
Bitdefender Endpoint Security Tools for Linux quick start guide

Requirements

For more information on BEST for Linux installation requirements refer to security agent requirements on Linux.

Hardware requirements

Configure the guest operating systems where you are deploying BEST as follows:

General

Resource | Minimum | Recommended
Processor | 2 vCPUs | 4 vCPUs
Memory (RAM) | 4 GB RAM | 6 GB RAM
Free Disk Space | 2.5 GB (up to 4 GB disk with debug logs enabled) | 4 GB

Public Cloud

Cloud Service Provider (CSP) | Minimum (instance type) | Recommended (instance type)
Amazon Web Services (AWS) | T2 medium | Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD
Microsoft Azure | Standard B2s | Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD
Google Cloud Platform (GCP) | E2-medium or E2-standard-2 | Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD

Supported distributions

Fully Supported Linux Modern Distributions

Distribution | Kernel versions
RHEL 7.x | 3.10.0 (starting from build 957)
RHEL 8.x | 4.18.0
RHEL 9.x | 5.14.x
Oracle Linux 7.x (UEK + RHCK) | 3.10.0-957 - 4.18.0
Oracle Linux 8.x (UEK + RHCK) | 3.10.0-957 - 4.18.0
CentOS 7.x | 3.10.0 (starting from build 957)
CentOS 8.x | 4.18.0
Debian 9 | 4.9.0
Debian 10 | 4.19
Debian 11 | 5.10
Ubuntu 16.04.x | 4.8 / 4.10 / 4.13 / 4.15
Ubuntu 18.04.x | 5.0 / 5.3 / 5.4
Ubuntu 20.04.x | 5.4
Ubuntu 21.04.x | 5.11
Ubuntu 21.10.x | 5.13
Ubuntu 22.04.x | 5.15
SLES 12 SP4 | 4.12.14-x
SLES 12 SP5 | 4.12.14-x
SLES 15 SP1 | 4.12.14-x
SLES 15 SP2 | 5.3.18-x
SLES 15 SP3 | 5.3.18-x
openSUSE Leap 15.2 - 15.4 | 5.3.18 / 5.14.x
AWS Bottlerocket 2020.03 | 5.4.x, 5.10.x
Amazon Linux v2 | 4.14.x / 4.19.x, 5.10
Google COS Milestones 77, 81, 85 | 4.19.112 / 5.4.49
Azure Mariner 2 | 5.15
Fedora 31 - 36 | Supported until it expires.
AlmaLinux 8.x | 4.18.0
AlmaLinux 9.x | 5.14.x
Rocky Linux 8.x | 4.18.0
CloudLinux 8.x | 4.18.0
CloudLinux 7.x | 3.10
Pardus 21 | 5.10
Linux Mint 20.3 | 5.4.0
Miracle 8.4 | 4.18.0

Supported Linux Legacy Distributions

Distribution | Kernel versions
RHEL 6.x | 2.6.32-x
CentOS 6.x | 2.6.32-x
Ubuntu 16.04.x | 4.4.x
Ubuntu 14.04 LTS | 4.4.x (14.04.5)
Amazon Linux v1 2018.03 | 4.14.x

Software requirements

GravityZone requirements

BEST for Linux is compatible with GravityZone Cloud and GravityZone On-Premises versions 6.13.1-1 or newer.

Additional software requirements

  • On-access scanning is available for supported operating systems as follows:

    • Kernel 2.6.38 or higher: supported on all Linux distributions. The fanotify kernel option must be enabled.

    • Kernel 2.6.32 - 2.6.37 (CentOS 6.x, Red Hat Enterprise Linux 6.x): Bitdefender provides support via DazukoFS with prebuilt kernel modules.

  • You need auditd as a fallback mechanism in case KProbes are not available for your kernel version.

Licensing

Linux operating systems are considered server operating systems by the Bitdefender agent and will use server license seats from your pool of licenses.

Although deploying the software has no direct license requirement, depending on your license some functionality might not be available. For protection layer availability, refer to Features by endpoint type.

Installing

For more information on installing BEST for Linux, refer to Install security agents - standard procedure.

There are several options to install BEST on a Linux machine:

  1. An installation task from the GravityZone Control Center > Network inventory section.

  2. Manual installation via an installation package downloaded from the Control Center.

    Example:

    1. Go to Network > Packages and select the install package to be downloaded.

    2. Select Send Download Links to expand the provided links.

    3. Copy the Linux string and paste it into the shell on your target endpoint to download the installation package.

    4. Unpack the installation file:

      # tar -xvf setup_downloader.tar

    5. Change the permissions of the installation file so that you can execute it:

      # chmod +x installer

    6. Run the installation file:

      # ./installer

To check that the agent has been installed on the endpoint, run this command:

$ systemctl status bdsec*

Scanning

Bitdefender Endpoint Security Tools for Linux provides on-access scanning for a number of preconfigured system directories. To review this list or add other directories to be scanned:

  1. Choose a policy from the Control Center > Policies page.

  2. Go to the Antimalware > On-Access section.

  3. Next to On-access Scanning, click Settings.

  4. Click Advanced.

  5. Configure which folders the agent should scan constantly.

Additionally, you can schedule Full / Custom / Quick Scan tasks by using these steps:

  1. Choose a policy from the Control Center > Policies page.

  2. Go to the Antimalware > On-Demand section.

  3. Click the +Add button.

  4. Select a scan type. With the Custom Scan type you can configure scan options and folders to be scanned in detail.

  5. Configure the scan task scheduling options as needed.

  6. Configure scan options and target as needed.

  7. Click the Save button.

To manually scan Linux endpoints:

  • Run the task from the Control Center > Network inventory, by right-clicking the target machine and selecting Tasks > Scan.

  • Start the scan task locally using the command line interface. For more information, refer to Scanning for malware.

Troubleshooting

You can check Bitdefender Endpoint Security Tools services by running the following commands:

bd status - to check services status

bd start - to start services

bd stop - to stop services

bd restart - to restart services

Other commands:

To detect any system proxy:

/opt/bitdefender-security-tools/bin/bdconfigure getsystemproxy

To check all of the versions that were previously installed on the machine as well as the current one, open vhist.dat:

/opt/bitdefender-security-tools/etc/vhist.dat

Deploying EDR using Linux AuditD

Note

We recommend using this method only when neither the KProbes nor the eBPF method is available. The AuditD subsystem was not designed to be used in this manner and may cause increased CPU usage.

When deploying EDR using Linux AuditD, BEST for Linux automatically modifies several specific files. These changes ensure that AuditD will perform on par with the previously available methods. The changes are specified below:

Note

Make sure you have AuditD installed on your endpoint before deploying the EDR module.

  • /etc/audit/rules.d/

    • BEST will backup all files from /etc/audit/rules.d/ (for example, /etc/audit/rules.d/audit.rules will become /etc/audit/rules.d/audit.rules.bak).

    • BEST will create a rules file: /etc/audit/rules.d/bd_ausecd.rules.

    • BEST will restart the auditd service, which includes regenerating /etc/audit/audit.rules from /etc/audit/rules.d/*.rules.

    • When EDR is disabled or BEST is stopped, /etc/audit/rules.d/bd_ausecd.rules will be removed and backed-up files will be restored.

  • /etc/default/auditd

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • BEST will backup /etc/default/auditd to /etc/default/auditd.bdsec-bak in order to have a copy of the original file content.

    • BEST will modify the content of /etc/default/auditd.

    • When EDR is disabled or BEST is stopped, file content will be restored to previous state.

  • /etc/sysconfig/auditd

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • BEST will backup /etc/sysconfig/auditd to /etc/sysconfig/auditd.bdsec-bak in order to have a copy of the original file content.

    • BEST will modify the content of /etc/sysconfig/auditd.

    • When EDR is disabled or BEST is stopped, file content will be restored to previous state.

  • /etc/audit/auditd.conf

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • BEST will backup /etc/audit/auditd.conf to /etc/audit/auditd.conf.bdsec-bak in order to have a copy of the original file content.

    • BEST will modify the content of /etc/audit/auditd.conf.

    • When EDR is disabled (or BEST is stopped), file content will be restored to previous state.

  • /lib/systemd/system/auditd.service

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • BEST will backup /lib/systemd/system/auditd.service to /lib/systemd/system/auditd.service.bdsec-bak in order to have a copy of the original file content.

    • BEST will modify the content of /lib/systemd/system/auditd.service.

    • When EDR is disabled or BEST is stopped, file content will be restored to previous state.

  • /usr/lib/systemd/system/auditd.service

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • BEST will backup /usr/lib/systemd/system/auditd.service to /usr/lib/systemd/system/auditd.service.bdsec-bak in order to have a copy of the original file content.

    • BEST will modify the content of /usr/lib/systemd/system/auditd.service.

    • When EDR is disabled or BEST is stopped, file content will be restored to previous state.

  • /etc/systemd/system/auditd.service

    Note

    These modifications will only occur for specific operating systems. Refer to this table for more information.

    • When BEST enables the audit backend for the first time, it will backup /etc/systemd/system/auditd.service to /etc/systemd/system/auditd.service.bdsec-bak in order to have a copy of the original file content.

    • If the file does not exist, a dummy backup will be created: /etc/systemd/system/auditd.service.bak-missing.

    • If the file exists, its contents will be copied to /etc/systemd/system/auditd.service.bak.

    • BEST will copy the modified file /lib/systemd/system/auditd.service (or /usr/lib/systemd/system/auditd.service, depending on the distro according to the table below) to /etc/systemd/system/auditd.service.

    • When EDR is disabled or BEST is stopped, file content will be restored to its previous state from /etc/systemd/system/auditd.service.bak (or deleted, if only auditd.service.bak-missing exists).

OS | Version | Changes performed
Alma Linux 8 | X86 | N/A
Alma Linux 8 | X64 | Edits /etc/audit/auditd.conf and sets log_format to NOLOG; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.
Alma Linux v1 | X86 | N/A
Alma Linux v1 | X64 | Edits /etc/sysconfig/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW.
Alma Linux v2 | X86 | N/A
Alma Linux v2 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service; copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system; runs systemctl daemon-reload; restarts the auditd service.
Centos 6 | X86 | Edits /etc/sysconfig/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to NOLOG.
Centos 6 | X64 | Edits /etc/sysconfig/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to NOLOG.
Centos 7 | X86 | Edits /etc/audit/auditd.conf and sets log_format to RAW.
Centos 7 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW.
Centos 8 | X86 | N/A
Centos 8 | X64 | Edits /etc/audit/auditd.conf and sets log_format to NOLOG.
Cloud Linux 7 | X86 | N/A
Cloud Linux 7 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.
Cloud Linux 8 | X86 | N/A
Cloud Linux 8 | X64 | Edits /etc/audit/auditd.conf and sets log_format to NOLOG; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.
Debian 9 | X86 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
Debian 9 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
Debian 10 | X86 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
Debian 10 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
Debian 11 | X86 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
Debian 11 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
Fedora 31 | X86 | N/A
Fedora 31 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.
Fedora 34 | X86 | N/A
Fedora 34 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.
Linux Mint 20.3 | X86 | N/A
Linux Mint 20.3 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
Miracle Linux 8.4 | X86 | N/A
Miracle Linux 8.4 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service.
OpenSUSE 15.2 | X86 | N/A
OpenSUSE 15.2 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service; copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system; runs systemctl daemon-reload; restarts the auditd service.
Oracle 6 | X86 | N/A
Oracle 6 | X64 | Edits /etc/sysconfig/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to NOLOG.
Oracle 7 | X86 | N/A
Oracle 7 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW.
Oracle 8 | X86 | N/A
Oracle 8 | X64 | Edits /etc/audit/auditd.conf and sets log_format to NOLOG.
Pardus 21 | X86 | N/A
Pardus 21 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to NOLOG; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
RHEL 6 | X86 | Edits /etc/sysconfig/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to NOLOG.
RHEL 6 | X64 | Edits /etc/sysconfig/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to NOLOG.
RHEL 7 | X86 | N/A
RHEL 7 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW.
RHEL 8 | X86 | N/A
RHEL 8 | X64 | Edits /etc/audit/auditd.conf and sets log_format to NOLOG.
Rocky Linux 8 | X86 | N/A
Rocky Linux 8 | X64 | Edits /etc/audit/auditd.conf and sets log_format to NOLOG.
SLES 12 SP4 | X86 | N/A
SLES 12 SP4 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service; copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system; runs systemctl daemon-reload; restarts the auditd service.
SLES 12 SP5 | X86 | N/A
SLES 12 SP5 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service; copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system; runs systemctl daemon-reload; restarts the auditd service.
SLES 15 SP2 | X86 | N/A
SLES 15 SP2 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service; copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system; runs systemctl daemon-reload; restarts the auditd service.
SLES 15 SP3 | X86 | N/A
SLES 15 SP3 | X64 | Edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /usr/lib/systemd/system/auditd.service; copies /usr/lib/systemd/system/auditd.service to /etc/systemd/system; runs systemctl daemon-reload; restarts the auditd service.
Ubuntu 14.04 | X86 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; sets ExecStartPost=-/sbin/augenrules --load in /lib/systemd/system/auditd.service; copies /lib/systemd/system/auditd.service to /etc/systemd/system; runs systemctl daemon-reload; restarts the auditd service.
Ubuntu 14.04 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; sets ExecStartPost=-/sbin/augenrules --load in /lib/systemd/system/auditd.service; copies /lib/systemd/system/auditd.service to /etc/systemd/system; runs systemctl daemon-reload; restarts the auditd service.
Ubuntu 16.04 | X86 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; sets ExecStartPost=-/sbin/augenrules --load in /lib/systemd/system/auditd.service; copies /lib/systemd/system/auditd.service to /etc/systemd/system; runs systemctl daemon-reload; restarts the auditd service.
Ubuntu 16.04 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; sets ExecStartPost=-/sbin/augenrules --load in /lib/systemd/system/auditd.service; copies /lib/systemd/system/auditd.service to /etc/systemd/system; runs systemctl daemon-reload; restarts the auditd service.
Ubuntu 18.04 | X86 | N/A
Ubuntu 18.04 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
Ubuntu 20.04 | X86 | N/A
Ubuntu 20.04 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to RAW; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
Ubuntu 21.04 | X86 | N/A
Ubuntu 21.04 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to NOLOG; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.
Ubuntu 21.10 | X86 | N/A
Ubuntu 21.10 | X64 | Edits /etc/default/auditd and sets USE_AUGENRULES to yes; edits /etc/audit/auditd.conf and sets log_format to NOLOG; ensures ExecStartPost=-/sbin/augenrules --load is set in /lib/systemd/system/auditd.service.

Warning

EDR requests information from the operating system that is not available via the AuditD subsystem. Expect a decreased detection rate.
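As an added check (example code, not Bitdefender's), the POSIX shell functions below read the files listed in the AuditD section above and report their state, so an administrator can confirm on a given endpoint that the changes took effect and, after EDR is disabled, that the rules file is gone and the backups were restored. The directory root is a parameter so the functions can also run against a copied or constructed tree; the paths, the RAW/NOLOG values, the ExecStartPost line and the .bak/.bdsec-bak suffixes are the ones the guide states, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Bitdefender's code: read-only report of the auditd
# files that BEST for Linux adjusts when EDR runs on the AuditD backend.
# ROOT is "/" on a live endpoint, or a constructed tree for testing.

# Print the value of KEY in a "KEY = value" style file ($1 file, $2 key).
# Commented lines are skipped, surrounding quotes are stripped, the last
# occurrence wins; nothing is printed when the file or key is absent.
conf_value() {
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" \
        | sed 's/^"\(.*\)"$/\1/' | tail -n 1
}

# 0 when unit file $1 carries the ExecStartPost line that reloads the
# augenrules-generated rule set (systemd accepts spaces around '=').
has_augenrules_post() {
    [ -f "$1" ] && grep -q '^ExecStartPost[[:space:]]*=[[:space:]]*-/sbin/augenrules --load' "$1"
}

# 0 when the BEST rules file exists under root $1.
has_bd_rules() {
    [ -f "${1%/}/etc/audit/rules.d/bd_ausecd.rules" ]
}

# 0 when log_format in auditd.conf under root $1 is one of the two values
# the guide's table uses; unset or anything else returns 1.
log_format_ok() {
    case "$(conf_value "${1%/}/etc/audit/auditd.conf" log_format)" in
        RAW|NOLOG) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the state of every file the guide lists under root $1. The return
# code covers only the two changes that apply on every distribution (rules
# file present, log_format RAW or NOLOG); USE_AUGENRULES and ExecStartPost
# are reported, not judged, because the table applies them per distribution.
audit_backend_report() {
    root="${1%/}"
    has_bd_rules "$root" && echo "bd_ausecd.rules: present" || echo "bd_ausecd.rules: missing"
    echo "auditd.conf log_format: $(conf_value "$root/etc/audit/auditd.conf" log_format)"
    for f in etc/default/auditd etc/sysconfig/auditd; do
        [ -f "$root/$f" ] && echo "$f USE_AUGENRULES: $(conf_value "$root/$f" USE_AUGENRULES)"
    done
    for u in lib/systemd/system/auditd.service usr/lib/systemd/system/auditd.service etc/systemd/system/auditd.service; do
        if [ -f "$root/$u" ]; then
            has_augenrules_post "$root/$u" && echo "$u: augenrules ExecStartPost set" \
                || echo "$u: no augenrules ExecStartPost"
        fi
    done
    # Backups BEST leaves behind while the audit backend is active.
    for d in etc/audit etc/audit/rules.d etc/default etc/sysconfig lib/systemd/system usr/lib/systemd/system etc/systemd/system; do
        [ -d "$root/$d" ] || continue
        for b in "$root/$d"/*.bdsec-bak "$root/$d"/*.bak "$root/$d"/*.bak-missing; do
            [ -e "$b" ] && echo "backup: ${b#"$root"}"
        done
    done
    has_bd_rules "$root" && log_format_ok "$root"
}

# 0 when the backend looks restored: no BEST rules file and no leftover
# .bak files in /etc/audit/rules.d (the guide reverts both on disable).
audit_backend_restored() {
    root="${1%/}"
    has_bd_rules "$root" && return 1
    for b in "$root"/etc/audit/rules.d/*.bak; do
        [ -e "$b" ] && return 1
    done
    return 0
}
```

Source the file on the endpoint and run `audit_backend_report /`; it reads files only and changes nothing. Because the guide applies USE_AUGENRULES and the ExecStartPost line only on the distributions listed in the table, compare those two reported lines against the row for your OS rather than treating their absence as an error.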