CLOUD SOLUTIONS

Bitdefender Endpoint Security Tools for Linux quick start guide

System requirements

For more information on BEST for Linux installation requirements refer to security agent requirements on Linux.

Hardware requirements

Configure the guest operating systems where you are deploying BEST as follows:

General

Resource

Minimum

Recommended

Processor

2 vCPUs

4 vCPUs

Memory (RAM)

2 GB RAM

4 GB RAM

Free Disk Space

1.5 GB (up to 3 GB disk with debug logs enabled)

3 GB

Public Cloud

Cloud Service Provider (CSPs)

Minimum (instance type)

Recommended (instance type)

Amazon Web Services (AWS)

T3 small

Any instance ≥ 4 vCPUs, 4 GB RAM, min 3 GB SSD

Microsoft Azure

Standard B2s

Any instance ≥ 4 vCPUs, 4 GB RAM, min 3 GB SSD

Google Cloud Platform (GCP)

E2 small or custom

Any instance ≥ 4 vCPUs, 4 GB RAM, min 3 GB SSD

Fully Supported Linux Modern Distributions

Distribution

Kernel versions

RHEL 7.x & 8.x

3.10.0-957 - 4.18.0

Oracle Linux 7.x (UEK +RHCK)

3.10.0-957 - 4.18.0

Oracle Linux 8.x (UEK +RHCK)

3.10.0-957 - 4.18.0

CentOS 7.x

3.10.0-957 - 4.18.0

CentOS 8.x

3.10.0-957 - 4.18.0

Debian 9

4.9.0

Debian 10

4.19

Debian 11

5.10

Ubuntu 16.04.x

4.4.x

Ubuntu 18.04.x

5.0/5.3

Ubuntu 20.04.x

5.4

Ubuntu 21.04.x

5.11

Ubuntu 21.10.x

5.13

SLES 12 SP4

4.12.14-x

SLES 12 SP5

4.12.14-x

SLES 15 SP1

4.12.14-x

SLES 15 SP2

5.3.18-x

SLES 15 SP3

5.3.18-x

openSUSE Leap 15.2

5.3.18

AWS Bottlerocket 2020.03

5.4.x, 5.10.x

Amazon Linux v2

4.14.x / 4.19.x

Google COS 

Milestones 77, 81, 85

4.19.112 / 5.4.49

Azure Mariner

5.4, 5.10

Fedora 31 - 34

Supported until it expires.

AlmaLinux 8.x

4.18.0

Rocky Linux 8.x

4.18.0

CloudLinux 8.x

4.18.0

CloudLinux 7.x

3.10

Pardus 21

5.10

Supported Linux Legacy Distributions

Distribution

Kernel versions

RHEL 6.x

2.6.32-x

Oracle Linux 6.x (6.3 or newer)

2.6.32-x

Ubuntu 14.04 LTS

4.4.x  (14.04.5)

SLES 11, SP4

3.0.x

Amazon Linux v1 2018.03

4.14.x

Software requirements

GravityZone requirements

BEST for Linux is compatible with GravityZone Cloud and GravityZone On-Premises versions 6.13.1-1 or newer.

Additional software requirements

  • On-access scanning is available for supported operating systems as follows:

    • Kernel 2.6.38 or higher - Supports all Linux distributions. The fanotify kernel option must be enabled.

    • Kernel 2.6.32 - 2.6.37 - CentOS 6.x Red Hat Enterprise Linux 6.x - Bitdefender provides support via DazukoFS with prebuilt kernel modules.

  • You need auditd as a fallback mechanism in case kProbes are not available for your Kernel version.

  • You need to disable Selinux before installing BEST for Linux.

Licensing

Linux operating systems are considered Server operating systems by Bitdefender agent and will use server license seats from your pool of licenses.

Although deploying the software has no direct license requirement, depending on your license some functionality might not be available. For protection layers availability refer to Features by endpoint type

Installing

For more information on stalling BEST for Linux refer to Install security agents - standard procedure

There are several options to install BEST on a Linux machine:

  1. An installation task from the GravityZone Control Center > Network inventory section.

  2. Manual installation via a installation package downloaded from the Control Center.

    Example:

    1. Go to Network > Packages and select the install package to be downloaded.

    2. Select Send Download Links to expand the provided links.

    3. Copy the Linux string and paste it into the shell on your target endpoint to download the installation package.

    4. Unpack the installation file:

      # tar-xvf Bitdefender_for_Linux.tar
    5. Change permissions to the installation file so that you can execute it:

      # chmod +x installer
    6. Run the installation file:

      # ./installer

To check that the agent has been installed on the endpoint, run this command:

$ systemctl status bdsec

Scanning

Bitdefender Endpoint Security Tools for Linux provides on-access scanning for a number of preconfigured system directories. To review this list or add other directories to be scanned:

  1. Choose a policy from the Control Center Policies page.

  2. Go to the Antimalware > On-Access section.

  3. Next to On-access Scanning, click Settings.

  4. Click Advanced.

  5. Configure which folders the agent should scan constantly.

Additionally, you can schedule Full / Custom / Quick Scan tasks by using these steps:

  1. Choose a policy from the Control Center Policies page.

  2. Go to the Antimalware > On-Demand section.

  3. Click the +Add button.

  4. Select a scan type. With the Custom Scan type you can configure scan options and folders to be scanned in detail.

  5. Configure the scan task scheduling options as needed.

  6. Configure scan options and target as needed.

  7. Click the Save button.

To manually scan Linux endpoints:

  • Run the task from the Control Center Network inventory, by right-clicking the target machine and selecting Tasks > Scan.

  • Start the scan task locally using the command line interface. For more information, refer to Scanning for malware

Troubleshooting

You can check Bitdefender Endpoint Security Tools services by running the following commands:

bd status - to check services status

bd start - to start services

bd stop - to stop services

bd restart - to restart services

Other commands:

To detect any system proxy:

/opt/BitDefender/bin/bdconfigure getsystemproxy

To check all of the versions that were previously installed on the machine as well as the current one, open vhist.dat:

/opt/BitDefender/etc/vhist.dat

Deploying EDR using Linux AuditD

Note

We recommend this method to be used only when neither KProbes nor eBPF methods are not available. The AuditD subsystem was not designed to be used in this manner and may cause increased CPU usage.

Some operating systems require you to take additional steps before deployment. These changes ensure that AudtiD will perform on par with previously available methods. Follow the steps below:

OS

Version

Required steps

Alma Linux

X86

N/A

X64

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

Centos 6

X86

Edit the /etc/sysconfig/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

X64

Edit the /etc/sysconfig/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

Centos 7

X86

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

X64

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

Centos 8

X86

N/A

X64

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

Debian 9

X86

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

X64

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

Debian 10

x86

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

X64

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

Debian 11

X86

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

X64

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

Oracle 6

X86

N/A

X64

Edit the /etc/sysconfig/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

Oracle 7

X86

N/A

X64

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

Oracle 8

X86

N/A

X64

Edit the /etc/audit/auditd.con file and set log_format to NOLOG.

Pardus 21

X86

N/A

X64

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

RHEL 6

X86

Edit the /etc/sysconfig/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

X64

Edit the /etc/sysconfig/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

RHEL 7

X86

N/A

X64

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

RHEL 8

X86

N/A

X64

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

Rocky Linux 8

X86

N/A

X64

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

Ubuntu 14.04

X86

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

X64

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

Ubuntu 18.04

X86

N/A

X64

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

Ubuntu 20.04

X86

N/A

X64

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to RAW.

Ubuntu 21.04

X86

N/A

X64

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

Ubuntu 21.10

X86

N/A

X64

Edit the /etc/default/auditd file and set USE_AUGENRULES to yes.

Edit the /etc/audit/auditd.conf file and set log_format to NOLOG.

Warning

EDR requests information from the operating system that is not available via the AuditD subsystem. Expect a decreased detection rate.