¶ FCP Agent howto
FCP agent is very small piece of software which gathers information about machine. When installed on machine, it regularly sends basic information about machine to help Foresight Cyber Platform to identify and correlate assets.
¶ Compatibility
FCP agent has native support for Windows and Debian Bookworm. We will implement more platforms later.
In fact, it is simple Python application which can be even installed manually where Python is available.
¶ Security
FCP Agent communicates with WebDAV server. So it is as secure as your WebDAV server. Agent can even encrypt all information. See --key option. In this case, all gathered information except agent version and complete status are encrypted by RSA public key. Private key is stored only in fcpc database and data cannot be decrypted without this key.
¶ Flow
¶ Data gathered
¶ Windows
- List of network interfaces and their IPs
- List of local accounts
- List of installed software
- List of applications installed from Microsoft Store
¶ Linux
Linux uses Ansible as a backend so it can gather all information from it. See https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
In fact, FCP Agent on linux is needed only if there is no connection to SSH from central point. To gather all information from Ansible, SSH port must be opened from central server and there must be automated way how to pass credentials to it. It can be somwhow tricky.
FCP Agent works opposite way. After installation, it runs ansible-playbook locally, gathers information and upload to server.
¶ Server support
By default, all agents reports to central server. This can be any WebDAV server.
You can use this snippet od docker-compose to run it. Server does not need any permanent storage. All data reported by agents are downloaded by platform and processed later.
webdav:
image: bytemark/webdav
restart: always
ports:
- "8092:80"
environment:
AUTH_TYPE: Basic
USERNAME: fcp-agent
PASSWORD: simple-pass
¶ Agent configuration
Agent supports ini config file. By default, it searches for it in these location:
- Windows: c:/fcp-agent/config.ini
- Linux: /etc/fcp-agent/config.ini
but this can be changed by env variable FCPA_CONFIG.
Agent can be either configured to read ini file, to get config from commandline or to get config from environment.
See all agent options below.
¶ Linux installation and configuration
This will install and configure agent on linux based on environment variables.
Variables are not needed to run agent later. They are used just for initial configuration of package.
- Agent.ini will be automatically generated based in this.
- Cron entry is automatically added to run agent and push data every day.
apt-get update
apt-get -y install curl lsb-release gnupg
echo "deb https://box.foresightcyber.com/fcpc-dev/bookworm/ ./" \
| tee /etc/apt/sources.list.d/fcpc.list
curl https://box.foresightcyber.com/fcpc/fcpc.gpg.pub \
| apt-key add
apt-get update
export FCPA_OUTPUT_DIR=/var/lib/fcp-agent
export FCPA_GROUP=default
export FCPA_PRECLEAN_OUTPUT_DIR=1
export FCPA_GROUP=default
export FCPA_KEY="-----BEGIN PUBLIC KEY-----\nKEYDATA\n-----END PUBLIC KEY-----\n"
export FCPA_SERVER_URL="https://webdav.server"
export FCPA_SERVER_USERNAME="fcp-agent"
export FCPA_SERVER_PASSWORD="password"
apt-get install -y fcp-agent
¶ Windows installation
Windows agent does not have any automation yet. It can be later run any time by user or it can be triggered by InTune, LoginScript or other trigger.
cd ${env:HOMEDRIVE}${env:HOMEPATH}
del fcp-agent.exe
$wc = New-Object net.webclient
$wc.Downloadfile("https://box.foresightcyber.com/fcpc-dev/windows/fcp-agent.exe", "fcp-agent.exe")
${env:FCPA_OUTPUT_DIR}="${env:TMP}\fcp-agent"
${env:FCPA_PRECLEAN_OUTPUT_DIR}="1"
${env:FCPA_PRECREATE_OUTPUT_DIR}="1"
${env:FCPA_GROUP}="default"
export FCPA_KEY="-----BEGIN PUBLIC KEY-----\nKEYDATA\n-----END PUBLIC KEY-----\n"
${env:FCPA_SERVER_URL}="https://webdav.server"
${env:FCPA_SERVER_USERNAME}="fcp-agent"
${env:FCPA_SERVER_PASSWORD}="password"
.\fcp-agent init | sc "${env:HOMEDRIVE}${env:HOMEPATH}\fcp-agent.ini"
¶ Examples
To collect data only to local directory
fcp-agent collect
To collect and upload data
fcp-agent collect+upload
¶ Creating agent group
There can be multiple agent groups, for example for different locations or organizations.
Group must exists before data from agent is uploaded to server.
This command will create default agent group and generate required RSA keys which are then displayed on console.
Use public key on agent as a key parameter.
fcpc agent add-group default
¶ Importing jobs to platform
Simplest way how to import all jobs is to configure all required parameters and run
fcpc agent download-and-import-all
usage: fcpc agent [-h] [--agent.webdav.url AGENT.WEBDAV.URL]
[--agent.webdav.username AGENT.WEBDAV.USERNAME]
[--agent.webdav.password AGENT.WEBDAV.PASSWORD]
{list-group-jobs,add-group,import-job,download-and-import-all}
[agentobjects ...]
positional arguments:
{list-group-jobs,add-group,import-job,download-and-import-all}
Choices:
list-group-jobs
add-group
import-job
download-and-import-all
agentobjects
options:
-h, --help show this help message and exit
--agent.webdav.url AGENT.WEBDAV.URL
Agent WebDav server
URL[Defined:fcplib.module.agent.cmd] (default: None)
--agent.webdav.username AGENT.WEBDAV.USERNAME
Agent WebDav server
username[Defined:fcplib.module.agent.cmd] (default:
None)
--agent.webdav.password AGENT.WEBDAV.PASSWORD
Agent WebDav server
password[Defined:fcplib.module.agent.cmd] (default:
None)
¶ Agent options and environment variables
usage: fcp-agent.py [-h] [-c CONFIG] [-d {DEBUG,INFO,WARNING,ERROR}]
[-o OUTPUT_DIR] [-C {0,1}] [-M {0,1}] [-z {0,1}]
[-Z {0,1}] [-s SERVER_URL] [-u SERVER_USERNAME]
[-p SERVER_PASSWORD] [-V SERVER_VERIFY]
[-O ONLY_COLLECTIONS] [-S SKIP_COLLECTIONS] [-i ID]
[-G GROUP] [-K KEY] [-r RANDOM_PRESLEEP]
{collect,pull,upload,collect+upload,apply,init}
positional arguments:
{collect,pull,upload,collect+upload,apply,init}
Action
options:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
Config file path [env var: FCPA_CONFIG]
-d {DEBUG,INFO,WARNING,ERROR}, --debug {DEBUG,INFO,WARNING,ERROR}
Debug level [env var: FCPA_DEBUG]
-o OUTPUT_DIR, --output_dir OUTPUT_DIR
Output directory to save (will be <output-dir>/<id>).
Output-dir must exists. <id> directory will be created
if needed. [env var: FCPA_OUTPUT_DIR]
-C {0,1}, --preclean_output_dir {0,1}
Clean output directory before collect. [env var:
FCPA_PRECLEAN_OUTPUT_DIR]
-M {0,1}, --precreate_output_dir {0,1}
Precreate output directory before collect if not
exists. [env var: FCPA_PRECREATE_OUTPUT_DIR]
-z {0,1}, --output_zip {0,1}
Zip results within output directory
-Z {0,1}, --output_zip_only {0,1}
Remove output directory and leave only zip file
-s SERVER_URL, --server_url SERVER_URL
Server URL to push report to. [env var:
FCPA_SERVER_URL]
-u SERVER_USERNAME, --server_username SERVER_USERNAME
Server Username for authentication [env var:
FCPA_SERVER_USERNAME]
-p SERVER_PASSWORD, --server_password SERVER_PASSWORD
Server Password for authentication [env var:
FCPA_SERVER_PASSWORD]
-V SERVER_VERIFY, --server_verify SERVER_VERIFY
Server TLS verify (set to 0 or 1) [env var:
FCPA_SERVER_VERIFY]
-O ONLY_COLLECTIONS, --only_collections ONLY_COLLECTIONS
Collections to use (use ',' for more of them). By
default all [env var: FCPA_ONLY_COLLECTIONS]
-S SKIP_COLLECTIONS, --skip_collections SKIP_COLLECTIONS
Collections to skip (use ',' for more of them). By
default none [env var: FCPA_SKIP_COLLECTIONS]
-i ID, --id ID ID of this computer [env var: FCPA_ID]
-G GROUP, --group GROUP
Agent group [env var: FCPA_GROUP]
-K KEY, --key KEY Agent group signing key [env var: FCPA_KEY]
-r RANDOM_PRESLEEP, --random_presleep RANDOM_PRESLEEP
Random sleep before run [env var: FCPA_PRESLEEP]
Args that start with '--' can also be set in a config file
(C:\Users\LukasMacura\PycharmProjects\fcp\agent/fcp-agent.ini or c:/fcp-
agent/config.ini or specified via -c). Config file syntax allows: key=value,
flag=true, stuff=[a,b,c] (for details, see syntax at https://goo.gl/R74nmi).
In general, command-line values override environment variables which override
config file values which override defaults.