Install the Cortex XDR Agent for Linux (Cortex XDR Agent 7.7)

Cortex XDR Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 7.7
Creation date: 2022-08-31
Last date published: 2023-01-04
End of Life: EoL
Category: Administrator Guide

The Cortex XDR agent for Linux is designed to protect Linux servers and operates transparently in the background as a system process. The agent also extends exploit and malware protection to processes that run in Linux containers. When you install the Cortex XDR agent on a Linux server, running in either Kernel or User Space mode, the agent automatically protects any new and existing containerized processes regardless of the container solution (for example, Docker). Each Linux server receives a single license, which includes protection for container processes.

You can also deploy Cortex XDR agents on virtual Linux servers as temporary sessions. This ensures that the Cortex XDR agent license returns to the license pool after 90 minutes of session inactivity and better supports temporary workloads in your network.

After you install the Cortex XDR agent for Linux, it is typically not necessary to interact with the agent; however, to perform common actions, such as initiating a manual check-in with Cortex XDR, you can use the command-line utility named Cytool. Cytool is located at /opt/traps/bin/cytool and must be run as root or with root permissions.

Before installing the agent on a Linux server, verify that the system meets the requirements described in Cortex XDR Agent for Linux Requirements.

Note

If you intend to use SELinux, make sure to enable it before you proceed with the Cortex XDR agent installation. This ensures that the agent disables any injection-based modules that cause compatibility issues. If you later enable SELinux or change its operation mode, you must reinstall the agent to avoid any compatibility issues.

  1. Download the Cortex XDR agent Linux installer from Cortex XDR.

  2. Copy the installer to the Linux server on which you want to install the Cortex XDR agent software.

    For example, to copy the file securely from a local machine to the Linux server:

    user@local ~
    scp linux.sh.tar.gz root@centos.example.com:/tmp
    linux.sh.tar.gz                                100%   52MB   95.2MB/s   00:00

  3. Log on to the Linux server.

    For example:

    user@local ~
    ssh root@centos.example.com
    root@centos.example.com's password:
    Last login: Thu May 19 05:17:04 2022 from 192.168.0.181

  4. Install the Cortex XDR agent software.

    You can install the Cortex XDR agent on the endpoint manually using the shell installer or using the Linux package manager for .rpm and .deb installers.

    • Unpack the installation archive by running:

      tar xf filename.tar.gz

    • Copy the configuration file into the /etc/panw directory:

      sudo mkdir -p /etc/panw

      sudo cp cortex.conf /etc/panw/

    To deploy using package manager:

    1. (Optional) On RHEL, CentOS, Oracle, or SUSE systems that have signature checking configured, or if you want to manually check the integrity of the Cortex XDR package:

      1. Download the Cortex XDR Public Key.

      2. Unzip the public key by running unzip cortex-xdr-agent.zip.

      3. Import the public key by running rpm --import cortex-xdr-agent.asc.

    2. Depending on your Linux distribution, install the Cortex XDR agent using one of the following commands:

      Distribution               Install Command
      RHEL, CentOS, or Oracle    yum install ./filename.rpm or rpm -i ./filename.rpm
      Ubuntu or Debian           apt-get install ./filename.deb or dpkg -i ./filename.deb
      SUSE                       zypper install ./filename.rpm or rpm -i ./filename.rpm

    3. Verify the agent was installed on the endpoint.

      Enter one of the following commands on the endpoint, depending on the package type:

      dpkg -l | grep cortex-agent or rpm -qa | grep cortex-agent
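The optional signature check, the install step and the verification step above can be run as one script that refuses to install an .rpm whose signature does not verify. This is an added example, not part of the Palo Alto Networks guide; it assumes the file names used in the guide (cortex-xdr-agent.zip, cortex-xdr-agent.asc, ./filename.rpm or ./filename.deb) and that rpm, unzip and the distribution's package manager are on PATH.

```shell
#!/bin/sh
# Added example, not part of the Palo Alto Networks guide: the package-manager
# install as one script that imports the vendor key, refuses to install an
# .rpm whose signature does not verify, and confirms the package afterwards.
# File names are the guide's placeholders (cortex-xdr-agent.zip, ./filename.rpm).
set -e

# Interpret the output of `rpm -K <file>`: 0 only when every digest and
# signature check passed (output ends in "OK" and nowhere says "NOT OK").
checksig_ok() {   # $1 = rpm -K output
    case "$1" in
        *"NOT OK"*) return 1 ;;
        *" OK")     return 0 ;;
        *)          return 1 ;;
    esac
}

# Step 1 of the guide: unzip the public key and import it into the rpm keyring.
import_vendor_key() {
    unzip -o cortex-xdr-agent.zip
    rpm --import cortex-xdr-agent.asc
}

# Step 2: verify (rpm only; the guide gives no signature step for .deb), then
# install with the manager this distribution provides.
install_package() {   # $1 = ./filename.rpm or ./filename.deb
    case "$1" in
        *.rpm)
            checksig_ok "$(rpm -K "$1")" || { echo "signature check failed: $1" >&2; return 1; }
            if command -v yum >/dev/null 2>&1; then yum install -y "$1"
            elif command -v zypper >/dev/null 2>&1; then zypper --non-interactive install "$1"
            else rpm -i "$1"; fi ;;
        *.deb)
            if command -v apt-get >/dev/null 2>&1; then apt-get install -y "$1"
            else dpkg -i "$1"; fi ;;
        *)  echo "unsupported package type: $1" >&2; return 1 ;;
    esac
}

# Step 3: 0 if the agent package is present, 1 otherwise.
agent_installed() {
    if command -v dpkg >/dev/null 2>&1; then dpkg -l | grep -q cortex-agent
    else rpm -qa | grep -q cortex-agent; fi
}
```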

    To deploy the shell installer:

    1. Enable execution of the script using the chmod +x filename command.

    2. Run the install script as root or with root permissions.

      For example on CentOS 7:

      [root@centos]# cd /tmp
      [root@centos tmp]# ls
      cortex-7.7.0.59559.sh
      cortex.conf
      linux.sh.tar.gz
      README.md
      [root@centos tmp]# chmod +x cortex-7.7.0.59559.sh
      [root@centos tmp]# ./cortex-7.7.0.59559.sh
      Verifying archive integrity... All good.
      Uncompressing Cortex XDR 7.7.0.59559 installer  100%
      [!] Path '/bin' is not in PATH
      [!] Path '/sbin' is not in PATH
      [ 1] Checking prerequisites
      Verifying RHEL/CentOS 7 (rpm) packages:
        * openssl ... OK
        * ca-certificates ... OK
        * policycoreutils-python ... OK
        * selinux-policy-devel ... OK
      Done
      [ 2] Installing Cortex XDR [7.7.0.59559] at /opt/traps
      Using packaged compatibility libraries
      Done
      [ 3] Creating runtime directory
      Done
      [ 4] Installing SELinux policies
        Compiling ... OK
        Installing ... OK
        Updating contexts ... OK
      Done
      [ 5] Verifying iptables prerequisite
      Done
      [ 6] Defining Cortex XDR local services (systemd)
      Created symlink from /etc/systemd/system/multi-user.target.wants/traps_pmd.service to /etc/systemd/system/traps_pmd.service.
      Done
      [ 7] Creating/Verifying Cortex XDR auxiliary user
      Done
      [ 8] Configuring connection to server
      Done
      [ 9] Starting Cortex XDR security services
      Redirecting to /bin/systemctl start traps_pmd.service
           Name       PID     User     Status     Command
            pmd      6072     root     Running    /opt/traps/bin/pmd
      analyzerd       N/A      N/A     STOPPED    N/A
           dypd      6138     root     Running    /opt/traps/bin/dypd  -s -- 175
           lted       N/A      N/A     STOPPED    N/A
      Done

      Additional options are available to help you customize your installation if needed. The following table describes common options and parameters that you can use but does not provide an exhaustive list. Use the --help option to print the help for the installer.

      Note

      If you are using the rpm, deb, or sh installer, you must also add these parameters to the /etc/panw/cortex.conf file prior to installation.

      Make sure to remove the leading double-dash separator (the "-- " that precedes an option on the shell installer command line). For example, instead of -- --proxy-list "<proxyserver>:<port>", add this: --proxy-list="10.196.21.223:808".

      For example, a cortex.conf line that sets a proxy, skips the kernel module, and disables Live Terminal:

      --proxy-list="10.196.21.223:808" --no-km --restrict=live_terminal

      Options and descriptions:

      --no-km

      Without Kernel Module Installation

      Use the --no-km option if you do not want to install the Cortex XDR agent kernel module. If you install the agent without the Cortex XDR kernel module or your Linux server runs an unsupported kernel version, the Cortex XDR agent will operate in asynchronous mode.

      --install-path=</custom/path>

      Custom Agent Installation Directory (Requires Cortex XDR agent 7.6 or a later release)

      Install the Cortex XDR agent in a custom directory on the endpoint instead of using the default /opt directory. A custom installation directory is a persistent change: after you install the Cortex XDR agent to the custom path, all following upgrades and the removal of the agent from the endpoint are executed in the same location.

      Before you start, ensure the custom directory exists on the endpoint and has user and group executable permissions.

      • SH installer—Run the following command for example:

        root@ubuntu:/tmp# ./linuxshell.sh -- --install-path=/home/customDir

      • RPM and DEB installers

        1. Create a cortex.conf file on the endpoint, under /etc/panw/

        2. Add to the cortex.conf your custom directory parameter, for example:

          --install-path=/home/customDir

      -- --proxy-list "<proxyserver>:<port>"

      Proxy Communication

      Configure the Cortex XDR agent to communicate through an intermediary such as a proxy or the Palo Alto Networks Broker Service.

      To enable the agent to direct communication to an intermediary, you use this installation option to assign the IP address and port number you want the Cortex XDR agent to use. You can also configure the proxy by entering the FQDN and port number. When you enter the FQDN, you can use both lowercase and uppercase letters. Avoid using special characters or spaces.

      Use commas to separate multiple addresses. For example:

      -- --proxy-list "My.Network.Name:808, 10.196.20.244:8080"

      You can assign up to five different proxies per agent, and the proxy for communication is selected randomly with equal probability.

      To enable the agent to use the Broker Service, you must set up a Broker VM in your network and use this option to assign the agent the Broker VM IP address with port number 8888.

      After the initial installation, you can change the proxy settings from Cortex XDR.

      Note

      The Cortex XDR agent does not support proxy communication in environments where proxy authentication is required.

      --vm-template (VM Template) and --temporary-session (Temporary session)

      Virtual Installation

      Deploy Cortex XDR agents on virtual Linux endpoints as temporary instances, ensuring that the Cortex XDR agent license returns to the license pool after 90 minutes of session inactivity and better supporting temporary workloads in your network. Choose your preferred workflow:

      Pre-install—Install the Cortex XDR agent only on the Linux endpoint you are using to create the VM template. Every instance you create using this template will include the pre-installed Cortex XDR agent. For example:

      $ ./installer.sh -- --vm-template

      Fresh install—Install the Cortex XDR agent on the Linux VM after creating the VM template, as part of provisioning. For example:

      $ ./installer.sh -- --temporary-session

      -- --restrict=<flag>

      Disable Live Terminal, script execution, and file retrieval on the endpoint

      Use to permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal session on the endpoint, run scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. Disabling any of these actions is irreversible: if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package without this flag.

      To disable all actions, use the corresponding flag: --restrict=all

      To disable a specific action, use the corresponding flag:

      • --restrict=live_terminal—Use to disable Live Terminal.

      • --restrict=script_execution—Use to disable script execution.

      • --restrict=file_retrieval—Use to disable file retrieval.

      To disable more than one option, use any combination of these flags.

      -- --endpoint-tags <tag>

      Add Endpoint Tags

      Add tags to the endpoint tags list.

      • SH installer—Run the following command for example:

        traps_linux.sh -- --endpoint-tags tag1,tag2,tag3

        Note

        The double dash (--) before the --endpoint-tags argument is mandatory, and the argument and the value must be separated by a space.

      • RPM and DEB installers

        1. Create a cortex.conf file on the endpoint, under /etc/panw/

        2. Add to the cortex.conf your endpoint tags parameter, for example:

          --endpoint-tags tag1,tag2,tag3

      Note

      If one or more tags contains spaces, the entire tags string must be enclosed in quotes ("), for example: --endpoint-tags "tag1,tag multi word2,tag3".
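The cortex.conf rules given above for the --proxy-list, --install-path and --endpoint-tags options (drop the "-- " separator that the shell installer needs, write --proxy-list in its "=" form, allow at most five host:port proxies, quote the whole tag list when a tag contains a space) can be enforced by a small script rather than by hand. This is an added example, not part of the Palo Alto Networks guide; it assumes the /etc/panw/cortex.conf path from the guide, and the proxy-entry pattern is the guide's wording (IP or FQDN plus port, no spaces or special characters) turned into a regular expression.

```shell
#!/bin/sh
# Added example, not part of the Palo Alto Networks guide: build
# /etc/panw/cortex.conf for an rpm/deb install from the same options the
# shell installer takes, applying the guide's rules: no leading "--"
# separator, --proxy-list in its "=" form, at most five host:port proxies,
# and the tag list quoted when a tag contains a space.
CONF_PATH="${CONF_PATH:-/etc/panw/cortex.conf}"

# Validate a comma-separated proxy list: 1 to 5 entries, each host:port,
# host limited to letters, digits, dots and hyphens (no spaces, no other
# special characters), port numeric. Assumed pattern, derived from the guide.
check_proxy_list() {   # $1 = "host:port, host:port, ..."
    n=0
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        n=$((n + 1))
        printf '%s' "$entry" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$' || return 1
    done
    [ "$n" -ge 1 ] && [ "$n" -le 5 ]
}

# Quote the tag list only when some tag contains a space.
format_tags() {   # $1 = "tag1,tag two,tag3"
    case "$1" in
        *' '*) printf '"%s"' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# Build one cortex.conf line: $1 proxy list (may be empty), $2 tag list
# (may be empty); remaining arguments are passed through as further flags
# such as --no-km, --restrict=live_terminal or --install-path=/home/customDir.
build_conf_line() {
    proxies="$1"; tags="$2"; shift 2
    line=""; sep=""
    if [ -n "$proxies" ]; then
        check_proxy_list "$proxies" || { echo "invalid proxy list: $proxies" >&2; return 1; }
        line="--proxy-list=\"$proxies\""; sep=" "
    fi
    if [ -n "$tags" ]; then
        line="$line$sep--endpoint-tags $(format_tags "$tags")"; sep=" "
    fi
    for flag in "$@"; do line="$line$sep$flag"; sep=" "; done
    printf '%s\n' "$line"
}

# Write the line to CONF_PATH, creating the directory as the guide does.
write_conf() {
    mkdir -p "$(dirname "$CONF_PATH")"
    build_conf_line "$@" > "$CONF_PATH"
}
```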

      The script installs the files for the Cortex XDR agent for Linux in the /opt/traps folder with the Cytool utility available at /opt/traps/bin/cytool.

      After the agent successfully connects to the server for the first time and retrieves a valid license, the agent begins protecting the Linux server.

      Note

      If the Cortex XDR agent does not connect to Cortex XDR, verify your internet connection and perform a check-in on the endpoint. If the agent still does not connect, verify the installation package has not been removed from the Cortex XDR management console.

  5. (Optional for Kernel Mode only) Load SecureBoot Certificates.

    If you enabled the SecureBoot kernel, perform the following steps to load the Cortex XDR kernel module certificate. Certificates are available for:

    • Redhat 8, Redhat 9

    • Ubuntu 18, Ubuntu 20, Ubuntu 22

    • SUSE 15

    • Oracle 8

    • AlmaLinux 8

    • RockyLinux 8

    1. On your server, navigate to /opt/traps/download/content/km/modules/<os_name>/ and locate the public key file xdr_kernel_cert.der.

    2. Load the key to the MOK by running the command:

      mokutil --import xdr_kernel_cert.der

    3. Set a password.

    4. Reboot the system.

      During the reboot, the Unified Extensible Firmware Interface (UEFI) will ask you to Enroll MOK. When prompted whether to enroll the key, select Yes and enter the password you defined.

    5. Verify the key was loaded by running the command mokutil --list-enrolled and locating the key with the Palo Alto Networks issuer.
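Step 5 above checks the enrolled key by its issuer. The following added script (not part of the Palo Alto Networks guide) makes that check exact by comparing the SHA-1 fingerprint of the xdr_kernel_cert.der file with the fingerprints that mokutil --list-enrolled reports, so you can confirm that the certificate from the module directory, and not some other key, is what was enrolled. It assumes the path layout from step 1, with OS_NAME standing in for the <os_name> directory, and that openssl and mokutil are installed.

```shell
#!/bin/sh
# Added example, not part of the Palo Alto Networks guide: confirm by SHA-1
# fingerprint that the certificate enrolled in MOK is exactly the
# xdr_kernel_cert.der from the module directory. OS_NAME is a placeholder for
# the guide's <os_name> directory and must be set by the caller.
CERT="/opt/traps/download/content/km/modules/${OS_NAME:-OS_NAME_PLACEHOLDER}/xdr_kernel_cert.der"

# Normalize a fingerprint read from stdin: strip colons, lower-case hex.
norm_fp() { tr -d ':' | tr 'A-F' 'a-f'; }

# SHA-1 fingerprint of a DER certificate, normalized (requires openssl).
der_fingerprint() {   # $1 = path to .der file
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | norm_fp
}

# All "SHA1 Fingerprint:" values in `mokutil --list-enrolled` output ($1),
# normalized, one per line.
mok_fingerprints() {
    printf '%s\n' "$1" | sed -n 's/^SHA1 Fingerprint: *//p' | norm_fp
}

# 0 if fingerprint $2 (any case, with or without colons) appears in listing $1.
listing_has_fingerprint() {
    want=$(printf '%s' "$2" | norm_fp)
    mok_fingerprints "$1" | grep -qx "$want"
}

# Step 2 of the guide: show what is about to be enrolled, then stage it.
# mokutil asks for a one-time password that the UEFI MOK manager requests
# again after the reboot in step 4.
stage_enrollment() {
    [ -r "$CERT" ] || { echo "certificate not found: $CERT" >&2; return 1; }
    echo "Staging certificate with SHA-1 fingerprint $(der_fingerprint "$CERT")"
    mokutil --import "$CERT"
}

# Step 5 of the guide, made exact: 0 if the file's fingerprint is enrolled.
verify_enrollment() {
    listing_has_fingerprint "$(mokutil --list-enrolled)" "$(der_fingerprint "$CERT")"
}
```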

  6. For a list of available Cytool options, see Use the Cortex XDR Agent for Linux, or enter the cytool command without any arguments or with -h or --help.