
Deploy a Sensor on Linux

This guide walks you through installing and enrolling an AttackLens sensor on a Linux machine.

Prerequisites

  • Role: Posture Manager or higher.
  • Enrollment token: You need a valid enrollment token. See Create an Enrollment Token if you have not created one yet.
  • Network access: The target machine must be able to reach your AttackLens instance over HTTPS.
  • Permissions: Root or sudo access on the target machine.

Step 1: Download the Sensor Binary

  1. In AttackLens, navigate to Settings > Sensor Downloads.
  2. Download the binary that matches your target architecture:
    • sensor-linux-amd64 for x86_64 systems (most servers and workstations)
    • sensor-linux-arm64 for ARM64 systems (AWS Graviton, Raspberry Pi 4+, etc.)

Alternatively, transfer the binary to the target machine using scp or any file transfer method:

```bash
scp sensor-linux-amd64 user@target-machine:/tmp/
```

Step 2: Make the Binary Executable

SSH into the target machine and set the executable permission:

```bash
chmod +x /tmp/sensor-linux-amd64
```

Step 3: Move the Binary to a System Location

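Move the sensor to a standard location and set its owner to root. The systemd service in Step 5 runs this binary as root, and mv keeps the ownership of the account that uploaded the file:

```bash
sudo mv /tmp/sensor-linux-amd64 /usr/local/bin/attacklens-sensor
sudo chown root:root /usr/local/bin/attacklens-sensor
```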

Step 4: Enroll the Sensor

Run the enrollment command with your AttackLens instance URL and the enrollment token:

```bash
sudo /usr/local/bin/attacklens-sensor enroll \
  --server https://your-attacklens-instance:8080 \
  --token YOUR_ENROLLMENT_TOKEN
```

Replace:

  • your-attacklens-instance:8080 with the actual hostname and port of your AttackLens backend.
  • YOUR_ENROLLMENT_TOKEN with the token you copied from AttackLens.

TIP

If your AttackLens instance uses a self-signed TLS certificate, you may need to add the --insecure-skip-verify flag during enrollment. This is not recommended for production environments.

On successful enrollment, you will see output similar to:

```
[INFO] Enrolling sensor with AttackLens backend...
[INFO] Enrollment successful. Sensor ID: s-a1b2c3d4
[INFO] Starting sensor service...
[INFO] Sensor is now running.
```

Step 5: Install as a systemd Service

The sensor can run as a systemd service so it starts automatically on boot. Create the service file:

```bash
sudo tee /etc/systemd/system/attacklens-sensor.service > /dev/null <<EOF
[Unit]
Description=AttackLens Sensor
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/attacklens-sensor run
Restart=always
RestartSec=10
User=root

[Install]
WantedBy=multi-user.target
EOF
```

Enable and start the service:

```bash
sudo systemctl daemon-reload
sudo systemctl enable attacklens-sensor
sudo systemctl start attacklens-sensor
```

Step 6: Verify the Sensor

Check that the service is running:

```bash
sudo systemctl status attacklens-sensor
```

You should see active (running) in the output.

In AttackLens, navigate to Sensors to confirm the new sensor appears in the list with an Online status.

WARNING

If the sensor shows as Pending for more than a few minutes, check the sensor logs for errors:

```bash
sudo journalctl -u attacklens-sensor -f
```

Common issues include incorrect server URLs, expired enrollment tokens, or network connectivity problems.
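
The following is an added example, not part of the AttackLens documentation. It picks the Step 1 download name for the local architecture and checks that the binary and unit file installed in Steps 3 and 5 are owned by root and not writable by group or others, since the service runs the binary as root. The function names are hypothetical, and a `stat` that supports `-c` (GNU or BusyBox) is assumed.

```bash
#!/usr/bin/env bash
# Added example: checks around the install steps in this guide.
# Function names are hypothetical; paths and binary names come from the guide.
# Assumes GNU or BusyBox stat (the -c option).

# Map `uname -m` output to the download name from Step 1.
sensor_binary_for_arch() {
  arch="${1:-$(uname -m)}"
  case "$arch" in
    x86_64|amd64)  echo "sensor-linux-amd64" ;;
    aarch64|arm64) echo "sensor-linux-arm64" ;;
    *) echo "unsupported architecture: $arch" >&2; return 1 ;;
  esac
}

# Succeed only if FILE is owned by the given uid (default 0, root) and is not
# writable by group or others. The unit in Step 5 runs the binary as root, so
# any account that can modify these files can run code as root.
check_root_run_file() {
  file="$1"; want_uid="${2:-0}"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  uid=$(stat -c '%u' "$file") || return 1
  mode=$(stat -c '%a' "$file") || return 1
  if [ "$uid" != "$want_uid" ]; then
    echo "$file is owned by uid $uid, expected $want_uid" >&2; return 1
  fi
  # 022 (octal) selects the group-write and other-write bits.
  if [ $(( 0$mode & 022 )) -ne 0 ]; then
    echo "$file is group- or world-writable (mode $mode)" >&2; return 1
  fi
}

# Audit the two files this guide installs; non-zero exit on any finding.
audit_sensor_install() {
  rc=0
  for f in /usr/local/bin/attacklens-sensor \
           /etc/systemd/system/attacklens-sensor.service; do
    check_root_run_file "$f" || rc=1
  done
  return $rc
}
```

Source the file and run `audit_sensor_install` after Step 5; each finding is printed to stderr and the function returns non-zero if any check fails.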

Verify Data Collection

Once the sensor is online, it will begin its first data collection cycle. You can verify data is flowing by:

  1. Navigating to Sensors and clicking on the new sensor.
  2. Checking the Last Seen timestamp -- it should update within the collection interval.
  3. Navigating to Inventory to see the packages and services discovered on the endpoint.

Uninstalling the Sensor

To remove a sensor from a Linux machine:

```bash
sudo systemctl stop attacklens-sensor
sudo systemctl disable attacklens-sensor
sudo rm /etc/systemd/system/attacklens-sensor.service
sudo systemctl daemon-reload
sudo rm /usr/local/bin/attacklens-sensor
```

INFO

Uninstalling the sensor from the machine does not remove it from AttackLens. The sensor will appear as Offline in the sensor list. You can delete the sensor record from the AttackLens UI if it is no longer needed.
