Install the Traps Agent for Linux

Traps for Linux is designed to protect Linux servers and operates transparently in the background as a system process. Traps also extends exploit and malware protection to processes that run in Linux containers. When you install Traps on a Linux server, Traps automatically protects any new and existing containerized processes regardless of the container solution (for example, docker). Each Linux server receives a single license which includes protection for container processes.
After you install Traps for Linux, it is typically not necessary to interact with the Traps agent; however, to perform common actions, such as initiating a manual check in with Traps management service, you can use the command-line utility (also available for Mac and Windows) named Cytool. Cytool is available in the
directory and must be run as root or with root permissions.
Before installing Traps on a Linux server, verify that the system meets the requirements described in Traps for Linux Requirements.
If you intend to use SELinux, make sure to enable it before you proceed with the Traps installation. This ensures that Traps disables any injection-based modules which cause compatibility issues. If you later enable SELinux, you must reinstall Traps to avoid any compatibility issues.
You can then install Traps using software distribution tools that support Linux such as Satellite or Chef, or you can manually install Traps using the following workflow:
  1. Download the Traps installation script from the Traps management service.
    Traps management service saves the installation script using the name you provided to identify the package.
  2. Copy the installation package to the Linux server on which you want to install the Traps software.
    For example, to copy the file securely from a local machine to the Linux server:
    user@local ~ $
    scp 100% 21MB 1.2MB/s 00:18
  3. Log on to the Linux server.
    For example:
    user@local ~ $
    Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1041-aws x86_64) * Documentation: * Management: * Support: Get cloud support with Ubuntu Advantage Cloud Guest: 0 packages can be updated. 0 updates are security updates. Last login: Tue Dec 26 22:14:15 2017 from
  4. Install the Traps software.
    1. Enable execution of the script using the
      chmod +x
    2. Run the install script as root or with root permissions.
      For example:
      cd /tmp
      ls root@ubuntu:/tmp$
      chmod +x
      Verifying archive integrity... All good. Uncompressing Traps 634e4d93bb3fb87a Installer for Cloud 100% [*] Extracting Traps Installer Verifying archive integrity... All good. Uncompressing Traps traps_linux-0.7.0-dbg installer 100% [1] Checking prerequisites Verifying Debian (dpkg) packages: * openssl ... OK * ca-certificates ... OK Done [2] Installing Traps at /opt/traps Done [3] Creating logger directory Done [4] Installing AppArmor policies Done [5] Defining Traps local services (systemd) Created symlink from /etc/systemd/system/ to /etc/systemd/system/traps_trapsd.service. Created symlink from /etc/systemd/system/ to /etc/systemd/system/traps_pmd.service. Created symlink from /etc/systemd/system/ to /etc/systemd/system/traps_authorized.service. Done [*] Starting Traps security services (systemd) Done
      Additional options are available to help you customize your installation as needed. The following table describes common options that you can use but does not provide an exhaustive list. Use the --help option to print the help for the installer.
      Use the
      option if you do not want to install the Traps kernel module. If you install Traps without the Traps kernel module or your Linux server runs an unsupported kernel version, Traps will operate in asynchronous mode where:
      • Continuous event monitoring required for Behavioral Threat Protection is disabled.
      • Sharing endpoint activity data with Cortex apps is disabled.
      • ELF file examination occurs in parallel with the file execution. If the Traps agent obtains a malware verdict for the ELF file, it terminates the file execution. Security events for malware in asynchronous mode are assigned a high severity due to the potential for continued execution during the verdict request while security events in synchronous mode are medium severity.
      • All other exploit and malware protection is enabled per your Linux security policy.
      -- --proxy-list ”
      Optional in Traps 6.1.2 and later releases
      ) Configure Traps to communicate through an intermediary such as a proxy or the Palo Alto Networks Broker Service.
      To enable Traps to direct communication to an intermediary, you use this installation option to assign the IP address and port number you want Traps to use.
      Use commas to separate multiple addresses. For example:
      -- --proxy-list ","
      You can set up to five different IP addresses per agent. With multiple IP addresses, Traps management service randomly chooses which service to use for communication.
      To enable Traps to use the Broker Service, you must set up a Broker VM in your network and use this option to assign Traps the broker VM IP address with port number 8888.
      After the initial installation, you can change the proxy settings on the
      page from Traps management service.
      The script installs the files for the Traps app for Linux in the
      folder with the Cytool utility available at
      After the Traps agent successfully connects to the server for the first time and retrieves a valid license, the agent begins protecting the Linux server.
      If the Traps agent cannot register with the Traps management service, the agent does not retry registration. To retry, reinstall the Traps agent on the server.
  5. For a list of available options, enter the
    command without any arguments or with

Recommended For You