform an Agentless Scan or Remote Access via SSH scan on the Target instead.

Requirements

To install the macOS Node Agent:

  1. Make sure your user account has administrator rights.

  2. Configure Gatekeeper.
  3. Install the Node Agent.
  4. Configure the Node Agent.
  5. Enable Full Disk Access.

Configure Gatekeeper

Gatekeeper must be set to allow applications from identified developers for the Agent installer to run.

Under System Settings > Privacy & Security > Security, check that "Allow apps downloaded from:" is set to either:

  • Mac App Store and identified developers
  • Anywhere

To configure Gatekeeper to allow the Agent installer to run:

  1. On the macOS Agent host, open System Settings.
  2. Click Privacy & Security, and scroll down to Security.
  3. Click on the lock at the bottom left corner, and enter your login credentials.
  4. Under "Allow apps downloaded from:", select Mac App Store and identified developers. macOS may prompt you to confirm your selection.
  5. Click on the lock to lock your preferences.

Install the Node Agent

  1. Log in to the ER2 Web Console.
  2. Go to Settings > Agents > Node Agent Downloads.
  3. On the Node Agent Downloads page, click on the Filename for your Platform.

  4. (Optional) Verify the checksum of the downloaded Node Agent package file.

  5. Once the macOS Node Agent package has been downloaded:
    1. Double-click on the Node Agent package to start the installation wizard.
    2. At Introduction, click Continue.
    3. At Installation Type, click Install.
    4. Enter your login credentials, and click Install Software.
  6. Restart the Node Agent. A restart is only required when upgrading the Node Agent.

Verify Checksum for Node Agent Package File

You can determine the integrity of the downloaded Node Agent package file by verifying the checksum before installing the Node Agent.

  1. Download the Node Agent package file.
  2. Run the commands in a terminal to generate the hash value for the Node Agent package file.
    • MD5 hash (128-bit)

      # Syntax: md5 <path to Node Agent package file> md5 er2-2.x.x-osx-x64.pkg
      Example MD5 hash: f65a2cd26570ddb7efb6a2a4318388ac

    • SHA1 hash (160-bit)

      # Syntax: shasum -a 1 <path to Node Agent package file> shasum -a 1 er2-2.x.x-osx-x64.pkg
      Example SHA1 hash: 33bcd6678580ae38a03183e94b4038e72b8f18f4

    • SHA256 hash (256-bit)

      # Syntax: shasum -a 256 <path to Node Agent package file> shasum -a 256 er2-2.x.x-osx-x64.pkg
      Example SHA256 hash: 1ee094a222f7d9bae9015ab2c4ea37df71000556b3acd2632ee27013844c49da

  3. In the ER2 Web Console, go to the Settings > Agents > Node Agent Downloads page. The Hash column lists the expected hash values for each Node Agent package file.
  4. Compare the generated hash values from Step 2 with the expected hash values listed in the Web Console; both hash values should be equal.

Configure the Node Agent

After you have installed the Node Agent, configure the Node Agent to:

  1. Point to the Master Server.
  2. (Optional) Use the Master Public Key (see Server Information) when connecting to the Master Server.
  3. (Optional) Specify Target initial group.
  4. Test the connection settings.

To configure the Node Agent, choose either mode:

  • Interactive Mode
  • Manual Mode

For the changes to take effect, you must Restart the Node Agent.

Interactive Mode

Running this command helps you to quickly configure the Node Agent:

/usr/local/er2/er2-config -interactive

The interactive mode asks you for the following information to help you configure the Node Agent.

Interactive Mode Command Prompts Description
Master server host name or IP Address [10.1.100.0] Specify a Master Server's host name or IP address.
(Optional) Master server public key Enter the Master Public Key.
(Optional) Target initial group Specify Target initial group.
Test connection settings (Y/N) Test the Node Agent\'s connection settings to the Master Server, enter Y.

For the changes to take effect, you must Restart the Node Agent.

Manual Mode

To configure the Node Agent without interactive mode, run:

## Required for connecting to the Master Server # -i <hostname|ip_address>: Master Server IP address or host name. ## Optional parameters # -t: Tests if the Node Agent can connect to the given host name or IP address. # -k <master_public_key>: Sets the Master Public Key. # -g <target_group>: Sets the default Target Group for scan locations added for this Agent.
/usr/local/er2/er2-config -i <hostname|ip_address> [-t] [-k <master_public_key>] [-g <target_group>]

For the changes to take effect, you must Restart the Node Agent.

Restart the Node Agent

For your configuration settings to take effect, you must restart the Node Agent:

/usr/local/er2/er2-agent -stop # stops the agent /usr/local/er2/er2-agent -start # starts the agent

Enable Full Disk Access

Full Disk Access must be enabled to allow ER2 to:

  • Probe and scan locations within the top-level Users folder in macOS Catalina 10.15 and above, and/or
  • Perform agentless scans in macOS Ventura 13 and above.

To enable Full Disk Access for the installed macOS Agent:

  1. On the macOS Agent host, open System Settings.
  2. Click Privacy & Security > Full Disk Access.
  3. Enable the required full disk access:
    1. To probe and scan locations within the top-level Users (/Users) folder in macOS Catalina 10.15 Agents and above, select the toggle button for er2-agent to enable full disk access for the ER2 Agent.

    2. To perform agentless scans for macOS Ventura 13 Agents and above, also select the toggle button for sshd-keygen-wrapper to enable full disk access for the SSH Secure Shell Key Generator.

Uninstall the Node Agent

To completely uninstall the Node Agent, run the following commands:

# Stop the agent sudo /usr/local/er2/er2-agent -stop
# Stop the ER2 service sudo launchctl unload /Library/LaunchDaemons/com.groundlabs.plist
# Remove all ER2 agent files sudo rm -fr /var/run/er2 sudo rm -fr /var/lib/er2 sudo rm /Library/LaunchDaemons/com.groundlabs.plist sudo pkgutil --forget com.groundlabs.er2-agent
# Delete ER2 agent user sudo dscl . -delete /Users/erecon sudo dscl . -delete /Groups/erecon

Upgrade the Node Agent

See Agent Upgrade for more information.