Use the Cortex XDR Agent for Linux - Administrator Guide - 8.3 - Cortex XDR - Cortex XDR Agent - Advanced Endpoint Protection - Cortex - Security Operations

Learn how to use the Cortex XDR agent for Linux with the options described in this topic.

After you install the Cortex XDR agent for Linux, the agent operates transparently in the background as a system process. Typically, it is not necessary to interact with the agent; however, to perform common actions, such as initiating a manual check-in with Cortex XDR, you can use the command-line utility named Cytool (also available for Mac and Windows). Cytool is located at /opt/traps/bin/cytool and must be run as root or with root permissions.

  1. Display the Cytool help.

    From the Linux server, run the cytool command without any arguments or with -h or --help options.

    root@ubuntu:~$ /opt/traps/bin/cytool
    Usage: cytool <options>
    cytool - Support tool
    -h --help                                           Display help information.
    enum                                                List processes protected by Cortex XDR.
    startup query                                       List startup status for Cortex XDR endpoint agent(s) and daemon(s).
    startup <enable | disable> <process_name | all>     Enable/Disable agent(s) and daemon(s) after reboot.
    runtime query                                       List runtime status for agent(s), daemon(s) and kernel extensions.
    runtime <start | stop> <process_name | all>         Start/Stop agent(s), daemon(s) and kernel extensions immediately.
    persist list                                        Display list of persistent databases.
    persist export <db_name | db_path>                  Export database(s) to the file(s) in JSON format.
    persist import <db_name | db_path> <file_name>      Import data into the database from the given JSON file.
    persist print <db_name | db_path> [csv]             Print database to the command prompt.
    log <log_level> <process_name | all>                Set log level for the desired process.
    log collect                                         Generate support file archive.
    dump <enable | disable | restore>                   Enable/Disable dump generation or restore policy settings.
    checkin                                             Initiate Check In Now (send heartbeat to ESM).

    Follow the usage guidelines to run additional Cytool commands.

  2. List processes protected by the agent.

    Enter the cytool enum command.

    root@ubuntu:~$ cytool enum
    Cortex XDR list of protected processes:
      PID CMD                           UID
     1098 /usr/sbin/cron -f               0
     1131 /usr/sbin/rsyslogd -n         104

    To view processes for all users including those initiated by the operating system, specify the /a option.


    If you change the action mode for protected processes in the Exploit Security Profile in Cortex XDR, you must restart the protected processes for the security policy to be enforced on those processes and their forked processes. Only then do they appear on this list.

  3. Start or stop Cortex XDR agent daemons.

    The agent comprises the pmd, dypd, analyzerd, and lted processes. pmd is the main process, and it automatically starts and stops dypd, analyzerd, and lted. To start or stop all daemons, enter either the cytool runtime [start | stop] all command or the cytool startup [enable | disable] all command. Both commands change both the current running state of the daemons and their startup registration status, which applies when the server boots.

    For example:

    root@ubuntu16:~# /opt/traps/bin/cytool runtime stop all
             Name    PID         User              Status           Command
              pmd    N/A          N/A             STOPPED           N/A
        analyzerd    N/A          N/A             STOPPED           N/A
             dypd    N/A          N/A             STOPPED           N/A
             lted    N/A          N/A             STOPPED           N/A
    root@ubuntu16:~# /opt/traps/bin/cytool runtime start all
             Name    PID         User              Status           Command
              pmd  20798         root             Running           /opt/traps/bin/pmd
        analyzerd  21027     cortexu+             Running           /opt/traps/analyzerd/analyzerd 109 111 113
             dypd  20999         root             Running           /opt/traps/bin/dypd -a  -- 99
             lted  20982     cortexu+             Running           /opt/traps/ltee/lted -type 2 -config ltee_decryptor.json

  4. View the Cortex XDR agent security policy.

    The agent stores policy and security event information such as the list of trusted signers, local verdicts, and one-time actions in local databases in the /opt/traps/persist/ directory. To troubleshoot policy issues and security events, you can use Cytool to import, export, and view information stored in the local database.

    To view a list of all local databases, use the cytool persist list command.

    root@ubuntu:~$ /opt/traps/bin/cytool persist list
    Persistent database list:
          post_detection.db      Database of post-detection candidates
           agent_actions.db      Database of one time actions
          cloud_frontend.db      Database of Cloud frontend settings
              hashes_lru.db      Least recently used verdicts database
           cloud_reports.db      Database of Cloud reports
                  hashes.db      Database of the verdicts received from WildFire
            esm_frontend.db      Database of ESM frontend settings
                  policy.db      Policy database
                  fvhash.db      Database of blacklisted fvhashes
         trusted_signers.db      Database of trusted signers
              hash_paths.db      Database of file paths
           hash_override.db      Database of hashes override (Admin exeptions)
             esm_reports.db      Database of ESM reports
         security_events.db      Database of security events (preventions)
             file_upload.db      Database of files being uploaded to ESM
       hashes_retransmit.db      Database of hashes to be retransmitted
          agent_settings.db      Database of agent settings

    To view the records of a database, use the cytool persist print [<database_name> | <database_path>] command, where you specify either the name of the database (see the cytool persist list command) or the path to the database. To export the records of a database to a JSON file, use the cytool persist export [<database_name> | <database_path>] command. For example:

    root@ubuntu:~$ /opt/traps/bin/cytool persist print security_events.db
    Database security_events:
    persistence::DB: /opt/traps/persist/security_events.db: Open
    persistence::DB: /opt/traps/persist/security_events.db: Open: IO error: lock /opt/traps/persist/security_events.db/LOCK: Resource temporarily unavailable
    Prevention ID: 3c34dcc1-bc37-ffef-ed55-f5512df05884
    Time: 2018-05-02T10:31:51Z
    Timezone offset (min): 240
    Module ID (CyveraComponent): 277
    Module status (CyStatus): 0xC0400015
    Blocked: false
    Source process ID: 14818
    Source process terminated: true
    Source process command line: /root/Desktop/Linux_testers/ROP/lighttpd system 0
    Source process file index: 0
    Target process ID: 0
    Target process terminated: false
    Target process command line: 
    Target process file index: 0
    User ID: 0
    User name: 
    Cortex XDR version:
    OS name: Linux
    OS version: Red Hat Enterprise Linux Server release 6.9 (Santiago)
    Machine name: Saar_redhat64x64
    Dump path: /opt/traps/forensics/3c34dcc1-bc37-ffef-ed55-f5512df05884/
    Content version: 17-3805
    IP Address:
    Verdict (WildFire/Hash Control): 0
    1 Files:
                    Name: lighttpd
                    Path: /root/Desktop/Linux_testers/ROP
                    Size: 0
                    Hash: 8630c9e57ca58fb7966c80525c36f572416e0a8db617b8a43c946d4fa966a71c
                    Quarantine ID: 
                    Signers: ''
    ---------- END Security Event Files ----------
    root@ubuntu:~$ /opt/traps/bin/cytool persist export security_events.db                 
    persistence::DB: /opt/traps/persist/security_events.db: Open
    -rw-r--r-- 1 ubuntu root 25824 Jan  2 18:10 /home/ubuntu/traps/cytool/security_events.db_18.10.04.427_02.01.2018.json

    To add records to the database, use the cytool persist import [<database_name> | <database_path>] <input_filename> command, where <input_filename> is a JSON file.

  5. Collect logs.

    Use the cytool log set_level <log_level> [<process_name> | all] command to change the log level of an agent component, where:

    • <log_level> is an integer value corresponding to the log level:

      • 1—Fatal

      • 2—Critical

      • 3—Error

      • 4—Warning

      • 5—Notice

      • 6—Information

      • 7—Debug

      • 8—Trace

    • <process_name> is the Cortex XDR agent component: trapsd, authorized, pmd, or dypd.

    Then use the cytool log collect command to collect all logs in a TGZ file.

    root@ubuntu:~$ /opt/traps/bin/cytool log 1 trapsd
    root@ubuntu:~$ /opt/traps/bin/cytool log collect
    -rw-r--r-- 1 root root 1651939 Dec 30 20:33 /tmp/Traps_log_2017-12-30_20-33-22/Traps_log_2017-12-30_20-33-22.tgz

  6. Manually initiate a check in with the server.

    Use the cytool checkin command to initiate the manual check-in. To verify the status of the check-in on Cortex XDR, view the LAST SEEN date from the additional details view of an endpoint on the Endpoints page.

  7. Configure proxy communication.


    To configure system-wide proxy settings for your endpoints, follow the instructions below. You can also configure a Cortex XDR agent-specific proxy (see Install the Cortex XDR Agent for Linux).

    If defined, the agent uses the proxy settings defined in the system environment in /etc/environment. If proxy settings are not defined, you can add the proxy server to the system environment by specifying the following setting in the environment file:



    • <proxyserver> is the IP address of the proxy server

    • <port> is the port number used for proxy communication.

    For example: https_proxy=""

  8. View the version of the Cortex XDR agent.

    To view the version of the agent on the Linux server, open or read the version.txt file in the /opt/traps/ directory. For example:

    root@ubuntu:~$ cat /opt/traps/version.txt
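
A monitoring check built on the daemon status table from step 3, flagging any of the four daemons that is stopped or has no row. This is an added example, not part of the original guide or vendor code; the function names are hypothetical, and it assumes cytool runtime query prints the same table layout as the runtime start and stop output shown in step 3.

```shell
#!/usr/bin/env bash
# Added example, not vendor code: report Cortex XDR daemons that are not Running.

# Constructed sample in the table layout shown in step 3, with dypd set to
# STOPPED so the failure path is exercised.
SAMPLE_RUNTIME='         Name    PID         User              Status           Command
          pmd  20798         root             Running           /opt/traps/bin/pmd
    analyzerd  21027     cortexu+             Running           /opt/traps/analyzerd/analyzerd 109 111 113
         dypd    N/A          N/A             STOPPED           N/A
         lted  20982     cortexu+             Running           /opt/traps/ltee/lted -type 2 -config ltee_decryptor.json'

# Reads the status table on stdin. Prints "<name> <status>" for each of the four
# daemons that is not Running, or "<name> MISSING" when it has no row at all.
unhealthy_daemons() {
  awk -v expected="pmd dypd analyzerd lted" '
    BEGIN { n = split(expected, want, " ") }
    $1 == "Name" { next }              # header row
    NF >= 4 { status[$1] = $4 }        # columns: Name PID User Status Command
    END {
      for (i = 1; i <= n; i++) {
        d = want[i]
        if (!(d in status)) print d, "MISSING"
        else if (tolower(status[d]) != "running") print d, status[d]
      }
    }'
}

# Returns 0 when all four daemons are Running; otherwise lists the offenders
# on stderr and returns 1, which suits cron jobs and monitoring probes.
check_agent() {
  bad=$(unhealthy_daemons)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# On an endpoint, as root (assumes runtime query prints the same table):
#   /opt/traps/bin/cytool runtime query | check_agent || logger -p auth.warning "Cortex XDR agent degraded"
```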
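
The printed security event format from step 4 can be reduced to one line per event for triage, for instance to list preventions recorded with Blocked: false. This is an added example, not part of the original guide or vendor code; the function names and the second sample event are constructed, and it assumes each event ends with the END Security Event Files line and lists a single file.

```shell
#!/usr/bin/env bash
# Added example, not vendor code: one tab-separated line per security event.
# Constructed sample: event 1 reuses step 4 values (fields trimmed), event 2 is made up.
SAMPLE_EVENTS='Database security_events:
persistence::DB: /opt/traps/persist/security_events.db: Open
Prevention ID: 3c34dcc1-bc37-ffef-ed55-f5512df05884
Time: 2018-05-02T10:31:51Z
Blocked: false
Source process command line: /root/Desktop/Linux_testers/ROP/lighttpd system 0
1 Files:
                Name: lighttpd
                Hash: 8630c9e57ca58fb7966c80525c36f572416e0a8db617b8a43c946d4fa966a71c
---------- END Security Event Files ----------
Prevention ID: 00000000-0000-0000-0000-000000000001
Time: 2018-05-02T11:00:00Z
Blocked: true
Source process command line: /usr/local/bin/example-app --serve
1 Files:
                Name: example-app
                Hash: 1111111111111111111111111111111111111111111111111111111111111111
---------- END Security Event Files ----------'

# Output columns: time, prevention ID, blocked, file hash, source command line.
# Assumes every event ends with the END line and lists one file, as in step 4.
summarize_events() {
  awk '
    function emit() {
      if ("Prevention ID" in ev)
        printf "%s\t%s\t%s\t%s\t%s\n", ev["Time"], ev["Prevention ID"],
               ev["Blocked"], ev["Hash"], ev["Source process command line"]
      split("", ev)                       # portable way to clear the array
    }
    /^persistence::DB:/ { next }          # database status lines, not event data
    /END Security Event Files/ { emit(); next }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      p = index(line, ":"); if (p == 0) next
      val = substr(line, p + 1)           # split at the first colon only
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      ev[substr(line, 1, p - 1)] = val
    }'
}

# Events the agent reported without blocking (Blocked: false).
unblocked_events() {
  summarize_events | awk -F'\t' '$3 == "false"'
}

# On an endpoint, as root: /opt/traps/bin/cytool persist print security_events.db | unblocked_events
```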