Deploy on Linux
The InfraScout agent runs as a systemd service and connects back to the InfraScout server over an encrypted channel. Once enrolled, the agent accepts shell commands from AI-driven assessments and optionally queries Active Directory over LDAP.
Prerequisites
You need a Linux distribution with systemd (Ubuntu 18.04+, RHEL/CentOS 7+, Debian 10+, or equivalent), outbound network access to the InfraScout server on port 443, an enrollment token from the InfraScout dashboard (Settings → Enrollment Tokens), and root or sudo privileges on the host.
Download the Agent
Download the agent binary from the InfraScout dashboard under Settings → Downloads. Choose infrascout-agent-linux-amd64 for x86-64 hardware or infrascout-agent-linux-arm64 for ARM hardware.
Once downloaded, install the binary to /usr/local/bin/:
sudo install -m 755 infrascout-agent-linux-amd64 /usr/local/bin/infrascout-agentEnroll the Agent
Enrollment registers the host with the InfraScout server and provisions a mutual TLS certificate for the agent. Run the enrollment command as root:
sudo infrascout-agent enroll \
--token YOUR_ENROLLMENT_TOKEN \
--server YOUR_SERVER_ADDRESSReplace YOUR_ENROLLMENT_TOKEN with the token from the dashboard and YOUR_SERVER_ADDRESS with the gRPC server address shown in Settings → Enrollment Tokens. The agent performs a certificate exchange with the server and writes agent-config.yaml to /etc/infrascout/. When enrollment succeeds, the command prints a confirmation message that includes the agent's assigned ID.
INFO
The enrollment token is consumed on first use. Generate a new token from the dashboard if you need to re-enroll this host or enroll an additional host.
Install as a systemd Service
After enrollment, install the agent as a managed systemd service so it starts automatically and restarts on failure:
sudo infrascout-agent service installThen enable and start the service:
sudo systemctl enable infrascout-agent
sudo systemctl start infrascout-agentVerify it is running:
sudo systemctl status infrascout-agentThe service runs as root. To follow live log output, use:
journalctl -u infrascout-agent -fConfigure LDAP (Optional)
If this host can reach an Active Directory domain controller, you can enable LDAP queries so assessments can read directory data from this agent. Add an ldap block to /etc/infrascout/agent-config.yaml:
ldap:
server: ldap://dc01.example.com
base_dn: DC=example,DC=com
bind_dn: CN=svc-infrascout,OU=Service Accounts,DC=example,DC=com
bind_password: YourServiceAccountPasswordAfter saving the file, restart the service:
sudo systemctl restart infrascout-agentThe agent encrypts bind_password in place on first startup, so the file will no longer contain the plaintext value after the service has run.
TIP
Use a read-only service account for the bind credentials. The agent only reads from Active Directory — it never writes to the directory.
Capabilities on Linux
After enrollment, this agent reports the shell capability to InfraScout, allowing assessments to run commands via /bin/sh. If LDAP is configured and the service restarts successfully, the agent also reports the ldap capability.
Windows-only capabilities — powershell, wmi, and eventlog — are not available on Linux hosts.
Troubleshooting
Service fails to start — Run journalctl -u infrascout-agent -n 50 to see the last 50 log lines. Missing config or certificate files under /etc/infrascout/ are the most common cause. Re-running enrollment usually resolves this.
Enrollment fails — Verify that the host has outbound connectivity to port 443 on the InfraScout server. If a TLS-inspecting proxy sits between this host and the server, add an exception for the InfraScout server endpoint — mTLS client certificates are incompatible with SSL inspection.
Agent appears offline in the dashboard — Confirm the service is active with systemctl is-active infrascout-agent. Also check that ntpd or systemd-timesyncd is keeping the system clock synchronized; clock skew beyond a small tolerance causes the mTLS handshake to fail.