COLLECTOR · LINUX
Deploy the Linux collector.
The collector is the read-only internal agent that runs inside your trust boundary and reaches a Domain Controller over private LDAPS — it never exposes the DC and needs only an unprivileged authenticated domain reader.
TUX Linux collector
Internal host · systemd timer · internal LDAPS reachability to a DC
Signed, reproducible Linux builds are produced on release. Verify the SHA-256 and the
minisign signature (docs/RELEASE.md), or reproduce the exact binary yourself with
scripts/build-release.sh. Until a build is deployed, use the zero-install
PowerShell collector below — it is available now.
PS1 PowerShell collector
Zero-install, human-auditable, same read-only attribute allow-list as the native collector. It
is the exact plaintext script — read it before you run it. All parsing, redaction, and
encryption stay in the audited Rust core at ingest, so the guarantees never rest on the script.
Download bastion-collect.ps1
Read-only · no-exploit · no-secrets. Paged, throttled, and schedulable so a large collection never stresses the DC. In connected mode it egresses a single outbound 443 to the suite; air-gapped, nothing leaves the boundary — the deliverable is the encrypted snapshot plus a self-contained HTML attack-path report.