Traps for Linux
The Traps agent protects Linux servers by preventing attackers from leveraging software exploits or vulnerabilities to compromise an endpoint. The Traps agent enforces your organization's security policy as defined in the ESM Console. When a security event occurs on an endpoint, Traps collects forensic information about that event, which you can use to analyze the incident further.

Traps for Linux supports the following features in the 4.2 release:
Feature | Support
---|---
Anti-exploit protection using the following EPMs: | Supported
Local analysis | —
Anti-malware execution using restriction rules | —
Quarantine and remediation | —
Centralized management of Traps agents from the ESM Console including ability to: | Supported
Language support | Supported
Agent Query | —
The following topics describe how to install, use, and manage Traps for Linux:
Set Up Traps for Linux
Use the following instructions to create the package and install it directly on the endpoint:
- Ensure the Linux server meets the Traps for Linux Requirements.
- Download the Traps for Linux software from the Customer Support Portal (https://support.paloaltonetworks.com).
- From the ESM Console, Create the Linux installation package using the Traps for Linux software version you downloaded in the previous step. To generate the installation package, you must be assigned a role that enables the Installation Package privilege; otherwise, this feature is disabled (hidden completely from view) or read-only. The ESM Console creates a new installation package based on the IP address and port settings the agent will use to connect to the ESM Server.
- Download the installation package to a location accessible by the Linux server.
- Install Traps for Linux.
Manage Linux Settings for Traps
- Select Settings > Agent > Settings.
- Select the action menu and Add a new rule.
- Select the type of rule and configure the associated settings:
  - Event Logging—Specify the log quota for local log storage on the endpoint.
  - Heartbeat Settings—Configure reporting and check-in frequency.
  - Communication Settings—Configure communication settings between the Traps agents and the ESM Servers.
  - Process Management—Collect information about new processes when they run on an endpoint and report them to the Endpoint Security Manager.
- Save or Apply the rule immediately.
Monitor Linux Endpoints
To monitor Linux endpoints:
- View the distribution of agents by OS. On the Dashboard, view the COMPUTER DISTRIBUTION AND VERSION chart. This chart displays the number of endpoints by OS and Traps version.
- View security events that occur on Linux endpoints. To filter any of the security events pages by Linux endpoints:
  - Select Security Events and then select a type of event.
  - Select the filter
  - Specify the match criteria. Use the Is equal to, Contains, or Starts with operator and specify the OS name and release number.
  - Select Filter. The ESM Console displays the security events that match the OS type (and optionally OS version).
  To clear the filter, select the applied filter icon
- Monitor the health of the Traps agent on Linux endpoints:
  - Select Monitor > Agent > Health.
  - Select the filter
  - Select the operator and filter criteria as described in the previous task (View security events that occur on Linux endpoints).
  - Select Filter. The ESM Console displays the agents that match the OS type (and optionally OS version).
  To clear the filter, select the applied filter icon
Upgrade or Uninstall Traps for Linux
After you install Traps for Linux, you can upgrade or uninstall the Traps software on the endpoint at any time. To upgrade the software, you must first download the upgrade package from the Support portal. To automatically distribute either action instruction to your Linux endpoints, you can create an action rule from the ESM Console.
- Review the Upgrade/Downgrade Considerations for Linux endpoints.
- Download the client upgrade package from the Support portal. This package contains installers for all supported operating systems.
- From the ESM Console, select Settings > Agent > Actions > Linux.
- From the action menu
- Select an action: Uninstall the Traps agent from the endpoint, or Upgrade from path to Browse to the client upgrade package you downloaded and Upload it for distribution to Linux endpoints. By default the rule applies to all Linux endpoints, but you can narrow the scope by configuring Conditions or specific target Objects.
- Save the rule without applying it to endpoints, or Apply the rule immediately. At the next heartbeat communication with the agent, Traps performs the rule action.