Get a demo
AppSec with Zero Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Support
Scan Agents

Installing scan agents on Linux (RedHat Distribution)

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

If you want to scan a website in a demilitarized zone (DMZ), internal networks that are not publicly accessible, you can install Invicti scan agents in your network. The agent will conduct the actual scan job and then report the results back to Invicti Enterprise.

In addition to the scanning agent, you can install an authentication verifier agent in your network that will verify the form authentication on your website. For further information, refer to Installing Authentication Verifier Agents.

You can install the agent on a Linux operating system. If you choose this installation, you must install some dependencies on the system, such as .NET.

This topic explains how to install a Invicti Enterprise scan agent on Linux (RedHat distribution) operating systems. To install the agent in Debian distributions, please see Installing a Scan Agent on Linux (Debian Distribution).

INFORMATION

The instructions below were tested on CentOS 7, CentOS 8, Fedora 32, and Fedora 33.

There are three stages to this process:

  1. Download the Invicti Enterprise agent file
  2. Install the Invicti agent
  3. Set the Invicti agent as a Linux service

Prerequisites

Hardware Requirements

  • Processor: 1.4 GHz minimum (2.0 GHz or faster recommended)
  • Memory: 4 GB or higher recommended
  • Storage: 10 GB free disk space per internal agent
  • If NTLM is used as the authentication method, Ubuntu version 24.04 or its equivalent must be used at a minimum.

Network Requirements

  • The agent must access your internal website via HTTP/HTTPS.
  • The agent must connect to the Invicti Enterprise Authentication Verifier Server over HTTP(S) (port 443).

Allowlisting Requirements

  • Domains:
  • IP addresses:
  • US: 54.85.169.114, 3.232.155.177, netsparkercloud.com, s3.us-east-1.amazonaws.com
  • EU: 3.122.90.89, 3.71.172.17, eu.netsparker.cloud, s3.eu-central-1.amazonaws.com
  • CA: 15.223.111.146, 3.99.19.87, 3.96.72.255, ca.netsparker.cloud, s3.ca-central-1.amazonaws.com

Required Access

  • Users must have root privileges to execute the required commands. If root privileges are unavailable, use the Docker-based scan agent instead. For instructions, refer to Installing a Docker Scan Agent.

Step 1: Download the Agent

To install the scan agent, download the installation files to a machine on your internal network. These are the steps to download a Scan Agent in Invicti Enterprise On-Demand:

  1. In Invicti Enterprise, select Agents > Manage Agents from the left-side menu.
  2. Click Configure New Agent.

  1. From the Agent - Direct Download section, select Linux to download the required files to install the verifier agent.

Step 2: Install the agent

To install the Invicti Agent follow these instructions:

INFORMATION:

Disable SELinux before starting the installation. For further information about disabling SELinux, see Changing SELinux states and modes.

  1. Open a terminal window.
  2. Update operating system application repositories:

sudo yum update -y

  1. Next, Install the dependent packages:

sudo yum install -y nano tar gssntlmssp mono-complete libgdiplus p7zip p7zip-plugins

WARNING:

RHEL 9 has removed support for NTLM authentication and no longer includes the gssntlmssp package. As a result, Invicti Enterprise agents installed on RHEL 9 will not be capable of handling NTLM authentication.

Please ensure your systems and configurations account for this limitation when using Invicti Enterprise with RHEL 9.

  1. Install the Headless Chrome browser dependencies:

sudo yum install -y pango.x86_64 libXcomposite.x86_64 libXcursor.x86_64 libXdamage.x86_64 libXext.x86_64 libXi.x86_64 libXtst.x86_64 cups-libs.x86_64 libXScrnSaver.x86_64 libXrandr.x86_64 GConf2.x86_64 alsa-lib.x86_64 atk.x86_64 gtk3.x86_64 xorg-x11-fonts-100dpi xorg-x11-fonts-75dpi xorg-x11-utils xorg-x11-fonts-cyrillic libX11-xcb.so.1 libnss3.so xorg-x11-fonts-Type1 xorg-x11-fonts-misc

If the operating system is Ubuntu 24.04 or higher, the following should be used:

sudo apt install -y libasound2t64 libatk1.0-0 libatk-bridge2.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc1 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 ca-certificates fonts-liberation libnss3 lsb-release xdg-utils libgdiplus

  1. Next, extract the TAR file:

To extract the scan agent, run the following commands:

cd /home/[YOUR_USER]

tar -xvf Acunetix_360_Scanner_Agent.tar --one-top-level

NOTE:

[YOUR_USER] in step 6 must be the same as [YOUR_USER] in the unit file described later in this article.

  1. Open appsettings.json file via any text editor you prefer:

cd /home/[YOUR_USER]/Acunetix_360_Scanner_Agent

nano appsettings.json

   

NOTE: Use a note element when you want to draw the reader's attention to some additional useful information. This could include linking to other documentation.

These settings will be used by the scan agent:

  • AgentName: This can be anything you want. This text will be displayed when you are starting a new scan. (If you are going to install more than one instance of the agent, you must set a unique agentName value for each instance, something you will use later.)
  • AgentType: This can be Standard or Cloud. If you want to use Cloud Provider for scanning, AgentType must be Cloud.
  • ApiToken: In Invicti Enterprise, the Agent Token is displayed in the Configure New Agent window. Copy the value into the apiToken. (For further information, see How to Get an Agent Token for the Scan Agent.)
  • ApiRootUrl: This is the URL of Invicti Enterprise or the Invicti Enterprise On-Premises.

Changing the default data folder for the scanner Agent

To change the default data folder, add the following attribute under AgentInfo in the appsettings.json file:

"ScanDataFolderPath": "FullPath"

For example, you can set the path like this:

/home/[YOUR_USER]/[data folder]/

  • If you modify an existing agent's appsettings.json file, you must restart the service after making the change.
  • If you are adding this line to a new agent, you can continue with the installation process as usual.

NOTE: To detect Out of band vulnerabilities via Invicti Hawk, please allowlist the following ports on your agent server: TCP 80 and 443, UDP 53. For further information about Invicti Hawk, see How Invicti Hawk Finds Vulnerabilities.

Step 3: Set agent as a Linux Service

An internal scanning agent should be configured as a Linux service so that it can poll the Invicti Enterprise servers regularly and can take the scan initiation command from the server.

Additionally, you can update the scan agent or enable it to auto-update itself. For further information about the agent update, see Auto-Update Support for Scanner Agents.

You can complete this process in three steps:

3.1 Add a unit file for an Invicti Agent

Follow these steps to add a unit file fon the Invicti Agent:

  1. Open a terminal
  2. cd /etc/systemd/system
  3. sudo touch [YOUR_AGENT_NAME].service
  4. sudo nano [YOUR_AGENT_NAME].service

IMPORTANT:

The AgentName specified in the appsettings.json file must match the unit file name of the agent. Consistency between these names is required for proper operation.

  1. Add the following script into [YOUR_AGENT_NAME].service

For internal agents older than 2.0.2.157, use the following script:

[Unit]

Description=netsparker.service description

[Service]

Type=notify

KillMode=process

Restart=always

RestartSec=30

SyslogIdentifier=[YOUR_USER]

KillSignal=SIGINT

User=[YOUR_USER]

WorkingDirectory= [YOUR_AGENT_DIRECTORY_PATH]

ExecStart=/usr/bin/dotnet [YOUR_AGENT_DIRECTORY_PATH]/Acunetix.Cloud.Agent.dll

ExecStop=/usr/bin/pkill -f "[YOUR_AGENT_DIRECTORY_PATH]/Nhs/NetsparkerHelperService.exe"

[Install]

WantedBy=multi-user.target

For internal agents version 2.0.2.157 or newer, use the following script:

[Unit]

Description=netsparker.service description

[Service]

Type=notify

KillMode=process

Restart=always

RestartSec=30

SyslogIdentifier=[YOUR_USER]

KillSignal=SIGINT

User=[YOUR_USER]

WorkingDirectory= [YOUR_AGENT_DIRECTORY_PATH]

ExecStart = [Your Agent Directory path]/Acunetix.Cloud.Agent

ExecStop=/usr/bin/pkill -f "[YOUR_AGENT_DIRECTORY_PATH]/Nhs/NetsparkerHelperService.exe"

[Install]

WantedBy=multi-user.target

 

  1. Save and close the document.

3.2 Configure Sudoers for an Invicti Agent

To configure Sudoers for the Invicti agent, follow these steps:

  1. Navigate to the sudoers directory:

sudo cd /etc/sudoers.d

  1. Create a new sudoers file:

sudo touch [YOUR_AGENT_NAME]-systemctl

  1. Edit the file with visudo:

sudo visudo -f [YOUR_AGENT_NAME]-systemctl

  1. Add the following script to grant the necessary permissions:

[YOUR_USER] ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl start [YOUR_AGENT_NAME].service  

[YOUR_USER] ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl stop [YOUR_AGENT_NAME].service

  1. Save and close the file.

3.3 Start Invicti Enterprise Agent as a Linux Service

  1. Reload the system daemon to recognize the new service:

sudo systemctl daemon-reload

  1. Start the agent service:

sudo systemctl start [YOUR_AGENT_NAME].service

You can now check the status of the connection between Invicti Enterprise and the scan agent. From the Agents menu, click Manage Agents. The Agents window is displayed.

NOTE:
Any changes in the appsetting.json file, such as setting proxy and changing API Token, require restarting the service so that the changes can take effect.

You can set a proxy for the scanning agent in Invicti Enterprise. For further information about the proxy, see Setting Proxy in Scanner Agents. Using Proxy Auto-Configuration? For further information, see Using Proxy Auto-Configuration file.

Defining and Scanning an Internal Website in Invicti Enterprise

Now, you have installed a scanning agent into your infrastructure, you should configure Invicti Enterprise to let it know which websites should be scanned with an internal agent rather than with the built-in agents.

How to Define an Internal Website in Invicti Enterprise

  1. Log in to Invicti Enterprise.
  2. Select Websites > New Website from the left-side menu.
  3. Enter your internal website details (see Adding a Website in Invicti Enterprise).
  4. From the Agent mode field, select Internal.
  5. Select Save.

How to Scan an Internal Website with Agent

  1. In Invicti Enterprise, select Scans > New Scan from the left-side menu.
  2. From the Target URL field, select your Internal Website (if the field is not already populated).
  3. The Preferred Agent field is already selected by default. Your newly installed scanning Agent is displayed as an option. If you installed more than one instance, select the one which can access your Internal Website. If any of them can access your Internal Website, select the default option Any of the available agents. By selecting this, one of the idle agents will scan your website.
  4. Select Launch. (For simplicity, optimization and other settings are ignored in this procedure.)

Your scan has been started in the Queued state. Shortly, you will see that its status changes to Scanning. Once it is completed, you will be able to explore the vulnerabilities found on your website.

Installing Multiple Agents on the Same Operating System

You can install more than one scan agent in Linux. Follow these steps:

  1. Open a terminal window.
  2. Create a new folder for the new agent.
  3. Copy the TAR file into the new folder, and extract the TAR file
  4. Follow the instructions in Installing the Agent and Setting Agent as a Linux Service.

Make sure that you enter a different name for the new agent.

For further information about managing agents, see Managing Groups.

Top Articles

What is Invicti?

Overview of Scan Policies

Scheduling Scans

Managing Integrations

Built-In Reports