Use the Traps Agent for Linux
4.2 (EoS)
After you install Traps for Linux, Traps operates transparently in the background as a system process. Typically, it is not necessary to interact with the Traps agent; however, to perform common actions, such as initiating a manual check-in with the ESM Server, you can use the command-line utility (also available for Mac and Windows) named Cytool. Cytool is installed at /opt/traps/bin/cytool and must be run as root or with root permissions.

To use the Traps agent for Linux:
- Display the Cytool help. From the Linux server, run the cytool command without any arguments or with the -h or --help option.

    root@ubuntu:~$ /opt/traps/bin/cytool
    Usage: cytool <options>
    cytool - Support tool
    Options:
      -h --help                                            Display help information.
      enum                                                 List processes protected by Traps.
      startup query                                        List startup status for traps endpoint agent(s) and daemon(s).
      startup <enable | disable> <process_name | all>      Enable/Disable agent(s) and daemon(s) after reboot.
      runtime query                                        List runtime status for agent(s), daemon(s) and kernel extensions.
      runtime <start | stop> <process_name | all>          Start/Stop agent(s), daemon(s) and kernel extensions immediately.
      persist list                                         Display list of persistent databases.
      persist export <db_name | db_path>                   Export database(s) to the file(s) in JSON format.
      persist import <db_name | db_path> <file_name>       Import data into the database from the given JSON file.
      persist print <db_name | db_path> [csv]              Print database to the command prompt.
      log set-level <log_level> <process_name | all>       Set log level for the desired process.
      log collect                                          Generate support file archive.
      dump <enable | disable | restore>                    Enable/Disable dump generation or restore policy settings.
      checkin                                              Initiate Check In Now (send heartbeat to ESM).
      esm <connect | disconnect> [address=hostname:port]   Connect/Disconnect Traps to/from ESM.
  Follow the usage guidelines to run additional Cytool commands.
- List the currently running processes protected by Traps. Enter the cytool enum command.

    root@ubuntu:~$ cytool enum
    -----------------------------------
    Traps list of protected processes:
    -----------------------------------
    PID   CMD                    UID
    1098  /usr/sbin/cron -f      0
    1131  /usr/sbin/rsyslogd -n  104
  To view processes for all users, including those initiated by the operating system, specify the /a option.
- Start or stop Traps daemons. The Traps agent comprises the trapsd, authorized, and pmd daemons. To start or stop one or all daemons, enter either the cytool runtime [start | stop] [<process_name> | all] command or the cytool startup [enable | disable] [<process_name> | all] command. The behavior of both commands changes both the current running state and the startup registration status of the daemons when the server boots. For example:

    root@ubuntu:~$ /opt/traps/bin/cytool runtime stop trapsd
    Name        PID    User  Status   Command
    trapsd      N/A    N/A   STOPPED  N/A
    authorized  2179   root  Running  /opt/traps/bin/authorized
    pmd         2164   root  Running  /opt/traps/bin/pmd
    root@ubuntu:~$ /opt/traps/bin/cytool runtime start all
    Name        PID    User  Status   Command
    trapsd      26427  root  Running  /opt/traps/bin/trapsd
    authorized  2179   root  Running  /opt/traps/bin/authorized
    pmd         2164   root  Running  /opt/traps/bin/pmd
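  A stopped daemon means the host is no longer protected, so a defender typically wants a scheduled check that alerts on it. The following is an added example, not code from the Traps documentation: a POSIX shell function that parses the column layout shown above (as produced by cytool runtime query) and reports any of the three daemons that is not Running. The status text below is a constructed sample in that layout.

```shell
#!/bin/sh
# Added example (not part of the Traps documentation): check the runtime
# state of the three Traps daemons from "cytool runtime query" output.
# Column layout (Name PID User Status Command) and daemon names come from
# the documentation; the sample text below is constructed.

SAMPLE_STATUS='Name PID User Status Command
trapsd N/A N/A STOPPED N/A
authorized 2179 root Running /opt/traps/bin/authorized
pmd 2164 root Running /opt/traps/bin/pmd'

# check_traps_daemons STATUS_TEXT
# Prints "<daemon> <state>" for every expected daemon that is missing from
# the table or whose Status column is not "Running".
# Returns 0 when trapsd, authorized and pmd are all Running, 1 otherwise.
check_traps_daemons() {
    status_text=$1
    rc=0
    for daemon in trapsd authorized pmd; do
        # Skip the header row (NR > 1) and pull the Status column ($4).
        state=$(printf '%s\n' "$status_text" |
            awk -v d="$daemon" 'NR > 1 && $1 == d { print $4 }')
        if [ "$state" != "Running" ]; then
            printf '%s %s\n' "$daemon" "${state:-MISSING}"
            rc=1
        fi
    done
    return $rc
}

# Live usage on a Traps host (must run as root); feed the real query output:
# check_traps_daemons "$(/opt/traps/bin/cytool runtime query)" || echo "ALERT"
```

  Run it from cron and forward the non-zero exit or the printed daemon names to your monitoring system.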
- View the Traps security policy. Traps stores policy and security event information, such as the list of trusted signers, local verdicts, and one-time actions, in local databases in the /opt/traps/persist/ directory. To troubleshoot policy issues and security events, you can use Cytool to import, export, and view information stored in the local database. To view a list of all local databases, use the cytool persist list command.

    root@ubuntu:~$ /opt/traps/bin/cytool persist list
    Persistent database list:
    post_detection.db     Database of post-detection candidates
    agent_actions.db      Database of one time actions
    cloud_frontend.db     Database of Cloud frontend settings
    hashes_lru.db         Least recently used verdicts database
    cloud_reports.db      Database of Cloud reports
    hashes.db             Database of the verdicts received from WildFire
    esm_frontend.db       Database of ESM frontend settings
    policy.db             Policy database
    fvhash.db             Database of blacklisted fvhashes
    trusted_signers.db    Database of trusted signers
    hash_paths.db         Database of file paths
    hash_override.db      Database of hashes override (Admin exeptions)
    esm_reports.db        Database of ESM reports
    security_events.db    Database of security events (preventions)
    file_upload.db        Database of files being uploaded to ESM
    hashes_retransmit.db  Database of hashes to be retransmitted
    agent_settings.db     Database of agent settings
  To view the records of a database, use the cytool persist print [<database_name> | <database_path>] command, where you specify either the name of the database (see the cytool persist list command) or the path to the database. Or, to export the records of a database to a JSON file, use the cytool persist export [<database_name> | <database_path>] command. For example:

    root@ubuntu:~$ /opt/traps/bin/cytool persist print security_events.db
    Database security_events:
    persistence::DB: /opt/traps/persist/security_events.db: Open
    persistence::DB: /opt/traps/persist/security_events.db: Open: IO error: lock /opt/traps/persist/security_events.db/LOCK: Resource temporarily unavailable
    3c34dcc1-bc37-ffef-ed55-f5512df05884,
    Prevention ID: 3c34dcc1-bc37-ffef-ed55-f5512df05884
    Time: 2018-05-02T10:31:51Z
    Timezone offset (min): 240
    Module ID (CyveraComponent): 277
    Module status (CyStatus): 0xC0400015
    Blocked: false
    Source process ID: 14818
    Source process terminated: true
    Source process command line: /root/Desktop/Linux_testers/ROP/lighttpd system 0
    Source process file index: 0
    Target process ID: 0
    Target process terminated: false
    Target process command line:
    Target process file index: 0
    User ID: 0
    User name:
    Traps version: 4.2.0.601
    OS name: Linux
    OS version: Red Hat Enterprise Linux Server release 6.9 (Santiago)
    Machine name: ubuntu
    Dump path: /opt/traps/forensics/3c34dcc1-bc37-ffef-ed55-f5512df05884/
    Content version: 17-2805
    IP Address: 10.200.0.55
    Verdict (WildFire/Hash Control): 0 1
    Files:
      Name: lighttpd
      Path: /root/Desktop/Linux_testers/ROP
      Size: 0
      Hash: 8630c9e57ca58fb7966c80525c36f572416e0a8db617b8a43c946d4fa966a71c
      Version:
      Publisher:
      Quarantine ID:
      Signers: ''
    ------------------------------------------------
    ---------- END Security Event Files ----------
    root@ubuntu:~$ /opt/traps/bin/cytool persist export security_events.db
    persistence::DB: /opt/traps/persist/security_events.db: Open
    -rw-r--r-- 1 ubuntu root 25824 Jan 2 18:10 /home/ubuntu/traps/cytool/security_events.db_18.10.04.427_02.01.2018.json
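  The record format above is verbose for triage or SIEM forwarding. As an added example that is not part of the Traps documentation, the following POSIX shell function condenses the multi-line records printed by cytool persist print security_events.db into one pipe-delimited line per event, keyed on the field labels shown above. The two records in the sample are constructed; the second event (its ID, hash and command line) is invented to show multi-record handling.

```shell
#!/bin/sh
# Added example (not part of the Traps documentation): summarize the records
# printed by "cytool persist print security_events.db" into one line each.
# Field labels match the documented output; the records below are constructed
# (the second event is invented) to exercise multi-record parsing.

SAMPLE_EVENTS='Database security_events:
persistence::DB: /opt/traps/persist/security_events.db: Open
Prevention ID: 3c34dcc1-bc37-ffef-ed55-f5512df05884
Time: 2018-05-02T10:31:51Z
Module ID (CyveraComponent): 277
Blocked: false
Source process command line: /root/Desktop/Linux_testers/ROP/lighttpd system 0
Machine name: ubuntu
Files:
  Name: lighttpd
  Hash: 8630c9e57ca58fb7966c80525c36f572416e0a8db617b8a43c946d4fa966a71c
---------- END Security Event Files ----------
Prevention ID: 00000000-0000-0000-0000-000000000002
Time: 2018-05-03T08:00:00Z
Module ID (CyveraComponent): 277
Blocked: true
Source process command line: /usr/sbin/sshd -D
Machine name: ubuntu
Files:
  Name: sshd
  Hash: 0000000000000000000000000000000000000000000000000000000000000002
---------- END Security Event Files ----------'

# summarize_security_events PRINT_OUTPUT
# Emits: time|prevention_id|machine|blocked|module_id|sha256|command line
# A record is flushed when its "END Security Event Files" trailer is seen.
summarize_security_events() {
    printf '%s\n' "$1" | awk -F': ' '
        /^Prevention ID: /                  { id = $2 }
        /^Time: /                           { t = $2 }
        /^Module ID \(CyveraComponent\): /  { mod = $2 }
        /^Blocked: /                        { blocked = $2 }
        /^Source process command line: /    { cmd = $2 }
        /^Machine name: /                   { host = $2 }
        /^[[:space:]]*Hash: /               { hash = $2 }
        /END Security Event Files/ {
            printf "%s|%s|%s|%s|%s|%s|%s\n", t, id, host, blocked, mod, hash, cmd
            id = t = mod = blocked = cmd = host = hash = ""
        }'
}

# Live usage on a Traps host (must run as root):
# summarize_security_events "$(/opt/traps/bin/cytool persist print security_events.db)"
```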
  To add records to the database, use the cytool persist import [<database_name> | <database_path>] <input_filename> command, where <input_filename> is a JSON file.
- Collect logs. Use the cytool log set-level <log_level> [<process_name> | all] command to change the log level of a Traps component, where:
- <log_level> is an integer value corresponding to the log level:
- 1—Fatal
- 2—Critical
- 3—Error
- 4—Warning
- 5—Notice
- 6—Information
- 7—Debug
- 8—Trace
- <process_name> is the traps component: trapsd, authorized, or pmd.
  Then use the cytool log collect command to collect all logs in a TGZ file.

    root@ubuntu:~$ /opt/traps/bin/cytool log 1 trapsd
    root@ubuntu:~$ /opt/traps/bin/cytool log collect
    -rw-r--r-- 1 root root 1651939 Dec 30 20:33 /tmp/Traps_log_2017-12-30_20-33-22/Traps_log_2017-12-30_20-33-22.tgz
- Manually initiate a check-in with the server. Use the cytool checkin command to initiate the manual check-in. To verify the status of the check-in on the ESM Console, view the LAST SEEN date in the additional details view of an endpoint on the Endpoints page.
- Connect or disconnect from an ESM Server. Use the cytool esm disconnect command to disconnect from an ESM Server, or the cytool esm connect <hostname|IP address>:<port> command to connect to a specific ESM Server and port. Use http or https depending on the communication settings of the ESM Server. For example:

    root@ubuntu:~$ /opt/traps/bin/cytool esm disconnect
    root@ubuntu:~$ /opt/traps/bin/cytool esm connect http://203.0.113.35:2125
- View the version of Traps. To view the version of Traps on the Linux server, open or read the version.txt file in the /opt/traps/ directory. To read the version, you must run the command as root or with root permissions. For example:

    root@ubuntu:~$ cat /opt/traps/version.txt
    traps_linux-4.2.0.1040
    ce1707dadbbb67effb7bf08cd4edee60d9508377