Sentinel: Linux Installation
Install and configure the Sentinel Agent on Linux for AI tool monitoring and DLP enforcement.
System Requirements
- OS: Ubuntu 20.04 LTS+, Debian 10+, RHEL 7+, CentOS 7+, Fedora 33+
- Architecture: x86-64, ARM64
- Memory: 256MB minimum, 512MB recommended
- Disk Space: 100MB for installation
- Permissions:
sudoaccess or root privileges for installation
Installation Methods
1. APT (Debian/Ubuntu)
Add Repository:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <KEY_ID>echo "deb https://apt.truthvouch.io/ focal main" | sudo tee /etc/apt/sources.list.d/truthvouch.listsudo apt updateInstall:
sudo apt install sentinelWith API Key:
SENTINEL_API_KEY="sk-..." sudo apt install sentinelUpgrade:
sudo apt update && sudo apt upgrade sentinelUninstall:
sudo apt remove sentinel2. YUM/DNF (RHEL/CentOS/Fedora)
Add Repository:
sudo rpm --import https://repo.truthvouch.io/RPM-GPG-KEY-truthvouchsudo yum-config-manager --add-repo https://repo.truthvouch.io/sentinel.repoInstall:
sudo yum install sentinelDNF (Fedora):
sudo dnf install sentinelUpgrade:
sudo yum update sentinelUninstall:
sudo yum remove sentinel3. Direct Package Download
Download:
# Ubuntu/Debiancurl -O https://download.truthvouch.io/sentinel/linux/sentinel_latest_amd64.deb
# RHEL/CentOScurl -O https://download.truthvouch.io/sentinel/linux/sentinel-latest.x86_64.rpmInstall:
# Ubuntu/Debiansudo dpkg -i sentinel_latest_amd64.deb
# RHEL/CentOSsudo rpm -i sentinel-latest.x86_64.rpm4. Snap
sudo snap install sentinelFirst-Time Setup
1. Start Service
# Start the servicesudo systemctl start sentinel
# Enable on bootsudo systemctl enable sentinel
# Check statussudo systemctl status sentinel2. Configure API Key
Edit configuration file:
sudo nano /etc/truthvouch/sentinel/config.yamlAdd:
cloud: api_key: sk-... organization_id: org-...3. Reload Configuration
sudo systemctl restart sentinel4. Verify Installation
# Check if service is activesudo systemctl is-active sentinel
# View logssudo journalctl -u sentinel -f
# Check network connectivitycurl -I https://api.truthvouch.ioSystemd Service
Service File Location
/etc/systemd/system/sentinel.service/usr/lib/systemd/system/sentinel.serviceManage Service
# Start servicesudo systemctl start sentinel
# Stop servicesudo systemctl stop sentinel
# Restart servicesudo systemctl restart sentinel
# Reload configurationsudo systemctl reload sentinel
# Enable on bootsudo systemctl enable sentinel
# Disable auto-startsudo systemctl disable sentinel
# View service statussystemctl status sentinel
# View service detailssystemctl show sentinelConfiguration
Config File Location
/etc/truthvouch/sentinel/config.yamlEdit Configuration
# Edit configsudo nano /etc/truthvouch/sentinel/config.yaml
# Validate configsentinel --validate-config /etc/truthvouch/sentinel/config.yaml
# Reload after changessudo systemctl restart sentinelLogs
View Logs
# Real-time logssudo journalctl -u sentinel -f
# Last 50 linessudo journalctl -u sentinel -n 50
# View by severitysudo journalctl -u sentinel -p err
# View since last bootsudo journalctl -u sentinel -b
# Save to filesudo journalctl -u sentinel > sentinel.logLog Files
# Application logs/var/log/truthvouch/sentinel.log
# Database/var/lib/truthvouch/sentinel/sentinel.db
# Policies cache/var/lib/truthvouch/sentinel/policies/Directory Structure
/etc/truthvouch/sentinel/├── config.yaml # Main configuration├── ca.crt # Certificate (if using custom CA)└── sentinel.conf # Additional settings
/var/lib/truthvouch/sentinel/├── sentinel.db # SQLite database├── policies/ # Cached policies└── cache/ # Temporary cache
/var/log/truthvouch/└── sentinel.log # Application logs
/usr/bin/sentinel # Binary executable/usr/local/bin/sentinel # Alternative locationFirewall Rules
UFW (Uncomplicated Firewall)
# Allow outbound HTTPSsudo ufw allow out 443/tcp
# Verify rulesudo ufw statusiptables
# Allow outbound HTTPS to API endpointsudo iptables -A OUTPUT -p tcp -d api.truthvouch.io --dport 443 -j ACCEPT
# Save rulessudo iptables-save > /etc/iptables/rules.v4firewalld
# Allow outbound HTTPSsudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" egress action="accept"'
# Reloadsudo firewall-cmd --reloadSELinux Configuration
If using SELinux (RHEL/CentOS):
# Check SELinux statusgetenforce
# Create policy (optional)sudo semanage fcontext -a -t sentinel_t /etc/truthvouch/sentinel
# Restore contextsudo restorecon -R /etc/truthvouch/sentinelAppArmor Configuration
If using AppArmor (Ubuntu/Debian):
# Load AppArmor profilesudo apparmor_parser -r /etc/apparmor.d/usr.bin.sentinel
# Check statussudo aa-status | grep sentinelAuto-Update
Enable Auto-Update
Edit /etc/truthvouch/sentinel/config.yaml:
advanced: auto_update: true update_check_interval: 24Manual Update
# Check for updatessentinel --check-update
# Install updatesudo apt update && sudo apt upgrade sentinel# orsudo yum update sentinelUninstallation
APT
# Remove packagesudo apt remove sentinel
# Remove configsudo rm -rf /etc/truthvouch/
# Remove datasudo rm -rf /var/lib/truthvouch/YUM/DNF
# Remove packagesudo yum remove sentinel
# Remove configsudo rm -rf /etc/truthvouch/
# Remove datasudo rm -rf /var/lib/truthvouch/Containerized Deployment
Docker
Dockerfile:
FROM ubuntu:22.04
RUN apt-get update && \ apt-get install -y curl && \ echo "deb https://apt.truthvouch.io/ focal main" | tee /etc/apt/sources.list.d/truthvouch.list && \ apt-get update && \ apt-get install -y sentinel && \ rm -rf /var/lib/apt/lists/*
COPY config.yaml /etc/truthvouch/sentinel/config.yaml
CMD ["systemctl", "start", "sentinel"]Run:
docker build -t sentinel:latest .docker run -d \ -e SENTINEL_API_KEY="sk-..." \ -e SENTINEL_ORG_ID="org-..." \ -v sentinel-data:/var/lib/truthvouch/sentinel/ \ sentinel:latestKubernetes
Deployment:
apiVersion: apps/v1kind: DaemonSetmetadata: name: sentinel namespace: defaultspec: selector: matchLabels: app: sentinel template: metadata: labels: app: sentinel spec: hostNetwork: true containers: - name: sentinel image: truthvouch/sentinel:latest env: - name: SENTINEL_API_KEY valueFrom: secretKeyRef: name: sentinel key: api-key volumeMounts: - name: config mountPath: /etc/truthvouch/sentinel - name: lib mountPath: /var/lib/truthvouch/sentinel volumes: - name: config hostPath: path: /etc/truthvouch/sentinel - name: lib hostPath: path: /var/lib/truthvouch/sentinelTroubleshooting
Service Won’t Start
# Check statussudo systemctl status sentinel
# View error logssudo journalctl -u sentinel -n 50 -p err
# Validate configsentinel --validate-config /etc/truthvouch/sentinel/config.yamlNetwork Issues
# Test API connectivitycurl -I https://api.truthvouch.io
# Check DNSnslookup api.truthvouch.io
# View connectionsnetstat -tulpn | grep sentinelss -tulpn | grep sentinelPermission Denied
# Check file permissionsls -la /etc/truthvouch/ls -la /var/lib/truthvouch/
# Fix permissionssudo chown -R sentinel:sentinel /var/lib/truthvouch/sudo chmod 755 /etc/truthvouch/sentinel/High CPU/Memory
# Monitor usagetop -p $(pidof sentinel)
# View process detailsps aux | grep sentinel
# Check for excessive loggingtail -f /var/log/truthvouch/sentinel.log | head -20Performance Tuning
Reduce Overhead
Edit /etc/truthvouch/sentinel/config.yaml:
monitoring: clipboard_monitoring: false network_monitoring: false
reporting: interval: 120 # 2 hours instead of 1
logging: level: WARN # Less verboseIncrease Resource Limits
# Edit systemd servicesudo systemctl edit sentinel
# Add resource limits[Service]MemoryLimit=512MCPUQuota=50%Integration with Company IT
Deploy via Configuration Management
Ansible:
- name: Install Sentinel hosts: all tasks: - name: Add Sentinel repo apt_repository: repo: "deb https://apt.truthvouch.io/ focal main"
- name: Install sentinel apt: name: sentinel state: present
- name: Configure sentinel template: src: config.yaml.j2 dest: /etc/truthvouch/sentinel/config.yaml
- name: Start sentinel systemd: name: sentinel state: started enabled: yesPuppet:
class { 'sentinel': api_key => 'sk-...', organization_id => 'org-...', ensure => present,}See Configuration Reference for detailed options and Policy Sync for managing policies.