Linux-based Installation of the Config Scan Agent

Prerequisites

Supported operating systems
  • Ubuntu: 20.04 and above (GLIBC >= 2.28)
  • RHEL: 8 and above (GLIBC >= 2.28)
Privileges required
  • sudo access (not needed if the user is a root user)
  • Read access, for input files
  • Execute access, for extracting service metadata
  • Write access, for the output folder in which the scan reports must be saved

Installation Instructions

  1. Login and download the latest Linux variant of the AppViewX Config Scan Agent from the release portal (link given below), in your Ubuntu or RHEL machine, as required.
    https://release.appviewx.com/downLoadArtifact?id=1820
    Note: This agent can be used to perform configuration scan, certificate scan, and network scan.
  2. To verify that the tar file has not been tampered with and is secure for use.
    1. Download the signature file from the release portal, https://release.appviewx.com/downLoadArtifact?id=1821.
    2. Execute the following command: 
      openssl cms -verify -in /path/to/SIG-file -inform DER -binary -noverify -content /path/to/tar-file
      Here:
      • /path/to/SIG-file: Signature file downloaded from release portal
      • /path/to/tar-file: Location of the tar file downloaded from the release portal
  3. From the downloaded folder, execute the following command to untar the downloaded file: 
    tar -xvf config-scan-agent-linux-v2.0.0-2026.1.tar.gz
    The AppViewX Config Scan Agent, config-scan-agent, is extracted from the zipped file.
  4. Save the AppViewX Config Scan Agent in all the endpoint machines where the configuration scan needs to be performed.
  5. Verify if the execute permission has been assigned to the executable. If not, execute the following command: 
    chmod +x config-scan-agent
  6. Create the configuration file required to run the AppViewX Config Scan Agent. 
    ./config-scan-agent --create-config

    For additional options that you can use with the ./config-scan-agent command, click here.

    Executing this command will display a series of prompts to set up the configuration scan (as shown in the image below); your responses to these prompts will be entered in the configuration file.
    Note: For a full list of the options available for configuring the AppViewX Config Scan Agent, execute the following command:
    ./config-scan-agent --help
  7. Reply to the configuration prompts displayed.
    The prompts and their recommended responses are explained in detail here.
    Important: You will also be required to enter your service account details as part of the configuration file set up. Ensure that the service account is created and you have the required details. For instructions, see Configuring a Service Account to Send Reports to AppViewX.
    The prompt responses will be used the following two files in the working directory of the host machine: config.ini (configuration file) and secret.key (file containing the secret key for the encryption and decryption)
  8. To view the existing configuration, execute the following command: 
    ./config-scan-agent --view-config <config_file_path> --secret-key <secret_key_path>
    Here:
    • <config_file_path>: Location of the configuration file
    • <secret_key_path>: Location of the secret key file
  9. To perform the config scan, execute the following command: 
    ./config-scan-agent --config <config_file_path> --secret-key <secret_key_path> --log-dir <log_directory>
    Here:
    • <config_file_path>: Location of the configuration file
    • <secret_key_path>: Location of the secret key file
    • <log_directory>: Location of the file where the logs must be saved
    After the scan is completed:
    • Output reports (JSON/CSV/CycloneDX CBOM) will be saved in the output path provided in the configuration file.
    • If enabled, the output reports will be sent to AppViewX and the corresponding data will be displayed in the List of Scans inventory in the Quantum Trust Hub.
    • The configuration scan results will be displayed on the Configuration Scan Dashboard in the Quantum Trust Hub.
    • Depending on the response to the corresponding prompt, certificates discovered as part of the scan will be uploaded to the AppViewX certificate inventory, in the Monitored state.
    • Logs will be generated and saved in the working directory, by default.

      To save the logs in a custom log directory use the <log_directory>argument to specify the required location.

Additional Instructions

  • To update the contents of the configuration file:
    1. Execute the following command:
      ./config-scan-agent --update-config <config_file_path> --secret-key <secret_key_path>
      The configuration prompts are displayed.
    2. Update the prompt responses as required.

      All updated values will overwrite the existing values

  • To update only the service account details, execute the following command and update the prompt responses:
    ./config-scan-agent --update-service-acc  <config_file_path> --secret-key <secret_key_path>
  • To set log levels, log directory, output directory use the options provided in the - -help option.
    For example: 
    • --log-level INFO ['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL']
    • --log-dir /path/to/log/dir
    • --output /path/to/output/dir
  • To rotate the secret key (by default generated every time a new configuration file is generated) used for encryption and decryption of the service account credentials and the configuration file, execute the following command:
    ./config-scan-agent --rotate-key <secret_key_path> --config <config_file_path>
    Pass the --config argument to continue using the existing configuration file with the newly rotated secret key.