======================================================================
Important Note: The correct flag value MUST be in the flags file before starting osqueryd service
======================================================================
Method of Procedure:
Before installing the Uptycs Protect package on any AIX endpoint, check that the process blocking flag is set to false by executing the command below:
bash-5.1# grep process_blocking /opt/uptycs/osquery/etc/osquery.flags
--enable_process_blocking=false
Action: If the output shows true — Don't install Uptycs Protect. Keep using the Standard build and assign the correct flag profile so that the asset gets process_blocking=false on disk.
If the process blocking flag is set to false, then proceed to the next step.
If an AIX endpoint already has Protect installed, use the command below to force-install the new version of the Protect osquery package.
rpm -Uvh --nopost --force uptycs-protect-5.9.2.28-Uptycs-202312071624.aix7.2.ppc.rpm
Upgrading osquery will overwrite the old version. When upgrading from Standard to Protect we don't have to worry about uninstalling the KEXT first.
Make sure the asset is assigned the correct flag profile before downloading. (The best option is to assign a non-blocking flag profile and then use the base osquery Protect package with no flags + secret. Only after verifying that the asset has the correct flag value on disk should you install the Uptycs Protect build.)
Verify that process_blocking is set to FALSE:
# grep process_blocking /opt/uptycs/osquery/etc/osquery.flags
--enable_process_blocking=false
Verify that remediation is enabled (note the grep pattern matches the remediation flag, not the process blocking flag):
# grep enable_remediation /opt/uptycs/osquery/etc/osquery.flags
--enable_remediation=true
Then start osqueryd:
# /etc/rc.d/init.d/osqueryd start
This should start the osqueryd service with remediation enabled and process blocking disabled.
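The two grep checks above can be wrapped into a single pre-flight script that refuses to proceed unless process blocking is off and remediation is on. This is an added example, not an Uptycs-supplied tool: it assumes the flags file path from the procedure above, and the sample flags files it writes to a temporary directory are constructed for demonstration, not real endpoint data.

```shell
#!/bin/sh
# Pre-flight check before starting osqueryd on an AIX endpoint (added example,
# not Uptycs' own tooling). Default path is the flags file from the procedure;
# override with FLAGS_FILE=... when testing against a copy.
FLAGS_FILE="${FLAGS_FILE:-/opt/uptycs/osquery/etc/osquery.flags}"

# flag_value FILE NAME: print the value of the first "--NAME=value" line in
# FILE. Returns 1 (prints nothing) when the file cannot be read.
flag_value() {
    _file="$1"; _name="$2"
    [ -r "$_file" ] || return 1
    sed -n "s/^--${_name}=//p" "$_file" | head -n 1
}

# preflight_check FILE: return 0 only when process blocking is disabled and
# remediation is enabled; otherwise print what is wrong and return non-zero.
# The same flag file is read as the grep checks in the procedure.
preflight_check() {
    _file="$1"
    _pb=$(flag_value "$_file" enable_process_blocking) || {
        echo "cannot read flags file $_file"
        return 2
    }
    _rem=$(flag_value "$_file" enable_remediation)
    _rc=0
    if [ "$_pb" != "false" ]; then
        echo "enable_process_blocking is '${_pb:-unset}', expected false: do NOT start osqueryd"
        _rc=1
    fi
    if [ "$_rem" != "true" ]; then
        echo "enable_remediation is '${_rem:-unset}', expected true"
        _rc=1
    fi
    return $_rc
}

# Demo on constructed flags files (not real endpoint data): one file that
# passes the check and one that still has process blocking turned on.
_tmp=$(mktemp -d)
printf -- '--enable_process_blocking=false\n--enable_remediation=true\n' > "$_tmp/good.flags"
printf -- '--enable_process_blocking=true\n--enable_remediation=true\n' > "$_tmp/bad.flags"
if preflight_check "$_tmp/good.flags"; then
    echo "good.flags: safe to start osqueryd"
fi
preflight_check "$_tmp/bad.flags" || echo "bad.flags: start refused (exit $?)"
rm -rf "$_tmp"
```

On a real endpoint, run `preflight_check "$FLAGS_FILE" && /etc/rc.d/init.d/osqueryd start` so the service only starts when both flags have the expected values; a missing or unreadable flags file is treated as a failure rather than a pass.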
Should you need any help, please feel free to contact support@uptycs.com