Traps Endpoint Security Manager New Features Guide
    : Traps for Linux
    Focus
    Focus
    1. Home
    2. Traps
    3. Traps Endpoint Security Manager New Features Guide
    4. Supported Platforms
    5. Traps for Linux

    Traps Endpoint Security Manager New Features Guide

    Traps for Linux

    Table of Contents

    Traps for Linux

    The Traps agent protects Linux servers by preventing attackers from leveraging software exploits or vulnerabilities to compromise an endpoint. The Traps agent enforces your organization’s security policy as defined in the ESM Console. When a security event occurs on an endpoint, Traps collects forensic information about that event which you can use to analyze the incident further.
    Traps for Linux supports the following features in the 4.2 release:
    FeatureSupport
    Anti-exploit protection using the following EPMs:
    • Brute Force Protection
    • ROP Mitigation
    • Shellcode Protection
    • Kernel Privilege Escalation Protection
    Local analysis
    Anti-malware execution using restriction rules
    Quarantine and remediation
    Centralized management of Traps agents from the ESM Console including ability to:
    • Update agent software
    • Configure Traps for Linux settings
    • View security event history for Linux servers
    • View agent status history for Linux servers
    Language support
    (English only)
    Agent Query
    The following topics describe how to install, use, and manage the Traps for Linux:

    Set Up Traps for Linux

    Use the following instructions to create and install the package directly on the endpoint:
    1. Ensure the Linux server meets the Traps for Linux Requirements.
    2. Download the Traps for Linux software from the Customer Support Portal (https://support.paloaltonetworks.com).
    3. From the ESM Console, Create the Linux installation package using the Traps for Linux software version you downloaded in the previous step.
      To generate the installation package you must be assigned a role which enables the Installation Package privilege. Otherwise, this feature is disabled (hidden completely from view) or read-only.
      The ESM Console creates a new installation package based the IP address and port settings the agent will use to connect to the ESM Server.
    4. Download the installation package to a location accessible by the Linux server.
    5. Install Traps for Linux.

    Manage Linux Settings for Traps

    1. Select SettingsAgentSettings.
    2. Select the action menu and Add a new rule.
    3. Select the type of rule and configure the associated settings.
      • Event Logging—Specify log quota for local log storage on the endpoint.
      • Heartbeat Settings—Configure reporting and check-in frequency.
      • Communication Settings—Configure communication settings between the Traps agents and the ESM Servers.
      • Process Management—Collect information about new processes when they run on an endpoint and report them to the Endpoint Security Manager.
    4. Save or Apply the rule immediately.

    Monitor Linux Endpoints

    To monitor Linux endpoints:
    • View the distribution of agents by OS
      On the Dashboard, view the COMPUTER DISTRIBUTION AND VERSION chart. This chart displays the number of endpoints by OS and Traps version.
    • View security events that occur on Linux endpoints
      To filter any of the security events pages by Linux endpoints:
      1. Select Security Events and then select a type of event.
      2. Select the filter
        to the right of the OS column heading.
      3. Specify the match criteria. Use the Is equal to, Contains, or Starts with operator and specify the OS name and release number.
      4. Select Filter. The ESM Console displays the security events that match the OS type (and optionally OS version).
      To clear the filter, select the applied filter icon
      and then select Clear.
    • Monitor the health of the Traps agent on Linux endpoints:
      1. Select MonitorAgentHealth.
      2. Select the filter
        to the right of the OS column heading.
      3. Select the operator and filter criteria as described in the previous task (View security events that occur on Linux endpoints).
      4. Select Filter. The ESM Console displays the agents that match the OS type (and optionally OS version).
      To clear the filter, select the applied filter icon
      and then select Clear.

    Upgrade or Uninstall Traps for Linux

    After you install Traps for Linux, you can upgrade or uninstall the Traps software on the endpoint at any time. To upgrade the software you must first download the upgrade package from the Support portal. To automatically distribute either action instruction to your Linux endpoints, you can create an action rule from the ESM Console.
    1. Review the Upgrade/Downgrade Considerations for Linux endpoints.
    2. Download the client upgrade package from the Support portal. This package contains installers for all supported operating systems.
    3. From the ESM Console, select SettingsAgentActionsLinux.
    4. From the action menu
      , Add a new agent action rule.
    5. Select an action: Uninstall the Traps agent from the endpoint, or Upgrade from path to Browse to the client upgrade package you downloaded and Upload it for distribution to Linux endpoints. By default the rule applies to all Linux endpoints, but you can narrow the scope by configuring Conditions or specific target Objects.
    6. Save the rule without applying it to endpoints, or Apply the rule immediately. At the next heartbeat communication with the agent, Traps performs the rule action.

    © 2024 Palo Alto Networks, Inc. All rights reserved.