Install the Cortex XDR Agent for Linux

Download the Cortex XDR agent installation script from Cortex XDR.
Copy the installation package to the Linux server on which you want to install the Cortex XDR agent software.
For example, to copy the file securely from a local machine to the Linux server:
user@local ~
						$
						
scp linux.sh root@ubuntu.example.com:/tmp
						linux.sh                                100%   21MB   1.2MB/s   00:18
					
Log on to the Linux server.
For example:
user@local ~
						$
						
ssh root@ubuntu.example.com
						Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1041-aws x86_64)

						* Documentation:  https://help.ubuntu.com
						* Management:     https://landscape.canonical.com
						* Support:        https://ubuntu.com/advantage

						Get cloud support with Ubuntu Advantage Cloud Guest:
						http://www.ubuntu.com/business/services/cloud

						0 packages can be updated.
						0 updates are security updates.


						Last login: Tue Dec 26 22:14:15 2017 from 192.168.1.100
					
Install the Cortex XDR agent software.
You can install the Cortex XDR agent on the endpoint manually using the shell installer or using the Linux package manager for
.rpm
and
.deb
installers.
To deploy using package manager:
Depending on your Linux distribution, install the Cortex XDR agent using one of the following commands:
Distribution	Install Command
RHEL, CentOS, or Oracle	yum install ./ filename .rpm or rpm -i ./ filename .rpm
Ubuntu or Debian	apt-get install ./ filename .deb or dpkg -i ./ filename .deb
SUSE	zypper install ./ filename .rpm or rpm -i ./ filename .rpm
Verify the agent was installed on the endpoint.
Enter the following command on the endpoint:
dpkg -l | grep cortex-agent
or
rpm -qa | grep cortex-agent
.
To deploy the shell installer:
Enable execution of the script using the
chmod +x
filename
command.
Run the install script as root or with root permissions.
For example:
root@ubuntu:/$
								
cd /tmp
								root@ubuntu:/tmp$
								
ls
								linux.sh
								root@ubuntu:/tmp$
								
chmod +x linux.sh
								root@ubuntu:/tmp$
								
./linux.sh
								Verifying archive integrity... All good.
								Uncompressing Cortex XDR  634e4d93bb3fb87a Installer for Cloud  100%
								[*] Extracting Cortex XDR  Installer
								Verifying archive integrity... All good.
								Uncompressing Cortex XDR agent_linux-0.7.0-dbg installer  100%
								[1] Checking prerequisites
								Verifying Debian (dpkg) packages:
								* openssl ... OK
								* ca-certificates ... OK
								Done
								[2] Installing Cortex XDR at /opt/traps
								Done
								[3] Creating logger directory
								Done
								[4] Installing AppArmor policies
								Done
								[5] Defining Cortex XDR local services (systemd)
								Created symlink from /etc/systemd/system/multi-user.target.wants/traps_trapsd.service to /etc/systemd/system/traps_trapsd.service.
								Created symlink from /etc/systemd/system/multi-user.target.wants/traps_pmd.service to /etc/systemd/system/traps_pmd.service.
								Created symlink from /etc/systemd/system/multi-user.target.wants/traps_authorized.service to /etc/systemd/system/traps_authorized.service.
								Done
								[*] Starting Coretx XDR security services (systemd)
								Done
							
Additional options are available to help you customize your installation if needed. The following table describes common options and parameters that you can use but does not provide an exhaustive list. Use the --help option to print the help for the installer.
If you are using
rpm
or
deb
installers, you must also add these parameters to the
/etc/panw/cortex.conf
file prior to installation, without the leading double dash.
Option	Description
--no-km	Without Kernel Module Installation Use the --no-km option if you do not want to install the Cortex XDR agent kernel module. If you install the agent without the Cortex XDR kernel module or your Linux server runs an unsupported kernel version, the Cortex XDR agent will operate in asynchronous mode where: Continuous event monitoring required for Behavioral Threat Protection is disabled. Sharing endpoint activity data with Cortex apps is disabled. ELF file examination occurs in parallel with the file execution. If the Cortex XDR agent obtains a malware verdict for the ELF file, it terminates the file execution. Security events for malware in asynchronous mode are assigned a high severity due to the potential for continued execution during the verdict request while security events in synchronous mode are medium severity. All other exploit and malware protection is enabled per your Linux security policy.
-- --proxy-list ” <proxyserver> : <port> ”	Proxy Communication Configure the Cortex XDR agent to communicate through an intermediary such as a proxy or the Palo Alto Networks Broker Service. To enable the agent to direct communication to an intermediary, you use this installation option to assign the IP address and port number you want the Cortex XDR agent to use. Use commas to separate multiple addresses. For example: -- --proxy-list "10.196.20.244:8080,10.196.20.245:8080" You can assign up to five different IP addresses per agent, and the proxy for communication is selected randomly with equal probability. To enable the agent to use the Broker Service, you must set up a broker VM in your network and use this option to assign the agent the Broker VM IP address with port number 8888. After the initial installation, you can change the proxy settings from Cortex XDR.
VM Template --vm-template Temporary session --temporary-session	Virtual Installation Deploy Cortex XDR agents on virtual Linux endpoints as temporary instances, ensuring the Cortex XDR agent license returns back to the license pool after 90 minutes of session inactivity and improving your network temporary workloads. Choose your preferred workflow: Pre-install —Install the Cortex XDR agent only on the Linux endpoint you are using to create the VM template. Every instance you create using this template, will include the pre-installed Cortex XDR agent. For example: $ ./installer.sh -- --vm-template Fresh install —Install the Cortex XDR agent on the Linux VM after creating the VM template, as part of provisioning. For example: $ ./installer.sh -- --temporary-session
-- --restrict=restrict_ invasive_response_actions	Disable Live Terminal, script execution, and file retrieval on the endpoint Use to permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. Disabling any of these actions is an irreversible action, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package without this flag To disable all actions, use the corresponding flag: --restrict=all To disable a specific action, use the corresponding flag: --restrict=live_terminal —Use to disable Live Terminal. --restrict=script_execution —Use to disable script execution. --restrict=file_retrieval —Use to disable file retrieval. To disable more than one option, use any combination of these flags.
The script installs the files for the Cortex XDR agent for Linux in the
/opt/traps
folder with the Cytool utility available at
/opt/traps/bin/cytool
.
After the agent successfully connects to the server for the first time and retrieves a valid license, the agent begins protecting the Linux server.
If the Cortex XDR agent does not connect to Cortex XDR, verify your internet connection and perform a check-in on the endpoint. If the agent still does not connect, verify the installation package has not been removed from the Cortex XDR management console.
Use the Cortex XDR Agent for Linux.
For a list of available options, enter the
cytool
command without any arguments or with
-h
or
--help
.