Use the Traps Agent for Linux
After you install Traps for Linux, Traps operates transparently in the background as a system process. Typically, it is not necessary to interact with the Traps agent; however, to perform common actions, such as initiating a manual check-in with the Traps management service, you can use the command-line utility (also available for Mac and Windows) named Cytool. Cytool is located at /opt/traps/bin/cytool and must be run as root or with root permissions. To use the Traps agent for Linux:
- Display the Cytool help. From the Linux server, run the cytool command without any arguments or with the -h or --help option.

```
root@ubuntu:~$ /opt/traps/bin/cytool
Usage: cytool <options>
cytool - Support tool
Options:
  -h --help                                        Display help information.
  enum                                             List processes protected by Traps.
  startup query                                    List startup status for traps endpoint agent(s) and daemon(s).
  startup <enable | disable> <process_name | all>  Enable/Disable agent(s) and daemon(s) after reboot.
  runtime query                                    List runtime status for agent(s), daemon(s) and kernel extensions.
  runtime <start | stop> <process_name | all>      Start/Stop agent(s), daemon(s) and kernel extensions immediately.
  persist list                                     Display list of persistent databases.
  persist export <db_name | db_path>               Export database(s) to the file(s) in JSON format.
  persist import <db_name | db_path> <file_name>   Import data into the database from the given JSON file.
  persist print <db_name | db_path> [csv]          Print database to the command prompt.
  log <log_level> <process_name | all>             Set log level for the desired process.
  log collect                                      Generate support file archive.
  dump <enable | disable | restore>                Enable/Disable dump generation or restore policy settings.
  checkin                                          Initiate Check In Now (send heartbeat to ESM).
```

  Follow the usage guidelines to run additional Cytool commands.
- List processes protected by Traps. Enter the cytool enum command.

```
root@ubuntu:~$ cytool enum
-----------------------------------
Traps list of protected processes:
-----------------------------------
PID   CMD                    UID
1098  /usr/sbin/cron -f      0
1131  /usr/sbin/rsyslogd -n  104
```

  To view processes for all users, including those initiated by the operating system, specify the /a option.
- Start or stop Traps daemons. The Traps agent comprises the trapsd, authorized, and pmd daemons. To start or stop one or all daemons, enter either the cytool runtime [start | stop] [<process_name> | all] command or the cytool startup [enable | disable] [<process_name> | all] command. Both commands change the current running state of the daemons as well as their startup registration status, which determines whether they start when the server boots. For example:

```
root@ubuntu:~$ /opt/traps/bin/cytool runtime stop trapsd
Name        PID    User  Status   Command
trapsd      N/A    N/A   STOPPED  N/A
authorized  2179   root  Running  /opt/traps/bin/authorized
pmd         2164   root  Running  /opt/traps/bin/pmd
root@ubuntu:~$ /opt/traps/bin/cytool runtime start all
Name        PID    User  Status   Command
trapsd      26427  root  Running  /opt/traps/bin/trapsd
authorized  2179   root  Running  /opt/traps/bin/authorized
pmd         2164   root  Running  /opt/traps/bin/pmd
```
- View the Traps security policy. Traps stores policy and security event information, such as the list of trusted signers, local verdicts, and one-time actions, in local databases in the /opt/traps/persist/ directory. To troubleshoot policy issues and security events, you can use Cytool to import, export, and view information stored in the local database. To view a list of all local databases, use the cytool persist list command.

```
root@ubuntu:~$ /opt/traps/bin/cytool persist list
Persistent database list:
  post_detection.db     Database of post-detection candidates
  agent_actions.db      Database of one time actions
  cloud_frontend.db     Database of Cloud frontend settings
  hashes_lru.db         Least recently used verdicts database
  cloud_reports.db      Database of Cloud reports
  hashes.db             Database of the verdicts received from WildFire
  esm_frontend.db       Database of ESM frontend settings
  policy.db             Policy database
  fvhash.db             Database of blacklisted fvhashes
  trusted_signers.db    Database of trusted signers
  hash_paths.db         Database of file paths
  hash_override.db      Database of hashes override (Admin exeptions)
  esm_reports.db        Database of ESM reports
  security_events.db    Database of security events (preventions)
  file_upload.db        Database of files being uploaded to ESM
  hashes_retransmit.db  Database of hashes to be retransmitted
  agent_settings.db     Database of agent settings
```

  To view the records of a database, use the cytool persist print [<database_name> | <database_path>] command, where you specify either the name of the database (see the cytool persist list command) or the path to the database. Or, to export the records of a database to a JSON file, use the cytool persist export [<database_name> | <database_path>] command. For example:

```
root@ubuntu:~$ /opt/traps/bin/cytool persist print security_events.db
Database security_events:
persistence::DB: /opt/traps/persist/security_events.db: Open
persistence::DB: /opt/traps/persist/security_events.db: Open: IO error: lock /opt/traps/persist/security_events.db/LOCK: Resource temporarily unavailable
3c34dcc1-bc37-ffef-ed55-f5512df05884,
  Prevention ID: 3c34dcc1-bc37-ffef-ed55-f5512df05884
  Time: 2018-05-02T10:31:51Z
  Timezone offset (min): 240
  Module ID (CyveraComponent): 277
  Module status (CyStatus): 0xC0400015
  Blocked: false
  Source process ID: 14818
  Source process terminated: true
  Source process command line: /root/Desktop/Linux_testers/ROP/lighttpd system 0
  Source process file index: 0
  Target process ID: 0
  Target process terminated: false
  Target process command line:
  Target process file index: 0
  User ID: 0
  User name:
  Traps version: 5.0.0.601
  OS name: Linux
  OS version: Red Hat Enterprise Linux Server release 6.9 (Santiago)
  Machine name: Saar_redhat64x64
  Dump path: /opt/traps/forensics/3c34dcc1-bc37-ffef-ed55-f5512df05884/
  Content version: 17-2805
  IP Address: 10.200.0.55
  Verdict (WildFire/Hash Control): 0 1
  Files:
    Name: lighttpd
    Path: /root/Desktop/Linux_testers/ROP
    Size: 0
    Hash: 8630c9e57ca58fb7966c80525c36f572416e0a8db617b8a43c946d4fa966a71c
    Version:
    Publisher:
    Quarantine ID:
    Signers: ''
------------------------------------------------
---------- END Security Event Files ----------
root@ubuntu:~$ /opt/traps/bin/cytool persist export security_events.db
persistence::DB: /opt/traps/persist/security_events.db: Open
-rw-r--r-- 1 ubuntu root 25824 Jan 2 18:10 /home/ubuntu/traps/cytool/security_events.db_18.10.04.427_02.01.2018.json
```

  To add records to the database, use the cytool persist import [<database_name> | <database_path>] <input_filename> command, where <input_filename> is a JSON file.
- Collect logs. Use the cytool log <log_level> [<process_name> | all] command to change the log level of a Traps component, where:
  - <log_level> is an integer value corresponding to the log level:
    - 1—Fatal
    - 2—Critical
    - 3—Error
    - 4—Warning
    - 5—Notice
    - 6—Information
    - 7—Debug
    - 8—Trace
  - <process_name> is the Traps component: trapsd, authorized, or pmd.

  Then use the cytool log collect command to collect all logs in a TGZ file.

```
root@ubuntu:~$ /opt/traps/bin/cytool log 1 trapsd
root@ubuntu:~$ /opt/traps/bin/cytool log collect
-rw-r--r-- 1 root root 1651939 Dec 30 20:33 /tmp/Traps_log_2017-12-30_20-33-22/Traps_log_2017-12-30_20-33-22.tgz
```

- Manually initiate a check-in with the server. Use the cytool checkin command to initiate the manual check-in. To verify the status of the check-in on the Traps management service, view the LAST SEEN date in the additional details view of an endpoint on the Endpoints page.
- Configure proxy communication. If defined, the Traps agent uses the proxy settings defined in the system environment in /etc/environment. If proxy settings are not defined, you can add the proxy server to the system environment by specifying the following setting in the environment file: https_proxy="https://<proxyserver>:<port>", where:
  - <proxyserver> is the IP address of the proxy server.
  - <port> is the port number used for proxy communication.

  For example: https_proxy="https://10.196.20.244:8080"

- View the version of Traps. To view the version of Traps on the Linux server, open or read the version.txt file in the /opt/traps/ directory. For example:

```
root@ubuntu:~$ cat /opt/traps/version.txt
traps_linux-5.0.0.1040 ce1707dadbbb67effb7bf08cd4edee60d9508377
```
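A health check over the daemon table that cytool runtime prints, as an added example that is not part of the Traps documentation or the product. It assumes the column layout shown above (Name PID User Status Command) and the three daemon names the page lists; the sample tables are constructed, modelled on the page's output, so the script runs without the agent installed.

```shell
#!/bin/sh
# Added example (not from the Traps documentation): flag Traps daemons that
# are present but not Running, or missing from `cytool runtime query` output.

# The three daemons the page names; anything missing or stopped is a finding.
EXPECTED_DAEMONS="trapsd authorized pmd"

# daemon_status TABLE NAME: print the Status column for NAME, or MISSING when
# no row for NAME exists. The first line of TABLE is the header and is skipped.
daemon_status() {
    table=$1
    name=$2
    status=$(printf '%s\n' "$table" | awk -v n="$name" 'NR > 1 && $1 == n { print $4 }')
    printf '%s\n' "${status:-MISSING}"
}

# unhealthy_daemons TABLE: print "name=status" for every expected daemon that
# is not Running; prints nothing when the agent is healthy.
unhealthy_daemons() {
    table=$1
    for d in $EXPECTED_DAEMONS; do
        s=$(daemon_status "$table" "$d")
        [ "$s" = "Running" ] || printf '%s=%s\n' "$d" "$s"
    done
}

# Constructed sample tables modelled on the page's runtime examples.
HEALTHY='Name        PID    User  Status   Command
trapsd      26427  root  Running  /opt/traps/bin/trapsd
authorized  2179   root  Running  /opt/traps/bin/authorized
pmd         2164   root  Running  /opt/traps/bin/pmd'

DEGRADED='Name        PID    User  Status   Command
trapsd      N/A    N/A   STOPPED  N/A
authorized  2179   root  Running  /opt/traps/bin/authorized'

echo "healthy sample:";  unhealthy_daemons "$HEALTHY"
echo "degraded sample:"; unhealthy_daemons "$DEGRADED"
# On a real host (run as root) feed the live table instead:
#   unhealthy_daemons "$(/opt/traps/bin/cytool runtime query)"
```

A non-empty result is worth alerting on from a monitoring job, since a stopped or absent daemon means the endpoint is no longer protected.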