OneView offers the Endpoint Agent for Linux machines. The Downloads page in the OneView console has instructions on setting up your repository source to point to the Linux repository. Then, download and install the ThreatDown Endpoint Agent using standard Linux commands, apt-get/apt install or yum install.
For minimum requirements to install on Linux machines, see Minimum requirements for OneView.
Linux Endpoint Installer Notes
- Endpoints are assigned to the Default Group and use the Default Policy unless you specify a different group. To automatically assign endpoints to a group during installation:
  - On the left navigation menu, click Download Center.
  - Under Advanced tools, click the Specify group assignment link.
- The Deployment tab has two options available for your Linux endpoints:
  - Install: Use these commands to download and install the endpoint agent on the endpoint.
  - Upgrades: For applicable Linux distros. Use these commands to upgrade the endpoint agent on the endpoint.
Install the endpoint agent on a Linux device
To manually add an endpoint to OneView, select your Linux distro and copy the commands displayed in OneView.
Endpoints are assigned to the Default Group and use the Default Policy unless you specify a different group as a parameter.
- On the left navigation menu, click Download Center.
- Select the site.
- Select Linux from the platform drop-down menu.
- Choose the distribution you are using in the installer version drop-down menu.
- After selecting your distro, copy the text in the Install field and paste the text into your Linux command line. Your Account Token is automatically populated in the field for convenience.
- Run the script in your Linux environment.
When the installation process completes, the Endpoint Agent registers, the Linux endpoint appears on the Endpoints page of OneView, and the agent begins logging events and errors on the endpoint. For information on gathering logs, see Collect Endpoint Agent diagnostic logs.
NOTICE - All Linux endpoints are counted as Servers.
Endpoint Detection and Response for Linux
Dynamic Kernel Module Support (DKMS) is a Linux utility used to build the Endpoint Detection and Response (EDR) driver on Linux devices. Ensure DKMS is installed on the endpoints before enabling EDR in the policies for Linux devices. Additionally, verify the kernel headers package is installed and matches the kernel version running on the endpoint.
- To identify the exact kernel version in use, run the uname -r command.
- Installing DKMS with the standard package management tools may not install the proper version of the kernel headers package.
- On older distributions such as CentOS, it may be necessary to manually add older or archived repositories beforehand, or to download and install the proper kernel headers .rpm package manually.
- On Ubuntu-based distros, an attempt to install DKMS is automatically made during the Endpoint Agent install.
Manually install DKMS and the correct kernel headers for the following Linux distros:
Linux Distribution | Commands |
CentOS 7 | |
Amazon Linux 2, Red Hat Enterprise Linux 7, CentOS 8 | |
Red Hat Enterprise Linux 8 | |
Debian | |
Once the proper kernel header version and DKMS are installed, enable EDR for Linux in the policy.
For any issues enabling EDR on Linux systems, see Kernel module not running in Endpoint Detection and Response.
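The following pre-flight check confirms both prerequisites described above (DKMS installed, kernel headers matching the running kernel) before EDR is enabled in the policy. It is an added example, not part of the ThreatDown documentation or tooling. It assumes the headers are reachable through the conventional /lib/modules/<release>/build link; the function names, the MODULES_ROOT variable and the --check flag are hypothetical names belonging to this script.

```shell
#!/bin/sh
# Added example: pre-flight check to run before enabling EDR in a Linux policy.
# Assumption: headers are reachable via the conventional
# /lib/modules/<release>/build link that DKMS builds against.
MODULES_ROOT="${MODULES_ROOT:-/lib/modules}"   # overridable for testing

# Succeeds if the dkms command is on PATH.
dkms_installed() {
    command -v dkms >/dev/null 2>&1
}

# Succeeds only if headers for kernel release $1 are really present.
# A dangling build link (headers missing or for another release) fails.
headers_match() {
    [ -d "$MODULES_ROOT/$1/build" ] && [ -f "$MODULES_ROOT/$1/build/Makefile" ]
}

# Prints every kernel release that does have headers installed.
headers_available() {
    for d in "$MODULES_ROOT"/*/build; do
        [ -f "$d/Makefile" ] && basename "$(dirname "$d")"
    done
    return 0
}

# Prints a report; returns 0 only when both prerequisites hold.
# $1 defaults to the running kernel release (uname -r).
edr_preflight() {
    kver="${1:-$(uname -r)}"
    rc=0
    if dkms_installed; then
        echo "OK   dkms found"
    else
        echo "FAIL dkms not installed"; rc=1
    fi
    if headers_match "$kver"; then
        echo "OK   kernel headers present for $kver"
    else
        echo "FAIL no kernel headers for kernel $kver"
        echo "     headers found for: $(headers_available | tr '\n' ' ')"
        rc=1
    fi
    return "$rc"
}

# Run the check only when invoked with --check (hypothetical flag of this script).
if [ "${1:-}" = "--check" ]; then
    edr_preflight
fi
```

A FAIL line for the headers together with a different release under "headers found for" is the mismatch case described above, where the package manager installed headers for a kernel other than the one running.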
Run endpoint agent on startup
To confirm your Linux server starts the endpoint agent when it boots up, run the following command:
- root@linux:~# systemctl is-enabled mbdaemon
If the output reads disabled, then run the following command to enable the agent:
- root@linux:~# systemctl enable mbdaemon
Created symlink /etc/systemd/system/multi-user.target.wants/mbdaemon.service → /lib/systemd/system/mbdaemon.service
Rerun the following command and verify the output now reads enabled.
- root@linux:~# systemctl is-enabled mbdaemon
Proxy Server Settings
You can use the variables listed below during installation or the mblinux command-line options to configure the Endpoint Agent for Linux to use a proxy server. If you need to use a password for proxy server authentication, you must use the mblinux command-line options to configure it.
Variable Name | Description |
NEBULA_PROXY_SERVER | The address to the proxy server |
NEBULA_PROXY_PORT | The port for the proxy server |
NEBULA_PROXY_USER | The username for proxy server authentication |
NEBULA_PROXY_BYPASS_LOCAL | Set if proxy should be bypassed for local addresses |