Traps for Linux

The Traps agent protects Linux servers by preventing attackers from leveraging software exploits or vulnerabilities to compromise an endpoint. The Traps agent enforces your organization’s security policy as defined in the ESM Console. When a security event occurs on an endpoint, Traps collects forensic information about that event which you can use to analyze the incident further.
Traps for Linux supports the following features in the 4.2 release:
FeatureSupport
Anti-exploit protection using the following EPMs:
  • Brute Force Protection
  • ROP Mitigation
  • Shellcode Protection
  • Kernel Privilege Escalation Protection
check-mark.png
Local analysis
Anti-malware execution using restriction rules
Quarantine and remediation
Centralized management of Traps agents from the ESM Console including ability to:
  • Update agent software
  • Configure Traps for Linux settings
  • View security event history for Linux servers
  • View agent status history for Linux servers
check-mark.png
Language support
check-mark.png
(English only)
Agent Query
The following topics describe how to install, use, and manage the Traps for Linux:

Set Up Traps for Linux

Use the following instructions to create and install the package directly on the endpoint:
  1. Ensure the Linux server meets the Traps for Linux Requirements.
  2. Download the Traps for Linux software from the Customer Support Portal (https://support.paloaltonetworks.com).
  3. From the ESM Console, Create the Linux installation package using the Traps for Linux software version you downloaded in the previous step.
    To generate the installation package you must be assigned a role which enables the Installation Package privilege. Otherwise, this feature is disabled (hidden completely from view) or read-only.
    The ESM Console creates a new installation package based the IP address and port settings the agent will use to connect to the ESM Server.
  4. Download the installation package to a location accessible by the Linux server.
  5. Install Traps for Linux.

Manage Linux Settings for Traps

  1. Select SettingsAgentSettings.
  2. Select the action menu and Add a new rule.
  3. Select the type of rule and configure the associated settings.
    • Event Logging—Specify log quota for local log storage on the endpoint.
    • Heartbeat Settings—Configure reporting and check-in frequency.
    • Communication Settings—Configure communication settings between the Traps agents and the ESM Servers.
    • Process Management—Collect information about new processes when they run on an endpoint and report them to the Endpoint Security Manager.
  4. Save or Apply the rule immediately.

Monitor Linux Endpoints

To monitor Linux endpoints:
  • View the distribution of agents by OS
    On the Dashboard, view the COMPUTER DISTRIBUTION AND VERSION chart. This chart displays the number of endpoints by OS and Traps version.
  • View security events that occur on Linux endpoints
    To filter any of the security events pages by Linux endpoints:
    1. Select Security Events and then select a type of event.
    2. Select the filter filter.png to the right of the OS column heading.
    3. Specify the match criteria. Use the Is equal to, Contains, or Starts with operator and specify the OS name and release number.
    4. Select Filter. The ESM Console displays the security events that match the OS type (and optionally OS version).
    To clear the filter, select the applied filter icon icon-applied-filter.png and then select Clear.
  • Monitor the health of the Traps agent on Linux endpoints:
    1. Select MonitorAgentHealth.
    2. Select the filter filter.png to the right of the OS column heading.
    3. Select the operator and filter criteria as described in the previous task (View security events that occur on Linux endpoints).
    4. Select Filter. The ESM Console displays the agents that match the OS type (and optionally OS version).
    To clear the filter, select the applied filter icon icon-applied-filter.png and then select Clear.

Upgrade or Uninstall Traps for Linux

After you install Traps for Linux, you can upgrade or uninstall the Traps software on the endpoint at any time. To upgrade the software you must first download the upgrade package from the Support portal. To automatically distribute either action instruction to your Linux endpoints, you can create an action rule from the ESM Console.
  1. Review the Upgrade/Downgrade Considerations for Linux endpoints.
  2. Download the client upgrade package from the Support portal. This package contains installers for all supported operating systems.
  3. From the ESM Console, select SettingsAgentActionsLinux.
  4. From the action menu manage-hidden-menu-icon.png , Add a new agent action rule.
  5. Select an action: Uninstall the Traps agent from the endpoint, or Upgrade from path to Browse to the client upgrade package you downloaded and Upload it for distribution to Linux endpoints. By default the rule applies to all Linux endpoints, but you can narrow the scope by configuring Conditions or specific target Objects.
  6. Save the rule without applying it to endpoints, or Apply the rule immediately. At the next heartbeat communication with the agent, Traps performs the rule action.

Related Documentation