Cortex XDR Agent 7.8 for Linux - Administrator Guide

Cortex XDR Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 7.8
Creation date: 2022-08-31
Last date published: 2023-04-30
End of life: EoL
Category: Administrator Guide

The Cortex XDR agent protects Linux servers by preventing known and unknown malware from running and by halting attempts to leverage software exploits and vulnerabilities to compromise the server. The agent also extends exploit and malware protection to processes that run in Linux containers. When you install the agent on a Linux server that uses containers, it automatically protects any new and existing containerized processes regardless of the container solution (for example, Docker). Because Cortex XDR issues the license per Linux server, containers do not consume any additional licenses.

The protection capabilities and features that the Cortex XDR agent for Linux provides depend on the operation mode you choose when deploying the Cortex XDR agent on your Linux server:

  • Kernel Mode

    The Cortex XDR agent loads a kernel module, so the server must run a supported kernel version. The Palo Alto Networks Compatibility Matrix lists the supported versions.

  • User Space Mode

    Allows you to leverage the protection provided by the Cortex XDR agent on Linux distributions running kernel 5.0 and above without loading a kernel module.

    To enable User Space mode, make sure you:

    • Set the Agent Operation Mode to User Space in your agent settings profile (see Add a New Agent Settings Profile).

    • For Kubernetes-based installations, create and deploy the new YAML installer. The existing YAML file is incompatible with User Space mode, both for new Cortex XDR agents and for Cortex XDR agents running versions earlier than 7.8.

    Note

    User Space mode is available for machines running kernel 5.0 and above.
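The kernel 5.0 requirement is the one hard gate on User Space mode, so it is worth checking before you pick a mode in the agent settings profile. The following preflight script is an added example, not Palo Alto Networks code and not part of the original guide: it parses the release string printed by `uname -r`, decides whether the host is eligible for User Space mode, and otherwise recommends Kernel Mode (for which you still have to confirm the exact kernel against the Compatibility Matrix; the script does not do that). The function and variable names are the example's own.

```shell
#!/bin/sh
# Added preflight check (example code, not Palo Alto Networks code).
# User Space mode per the guide: kernel 5.0 and above, no kernel module.
# Kernel Mode: loads a kernel module and requires a kernel listed in the
# Compatibility Matrix, which this script does not consult.

# Return 0 if the kernel release string (format of `uname -r`) is 5.0 or
# newer, 1 otherwise. Only major.minor matter; distro suffixes such as
# "-generic" or ".el8.x86_64" are ignored. Malformed input returns 1 so a
# garbled release never silently passes as eligible.
userspace_mode_eligible() {
    rel="$1"
    major="${rel%%.*}"          # everything before the first dot
    rest="${rel#*.}"            # everything after the first dot
    minor="${rest%%[!0-9]*}"    # leading digits of the remainder
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 5 ]; then
        return 0
    fi
    if [ "$major" -eq 5 ] && [ "$minor" -ge 0 ]; then
        return 0
    fi
    return 1
}

# Map a kernel release string to the operation mode to select in the
# agent settings profile: "user-space" when eligible, else "kernel".
recommend_mode() {
    if userspace_mode_eligible "$1"; then
        echo "user-space"
    else
        echo "kernel"
    fi
}

# Stand-alone run: evaluate the host this script executes on.
current="$(uname -r)"
echo "kernel release: $current"
echo "recommended Agent Operation Mode: $(recommend_mode "$current")"
if [ "$(recommend_mode "$current")" = "kernel" ]; then
    echo "verify $current against the Compatibility Matrix before deploying"
fi
```

Run it on each candidate host before building the settings profile; a "kernel" recommendation on a containerized cluster also means the Kubernetes YAML installer must target Kernel Mode rather than the new User Space installer.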

The following table details the protection capabilities provided by each operation mode.

Protection Capabilities                                              Kernel    User Space
Exploit Protection                                                   x         x
Malware Protection                                                   x         x
Endpoint EDR Data Collection                                         x         x
Event Monitoring                                                     x         x
File Execution (ELF File Analysis, Local Privilege Escalation (LPE)) x         x
Kernel Integrity Monitoring                                          x
Local Privilege Escalation Protection                                x

The following topics describe how to install and use the Cortex XDR agent for Linux: