Use the Traps Agent for Linux

After you install Traps for Linux, Traps operates transparently in the background as a system process. Typically, it is not necessary to interact with the Traps agent; however, to perform common actions, such as initiating a manual check-in with the Traps management service, you can use the command-line utility named Cytool (also available for Mac and Windows). Cytool is installed at /opt/traps/bin/cytool and must be run as root or with root permissions.
To use the Traps agent for Linux:
  • Display the Cytool help.
    From the Linux server, run the cytool command without any arguments or with the -h or --help option.
    root@ubuntu:~$ /opt/traps/bin/cytool
    Usage: cytool <options>
    cytool - Support tool
    Options:
      -h --help                                         Display help information.
      enum                                              List processes protected by Traps.
      startup query                                     List startup status for traps endpoint agent(s) and daemon(s).
      startup <enable | disable> <process_name | all>   Enable/Disable agent(s) and daemon(s) after reboot.
      runtime query                                     List runtime status for agent(s), daemon(s) and kernel extensions.
      runtime <start | stop> <process_name | all>       Start/Stop agent(s), daemon(s) and kernel extensions immediately.
      persist list                                      Display list of persistent databases.
      persist export <db_name | db_path>                Export database(s) to the file(s) in JSON format.
      persist import <db_name | db_path> <file_name>    Import data into the database from the given JSON file.
      persist print <db_name | db_path> [csv]           Print database to the command prompt.
      log <log_level> <process_name | all>              Set log level for the desired process.
      log collect                                       Generate support file archive.
      dump <enable | disable | restore>                 Enable/Disable dump generation or restore policy settings.
      checkin                                           Initiate Check In Now (send heartbeat to ESM).
    Follow the usage guidelines to run additional Cytool commands.
  • List processes protected by Traps.
    Enter the cytool enum command.
    root@ubuntu:~$ cytool enum
    -----------------------------------
    Traps list of protected processes:
    -----------------------------------
    PID   CMD                    UID
    1098  /usr/sbin/cron -f      0
    1131  /usr/sbin/rsyslogd -n  104
    To view processes for all users, including those initiated by the operating system, specify the /a option.
  • Start or stop Traps daemons.
    The Traps agent comprises the trapsd, authorized, and pmd daemons. To start or stop one or all daemons, enter either the cytool runtime [start | stop] [<process_name> | all] command or the cytool startup [enable | disable] [<process_name> | all] command. Both commands change both the current running state of the daemons and their startup registration status for when the server boots.
    For example:
    root@ubuntu:~$ /opt/traps/bin/cytool runtime stop trapsd
    Name        PID    User  Status   Command
    trapsd      N/A    N/A   STOPPED  N/A
    authorized  2179   root  Running  /opt/traps/bin/authorized
    pmd         2164   root  Running  /opt/traps/bin/pmd
    root@ubuntu:~$ /opt/traps/bin/cytool runtime start all
    Name        PID    User  Status   Command
    trapsd      26427  root  Running  /opt/traps/bin/trapsd
    authorized  2179   root  Running  /opt/traps/bin/authorized
    pmd         2164   root  Running  /opt/traps/bin/pmd
  • View the Traps security policy.
    Traps stores policy and security event information, such as the list of trusted signers, local verdicts, and one-time actions, in local databases in the /opt/traps/persist/ directory. To troubleshoot policy issues and security events, you can use Cytool to import, export, and view information stored in the local database.
    To view a list of all local databases, use the cytool persist list command.
    root@ubuntu:~$ /opt/traps/bin/cytool persist list
    Persistent database list:
    post_detection.db     Database of post-detection candidates
    agent_actions.db      Database of one time actions
    cloud_frontend.db     Database of Cloud frontend settings
    hashes_lru.db         Least recently used verdicts database
    cloud_reports.db      Database of Cloud reports
    hashes.db             Database of the verdicts received from WildFire
    esm_frontend.db       Database of ESM frontend settings
    policy.db             Policy database
    fvhash.db             Database of blacklisted fvhashes
    trusted_signers.db    Database of trusted signers
    hash_paths.db         Database of file paths
    hash_override.db      Database of hashes override (Admin exeptions)
    esm_reports.db        Database of ESM reports
    security_events.db    Database of security events (preventions)
    file_upload.db        Database of files being uploaded to ESM
    hashes_retransmit.db  Database of hashes to be retransmitted
    agent_settings.db     Database of agent settings
    To view the records of a database, use the cytool persist print [<database_name> | <database_path>] command, where you specify either the name of the database (see the cytool persist list command) or the path to the database. To export the records of a database to a JSON file, use the cytool persist export [<database_name> | <database_path>] command. For example:
    root@ubuntu:~$ /opt/traps/bin/cytool persist print security_events.db
    Database security_events:
    persistence::DB: /opt/traps/persist/security_events.db: Open
    persistence::DB: /opt/traps/persist/security_events.db: Open: IO error: lock /opt/traps/persist/security_events.db/LOCK: Resource temporarily unavailable
    3c34dcc1-bc37-ffef-ed55-f5512df05884,
    Prevention ID: 3c34dcc1-bc37-ffef-ed55-f5512df05884
    Time: 2018-05-02T10:31:51Z
    Timezone offset (min): 240
    Module ID (CyveraComponent): 277
    Module status (CyStatus): 0xC0400015
    Blocked: false
    Source process ID: 14818
    Source process terminated: true
    Source process command line: /root/Desktop/Linux_testers/ROP/lighttpd system 0
    Source process file index: 0
    Target process ID: 0
    Target process terminated: false
    Target process command line:
    Target process file index: 0
    User ID: 0
    User name:
    Traps version: 4.2.0.601
    OS name: Linux
    OS version: Red Hat Enterprise Linux Server release 6.9 (Santiago)
    Machine name: Saar_redhat64x64
    Dump path: /opt/traps/forensics/3c34dcc1-bc37-ffef-ed55-f5512df05884/
    Content version: 17-2805
    IP Address: 10.200.0.55
    Verdict (WildFire/Hash Control): 0 1
    Files:
      Name: lighttpd
      Path: /root/Desktop/Linux_testers/ROP
      Size: 0
      Hash: 8630c9e57ca58fb7966c80525c36f572416e0a8db617b8a43c946d4fa966a71c
      Version:
      Publisher:
      Quarantine ID:
      Signers: ''
    ------------------------------------------------
    ---------- END Security Event Files ----------
    root@ubuntu:~$ /opt/traps/bin/cytool persist export security_events.db
    persistence::DB: /opt/traps/persist/security_events.db: Open
    -rw-r--r-- 1 ubuntu root 25824 Jan 2 18:10 /home/ubuntu/traps/cytool/security_events.db_18.10.04.427_02.01.2018.json
    To add records to a database, use the cytool persist import [<database_name> | <database_path>] <input_filename> command, where <input_filename> is a JSON file.
  • Collect logs.
    Use the cytool log <log_level> [<process_name> | all] command to change the log level of a Traps component, where:
    • <log_level> is an integer value corresponding to the log level:
      • 1—Fatal
      • 2—Critical
      • 3—Error
      • 4—Warning
      • 5—Notice
      • 6—Information
      • 7—Debug
      • 8—Trace
    • <process_name> is the Traps component: trapsd, authorized, or pmd.
    Then use the cytool log collect command to collect all logs in a TGZ file.
    root@ubuntu:~$ /opt/traps/bin/cytool log 1 trapsd
    root@ubuntu:~$ /opt/traps/bin/cytool log collect
    -rw-r--r-- 1 root root 1651939 Dec 30 20:33 /tmp/Traps_log_2017-12-30_20-33-22/Traps_log_2017-12-30_20-33-22.tgz
  • Manually initiate a check-in with the server.
    Use the cytool checkin command to initiate the manual check-in. To verify the status of the check-in on the Traps management service, view the LAST SEEN date in the additional details view of an endpoint on the Endpoints page.
  • Configure proxy communication.
    If defined, the Traps agent uses the proxy settings defined in the system environment in /etc/environment. If proxy settings are not defined, you can add the proxy server to the system environment by specifying the following setting in the environment file:
    https_proxy="https://<proxyserver>:<port>"
    where:
    • <proxyserver> is the IP address of the proxy server
    • <port> is the port number used for proxy communication.
    For example:
    https_proxy="https://10.196.20.244:8080"
  • View the version of Traps.
    To view the version of Traps on the Linux server, open or read the version.txt file in the /opt/traps/ directory. For example:
    root@ubuntu:~$ cat /opt/traps/version.txt
    traps_linux-5.0.0.1040 ce1707dadbbb67effb7bf08cd4edee60d9508377
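The daemon status table printed by cytool runtime and the record printed by cytool persist print security_events.db (both shown above) are the two Cytool outputs an operator most often wants to feed into host monitoring or a SIEM. The following Python, an added example and not Palo Alto Networks code, parses both from captured text; the sample text is constructed from the output shown on this page, and the one-field-per-line layout of the security event record is an assumption.

```python
import re

def parse_runtime_table(text):
    """Map daemon name -> Status column of a `cytool runtime ...` table."""
    rows = [ln.split() for ln in text.strip().splitlines()[1:]]  # skip header
    return {r[0]: r[3] for r in rows if len(r) >= 4}

def not_running(text):
    """Daemons whose status is anything other than Running (e.g. STOPPED)."""
    return sorted(n for n, s in parse_runtime_table(text).items() if s != "Running")

# 'Key: value' or 'Key (note): value'; the parenthesised note is dropped.
KV = re.compile(r"^([^:]+?)(?: \([^)]*\))?: ?(.*)$")

def parse_security_event(text):
    """Parse one `cytool persist print security_events.db` record into a dict."""
    event, files, cur = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or "::" in line:
            continue  # skip separators and persistence::DB status lines
        if line == "Files:":
            event["Files"] = files  # everything after this describes files
            continue
        m = KV.match(line)
        if not m:
            continue  # e.g. the bare event-id line has no 'key: value' shape
        key, val = m.group(1), m.group(2)
        if "Files" not in event:
            event[key] = val
        elif key == "Name":  # each 'Name:' starts a new file entry
            cur = {key: val}
            files.append(cur)
        elif cur is not None:
            cur[key] = val
    return event

# Constructed samples, abridged from the output shown on this page.
SAMPLE_TABLE = """Name PID User Status Command
trapsd N/A N/A STOPPED N/A
authorized 2179 root Running /opt/traps/bin/authorized
pmd 2164 root Running /opt/traps/bin/pmd"""
SAMPLE_EVENT = """Prevention ID: 3c34dcc1-bc37-ffef-ed55-f5512df05884
Module status (CyStatus): 0xC0400015
Blocked: false
Source process command line: /root/Desktop/Linux_testers/ROP/lighttpd system 0
Files:
Name: lighttpd
Hash: 8630c9e57ca58fb7966c80525c36f572416e0a8db617b8a43c946d4fa966a71c
---------- END Security Event Files ----------"""
```

A non-empty result from not_running() on the live output of cytool runtime query is the condition a host-health check would alert on; parse_security_event() gives you the prevention ID, module status and file hash as fields rather than free text.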
