Single Node Deployment

Manual installation of Aquilon DLP on individual workstations. This guide covers both Linux (Basic Edition) and macOS (Enterprise Edition) deployments.

Overview

Single node deployment is ideal for:

  • Evaluating Aquilon DLP before enterprise rollout
  • Small teams with fewer than 10 machines
  • Development and testing environments
  • Personal data protection

Linux Deployment

Prerequisites

  • Operating System: Ubuntu 20.04+, RHEL 8+, Debian 11+
  • Architecture: x86_64
  • Memory: 2GB RAM minimum
  • Disk Space: 500MB for application and database
  • Permissions: Root or sudo access

Installation Steps

Step 1: Download

Download the Basic Edition package for your distribution from your organization’s portal:

  • Ubuntu/Debian: aquilon-dlp-basic_VERSION_amd64.deb
  • RHEL/CentOS: aquilon-dlp-basic-VERSION.x86_64.rpm

Step 2: Verify Checksum

# Verify checksum (SHA256 file provided with download)
sha256sum -c aquilon-dlp-basic-linux.sha256

Expected output: aquilon-dlp-basic-linux: OK

Step 3: Install Binary

# Make executable
chmod +x aquilon-dlp-basic

# Move to system path
sudo mv aquilon-dlp-basic /usr/local/bin/

# Verify installation
aquilon-dlp-basic --version

Step 4: Create Configuration

# Create config directory
sudo mkdir -p /etc/aquilon-dlp

# Download sample configuration
sudo curl -o /etc/aquilon-dlp/aquilon_dlp_config.toml \
  https://raw.githubusercontent.com/aquilonsecurity/aquilon-dlp/main/docs/config-examples/aquilon_dlp_config_basic.toml

# Set permissions
sudo chmod 644 /etc/aquilon-dlp/aquilon_dlp_config.toml

Step 5: Configure Watch Paths

Edit /etc/aquilon-dlp/aquilon_dlp_config.toml:

# Monitor these directories
watch_paths = [
    "/home/%%",           # All user home directories
    "/var/www/%%",        # Web server files
    "/data/%%"            # Data directory
]

# Exclude unnecessary paths
exclude_paths = [
    "/home/*/.cache/%%",  # User caches
    "/home/*/.local/%%"   # Local application data
]

# Enable policies (Basic Edition: GDPR, CCPA only)
[policies]
enabled_policies = ["gdpr", "ccpa"]

[policies.policy_configs.gdpr]
enabled = true

[policies.policy_configs.ccpa]
enabled = true

Step 6: Validate Configuration

aquilon-dlp-basic --validate-config /etc/aquilon-dlp/aquilon_dlp_config.toml

Expected output: Configuration is valid.

Running as a Service

Create systemd service file /etc/systemd/system/aquilon-dlp.service:

[Unit]
Description=Aquilon DLP Basic Edition
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/aquilon-dlp-basic --config /etc/aquilon-dlp/aquilon_dlp_config.toml
Restart=on-failure
RestartSec=10s
User=root
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable aquilon-dlp
sudo systemctl start aquilon-dlp
sudo systemctl status aquilon-dlp

Verification

# Check service status
sudo systemctl status aquilon-dlp

# View logs
sudo journalctl -u aquilon-dlp -f

# Query OSQuery tables (if OSQuery installed)
osqueryi "SELECT * FROM aquilon_dlp_alerts LIMIT 10;"


macOS Deployment

Note: macOS requires Enterprise Edition for native Endpoint Security monitoring.

Prerequisites

  • Operating System: macOS 11.0 (Big Sur) or later
  • Architecture: x86_64 or Apple Silicon
  • Memory: 2GB RAM minimum, 4GB recommended
  • Disk Space: 1GB for application and database
  • Permissions: Full Disk Access, Administrator privileges

Installation Steps

Step 1: Download

Download the Enterprise Edition package for macOS from your organization’s portal:

  • macOS: aquilon-dlp-enterprise-VERSION.pkg

Step 2: Verify Code Signature

# Verify Apple Developer ID signature
codesign -dvv aquilon-dlp-enterprise

# Expected output should include:
# Authority=Developer ID Application: Aquilon Security, LLC

Step 3: Install Binary

# Make executable
chmod +x aquilon-dlp-enterprise

# Move to system path
sudo cp aquilon-dlp-enterprise /usr/local/bin/

# Verify installation
aquilon-dlp-enterprise --version

Step 4: Grant Full Disk Access

  1. Open System Settings > Privacy & Security > Full Disk Access
  2. Click + to add /usr/local/bin/aquilon-dlp-enterprise
  3. Enable the checkbox for Aquilon DLP

Important: Full Disk Access is required for Endpoint Security file monitoring. Without it, the application cannot scan protected directories.

Step 5: Create Configuration

# Create config directory
sudo mkdir -p /etc/aquilon-dlp

# Download sample configuration
sudo curl -o /etc/aquilon-dlp/aquilon_dlp_config.toml \
  https://raw.githubusercontent.com/aquilonsecurity/aquilon-dlp/main/docs/config-examples/aquilon_dlp_config_enterprise.toml

# Set permissions
sudo chmod 644 /etc/aquilon-dlp/aquilon_dlp_config.toml

Step 6: Configure Watch Paths

Edit /etc/aquilon-dlp/aquilon_dlp_config.toml:

# Monitor these directories
watch_paths = [
    "/Users/%%",          # All user home directories
    "/Volumes/%%",        # External drives
    "/data/%%"            # Data directories
]

# Exclude unnecessary paths
exclude_paths = [
    "/Users/*/.cache/%%",     # User caches
    "/Users/*/Library/%%"     # Library (optional)
]

# Enable all Enterprise policy frameworks
[policies]
enabled_policies = ["gdpr", "ccpa", "hipaa", "pci_dss", "sox", "iso27001"]

[policies.policy_configs.gdpr]
enabled = true

[policies.policy_configs.ccpa]
enabled = true

[policies.policy_configs.hipaa]
enabled = true

[policies.policy_configs.pci_dss]
enabled = true

[policies.policy_configs.sox]
enabled = true

[policies.policy_configs.iso27001]
enabled = true
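A dry-run matcher for the watch_paths/exclude_paths patterns used in this macOS configuration and in the Linux one earlier on this page. It is an added example, not Aquilon DLP code, and it assumes osquery-style glob semantics (%% recursive, % and * within one component), which the page does not spell out; use it to check whether a given file would be scanned before the daemon is restarted.

```python
import posixpath
import re

# Pattern semantics are ASSUMED (osquery-style globs; the page does not define them):
#   "%%" matches the remainder of the path at any depth,
#   "%" and "*" match any characters within a single path component.
def pattern_to_regex(pattern: str) -> "re.Pattern":
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("%%", i):
            parts.append(".*")
            i += 2
        elif pattern[i] in "%*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def explain(path: str, watch_paths, exclude_paths):
    """Return (verdict, matching_pattern) for one absolute path.

    Excludes win over watches. The path is normalised first so ".." segments
    cannot make an unwatched file look watched (symlinks are not resolved;
    use os.path.realpath on a live host for that)."""
    norm = posixpath.normpath(path)
    for pat in exclude_paths:
        if pattern_to_regex(pat).match(norm):
            return "excluded", pat
    for pat in watch_paths:
        if pattern_to_regex(pat).match(norm):
            return "watched", pat
    return "unwatched", None

def is_scanned(path: str, watch_paths, exclude_paths) -> bool:
    return explain(path, watch_paths, exclude_paths)[0] == "watched"

# Constructed sample: the Linux watch/exclude lists from this page.
WATCH = ["/home/%%", "/var/www/%%", "/data/%%"]
EXCLUDE = ["/home/*/.cache/%%", "/home/*/.local/%%"]

if __name__ == "__main__":
    for p in ["/home/alice/Documents/customers.csv",
              "/home/alice/.cache/pip/wheel.whl",
              "/home/alice/../../etc/passwd"]:
        print(p, "->", explain(p, WATCH, EXCLUDE))
```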

Running as a LaunchDaemon

Create /Library/LaunchDaemons/com.aquilonsecurity.dlp.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.aquilonsecurity.dlp</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/aquilon-dlp-enterprise</string>
        <string>--config</string>
        <string>/etc/aquilon-dlp/aquilon_dlp_config.toml</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>StandardOutPath</key>
    <string>/var/log/aquilon-dlp/stdout.log</string>
    <key>StandardErrorPath</key>
    <string>/var/log/aquilon-dlp/stderr.log</string>
</dict>
</plist>

Load and start:

# Create log directory
sudo mkdir -p /var/log/aquilon-dlp

# Load daemon
sudo launchctl load /Library/LaunchDaemons/com.aquilonsecurity.dlp.plist

# Check status
sudo launchctl list | grep aquilon

# View logs
tail -f /var/log/aquilon-dlp/stderr.log

Verification

# Check if running
sudo launchctl list | grep aquilon

# Expected log output (in /var/log/aquilon-dlp/stderr.log):
# Attempting to initialize Endpoint Security monitoring...
# Full Disk Access verified
# Endpoint Security client created successfully
# Endpoint Security monitoring active

# Query OSQuery tables (if OSQuery installed)
osqueryi "SELECT * FROM aquilon_dlp_alerts LIMIT 10;"


OSQuery Integration

Both editions integrate with OSQuery for monitoring and alerting.

Install OSQuery

Linux (Ubuntu/Debian):

curl -L https://pkg.osquery.io/deb/osquery_5.x_1.0.0_amd64.deb -o osquery.deb
sudo dpkg -i osquery.deb

Linux (RHEL/CentOS):

sudo yum install https://pkg.osquery.io/rpm/osquery-5.x-1.0.0.x86_64.rpm

macOS:

# Using Homebrew
brew install --cask osquery

# Or download PKG
curl -L https://pkg.osquery.io/darwin/osquery-5.x.pkg -o osquery.pkg
sudo installer -pkg osquery.pkg -target /

Configure Extension

Add to /etc/osquery/extensions.load:

/usr/local/bin/aquilon-dlp-basic --socket /var/osquery/osquery.em

(Replace aquilon-dlp-basic with aquilon-dlp-enterprise for macOS)

Query DLP Tables

-- Query alerts by severity
SELECT severity, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY severity;

Troubleshooting

Linux: Service Won’t Start

Check logs:

sudo journalctl -u aquilon-dlp -n 50

Common causes:

  • Invalid configuration file (run --validate-config)
  • Missing permissions on watch directories
  • Database lock (only one instance can run)

macOS: Full Disk Access Not Working

Symptoms: “Operation not permitted” errors

Solutions:

  1. Verify FDA in System Settings > Privacy & Security > Full Disk Access

  2. Remove and re-add the binary

  3. Restart the LaunchDaemon:

    sudo launchctl unload /Library/LaunchDaemons/com.aquilonsecurity.dlp.plist
    sudo launchctl load /Library/LaunchDaemons/com.aquilonsecurity.dlp.plist
    
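A small health check over the daemon's stderr.log, added here as an example (not part of Aquilon DLP), that ties the expected log lines from the macOS Verification section above to the Full Disk Access symptoms in this section. The marker strings are the page's own; the "Failed to create" line in the sample log is constructed.

```python
import re
from typing import Iterable, Optional, Tuple

# Marker strings quoted from this page's expected stderr.log output and from
# the "Operation not permitted" symptom described above.
INIT_MARKER = "Attempting to initialize Endpoint Security monitoring"
ACTIVE_MARKER = "Endpoint Security monitoring active"
FDA_DENIED = re.compile(r"operation not permitted", re.IGNORECASE)

def diagnose(lines: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Classify the daemon's state from stderr.log lines, read in order.

    Each "Attempting to initialize" line starts a fresh verdict, so after an
    unload/load cycle only the latest start counts. Returns one of
    "no_output", "initializing", "active" or "fda_missing" plus the
    deciding line."""
    status, evidence = "no_output", None
    for raw in lines:
        line = raw.rstrip("\n")
        if INIT_MARKER in line:
            status, evidence = "initializing", line
        elif ACTIVE_MARKER in line:
            status, evidence = "active", line
        elif FDA_DENIED.search(line):
            status, evidence = "fda_missing", line
    return status, evidence

def diagnose_file(path: str = "/var/log/aquilon-dlp/stderr.log"):
    """Run diagnose() over a log file on disk (path from this page)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return diagnose(fh)

# Constructed sample: a start without FDA, then a restart after granting it.
SAMPLE_LOG = [
    "Attempting to initialize Endpoint Security monitoring...\n",
    "Failed to create Endpoint Security client: Operation not permitted\n",
    "Attempting to initialize Endpoint Security monitoring...\n",
    "Full Disk Access verified\n",
    "Endpoint Security client created successfully\n",
    "Endpoint Security monitoring active\n",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG[:2]))  # first start: fda_missing
    print(diagnose(SAMPLE_LOG))      # after restart: active
```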

Policy Not Available (Basic Edition)

Symptom: “Unknown policy ‘hipaa’, skipping”

Cause: Basic Edition only includes GDPR and CCPA

Solution: Remove enterprise policies from configuration:

[policies]
enabled_policies = ["gdpr", "ccpa"]  # Only these available in Basic Edition

For enterprise policies (HIPAA, PCI DSS, SOX, ISO 27001), upgrade to Enterprise Edition.

High Resource Usage

Symptoms: High CPU or memory consumption

Solutions:

  1. Add exclusions for high-churn directories
  2. Exclude large binary files (.app, .dmg, .iso)
  3. Reduce num_workers in configuration
  4. Adjust max_scan_size_mb to skip large files

Next Steps