Cisco
Login
Search
Software Secure Workload
Activity Configure

Deploy Software Agents on Workloads Deploy Software Agents Install Linux Agents for Deep Visibility and Enforcement Supported Methods to Install Linux Agents Install Linux Agent Using the Agent Script Installer Method

Last updated: Jun 09, 2025

Install Linux Agent Using the Agent Script Installer Method

We recommend the installer script method to deploy Linux agents for deep visibility and enforcement.


 

To install a Linux agent using the script installer method:

Procedure

1

Navigate to Agent Installation methods:

  • If you are a first-time user, launch the Quick Start Wizard and click Install Agents.

  • From the navigation pane, choose Manage > Agents, and select the Installer tab.
2

Click Agent Script Installer.
3

From the Select Platform drop-down list, choose Linux.

To view the supported Linux platforms, click Show Supported Platforms.
4

Choose the tenant to install the agents.


 

Secure Workload SaaS clusters do not require selecting a tenant.
5

If you want to assign labels to the workload, choose the label keys and enter label values.

When the installed agent reports IP addresses on the host, the installer CMDB labels selected here, along with other uploaded CMDB labels that have been assigned to IPs reported by this host, would be automatically assigned to the new IP address. If there are conflicts between uploaded CMDB labels and installer CMDB labels:

  • Labels assigned to an exact IP address take precedence over labels assigned to the subnet.

  • Existing labels assigned to an exact IP address take precedence over installer CMDB labels.
6

If an HTTP proxy is required to communicate with Secure Workload, choose Yes, and then enter a valid proxy URL.
7

In the Installer expiration section, select an option:

  • No expiration: The installer script can be used multiple times.

  • One time: The installer script can be used only once.

  • Time bound: You can set the number of days for which the installer script can be used.

  • Number of deployments: You can set the number of times the installer script can be used.
8

Click Download and save the file to the local disk.
9

Copy the installer shell script on Linux hosts and run the following command to grant execute permission to the script: chmod u+x tetration_installer_default_sensor_linux.sh


 

The script name may differ depending on the selected agent type and scope.
10

To install the agent, run the following command with root privileges: ./tetration_installer_default_sensor_linux.sh


 

If an agent is already installed on the tenant, you cannot proceed with the installation.

We recommend running the precheck, as specified in the script usage details.

Linux installer script usage details:

bash tetration_linux_installer.sh [--pre-check] [--skip-pre-check=<option>] [--no-install] [--logfile=<filename>] [--proxy=<proxy_string>] [--no-proxy] [--help] [--version] [--sensor-version=<version_info>] [--ls] [--file=<filename>] [--save=<filename>] [--new] [--reinstall] [--unpriv-user] [--force-upgrade] [--upgrade-local] [--upgrade-by-uuid=<filename>] [--basedir=<basedir>] [--logbasedir=<logbdir>] [--tmpdir=<tmp_dir>] [--visibility] [--golden-image]
  --pre-check: run pre-check only
  --skip-pre-check=<option>: skip pre-installation check by given option; Valid options include 'all', 'ipv6' and 'enforcement'; e.g.: '--skip-pre-check=all' will skip all pre-installation checks; All pre-checks will be performed by default
  --no-install: will not download and install sensor package onto the system
  --logfile=<filename>: write the log to the file specified by <filename>
  --proxy=<proxy_string>: set the value of CL_HTTPS_PROXY, the string should be formatted as http://<proxy>:<port>
  --no-proxy: bypass system wide proxy; this flag will be ignored if --proxy flag was provided
  --help: print this usage
  --version: print current script's version
  --sensor-version=<version_info>: select sensor's version; e.g.: '--sensor-version=3.4.1.0'; will download the latest version by default if this flag was not provided
  --ls: list all available sensor versions for your system (will not list pre-3.1 packages); will not download any package
  --file=<filename>: provide local zip file to install sensor instead of downloading it from cluster
  --save=<filename>: download and save zip file as <filename>
  --new: remove any previous installed sensor
  --reinstall: reinstall sensor and retain the same identity with cluster; this flag has higher priority than --new
  --unpriv-user=<username>: use <username> for unpriv processes instead of tet-sensor
  --force-upgrade: force sensor upgrade to version given by --sensor-version flag; e.g.: '--sensor-version=3.4.1.0 --force-upgrade'; apply the latest version by default if --sensor-version flag was not provided
  --upgrade-local: trigger local sensor upgrade to version given by --sensor-version flag: e.g.: '--sensor-version=3.4.1.0 --upgrade-local'; apply the latest version by default if --sensor-version flag was not provided
  --upgrade-by-uuid=<filename>: trigger sensor whose uuid is listed in <filename> upgrade to version given by --sensor-version flag; e.g.: '--sensor-version=3.4.1.0 --upgrade-by-uuid=/usr/local/tet/sensor_id'; apply the latest version by default if --sensor-version flag was not provided
  --basedir=<base_dir>: instead of using /usr/local use <base_dir> to install agent. The full path will be <base_dir>/tetration
  --logbasedir=<log_base_dir>: instead of logging to /usr/local/tet/log use <log_base_dir>. The full path will be <log_base_dir>/tetration
  --tmpdir=<tmp_dir>: instead of using /tmp use <tmp_dir> as temp directory
  --visibility: install deep visibility agent only; --reinstall would overwrite this flag if previous installed agent type was enforcer
  --golden-image: install Cisco Secure Workload Agent but do not start the Cisco Secure Workload Services; use to install Cisco Secure Workload Agent on Golden Images in VDI environment or Template VM. On VDI/VM instance created from golden image with different host name, Cisco Secure Workload Services will work normally


 

  • Ubuntu uses the native .deb package, and new installations and reinstallations switch to this package type. Upgrades from previous versions continue with the .rpm package.

  • Ubuntu .deb package is installed under /opt/cisco/tetration.

  • There is no relocation support for the .deb package and so the –basedir option is not supported for Ubuntu.
Previous topic Install Linux Agent using the Agent Image Installer Method Next topic Agent Support for NVIDIA Bluefield Networking Platform