Deploy a Sensor on Linux
This guide walks you through installing and enrolling an AttackLens sensor on a Linux machine.
Prerequisites
- Role: Posture Manager or higher.
- Enrollment token: You need a valid enrollment token. See Create an Enrollment Token if you have not created one yet.
- Network access: The target machine must be able to reach your AttackLens instance over HTTPS.
- Permissions: Root or sudo access on the target machine.
Step 1: Download the Sensor Binary
- In AttackLens, navigate to Settings > Sensor Downloads.
- Download the binary that matches your target architecture:
  - sensor-linux-amd64 for x86_64 systems (most servers and workstations)
  - sensor-linux-arm64 for ARM64 systems (AWS Graviton, Raspberry Pi 4+, etc.)
Alternatively, transfer the binary to the target machine using scp or any file transfer method:
bash
scp sensor-linux-amd64 user@target-machine:/tmp/
Step 2: Make the Binary Executable
SSH into the target machine and set the executable permission:
bash
chmod +x /tmp/sensor-linux-amd64
Step 3: Move the Binary to a System Location
Move the sensor to a standard location:
bash
sudo mv /tmp/sensor-linux-amd64 /usr/local/bin/attacklens-sensor
Step 4: Enroll the Sensor
Run the enrollment command with your AttackLens instance URL and the enrollment token:
bash
sudo /usr/local/bin/attacklens-sensor enroll \
--server https://your-attacklens-instance:8080 \
--token YOUR_ENROLLMENT_TOKEN
Replace:
- your-attacklens-instance:8080 with the actual hostname and port of your AttackLens backend.
- YOUR_ENROLLMENT_TOKEN with the token you copied from AttackLens.
TIP
If your AttackLens instance uses a self-signed TLS certificate, you may need to add the --insecure-skip-verify flag during enrollment. The flag disables verification of the server certificate, so it is not recommended for production environments.
On successful enrollment, you will see output similar to:
[INFO] Enrolling sensor with AttackLens backend...
[INFO] Enrollment successful. Sensor ID: s-a1b2c3d4
[INFO] Starting sensor service...
[INFO] Sensor is now running.
Step 5: Install as a systemd Service
The sensor can run as a systemd service so it starts automatically on boot. Create the service file:
bash
sudo tee /etc/systemd/system/attacklens-sensor.service > /dev/null <<EOF
[Unit]
Description=AttackLens Sensor
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/attacklens-sensor run
Restart=always
RestartSec=10
User=root
[Install]
WantedBy=multi-user.target
EOF
Enable and start the service:
bash
sudo systemctl daemon-reload
sudo systemctl enable attacklens-sensor
sudo systemctl start attacklens-sensor
Step 6: Verify the Sensor
Check that the service is running:
bash
sudo systemctl status attacklens-sensor
You should see active (running) in the output.
In AttackLens, navigate to Sensors to confirm the new sensor appears in the list with an Online status.
WARNING
If the sensor shows as Pending for more than a few minutes, check the sensor logs for errors:
bash
sudo journalctl -u attacklens-sensor -f
Common issues include incorrect server URLs, expired enrollment tokens, or network connectivity problems.
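Steps 2 and 3 leave the binary with whatever owner it had in /tmp, because mv keeps file ownership, while the unit from Step 5 runs it as root. The script below is an added example, not part of the AttackLens documentation: it checks that the binary and the unit file are owned by root and not writable by group or others. The helper names check_root_safe and audit_sensor_install are hypothetical, and GNU stat is assumed.

```bash
#!/usr/bin/env bash
# Added example: audit the files that systemd will execute as root.
# Paths are the ones used in this guide; function names are hypothetical.

# check_root_safe PATH [EXPECTED_UID]
# Returns 0 only if PATH exists, is not a symlink, and both PATH and its
# directory are owned by EXPECTED_UID (default 0 = root) and carry no
# write bit for group or others.
check_root_safe() {
    crs_path=$1
    crs_want=${2:-0}
    crs_rc=0
    if [ -L "$crs_path" ] || [ ! -e "$crs_path" ]; then
        echo "FAIL $crs_path: missing or a symlink" >&2
        return 1
    fi
    for crs_target in "$crs_path" "$(dirname "$crs_path")"; do
        crs_uid=$(stat -c '%u' "$crs_target")
        crs_mode=$(stat -c '%a' "$crs_target")
        if [ "$crs_uid" != "$crs_want" ]; then
            echo "FAIL $crs_target: owner uid $crs_uid, expected $crs_want" >&2
            crs_rc=1
        fi
        # 022 (octal) selects the write bits for group and others.
        if [ $(( 0$crs_mode & 022 )) -ne 0 ]; then
            echo "FAIL $crs_target: mode $crs_mode is group/world writable" >&2
            crs_rc=1
        fi
    done
    return $crs_rc
}

# Audit both files this guide installs; returns non-zero if either fails.
audit_sensor_install() {
    asi_rc=0
    check_root_safe /usr/local/bin/attacklens-sensor || asi_rc=1
    check_root_safe /etc/systemd/system/attacklens-sensor.service || asi_rc=1
    return $asi_rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_sensor_install
fi
```

If the binary fails the check, `sudo chown root:root /usr/local/bin/attacklens-sensor` followed by `sudo chmod 0755 /usr/local/bin/attacklens-sensor` corrects the owner and mode.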
Verify Data Collection
Once the sensor is online, it will begin its first data collection cycle. You can verify data is flowing by:
- Navigating to Sensors and clicking on the new sensor.
- Checking the Last Seen timestamp -- it should update within the collection interval.
- Navigating to Inventory to see the packages and services discovered on the endpoint.
Uninstalling the Sensor
To remove a sensor from a Linux machine:
bash
sudo systemctl stop attacklens-sensor
sudo systemctl disable attacklens-sensor
sudo rm /etc/systemd/system/attacklens-sensor.service
sudo systemctl daemon-reload
sudo rm /usr/local/bin/attacklens-sensor
INFO
Uninstalling the sensor from the machine does not remove it from AttackLens. The sensor will appear as Offline in the sensor list. You can delete the sensor record from the AttackLens UI if it is no longer needed.
Next Steps
- Manage Sensors -- View sensor details, link to assets, monitor status.
- Sensor Auto-Update -- Learn how sensors keep themselves up to date.