Traps for Linux

The Traps agent protects Linux servers by preventing attackers from leveraging software exploits or vulnerabilities to compromise an endpoint. The Traps agent enforces your organization’s security policy as defined in the ESM Console. When a security event occurs on an endpoint, Traps collects forensic information about that event which you can use to analyze the incident further.
Traps for Linux supports the following features in the 4.2 release:
  • Anti-exploit protection using the following EPMs:
    • Brute Force Protection
    • ROP Mitigation
    • Shellcode Protection
    • Kernel Privilege Escalation Protection
  • Local analysis
  • Anti-malware execution using restriction rules
  • Quarantine and remediation
  • Centralized management of Traps agents from the ESM Console, including the ability to:
    • Update agent software
    • Configure Traps for Linux settings
    • View security event history for Linux servers
    • View agent status history for Linux servers
  • Language support (English only)
  • Agent Query
The following topics describe how to install, use, and manage Traps for Linux:

Set Up Traps for Linux

Use the following instructions to create and install the package directly on the endpoint:
  1. Ensure the Linux server meets the Traps for Linux Requirements.
  2. Download the Traps for Linux software from the Customer Support Portal (https://support.paloaltonetworks.com).
  3. From the ESM Console, Create the Linux installation package using the Traps for Linux software version you downloaded in the previous step.
    To generate the installation package you must be assigned a role that enables the Installation Package privilege. Otherwise, this feature is disabled (hidden completely from view) or read-only.
    The ESM Console creates a new installation package based on the IP address and port settings the agent will use to connect to the ESM Server.
  4. Download the installation package to a location accessible by the Linux server.

Manage Linux Settings for Traps

  1. Select Settings > Agent > Settings.
  2. Select the action menu and Add a new rule.
  3. Select the type of rule and configure the associated settings.
    • Event Logging—Specify the log quota for local log storage on the endpoint.
    • Heartbeat Settings—Configure reporting and check-in frequency.
    • Communication Settings—Configure communication settings between the Traps agents and the ESM Servers.
    • Process Management—Collect information about new processes when they run on an endpoint and report them to the Endpoint Security Manager.
  4. Save the rule without applying it, or Apply the rule immediately.

Monitor Linux Endpoints

To monitor Linux endpoints:
  • View the distribution of agents by OS:
    On the Dashboard, view the COMPUTER DISTRIBUTION AND VERSION chart. This chart displays the number of endpoints by OS and Traps version.
  • View security events that occur on Linux endpoints:
    To filter any of the security events pages by Linux endpoints:
    1. Select Security Events and then select a type of event.
    2. Select the filter to the right of the OS column heading.
    3. Specify the match criteria. Use the Is equal to, Contains, or Starts with operator and specify the OS name and release number.
    4. Select Filter. The ESM Console displays the security events that match the OS type (and optionally the OS version).
    To clear the filter, select the applied filter icon and then select Clear.
  • Monitor the health of the Traps agent on Linux endpoints:
    1. Select Monitor > Agent > Health.
    2. Select the filter to the right of the OS column heading.
    3. Select the operator and filter criteria as described in the previous task (View security events that occur on Linux endpoints).
    4. Select Filter. The ESM Console displays the agents that match the OS type (and optionally the OS version).
    To clear the filter, select the applied filter icon and then select Clear.

Upgrade or Uninstall Traps for Linux

After you install Traps for Linux, you can upgrade or uninstall the Traps software on the endpoint at any time. To upgrade the software you must first download the upgrade package from the Support portal. To automatically distribute either action to your Linux endpoints, create an action rule from the ESM Console.
  1. Review the Upgrade/Downgrade Considerations for Linux endpoints.
  2. Download the client upgrade package from the Support portal. This package contains installers for all supported operating systems.
  3. From the ESM Console, select Settings > Agent > Actions > Linux.
  4. From the action menu, Add a new agent action rule.
  5. Select an action: Uninstall the Traps agent from the endpoint, or Upgrade from path to Browse to the client upgrade package you downloaded and Upload it for distribution to Linux endpoints. By default the rule applies to all Linux endpoints, but you can narrow the scope by configuring Conditions or specific target Objects.
  6. Save the rule without applying it to endpoints, or Apply the rule immediately. At the next heartbeat communication with the agent, Traps performs the rule action.
