Cortex XDR Agent for Linux Requirements - Administrator Guide - 8.2 - Cortex XDR Agent - Cortex XDR - Advanced Endpoint Protection - Cortex - Security Operations

Cortex XDR Agent Administrator Guide

Product
Cortex XDR Agent
Cortex XDR
Version
8.2
Creation date
2023-06-29
Last date published
2024-07-16
Category
Administrator Guide
Abstract

Linux endpoints must meet the following requirements to install the Cortex XDR agent

The Cortex XDR agent for Linux has the following requirements:

Requirement

Minimum Specification

Processor

Processor 2.3 GHz dual-core processor

RAM

4GB; 8GB recommended

Hard disk space

10 GB

Architecture

x86_64 (x86 64bit)

For aarch64 (ARM 64 bit) see Cortex XDR Agent for Linux Requirements for details.

Operating system versions

See the Cortex XDR Agent Compatibility Matrix.

Kernel version

Kernel Mode

On Linux endpoints, to perform malware analysis of Executable and Linkable Format (ELF) files and collect data for endpoint detection and response (EDR) and behavioral threat analysis, the Cortex XDR agent requires one of the Linux Kernels that are listed in supported Kernel Module Versions.

If you deploy the Cortex XDR agent on a Linux server that is not running one of the kernel versions required for these additional protection capabilities, the agent will operate in asynchronous mode.

User Space Mode

User Space operation mode is supported from Cortex XDR agent version 7.7

User space operation mode requires Kubernetes node to run one of the supported operation systems with Kernel version 5.0 or later.

Software packages

  • Verify that you have standard Unix programs installed.

  • ca-certificates

  • openssl 1.0.0 or a later release

  • Distributions with SELinux in enforcing or permissive mode:

    • Red Hat Enterprise Linux 6, CentOS 6, and Oracle Linux 6—policycoreutils-python

    • Red Hat Enterprise Linux 7, CentOS 7, and Oracle Linux 7—policycoreutils-python and selinux-policy-devel

    • Red Hat Enterprise Linux 8/9, CentOS 8, Oracle Linux 8/9, Alma Linux 8/9 and Rocky Linux 8/9: policycoreutils-python-utils and selinux-policy-devel

    • Amazon Linux: policycoreutils-python and selinux-policy

    • Amazon Linux 2: policycoreutils-python and selinux-policy-devel

    • SUSE and OpenSuse: policycoreutils-python and selinux-policy-devel

    • Debian and Ubuntu—policycoreutils and selinux-policy-dev

  • glibc—Required for exploit protection of containerized processes using the ROP Mitigation and Brute Force Protection modules. If glibc is not installed, the modules are disabled but all other exploit and malware protection functionality work as expected.

  • CentOS 6.10—Enable the dynamic CA instead of the legacy CA:

    1. Enable the dynamic CA configuration: update-ca-trust force-enable

    2. Import the certificates: cp XDR-certificate.crt /etc/pki/ca-trust/source/anchors/.

    3. Rebuild the certificate database: update-ca-trust extract

Networking

  • Allow communication on the TCP port from the Cortex XDR agent to the server (the default is port 443).

  • Allow your Cortex management console and Cortex XDR agent to communicate with external and internal resources required for enforcing endpoint protection. Refer to the Resources Required to Enable Access section of your Cortex Admin Guide.