MinusNow Documentation
Deployment Guide

Agent Installation

Step-by-step instructions to install, configure, and verify the MinusNow agent on Linux, Windows, and macOS endpoints.

Architecture Overview

The MinusNow agent architecture uses a hub-and-spoke model. The application server (hub) communicates with client servers (spokes) through two complementary channels:

Channel 1 — SSH (Deployment & Management)

The application server connects to client servers via SSH (port 22) for initial agent deployment, configuration pushes, ad-hoc command execution, and remote troubleshooting. This is the administrative control channel.

Direction | Port | Purpose
App Server → Client | 22 (SSH) | Agent install, config push, remote exec
App Server → Client | 22 (SSH) | Patching, runbook execution, diagnostics

Channel 2 — HTTPS mTLS (Agent Telemetry)

Once installed, the agent establishes a persistent HTTPS/mTLS connection (port 8443) to the application server for metrics, heartbeats, auto-healing commands, and CMDB sync. This is the runtime data channel.

Direction | Port | Purpose
Agent → Server | 8443 (mTLS) | Telemetry, heartbeat, CMDB sync
Server → Agent | 9100 (HTTPS) | Push commands, auto-healing

Connection Flow Diagram

┌─────────────────────────────────────────────────────────────────────┐
│                     MinusNow Application Server                     │
│                                                                     │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────────┐  │
│  │  Web Portal   │  │  Agent Hub   │  │  SSH Management Engine   │  │
│  │  (port 443)   │  │ (port 8443)  │  │                          │  │
│  └──────────────┘  └──────┬───────┘  └────────────┬─────────────┘  │
│                           │ mTLS                   │ SSH (port 22)  │
└───────────────────────────┼────────────────────────┼────────────────┘
                            │                        │
              ┌─────────────┼────────────────────────┼─────────────┐
              │             │                        │             │
              ▼             ▼                        ▼             ▼
┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│  Client Server 1 │ │  Client Server 2 │ │  Client Server N │
│                  │ │                  │ │                  │
│  ┌────────────┐  │ │  ┌────────────┐  │ │  ┌────────────┐  │
│  │ mnow-agent │  │ │  │ mnow-agent │  │ │  │ mnow-agent │  │
│  │ (running)  │  │ │  │ (running)  │  │ │  │ (running)  │  │
│  └────────────┘  │ │  └────────────┘  │ │  └────────────┘  │
│                  │ │                  │ │                  │
│  mnow-agent user │ │  mnow-agent user │ │  mnow-agent user │
│  SSH authorized  │ │  SSH authorized  │ │  SSH authorized  │
└──────────────────┘ └──────────────────┘ └──────────────────┘

Both Channels Required

SSH is required for initial agent deployment, configuration management, and remote execution of runbooks/patches. The mTLS channel is required for ongoing monitoring, auto-healing, and CMDB telemetry. All MinusNow features (monitoring, auto-healing, vulnerability scanning, patching, capacity planning) require both channels to be operational. Without SSH connectivity, the application server cannot deploy or manage agents on client servers.

Prerequisites

Before installing the agent, ensure the target host meets these requirements. See the full OS Compatibility & Prerequisites page for detailed specifications.

Minimum Host Requirements

Requirement | Specification
CPU | 1 core available
RAM | 256 MB free (512 MB recommended)
Disk | 200 MB for agent + 500 MB for local data cache
Network | HTTPS (port 8443) outbound to MinusNow server
OS | Any supported OS

Firewall / Network

Direction | Port | Protocol | Purpose
App Server → Client | 22 | SSH | Agent deployment, config push, remote execution, patching
Agent → Server | 8443 | HTTPS (mTLS) | Command & control, telemetry push
Agent → Server | 443 | HTTPS | Agent download, update checks
Server → Agent | 9100 | HTTPS | Remote execution (optional, push model)

Network Tip

If direct connectivity to the central server is not available (air-gapped environments), deploy a satellite server in the local network. Agents communicate with the satellite, which syncs to the central server when connectivity allows.

Linux Installation

Ubuntu / Debian

  1. Download the Agent Package
    # Download the latest .deb package
    wget https://<your-minusnow-server>/downloads/mnow-agent_latest_amd64.deb
    
    # Or for ARM64 architecture:
    wget https://<your-minusnow-server>/downloads/mnow-agent_latest_arm64.deb
  2. Install the Package
    # Install with dpkg
    sudo dpkg -i mnow-agent_latest_amd64.deb
    
    # Install any missing dependencies
    sudo apt-get install -f -y
  3. Configure the Agent
    # Edit configuration file
    sudo nano /etc/mnow-agent/agent.conf
    Set the following values:
    [server]
    host = <your-minusnow-server-ip-or-fqdn>
    port = 8443
    use_tls = true
    
    [agent]
    hostname = $(hostname -f)
    tags = env:production, role:webserver, dc:us-east-1
    
    [monitoring]
    interval = 30
    collect_processes = true
    collect_services = true
    
    [autohealing]
    enabled = true
    max_attempts = 3
    cooldown_minutes = 15
  4. Start the Agent Service
    # Enable and start the service
    sudo systemctl enable mnow-agent
    sudo systemctl start mnow-agent
    
    # Verify it's running
    sudo systemctl status mnow-agent
  5. Register with Server
    # Register using the enrollment token from the MinusNow portal
    sudo mnow-agent register --token <ENROLLMENT_TOKEN>

RHEL / CentOS Stream / Rocky / AlmaLinux

  1. Download the Agent Package
    # Download the latest .rpm package
    curl -O https://<your-minusnow-server>/downloads/mnow-agent-latest.x86_64.rpm
    
    # Or for ARM64:
    curl -O https://<your-minusnow-server>/downloads/mnow-agent-latest.aarch64.rpm
  2. Install the Package
    # Install with dnf (RHEL 9 / Rocky 9 / AlmaLinux 9)
    sudo dnf install -y mnow-agent-latest.x86_64.rpm
    
    # Or with yum (RHEL 7/8, CentOS Stream)
    sudo yum install -y mnow-agent-latest.x86_64.rpm
  3. Configure the Agent
    # Edit configuration file
    sudo vi /etc/mnow-agent/agent.conf
    # (Same configuration as Ubuntu — see above)
  4. Start and Register
    sudo systemctl enable mnow-agent
    sudo systemctl start mnow-agent
    sudo mnow-agent register --token <ENROLLMENT_TOKEN>

SELinux

On RHEL-based systems with SELinux enforcing, the agent installer configures the necessary SELinux policies automatically. If you encounter permission issues, run: sudo setsebool -P mnow_agent_connect_any 1

SUSE Linux Enterprise Server (SLES)

  1. Download and Install
    # Download RPM
    curl -O https://<your-minusnow-server>/downloads/mnow-agent-latest.x86_64.rpm
    
    # Install with zypper
    sudo zypper install --allow-unsigned-rpm mnow-agent-latest.x86_64.rpm
  2. Configure, Start, and Register
    sudo vi /etc/mnow-agent/agent.conf
    sudo systemctl enable mnow-agent
    sudo systemctl start mnow-agent
    sudo mnow-agent register --token <ENROLLMENT_TOKEN>

Amazon Linux 2 / 2023

  1. Download and Install
    # Download RPM
    curl -O https://<your-minusnow-server>/downloads/mnow-agent-latest.x86_64.rpm
    
    # Install with yum
    sudo yum install -y mnow-agent-latest.x86_64.rpm
  2. Configure, Start, and Register
    sudo vi /etc/mnow-agent/agent.conf
    sudo systemctl enable mnow-agent
    sudo systemctl start mnow-agent
    sudo mnow-agent register --token <ENROLLMENT_TOKEN>

EC2 Metadata

On AWS, the agent automatically detects the instance ID, region, availability zone, VPC, and security groups via the EC2 metadata service. These are added as CMDB attributes.

Windows Installation

GUI Installer

  1. Download the Installer
    Download MinusNow-Agent-Setup.exe from the MinusNow portal (Admin → Downloads) or from:
    https://<your-minusnow-server>/downloads/MinusNow-Agent-Setup.exe
  2. Run the Installer
    Right-click → Run as Administrator. The installer wizard will prompt for:
    • MinusNow server address (IP or FQDN)
    • Server port (default: 8443)
    • Enrollment token
    • Agent tags (optional)
    • Installation directory (default: C:\Program Files\MinusNow\Agent)
  3. Complete Installation
    Click Install. The installer will:
    • Install agent files
    • Create the MinusNowAgent Windows service
    • Configure firewall rules
    • Register with the server
    • Start the agent service
  4. Verify
    Open Services (services.msc) and confirm MinusNow Agent is running. Or open PowerShell:
    Get-Service -Name MinusNowAgent

Silent (Unattended) Installation

For mass deployment via Group Policy, SCCM, or Intune:

# PowerShell — Silent install
.\MinusNow-Agent-Setup.exe /S /SERVER=<server-ip> /PORT=8443 /TOKEN=<ENROLLMENT_TOKEN> /TAGS="env:production,role:webserver"

# MSI alternative (for Group Policy deployment)
msiexec /i MinusNow-Agent.msi /qn SERVER=<server-ip> PORT=8443 TOKEN=<ENROLLMENT_TOKEN> TAGS="env:production"

Windows Service Account

The agent service runs as NT AUTHORITY\SYSTEM by default. For auto-healing actions that require domain credentials (e.g., restarting domain-joined services), configure the service to run as a domain account with local admin rights.

macOS Installation

  1. Download the Package
    # Download the .pkg installer
    curl -O https://<your-minusnow-server>/downloads/MinusNow-Agent-latest.pkg
  2. Install the Package
    # Install via command line
    sudo installer -pkg MinusNow-Agent-latest.pkg -target /
    
    # Or double-click the .pkg file for GUI installation
  3. Configure and Register
    # Edit configuration
    sudo nano /etc/mnow-agent/agent.conf
    
    # Start the agent
    sudo launchctl load /Library/LaunchDaemons/com.minusnow.agent.plist
    
    # Register with server
    sudo mnow-agent register --token <ENROLLMENT_TOKEN>
  4. Grant Full Disk Access (Optional)
    For monitoring all file system metrics, grant Full Disk Access to the agent in System Settings → Privacy & Security → Full Disk Access. Add /usr/local/bin/mnow-agent.

macOS Limitations

Due to macOS security restrictions (SIP, TCC), auto-healing capabilities are limited on macOS. The agent operates in monitoring + recommendations mode unless Full Disk Access and Accessibility permissions are granted.

Server Registration

How Registration Works

  1. Generate Enrollment Token
    In the MinusNow portal, navigate to Admin → Agent Management → Enrollment. Click Generate Token. Tokens can be scoped to: specific environments (production, staging), CI types, or organizational units. Tokens expire after 24 hours by default (configurable).
  2. Agent Sends Registration Request
    When you run mnow-agent register --token <TOKEN>, the agent sends its hostname, IP addresses, OS information, and the enrollment token to the server over HTTPS (mTLS).
  3. Server Validates and Enrolls
    The server validates the token, checks for duplicate hostnames, and creates a CI record in the CMDB. The agent receives: a unique agent ID, a client certificate for mTLS, and its initial configuration profile.
  4. Auto-Discovery Begins
    After registration, the agent immediately runs a full discovery scan: hardware inventory, installed software, running services, open ports, and network configuration. Results appear in the CMDB within 60 seconds.

Bulk Registration

For large deployments, use the bulk registration script:

# generate-enrollment.sh — Run on MinusNow server
# Creates a single token valid for N registrations, valid for 7 days
mnow-admin create-enrollment-token \
  --max-uses 500 \
  --expires-in 7d \
  --tags "env:production,dc:us-east-1" \
  --output token.txt

# Deploy via Ansible, Puppet, Chef, or shell loop
ansible all -m shell -a "mnow-agent register --token $(cat token.txt)"

SSH Remote Deployment

The MinusNow application server uses SSH to connect to client servers for agent deployment, configuration management, patching, runbook execution, and remote diagnostics. SSH connectivity between the application server and all client servers is required for all features to work.

Critical Requirement

Without SSH access from the application server to client servers, the following features will not function: remote agent installation, automated patching, runbook/automation execution, vulnerability remediation, capacity scanner, and remote diagnostics. The agent mTLS channel handles telemetry only — all management operations require SSH.

Step 1 — Create the SSH Service Account on the Application Server

The MinusNow application server uses a dedicated service account (minusnow) for all SSH operations:

# On the MinusNow Application Server
# This account is created during MinusNow installation — verify it exists:
id minusnow
# Expected: uid=1001(minusnow) gid=1001(minusnow) groups=1001(minusnow)

# Generate an SSH key pair (if not already created during installation)
sudo -u minusnow ssh-keygen -t ed25519 -C "minusnow-app-server" -f /home/minusnow/.ssh/id_ed25519 -N ""

# View the public key (you'll distribute this to all client servers)
cat /home/minusnow/.ssh/id_ed25519.pub

Step 2 — Prepare Client Servers for SSH Access

On each client server, create the mnow-agent user and authorize the application server's SSH key:

# On each Client Server — Run as root or via sudo

# 1. Create the mnow-agent user (if not yet created by agent installer)
useradd -r -m -s /bin/bash -c "MinusNow Agent" mnow-agent

# 2. Create .ssh directory with correct permissions
mkdir -p /home/mnow-agent/.ssh
chmod 700 /home/mnow-agent/.ssh

# 3. Add the application server's public key to authorized_keys
echo "ssh-ed25519 AAAA...your-public-key... minusnow-app-server" >> /home/mnow-agent/.ssh/authorized_keys
chmod 600 /home/mnow-agent/.ssh/authorized_keys
chown -R mnow-agent:mnow-agent /home/mnow-agent/.ssh

# 4. Configure sudoers for the mnow-agent user (see Auto-Healing Permissions section)
# This grants the scoped privileges needed for patching, service management, etc.
cp /path/to/mnow-agent-sudoers /etc/sudoers.d/mnow-agent
chmod 440 /etc/sudoers.d/mnow-agent
visudo -cf /etc/sudoers.d/mnow-agent   # Validate syntax

Step 3 — Configure SSH on the Application Server

Edit the SSH client config on the application server to define connection parameters for managed hosts:

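# /home/minusnow/.ssh/config — SSH client configuration
# ssh uses the first value it finds for each option, so host-specific
# blocks come first and the Host * defaults come last.

# Example: specific host overrides
Host db-server-01
    HostName 10.50.10.20
    Port 22

# %h expands to the full host name given on the command line
# (e.g. web-cluster-05), so it is combined with a DNS suffix here.
# example.com is a placeholder domain.
Host web-cluster-*
    HostName %h.example.com
    Port 2222

# Default settings for all managed client servers
Host *
    User mnow-agent
    IdentityFile /home/minusnow/.ssh/id_ed25519
    # accept-new records an unknown host key on first connection
    # and refuses the connection if a known key later changes
    StrictHostKeyChecking accept-new
    ServerAliveInterval 30
    ServerAliveCountMax 3
    ConnectTimeout 10
    ConnectionAttempts 3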

Step 4 — Verify SSH Connectivity

# From the MinusNow Application Server, test SSH to each client:
sudo -u minusnow ssh mnow-agent@<client-server-ip> "hostname && whoami && uptime"

# Expected output:
# client-server-01
# mnow-agent
# 10:30:00 up 45 days, ...

# Bulk verification (all managed hosts):
sudo -u minusnow mnow-admin ssh-test --all
# Expected: All hosts reachable ✓

Step 5 — Remote Agent Deployment via SSH

Once SSH connectivity is verified, deploy agents remotely from the portal or CLI:

# Deploy agent to a single host
sudo -u minusnow mnow-admin deploy-agent \
  --host 10.50.10.20 \
  --token <ENROLLMENT_TOKEN> \
  --tags "env:production,role:database"

# Deploy agent to multiple hosts from a CSV
sudo -u minusnow mnow-admin deploy-agent \
  --hosts-file /etc/mnow/hosts.csv \
  --token <ENROLLMENT_TOKEN> \
  --parallel 10

# hosts.csv format:
# ip,hostname,tags
# 10.50.10.20,db-server-01,"env:production,role:database"
# 10.50.10.21,web-server-01,"env:production,role:webserver"
# 10.50.10.22,app-server-01,"env:production,role:application"

What happens during remote deployment

The application server SSHs into the client server as mnow-agent, copies the agent package, installs it, writes agent.conf with the server address and enrollment token, starts the agent service, and triggers registration. The entire process takes <60 seconds per host.

Windows Client Servers — SSH/WinRM

For Windows client servers, the application server can connect via OpenSSH (Windows 10+/Server 2019+) or WinRM:

# Option A: Enable OpenSSH Server on Windows clients
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic

# Option B: Enable WinRM (for older Windows)
winrm quickconfig -force
Enable-PSRemoting -Force

# On the MinusNow app server, deploy via:
sudo -u minusnow mnow-admin deploy-agent \
  --host 10.50.10.30 \
  --os windows \
  --auth winrm \
  --credential <stored-credential-id>

SSH Key Security

The application server's private key is stored at /home/minusnow/.ssh/id_ed25519 with 0600 permissions, owned by the minusnow service account. This key should be rotated every 90 days. Use mnow-admin rotate-ssh-keys to automate key rotation across all managed hosts.

Auto-Healing Permissions

Important

Auto-healing requires elevated privileges. Without proper configuration, the agent operates in monitoring-only mode and cannot execute remediation actions.

Linux — Sudoers Configuration

The agent installer creates the mnow-agent user. To enable auto-healing, grant scoped sudo access:

# /etc/sudoers.d/mnow-agent
# Scoped privilege escalation for MinusNow auto-healing

# Service management
mnow-agent ALL=(root) NOPASSWD: /usr/bin/systemctl restart *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/systemctl start *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/systemctl stop *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/systemctl status *

# Package management (for patching)
mnow-agent ALL=(root) NOPASSWD: /usr/bin/apt-get update
mnow-agent ALL=(root) NOPASSWD: /usr/bin/apt-get install *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/apt-get upgrade *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/dnf update *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/dnf install *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/yum update *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/yum install *

# Disk cleanup
mnow-agent ALL=(root) NOPASSWD: /usr/bin/journalctl --vacuum-size=*
mnow-agent ALL=(root) NOPASSWD: /usr/bin/find /tmp -type f -mtime +7 -delete
mnow-agent ALL=(root) NOPASSWD: /usr/bin/find /var/log -name "*.gz" -mtime +30 -delete

# Process management
mnow-agent ALL=(root) NOPASSWD: /usr/bin/kill *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/renice *

# System reboot (use with caution)
mnow-agent ALL=(root) NOPASSWD: /usr/sbin/reboot
mnow-agent ALL=(root) NOPASSWD: /usr/sbin/shutdown -r *

# Log access
mnow-agent ALL=(root) NOPASSWD: /usr/bin/journalctl *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/cat /var/log/*

Security Best Practice

Never grant unrestricted NOPASSWD: ALL to the agent. The scoped approach above limits the agent to specific commands. Audit the sudoers file with your security team. All agent-executed commands are logged in the MinusNow audit trail and in /var/log/mnow-agent/actions.log.
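
To support the audit recommended above, this added example (not MinusNow code) classifies each NOPASSWD rule by how much of the command line it fixes, using the sudoers(5) matching rules: a command listed without arguments accepts any arguments, and a wildcard in the argument list also matches across spaces. It assumes one rule per line in the layout used above; the function names are illustrative.

```sh
#!/bin/sh
# Added example, not MinusNow code. Classifies each NOPASSWD rule in a
# sudoers.d fragment by how much of the command line it pins down.
# Assumes the page's layout, one rule per line:
#   user host=(runas) NOPASSWD: /path/to/cmd [args]

# classify_args ARGS -> open-args | glob-arg | exact
classify_args() {
    case "$1" in
        # No argument list, or a free-standing *: any arguments are accepted.
        ''|'*'|*' *') echo open-args ;;
        # Wildcard inside an argument: it can also match across spaces.
        *'*'*|*'?'*|*'['*) echo glob-arg ;;
        # Fully literal argument list ("" means: no arguments allowed).
        *) echo exact ;;
    esac
}

# audit_sudoers FILE -> one "label<TAB>command" line per NOPASSWD rule
audit_sudoers() {
    while read -r user hosts tag cmd args || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac   # blank lines, comments
        [ "$tag" = "NOPASSWD:" ] || continue
        if [ "$cmd" = ALL ]; then
            label=unrestricted                      # NOPASSWD: ALL
        else
            label=$(classify_args "$args")
        fi
        printf '%s\t%s%s\n' "$label" "$cmd" "${args:+ $args}"
    done < "$1"
    return 0
}

# count_label LABEL FILE -> number of rules carrying that label
count_label() {
    audit_sudoers "$2" |
        awk -F'\t' -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# write_sample PATH -> writes seven rules copied from the sudoers file above
write_sample() {
    cat > "$1" <<'EOF'
# Constructed sample: excerpt of /etc/sudoers.d/mnow-agent
mnow-agent ALL=(root) NOPASSWD: /usr/bin/systemctl restart *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/apt-get update
mnow-agent ALL=(root) NOPASSWD: /usr/bin/apt-get install *
mnow-agent ALL=(root) NOPASSWD: /usr/bin/journalctl --vacuum-size=*
mnow-agent ALL=(root) NOPASSWD: /usr/bin/find /tmp -type f -mtime +7 -delete
mnow-agent ALL=(root) NOPASSWD: /usr/sbin/reboot
mnow-agent ALL=(root) NOPASSWD: /usr/bin/cat /var/log/*
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sudoers "$sample"
rm -f "$sample"
```

Rules reported as open-args or glob-arg are the ones to review first, for instance by replacing them with one literal rule per service unit or package the agent is expected to touch.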

Windows — Agent Service Account

Scenario | Service Account | Capabilities
Monitoring Only | NT AUTHORITY\NETWORK SERVICE | Metric collection, process listing, service status
Basic Auto-Healing | NT AUTHORITY\SYSTEM (default) | Service restart, disk cleanup, process management
Full Auto-Healing | Domain account with local admin | All of the above + Windows Update, IIS management, AD operations

To change the service account:

# PowerShell — Change service account
# Set-Service -Credential requires PowerShell 6.0 or later
$cred = Get-Credential -Message "Enter domain service account"
Set-Service -Name MinusNowAgent -Credential $cred
Restart-Service -Name MinusNowAgent

Feature-to-Agent Mapping

The following table maps each MinusNow application feature to the agent capabilities and connectivity channels it requires. Features marked "SSH+Agent" require both SSH connectivity from the app server and a running agent on the client server.

Application Feature | Requires Agent | Requires SSH | Agent Capabilities Used
Infrastructure Monitoring | Yes | Deploy | CPU, RAM, disk, network, process collection (mTLS)
Auto-Healing | Yes | Yes | Service restart, process kill, disk cleanup (sudo)
Vulnerability Scanning | Yes | Yes | Package enumeration, CVE matching, remediation exec
Patch Management | Yes | Yes | apt/yum/dnf update execution, reboot scheduling
Capacity Planning | Yes | Deploy | Resource trend data, growth forecasting metrics
Capacity Scanner | Yes | Yes | Deep scan: storage, IOPS, network throughput profiling
CMDB / Asset Discovery | Yes | Deploy | HW/SW inventory, service map, port scan
Server Build & Provisioning | Optional | Yes | SSH-based provisioning, post-config, hardening
Automation & Runbooks | Optional | Yes | SSH remote execution of scripts/runbooks on targets
Alerts & Notifications | Yes | Deploy | Threshold monitoring, event correlation
Application Health Monitor | Yes | Deploy | App process monitoring, memory/CPU per-process
Shift Handover | No | No | Portal-only feature (reads agent data)
Incident / Change / Problem | No | No | Portal-only (enriched by agent CMDB data)
KPI Dashboard / Reports | No | No | Portal-only (aggregates agent metrics)

Feature Activation

Features are activated via Settings → Feature Management in the application. However, features that depend on agent connectivity will show "No Data" or limited functionality until agents are deployed on the target client servers via SSH and registered via mTLS. Deploy agents first, then enable features.

Required Users & Permissions

The MinusNow agent system requires specific user accounts on both the application server and client servers. All accounts follow the principle of least privilege.

Application Server Users

User | Purpose | Shell | Home Dir | Key Permissions
minusnow | Application service owner. Runs the MinusNow web app, API server, and SSH management engine. | /bin/bash | /home/minusnow | Owns app files, SSH private key for remote access to all client servers, manages agent deployments, runs patching and runbook operations.
mnow_backup | Automated backup operations. Runs scheduled database backups and file-system snapshots. | /usr/sbin/nologin | /home/mnow_backup | Read access to database, write access to backup directory, cron scheduling.
mnow_monitor | Self-monitoring of the application server. Collects health metrics for the MinusNow app itself. | /usr/sbin/nologin | /home/mnow_monitor | Read-only access to logs, /proc, and systemd service status.

Client Server Users

User | Purpose | Shell | Home Dir | Key Permissions
mnow-agent | Agent runtime user. Runs the mnow-agent daemon, collects metrics, executes auto-healing actions. | /bin/bash | /home/mnow-agent | SSH authorized_keys: app server's minusnow public key; Scoped sudo: systemctl, apt/dnf/yum, journalctl, kill, renice, reboot; Read access: /proc, /sys, /var/log, installed package lists; Write access: /var/log/mnow-agent/, /etc/mnow-agent/; mTLS client cert: /etc/mnow-agent/certs/

Creating Users — Quick Reference

Application Server Setup

# Create the minusnow service account
useradd -r -m -s /bin/bash -c "MinusNow App" minusnow

# Create backup account (no login)
useradd -r -m -s /usr/sbin/nologin -c "MinusNow Backup" mnow_backup

# Create monitor account (no login)
useradd -r -m -s /usr/sbin/nologin -c "MinusNow Monitor" mnow_monitor

# Generate SSH key for remote management
sudo -u minusnow ssh-keygen -t ed25519 \
  -C "minusnow-app" \
  -f /home/minusnow/.ssh/id_ed25519 -N ""

# Set ownership on app directory
chown -R minusnow:minusnow /opt/minusnow

Client Server Setup

# Create the mnow-agent user
useradd -r -m -s /bin/bash -c "MinusNow Agent" mnow-agent

# Set up SSH authorized_keys
mkdir -p /home/mnow-agent/.ssh
# Paste the minusnow public key:
echo "<minusnow-pub-key>" > \
  /home/mnow-agent/.ssh/authorized_keys
chmod 700 /home/mnow-agent/.ssh
chmod 600 /home/mnow-agent/.ssh/authorized_keys
chown -R mnow-agent:mnow-agent /home/mnow-agent/.ssh

# Install sudoers (see Auto-Healing section)
cp mnow-agent-sudoers /etc/sudoers.d/mnow-agent
chmod 440 /etc/sudoers.d/mnow-agent

Windows Client Permissions

Account | Type | Required Permissions
NT AUTHORITY\SYSTEM | Default agent service account | Built-in; no additional config needed. Supports service management, process control, WMI queries.
DOMAIN\svc-mnow-agent | Domain service account (for full auto-healing) | Local Administrator group on each client. Required for: Windows Update, IIS/AD management, GPO operations. Password managed via AD and stored encrypted in MinusNow vault.
DOMAIN\svc-mnow-ssh | SSH service account (for remote deployment) | OpenSSH authorized key from the app server. Local Administrator on target. Used for remote agent installation and config push.

Credential Storage

All passwords and SSH private keys are stored in the MinusNow encrypted vault (/opt/minusnow/vault/), encrypted at rest with AES-256-GCM. Access is restricted to the minusnow service account. Credentials are never written to logs or transmitted in plaintext.

agent.conf Full Reference

The agent configuration file is located at /etc/mnow-agent/agent.conf (Linux/macOS) or C:\ProgramData\MinusNow\Agent\agent.conf (Windows).

# ============================================================
# MinusNow Agent Configuration — agent.conf
# ============================================================

[server]
# MinusNow application server address (IP or FQDN)
host = minusnow.example.com
# mTLS port for agent communication (default: 8443)
port = 8443
# Enable TLS (always true in production)
use_tls = true
# Path to server CA certificate (for mTLS validation)
ca_cert = /etc/mnow-agent/certs/ca.pem

[agent]
# Fully qualified hostname of this client server
hostname = $(hostname -f)
# Comma-separated tags for organizing hosts in the portal
tags = env:production, role:webserver, dc:us-east-1, team:platform
# Unique agent ID (auto-populated after registration)
agent_id =
# Log level: debug, info, warn, error
log_level = info
# Log file location
log_file = /var/log/mnow-agent/agent.log
# Max log file size before rotation (MB)
log_max_size = 50
# Number of rotated log files to keep
log_max_files = 10

[monitoring]
# Metric collection interval in seconds (min: 10, max: 300)
interval = 30
# Collect running process list
collect_processes = true
# Collect service/daemon status
collect_services = true
# Collect network interface statistics
collect_network = true
# Collect disk I/O metrics
collect_disk_io = true
# Collect container metrics (Docker/Podman)
collect_containers = true
# Process name exclusion patterns (regex, comma-separated)
exclude_processes = kworker/*, ksoftirqd/*

[autohealing]
# Enable auto-healing actions (requires sudoers config)
enabled = true
# Maximum auto-healing attempts per issue before escalation
max_attempts = 3
# Cooldown between retry attempts (minutes)
cooldown_minutes = 15
# Auto-healing actions allowed (comma-separated)
# Options: service_restart, disk_cleanup, process_kill, log_rotate, reboot
allowed_actions = service_restart, disk_cleanup, process_kill, log_rotate
# Require portal approval before executing (true = manual approval)
require_approval = false

[security]
# mTLS client certificate (received during registration)
client_cert = /etc/mnow-agent/certs/agent.pem
# mTLS client private key
client_key = /etc/mnow-agent/certs/agent-key.pem
# Enable vulnerability scanning
vuln_scan_enabled = true
# Vulnerability scan schedule (cron format)
vuln_scan_schedule = 0 2 * * *
# Enable file integrity monitoring
fim_enabled = false
# FIM monitored paths (comma-separated)
fim_paths = /etc, /usr/bin, /usr/sbin

[updates]
# Enable automatic agent updates
auto_update = true
# Update channel: stable, beta, or nightly
update_channel = stable
# Maintenance window for agent restarts (UTC, HH:MM-HH:MM)
maintenance_window = 02:00-04:00
# Maximum percentage of fleet updating simultaneously
max_concurrent_updates = 10%

[proxy]
# HTTP proxy for agent-to-server communication (optional)
# http_proxy = http://proxy.example.com:3128
# https_proxy = http://proxy.example.com:3128
# no_proxy = localhost,127.0.0.1,10.0.0.0/8
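
A pre-deployment check for the settings above, as an added example that is not part of MinusNow: it parses agent.conf and reports values outside what the reference states (use_tls, the 10 to 300 second interval, the listed allowed_actions). The reboot-needs-approval and stable-channel-only checks, the stripping of inline # comments, and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not MinusNow code: lint an agent.conf against the limits
# stated in the reference above, plus two labelled policy assumptions.

# conf_get FILE SECTION KEY -> value of KEY in [SECTION] (empty if unset)
conf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }           # comments, blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                       # [section] header
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
        }
        sec == want_sec {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            sub(/[ \t]+#.*$/, "", val)                 # assumption: inline comments
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want_key) found = val           # last assignment wins
        }
        END { print found }
    ' "$1"
}

# lint_agent_conf FILE -> one finding per line, nothing if the file is clean
lint_agent_conf() {
    f=$1
    if [ "$(conf_get "$f" server use_tls)" != true ]; then
        echo "server.use_tls: not true, agent traffic would not use TLS"
    fi
    if [ -z "$(conf_get "$f" server ca_cert)" ]; then
        echo "server.ca_cert: unset, no CA to validate the server certificate"
    fi
    interval=$(conf_get "$f" monitoring interval)
    case "$interval" in
        ''|*[!0-9]*) echo "monitoring.interval: '$interval' is not an integer" ;;
        *) if [ "$interval" -lt 10 ] || [ "$interval" -gt 300 ]; then
               echo "monitoring.interval: $interval outside documented 10-300 s"
           fi ;;
    esac
    actions=$(conf_get "$f" autohealing allowed_actions)
    approval=$(conf_get "$f" autohealing require_approval)
    printf '%s\n' "$actions" | tr ',' '\n' | while read -r a; do
        case "$a" in
            ''|service_restart|disk_cleanup|process_kill|log_rotate) ;;
            reboot)
                # Assumption of this example: reboots need portal approval.
                if [ "$approval" != true ]; then
                    echo "autohealing.allowed_actions: reboot without require_approval"
                fi ;;
            *) echo "autohealing.allowed_actions: unknown action '$a'" ;;
        esac
    done
    # Assumption of this example: auto-updating hosts track the stable channel.
    if [ "$(conf_get "$f" updates auto_update)" = true ] &&
       [ "$(conf_get "$f" updates update_channel)" != stable ]; then
        echo "updates.update_channel: auto_update enabled on a non-stable channel"
    fi
    return 0
}

# count_findings FILE -> number of findings
count_findings() { lint_agent_conf "$1" | wc -l | tr -d ' '; }

# write_weak_sample PATH -> constructed agent.conf with deliberately weak values
write_weak_sample() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real host's configuration
[server]
host = minusnow.example.com
port = 8443
use_tls = false

[monitoring]
interval = 5

[autohealing]
enabled = true
allowed_actions = service_restart, reboot, run_script
require_approval = false

[updates]
auto_update = true
update_channel = nightly   # inline comment
EOF
}

conf=$(mktemp)
write_weak_sample "$conf"
lint_agent_conf "$conf"
rm -f "$conf"
```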

Certificate Lifecycle (mTLS)

Agent-to-server communication is secured with mutual TLS (mTLS). Each agent receives a unique client certificate during registration.

Certificate Flow

  1. Registration — During mnow-agent register, the server generates a unique X.509 client certificate signed by the MinusNow internal CA. The certificate is returned securely over the initial TLS handshake and stored locally.
  2. Runtime — Every request from the agent to the server includes the client certificate. The server validates the certificate against its CA, verifies the agent ID embedded in the Subject CN, and checks for revocation.
  3. Renewal — Certificates are valid for 365 days. The agent automatically requests renewal 30 days before expiry. Renewal is transparent — no downtime or manual action required.
  4. Revocation — If an agent is decommissioned or compromised, revoke its certificate from the portal: Admin → Agent Management → Revoke Certificate. The agent is immediately blocked from connecting.

Certificate Storage

File | Location (Linux) | Location (Windows) | Purpose
ca.pem | /etc/mnow-agent/certs/ | C:\ProgramData\MinusNow\Agent\certs\ | Server CA certificate (validates server identity)
agent.pem | /etc/mnow-agent/certs/ | C:\ProgramData\MinusNow\Agent\certs\ | Agent client certificate (proves agent identity)
agent-key.pem | /etc/mnow-agent/certs/ | C:\ProgramData\MinusNow\Agent\certs\ | Agent private key (0600 permissions, agent-only)

Private Key Protection

The agent private key (agent-key.pem) must have 0600 permissions and be owned by the mnow-agent user. Never copy this key to other hosts. If a key is compromised, revoke the certificate immediately from the portal and re-register the agent.

Verification Checklist

After installation, verify these items to confirm the agent is fully operational:

Linux Verification

# 1. Service status
sudo systemctl status mnow-agent
# Expected: Active (running)

# 2. Agent version
mnow-agent --version
# Expected: MinusNow Agent v2.x.x

# 3. Registration status
mnow-agent status
# Expected: Registered: true, Server: connected, Last heartbeat: <timestamp>

# 4. Test connectivity to server
mnow-agent connectivity-test
# Expected: All checks passed ✓

# 5. Check agent logs
sudo tail -50 /var/log/mnow-agent/agent.log
# Look for: "Successfully registered", "Heartbeat sent", "Discovery complete"

# 6. Verify in the portal
# Navigate to Admin → Agent Management
# The new host should appear with status "Online"

Windows Verification

# 1. Service status
Get-Service -Name MinusNowAgent | Format-List Name, Status, StartType

# 2. Agent version
& "C:\Program Files\MinusNow\Agent\mnow-agent.exe" --version

# 3. Registration status
& "C:\Program Files\MinusNow\Agent\mnow-agent.exe" status

# 4. Check logs
Get-Content "C:\ProgramData\MinusNow\Agent\logs\agent.log" -Tail 50

# 5. Test connectivity
& "C:\Program Files\MinusNow\Agent\mnow-agent.exe" connectivity-test

Success Indicators

Within 60 seconds of registration, you should see: (1) Host appears in Admin → Agent Management with "Online" status. (2) Basic metrics (CPU, RAM, Disk) appear in Monitoring dashboard. (3) A new CI record is created in CMDB → All Assets with full hardware and software inventory.

Agent Upgrades

Automatic Upgrades (Recommended)

Agents auto-update by default. When a new version is published, agents download and install the update during the next maintenance window. Configure in agent.conf:

[updates]
auto_update = true
update_channel = stable   # stable | beta
maintenance_window = 02:00-04:00   # UTC, agent restarts within this window
max_concurrent_updates = 10%   # % of fleet updating simultaneously

Manual Upgrades

Linux

# Ubuntu/Debian
sudo dpkg -i mnow-agent_v2.5.0_amd64.deb

# RHEL/CentOS/Rocky
sudo dnf upgrade -y mnow-agent-2.5.0.x86_64.rpm

# Restart agent
sudo systemctl restart mnow-agent

Windows

# Run new installer (detects existing install)
.\MinusNow-Agent-Setup-v2.5.0.exe /S

# Or via MSI
msiexec /i MinusNow-Agent-v2.5.0.msi /qn REINSTALL=ALL

Fleet-Wide Upgrade via Portal

  1. Upload New Agent Version
    Navigate to Admin → Agent Management → Versions. Upload the new agent package. The server validates the package signature and checksum.
  2. Create Upgrade Campaign
    Select target hosts by filter (OS, tags, environment) or select all. Set rollout strategy: immediate, staged (10% → 50% → 100%), or maintenance-window only.
  3. Monitor Rollout
    Track the upgrade progress in the campaign dashboard. The system automatically pauses if error rate exceeds the configured threshold (default: 5%). Failed upgrades are automatically rolled back.

Troubleshooting

Symptom | Possible Cause | Resolution
Agent fails to start | Port conflict, missing dependencies | Check logs: /var/log/mnow-agent/agent.log. Verify port 9100 is available. Install missing libraries: sudo apt install libssl3
Registration fails | Invalid token, network blocked, cert mismatch | Verify token hasn't expired. Check firewall allows outbound 8443. Run mnow-agent connectivity-test for detailed diagnostics.
"Disconnected" in portal | Agent stopped, network issue, server unreachable | Check systemctl status mnow-agent. Verify network path. Check server health at https://<server>:8443/health
High CPU usage by agent | Too frequent collection interval, large process list | Increase collection interval in agent.conf. Exclude noisy process monitoring. Check for discovery loops.
Auto-healing not executing | Missing sudo permissions, healing disabled | Verify /etc/sudoers.d/mnow-agent exists. Check [autohealing] enabled = true in agent.conf. Review actions.log for permission errors.
Windows agent permission errors | Service running as NETWORK SERVICE | Change service to run as SYSTEM or a domain admin account. See Auto-Healing Permissions.
SELinux blocking agent (RHEL) | SELinux policy not applied | Run: sudo setsebool -P mnow_agent_connect_any 1 and sudo restorecon -Rv /opt/mnow-agent/
Metrics not appearing | Agent registered but monitoring profile not assigned | Assign a monitoring profile in Monitoring → Profiles or use the default profile. Metrics appear within 60 seconds of profile assignment.

Collecting Debug Logs

# Enable debug logging temporarily
sudo mnow-agent set-log-level debug

# Reproduce the issue, then collect logs
sudo mnow-agent collect-diagnostics --output /tmp/mnow-diag.tar.gz

# This bundle includes: agent.log, config (redacted), system info, connectivity test, last 100 actions

# Reset logging level
sudo mnow-agent set-log-level info

Uninstallation

Ubuntu / Debian

sudo systemctl stop mnow-agent
sudo systemctl disable mnow-agent
sudo dpkg --purge mnow-agent
sudo rm -rf /etc/mnow-agent
sudo rm -rf /var/log/mnow-agent
sudo userdel mnow-agent

RHEL / CentOS / Rocky

sudo systemctl stop mnow-agent
sudo systemctl disable mnow-agent
sudo dnf remove mnow-agent
sudo rm -rf /etc/mnow-agent
sudo rm -rf /var/log/mnow-agent
sudo userdel mnow-agent

Windows

# Via installer (run from the directory that contains the installer)
.\MinusNow-Agent-Setup.exe /S /UNINSTALL

# Or via Control Panel
# Programs → MinusNow Agent → Uninstall

# Clean up data
Remove-Item "C:\ProgramData\MinusNow" -Recurse -Force

Portal Cleanup

After uninstalling, decommission the agent in the portal: Admin → Agent Management → select host → Decommission. This archives the CI record and releases the license seat.