Sensor Deployment and Management Guide

Introduction

This document aims to furnish detailed instructions on installing the GYTPOL Validator Sensor across different operating systems, including Windows, Linux, and macOS.

GYTPOL Sensor location

To obtain the latest GYTPOL Sensor versions, please request the download links from your GYTPOL Customer Success Manager. If you're unsure of your assigned CSM, you can reach out to support@gytpol.com for assistance.

Supported Operating Systems

Microsoft:

Endpoints: Windows 7 (x32/x64) and newer

Servers: Windows Server 2008 and newer

 

Microsoft Sensor / OS support matrix (V = supported, X = not supported)

OS                                    Detection   Remediation / Revert
Windows 7                             V           X
Windows 8 / 8.1                       V           X
Windows 10 / 11                       V           V
Windows Server 2008 / 2008 R2         V           X
Windows Server 2012 / 2012 R2         V           X
Windows Server 2016 / 2019 / 2022     V           V

Important Note: Remediation is also supported on the older Windows and Windows Server versions listed above as long as PowerShell 5.1 or newer is installed.

 

Linux Distribution support matrix

Distribution                            Supported Versions   ARM64 Architecture
Alibaba Cloud Linux                     2 and newer          Not Supported
Alma                                    7 and newer          Not Supported
Amazon Linux                            2 and 2023           Not Supported
CentOS                                  7 and newer          Not Supported
Debian                                  10 and newer         Not Supported
Red Hat Enterprise Linux (RHEL)         7 and newer          Not Supported
Rocky Linux                             9 and newer          Not Supported
SUSE Linux Enterprise Server (SLES)     12 and newer         Not Supported
Ubuntu                                  16 and newer         Not Supported

macOS:

Catalina 10.15 (x64) and newer

Windows OS

Pre-Installation

Ports to open:

GYTPOL Sensor to GYTPOL server on-Prem - port 9093

GYTPOL Sensor to GYTPOL SaaS - port 443

 

Does the Endpoint need to be a member of the domain?

No

Installation

  1. Open an elevated Command Prompt (right-click CMD > Run as Administrator).

  2. In Explorer, navigate to the MSI file you wish to install, hold the left Shift key, right-click the file and choose “Copy as path”.

  3. Return to the elevated CMD window opened in step 1, paste the path and press Enter.

  4. When the installation finishes, the progress window disappears.

Post-Installation

To verify the successful installation of the Sensor, follow these steps:

  1. Open Task Scheduler as an Administrator.

  2. Check for the gytpol folder under the main Library.

  3. Expand the folder; you should see three tasks, as in the example below:

Where will I see the scanned machine?

Under the ‘Windows’ tab in the GYTPOL UI.

Where is the installation path?

C:\Program Files\WindowsPowerShell\Modules\gytpol

 

Where are the logs?

C:\Program Files\WindowsPowerShell\Modules\gytpol\log

 

Log retention policy

Every Windows Sensor is configured to retain up to 10 log files of 5 MB each. Once the 10-file limit is reached, the oldest log file is deleted automatically to make room for the next one.

This behavior can be observed in any installed Windows Sensor under the log directory C:\Program Files\WindowsPowerShell\Modules\gytpol\log.

Uninstalling

To uninstall the GYTPOL Sensor:

  1. Open "Programs and Features."

  2. Locate "gytpolClient" in the list of installed programs.

  3. Right-click on "gytpolClient" and select "Uninstall" or "Remove."

Linux

Pre-Installation

Ports to open:

GYTPOL Sensor to GYTPOL server on-Prem - port 9093

GYTPOL Sensor to GYTPOL SaaS - port 443

 

Does the Endpoint need to be a member of the domain?

No

Installation

Command to run:

  • Debian (Ubuntu): sudo dpkg -i <gytpol-Sensor-path>

  • RPM (RHEL, CentOS, SUSE, etc.): sudo rpm -ivh <gytpol-Sensor-path>

Post-Installation

Where will I see the scanned machine?

Under the ‘Linux’ tab in the GYTPOL UI.

How do I see and change the service status?

sudo systemctl status gytpol-client

sudo systemctl stop gytpol-client

sudo systemctl start gytpol-client

 

Where is the installation path?

/opt/gytpol

 

Where are the logs?

/opt/gytpol/logs

 

Log retention policy

The Sensor is configured to retain logs for a period of 10 days. Each day may generate one or more log files, depending on the number of actions performed (e.g., scans, service logs, remediations). After 10 days, older log files are automatically deleted to maintain efficient log management.

This behavior can be observed in any installed Linux Sensor under the directory /opt/gytpol/log.

 

Where is the configuration folder?

The configuration folder contains two files:

config.json - the Sensor’s configuration for connecting to a dedicated server

metrics.json - the metrics configuration

 

config.json

This file contains Sensor’s configuration:

{
  "HttpVerifyCert" : false,
  "HttpTimeout" : 10000000000,
  "ServerAddress" : "_gytpol",
  "ArchiveFolderPath" : "archive"
}



Fields explanations:

HttpVerifyCert - Whether the Sensor validates the server’s certificate on HTTP requests. With false, as in the example above, the certificate is not checked.

HttpTimeout - Timeout for HTTP requests, in nanoseconds (10000000000 = 10 seconds).

ServerAddress - The address of the GYTPOL server.

ArchiveFolderPath - Folder, relative to /opt/gytpol, in which reports are saved before they are sent to the server.

Uninstalling

 

Debian: sudo dpkg --remove gytpol-client

* Use --purge instead of --remove to also delete the logs, archive, etc.

 

RPM: sudo rpm -e gytpol-client

 

Both the rpm and dpkg commands above may remove configuration files associated with GYTPOL. Removing files is at your own risk; confirm that no critical data will be deleted before proceeding.

Take a backup of important data before making changes to the system, and exercise caution when running commands that affect system configuration.



macOS

Pre-Installation:

Ports to open:

GYTPOL Sensor to GYTPOL server on-Prem - port 9093

GYTPOL Sensor to GYTPOL SaaS - port 443

 

Does the Endpoint need to be a member of the domain?

No

Installation:

Before proceeding with the installation, determine the platform architecture by checking “About This Mac”. This ensures that the correct package is installed for your system.

 

To identify the platform architecture from a terminal, run the uname -p command.

Identify and choose the right package according to the table below:

Platform   Architecture    Terminal output   Package file
macOS      Intel chipset   i386              gytpol-client-<version>_amd64.pkg
macOS      Apple silicon   arm               gytpol-client-<version>_arm64.pkg

 

Command to run:

sudo /usr/sbin/installer -pkg <pkg_path> -target /

 

Example:

sudo /usr/sbin/installer -pkg ~/Downloads/gytpol-client-0.5.1.0-0_arm64.pkg -target /

To check that the launch daemon is running run:

sudo launchctl list | grep com.gytpol.gytmac

 

If the daemon is running, its process ID (PID) is shown in the left-hand column of the output.

For further information run:

sudo launchctl list com.gytpol.gytmac

If you are using an Intel processor, ensure that you run the correct binary with the "_amd64" designation (e.g., gytpol-client-1.2.1.2-28_amd64.pkg).

Note: While an amd64 binary can run on an arm64 processor, it is not recommended and is not officially supported. It is advisable to use the binary that corresponds to your processor architecture for optimal performance and compatibility.

 

Your output should look like this:

Post-Installation

Where will I see the scanned machine?

Under the ‘Mac’ tab in the GYTPOL UI.

How do I see and change the service status?

sudo launchctl list com.gytpol.gytmac

sudo launchctl stop com.gytpol.gytmac

sudo launchctl start com.gytpol.gytmac

 

Where is the configuration file?

/opt/gytpol/config/config.json (you may need to create the ‘config’ folder and the config.json file). See the file example below.

 

Where is the installation path?

/opt/gytpol

 

Where are the logs?

/opt/gytpol/logs

 

Log retention policy

The Sensor is configured to retain logs for a period of 10 days. Each day may generate one or more log files, depending on the number of actions performed (e.g., scans, service logs, remediations). After 10 days, older log files are automatically deleted to maintain efficient log management.

This behavior can be observed in any installed macOS Sensor under the directory /opt/gytpol/log.
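The 10-day rule above (and the 10-file, 5 MB rule for Windows Sensors earlier in this guide) means Sensor logs are gone before many investigations begin. The Python script below is an added example, not part of the GYTPOL guide or product: it lists the log files the Sensor's own retention will delete next under either rule and copies them, with their timestamps, into a preservation directory. The log directory is a parameter, so it works for /opt/gytpol/logs as well as the Windows log path; the two-day and two-file margins and the sample log files it constructs are assumptions.

```python
"""Preserve GYTPOL Sensor logs before the Sensor's own retention deletes them.

Added example, not part of the GYTPOL guide or product. Models the two
documented retention rules (Linux/macOS: delete after 10 days; Windows:
keep at most 10 files) and selects the files that will be removed next.
Margins and the constructed sample logs are assumptions.
"""
import os
import shutil
import sys
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 10      # documented for Linux/macOS Sensors
MAX_LOG_FILES = 10       # documented for Windows Sensors
SECONDS_PER_DAY = 86400


def log_files(log_dir):
    """Regular files in log_dir, oldest first by modification time."""
    files = [p for p in Path(log_dir).iterdir() if p.is_file()]
    return sorted(files, key=lambda p: p.stat().st_mtime)


def expiring_by_age(log_dir, days_left=2, retention_days=RETENTION_DAYS):
    """Files within `days_left` days of the age-based cut-off (assumed margin)."""
    cutoff = time.time() - (retention_days - days_left) * SECONDS_PER_DAY
    return [p for p in log_files(log_dir) if p.stat().st_mtime <= cutoff]


def expiring_by_count(log_dir, files_left=2, max_files=MAX_LOG_FILES):
    """Oldest files that will be evicted once `files_left` more logs are written."""
    files = log_files(log_dir)
    surplus = len(files) - (max_files - files_left)
    return files[:surplus] if surplus > 0 else []


def preserve(paths, dest_dir):
    """Copy each file into dest_dir; copy2 keeps mtime, which matters as evidence."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    copied = []
    for p in paths:
        target = dest / p.name
        shutil.copy2(p, target)
        copied.append(target)
    return copied


def build_sample_logs(ages_days):
    """Construct a temporary log directory with one file per age (in days)."""
    base = Path(tempfile.mkdtemp(prefix="gytpol-logs-"))
    now = time.time()
    for i, age in enumerate(ages_days):
        f = base / f"sensor-{i}.log"
        f.write_text(f"constructed log line {i}\n")
        os.utime(f, (now - age * SECONDS_PER_DAY,) * 2)  # backdate mtime
    return base


def demo():
    """Run both selectors over constructed logs; returns the selected file names."""
    age_dir = build_sample_logs([1, 7, 9, 11])        # days old
    by_age = expiring_by_age(age_dir)                  # expect the 11- and 9-day files
    count_dir = build_sample_logs(list(range(9)))      # 9 files, ages 0..8 days
    by_count = expiring_by_count(count_dir)            # expect the single oldest file
    copied = preserve(by_age, tempfile.mkdtemp(prefix="gytpol-preserved-"))
    return {
        "by_age": [p.name for p in by_age],
        "by_count": [p.name for p in by_count],
        "copied": len(copied),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real log directory given: just list what expires next
        for p in expiring_by_age(sys.argv[1]) + expiring_by_count(sys.argv[1]):
            print(p)
    else:
        print(demo())
```

Run it with the Sensor's log directory as the only argument to see which files are about to age out; wire the preserve() call to a forwarding location of your choice.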

 

Where is the configuration folder?

The configuration folder contains two files:

config.json - the Sensor’s configuration for connecting to a dedicated server

metrics.json - the metrics configuration

 

config.json

This file contains Sensor’s configuration:

{
  "HttpVerifyCert" : false,
  "HttpTimeout" : 10000000000,
  "ServerAddress" : "_gytpol",
  "ArchiveFolderPath" : "archive"
}

 

Fields explanations:

HttpVerifyCert - Whether the Sensor validates the server’s certificate on HTTP requests. With false, as in the example above, the certificate is not checked.

HttpTimeout - Timeout for HTTP requests, in nanoseconds (10000000000 = 10 seconds).

ServerAddress - The address of the GYTPOL server.

ArchiveFolderPath - Folder, relative to /opt/gytpol, in which reports are saved before they are sent to the server.
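The config.json described here is the same file documented in the Linux section above. As an added example that is not part of the GYTPOL guide or product, the Python script below parses a config.json and reports the settings a reviewer would question before rolling a Sensor out: HttpVerifyCert left at false (the Sensor would then accept whatever certificate the server presents, so report uploads could be intercepted on the network path), a timeout that looks like it was written in seconds rather than nanoseconds, an empty ServerAddress, and an ArchiveFolderPath that resolves outside /opt/gytpol. The 5-minute upper bound on the timeout is an assumption; the embedded sample is the config.json shown above.

```python
"""Audit a GYTPOL Sensor config.json against the documented fields.

Added example, not part of the GYTPOL guide or product. The threshold
for an "unusually long" timeout is an assumption; the sample config is
the one reproduced in the guide, embedded so the script runs offline.
"""
import json
import sys
from pathlib import PurePosixPath

INSTALL_DIR = PurePosixPath("/opt/gytpol")  # documented installation path
NS_PER_SECOND = 1_000_000_000
MAX_REASONABLE_TIMEOUT_S = 300              # assumption: over 5 minutes is odd

# Constructed sample: the config.json reproduced in the guide.
SAMPLE_CONFIG = """
{
  "HttpVerifyCert" : false,
  "HttpTimeout" : 10000000000,
  "ServerAddress" : "_gytpol",
  "ArchiveFolderPath" : "archive"
}
"""


def resolve_archive_dir(archive: str) -> str:
    """Resolve ArchiveFolderPath as the guide describes it: relative to /opt/gytpol."""
    path = PurePosixPath(archive)
    if path.is_absolute():
        return str(path)
    resolved = INSTALL_DIR
    for part in path.parts:
        if part == "..":
            resolved = resolved.parent
        elif part != ".":
            resolved = resolved / part
    return str(resolved)


def audit_config(text: str) -> dict:
    """Parse config.json text; return timeout in seconds, archive dir and findings."""
    cfg = json.loads(text)
    findings = []

    # false means the Sensor accepts any certificate the server presents,
    # so the reports it uploads could be read or altered on the network path.
    if cfg.get("HttpVerifyCert") is not True:
        findings.append("HttpVerifyCert is not true: server certificate is not validated")

    # The guide documents HttpTimeout in nanoseconds; a tiny value usually
    # means seconds were written by mistake and every request will time out.
    timeout_ns = cfg.get("HttpTimeout")
    timeout_s = 0.0
    if not isinstance(timeout_ns, int) or isinstance(timeout_ns, bool) or timeout_ns <= 0:
        findings.append("HttpTimeout missing or not a positive integer")
    else:
        timeout_s = timeout_ns / NS_PER_SECOND
        if timeout_s < 1:
            findings.append(f"HttpTimeout {timeout_ns} ns is under 1 s; was it meant in seconds?")
        elif timeout_s > MAX_REASONABLE_TIMEOUT_S:
            findings.append(f"HttpTimeout {timeout_s:g} s is unusually long")

    address = cfg.get("ServerAddress")
    if not isinstance(address, str) or not address.strip():
        findings.append("ServerAddress is empty")

    archive = cfg.get("ArchiveFolderPath")
    archive_dir = ""
    if not isinstance(archive, str) or not archive.strip():
        findings.append("ArchiveFolderPath is empty")
    else:
        archive_dir = resolve_archive_dir(archive)
        # Reports should stay inside the install directory; anywhere else is
        # a location the guide does not cover and other users may read.
        if not archive_dir.startswith(str(INSTALL_DIR) + "/"):
            findings.append(
                f"ArchiveFolderPath {archive!r} resolves to {archive_dir}, outside {INSTALL_DIR}"
            )

    return {"timeout_seconds": timeout_s, "archive_dir": archive_dir, "findings": findings}


if __name__ == "__main__":
    # Audit the file named on the command line, or the embedded sample otherwise.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    result = audit_config(source)
    print(f"timeout: {result['timeout_seconds']:g} s, archive dir: {result['archive_dir']}")
    for finding in result["findings"] or ["no findings"]:
        print(" -", finding)
```

Against the sample above the only finding is the disabled certificate check; with "HttpVerifyCert" : true the audit is clean.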



Uninstalling

  1. Stop the launch daemon.

     sudo launchctl stop com.gytpol.gytmac

  2. Unload the launch daemon from launchctl.

     sudo launchctl unload -w /Library/LaunchDaemons/com.gytpol.gytmac.plist

  3. Delete the launch daemon configuration plist file.

     sudo rm -rf /Library/LaunchDaemons/com.gytpol.gytmac.plist

  4. Remove the installation folder (including all sub-directories and files).

     sudo rm -rf /opt/gytpol

  5. Discard the package receipt.

     sudo pkgutil --forget com.gytpol.gytmac

 

Deleting files is at your own risk; make sure nothing important is being removed before deleting. Take a backup of important data before making any changes to the system.