Technical Tip: Deploying FortiEDR collector using a custom installer on a Linux machine with a noexec /tmp partition

The custom installer of the FortiEDR Linux collector uses the '/tmp' partition on the target machine for the collector package's extraction and installation by default.

Sometimes, the '/tmp' partition on the target machine is hardened by the system administrator for security reasons.

It prevents users (and many automated exploits) from executing scripts or binaries directly from the temporary directory.

In this case, executing the custom installer on the target machine will fail with a 'permission denied' error - for example: 

#./FortiEDRSilentInstall_5.1.16.1031_{environment}_{organization}.sh
Verifying archive integrity... 100% All good.
Uncompressing Installation of FortiEDRCollector 100%
./FortiEDRSilentInstall_5.1.16.1031_{environment}_{organization}.sh: line 579: ./setup.sh: Permission denied

1. In order to validate whether the '/tmp' partition is hardened on the target machine with 'noexec', use the following command:
   
   

#mount | grep "on /tmp"
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,seclabel,inode64)

2. In order to deploy the custom installer on the hardened target machine, use the custom installer's flag '--target' with a the target folder that the installer will use to extract the collector package's installation.
   Using this flag will cause the installer to create the necessary folder. For example: 
   
   

# ./FortiEDRSilentInstall_5.1.16.1031_{environment}_{organization}.sh --target /home/
Creating directory /home/tmp
Verifying archive integrity... 100% All good.
Uncompressing Installation of FortiEDRCollector 100%
Reading key from key file: /tmp/data.bin
Updating encrypted passwords encryption to use new key...
Checking file: /opt/FortiEDRCollector/Config/Collector/CollectorBootstrap.jsn