This has been tested on RedHat Enterprise 8, Fedora 33 (64-bit), Oracle Linux 8 Server

(64-bit) and CentOS 8 Stream(64-bit).


For a full list of installation options one needs to check the Enterprise User guide relevant to the release installed on site.

The correct guide for your installed version can be found on the product download page. Navigate to the version of Forensic Tools to find the link for the manual download.

At time of writing the latest version was ENT 7.4.2 the User Guide that corresponds to this release can be obtained from the link below

Link to Enterprise 4.7.2 User Manual



User with sudo privileges (sudoers) or as root user as the installation and policy updates need to be done with elevated privileges.

Port 3999 needs to be added to the firewall so that it is open for the Agent to connect to Enterprise

This is a simple installation, using default path for Agent installation, consult Enterprise UG for the version running in your Environment

1) Copy the agent off the AD Tools iso which is the same as the one used to install Enterprise

2) Add executable rights to the script

chmod +x

3) Install the agent (below example is a simple installation) see the Enterprise user guide should you wish to change the default options.

The command will install the required agent folder, the agent service will likely fail to start-up in the case of newer Ferdora based OS's, in which case go to step 4 after step 3

sudo ./ 

4) Setting the security context (extended attributes) of the Agent core daemon

sudo /sbin/restorecon -v /etc/rc.d/init.d/agentcored 

5) Searching Audit log and updating the allow/dontaudit policy rule for Agent Core Daemon

sudo ausearch -c '(entcored)' --raw | audit2allow -M my-entcored 

6) Update SELinux policy module

sudo semodule -X 300 -i my-entcored.pp 

7) Restart the agent (first stop then start and confirm that it has started up correctly by checking the status

Command to stop agent

sudo /etc/init.d/agentcored stop 

Command to stop agent

sudo /etc/init.d/agentcored start 

Command to check status of agent

sudo /etc/init.d/agentcored status