Install the Traps Agent for Linux

Traps Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 5.0
Creation date: 2022-09-01
Last date published: 2023-01-04
Category: Administrator Guide

Traps for Linux is designed to protect Linux servers and runs transparently in the background as a system process. After you install Traps for Linux, you normally do not need to interact with the agent; for common actions, such as initiating a manual check-in with the Traps management service, use the command-line utility Cytool (also available for Mac and Windows). Cytool is installed at /opt/traps/bin/cytool and must be run as root or with root permissions.

Before installing Traps on a Linux server, verify that the system meets the requirements described in Traps for Linux Requirements.

Note

If you intend to use SELinux, enable it before you proceed with the Traps installation. The installer then disables the injection-based modules that are incompatible with SELinux. If you enable SELinux only after installing Traps, you must reinstall Traps to avoid compatibility issues.

You can then install Traps using software distribution tools that support Linux such as Satellite or Chef, or you can manually install Traps using the following workflow:

  1. Download the Traps installation script from the Traps management service.

    The Traps management service saves the installation script using the name you provided to identify the package.

  2. Copy the installation package to the Linux server on which you want to install the Traps software.

    For example, to copy the file securely from a local machine to the Linux server (the script is executed from /tmp in the example below, so /tmp must not be mounted noexec on the target):

    user@local ~
    $ scp linux.sh root@ubuntu.example.com:/tmp 
    linux.sh                                100%   21MB   1.2MB/s   00:18
    
  3. Log on to the Linux server and install the Traps software.

    1. Run the install script as root or with root permissions.

      For example:

      user@local ~
      $ ssh root@ubuntu.example.com
      Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1041-aws x86_64)
      
       * Documentation:  https://help.ubuntu.com
       * Management:     https://landscape.canonical.com
       * Support:        https://ubuntu.com/advantage
      
        Get cloud support with Ubuntu Advantage Cloud Guest:
          http://www.ubuntu.com/business/services/cloud
      
      0 packages can be updated.
      0 updates are security updates.
      
      
      Last login: Tue Dec 26 22:14:15 2017 from 192.168.1.100
      root@ubuntu:/$ cd /tmp
      root@ubuntu:/tmp$ ls
      linux.sh
      root@ubuntu:/tmp$ ./linux.sh
      Verifying archive integrity... All good.
      Uncompressing Traps 634e4d93bb3fb87a Installer for Cloud  100%
      [*] Extracting Traps Installer
      Verifying archive integrity... All good.
      Uncompressing Traps traps_linux-0.7.0-dbg installer  100%
      [1] Checking prerequisites
      Verifying Debian (dpkg) packages:
        * openssl ... OK
        * ca-certificates ... OK
      Done
      [2] Installing Traps at /opt/traps
      Done
      [3] Creating logger directory
      Done
      [4] Installing AppArmor policies
      Done
      [5] Defining Traps local services (systemd)
      Created symlink from /etc/systemd/system/multi-user.target.wants/traps_trapsd.service to /etc/systemd/system/traps_trapsd.service.
      Created symlink from /etc/systemd/system/multi-user.target.wants/traps_pmd.service to /etc/systemd/system/traps_pmd.service.
      Created symlink from /etc/systemd/system/multi-user.target.wants/traps_authorized.service to /etc/systemd/system/traps_authorized.service.
      Done
      [*] Starting Traps security services (systemd)
      Done

      The script installs the files for the Traps agent for Linux in the /opt/traps directory, with the Cytool utility at /opt/traps/bin/cytool.

      After the Traps agent successfully connects to the server for the first time and retrieves a valid license, the agent begins protecting the Linux server.

      Note

      If the Traps agent cannot register with the Traps management service, the agent does not retry registration. To retry, reinstall the Traps agent on the server.

  4. Configure a Traps-specific proxy on the endpoint (requires Traps agent 5.0.9; supported with Cortex XDR only).

    If you deploy Traps in an environment where the agents reach the Cortex XDR server through a proxy, you must assign the proxy IP address and port number when you install the Traps agent on the endpoint.

    1. Add the --proxy_list "<proxyserver>:<port>" option to the installation command line.

      You can assign up to five proxies per agent; separate multiple addresses with commas. The agent selects the proxy for each communication randomly, with equal probability. For example:

      --proxy_list "10.196.20.244:8080,10.196.20.245:8080"

      Note

      To install a Traps agent that communicates through the Palo Alto Networks Broker Service, enter only the broker VM IP address with port 8888.

    2. After the initial installation, you can change the proxy settings in the Traps management service under Endpoints.

  5. Use the Traps Agent for Linux.

    For a list of available options, enter the cytool command without any arguments or with -h or --help.
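The following POSIX shell script is an added example that wraps the workflow above; it is not part of this guide or of Palo Alto Networks' tooling. It checks the SELinux state before the install (the note above says that enabling SELinux afterwards forces a reinstall), validates a --proxy_list value against the documented limit of five host:port entries, builds the installer command line, and after the install confirms the artifacts the installer output lists: /opt/traps/bin/cytool and the three traps_*.service units enabled in multi-user.target. The function names and the TRAPS_PREFLIGHT_RUN switch are hypothetical; the option name, paths and unit names are taken from the guide.

```shell
#!/bin/sh
# Added example (not from the Traps Administrator Guide). Helper names are
# hypothetical; --proxy_list, /opt/traps/bin/cytool and the traps_*.service
# unit names come from the guide's installer output.

# SELinux decision point before installing: the guide says enabling SELinux
# after the install requires a reinstall. getenforce prints Enforcing,
# Permissive or Disabled; an optional argument overrides it (used by tests).
# Returns 0 to proceed, 2 when SELinux is present but disabled.
traps_selinux_precheck() {
    state="${1:-$(command -v getenforce >/dev/null 2>&1 && getenforce || echo unavailable)}"
    case "$state" in
        Enforcing|Permissive)
            echo "SELinux is $state: installer will disable the injection-based modules"
            return 0 ;;
        Disabled)
            echo "SELinux is disabled: enable it now if you intend to use it," \
                 "otherwise Traps must be reinstalled later" >&2
            return 2 ;;
        *)
            echo "SELinux not present on this host"
            return 0 ;;
    esac
}

# Validate a --proxy_list value: comma-separated host:port entries, at most
# five (the guide's documented limit), port numeric and within 1-65535.
traps_validate_proxy_list() {
    list="$1"
    [ -n "$list" ] || { echo "empty proxy list" >&2; return 1; }
    count=0
    old_ifs="$IFS"; IFS=','; set -f
    set -- $list              # split on commas only, no globbing
    IFS="$old_ifs"; set +f
    for entry in "$@"; do
        count=$((count + 1))
        case "$entry" in
            *:*) ;;
            *) echo "missing port in '$entry'" >&2; return 1 ;;
        esac
        host="${entry%:*}"
        port="${entry##*:}"
        [ -n "$host" ] || { echo "empty host in '$entry'" >&2; return 1; }
        case "$port" in
            ''|*[!0-9]*) echo "non-numeric port in '$entry'" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "port out of range in '$entry'" >&2; return 1; }
    done
    [ "$count" -le 5 ] || { echo "at most five proxies allowed, got $count" >&2; return 1; }
    return 0
}

# Build the installer invocation to run as root. --proxy_list is only added
# when a proxy list is supplied (Traps agent 5.0.9 managed by Cortex XDR).
traps_install_cmd() {
    installer="$1"
    proxies="$2"
    if [ -n "$proxies" ]; then
        traps_validate_proxy_list "$proxies" || return 1
        printf '%s --proxy_list "%s"\n' "$installer" "$proxies"
    else
        printf '%s\n' "$installer"
    fi
}

# Post-install verification of what the installer output reports: cytool in
# the install tree and the three units enabled in multi-user.target. The root
# prefix argument (default: the real filesystem) lets tests use a staged tree.
traps_post_install_check() {
    root="${1:-}"
    rc=0
    [ -x "$root/opt/traps/bin/cytool" ] || { echo "cytool missing" >&2; rc=1; }
    for unit in traps_trapsd traps_pmd traps_authorized; do
        link="$root/etc/systemd/system/multi-user.target.wants/$unit.service"
        [ -e "$link" ] || [ -L "$link" ] || { echo "$unit.service not enabled" >&2; rc=1; }
    done
    return $rc
}

# Run the pre-flight when invoked directly, e.g.
#   TRAPS_PREFLIGHT_RUN=1 ./traps_preflight.sh ./linux.sh "10.196.20.244:8080,10.196.20.245:8080"
if [ "${TRAPS_PREFLIGHT_RUN:-0}" = "1" ]; then
    traps_selinux_precheck
    cmd=$(traps_install_cmd "${1:-./linux.sh}" "${2:-}") || exit 1
    echo "Run as root: $cmd"
fi
```

Run traps_post_install_check as root once the installer has finished; a missing unit symlink or cytool is the quickest sign that the install did not complete, and since a failed registration is not retried, a check that precedes the first check-in saves a reinstall cycle.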