Microsoft Defender for Endpoint on Linux - Implementation, Insights and Considerations
In today's article, we will explore Microsoft Defender for Endpoint on Linux devices. Microsoft Defender for Endpoint on Linux provides comprehensive security features for Linux servers, including preventive antivirus (AV), endpoint detection and response (EDR) and vulnerability management capabilities.
Prerequisites:
Microsoft states that the prerequisites for Microsoft Defender for Endpoint on Linux are as follows:
Installation Steps & Onboarding:
For this article, we will be using a CentOS machine. Follow the steps below on CentOS to install mdatp and onboard the machine.
Install yum-utils:
First, if it isn’t already installed on the device:
sudo yum install yum-utils
Choose Repo:
Next, we will need to choose the repository. Replace [distro] and [version] with your VM information. The [channel] parameter determines the update frequency: insider-fast receives updates earliest, followed by insider-slow, and finally prod, which is the most stable.
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
Note: Browse the packages.microsoft.com/config directory to confirm the correct distribution and version path for your system.
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/8/prod.repo
Add Microsoft GPG public key:
To install the Microsoft GPG public key:
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
Make all the metadata usable for the currently enabled yum repositories, as Microsoft states:
sudo yum makecache
Install MDATP:
sudo yum install mdatp
Note: For other Linux variants, check the link provided.
Run the onboarding script:
Now, onboard the machine to Defender for Endpoint using the Python script. First, download the onboarding package from the Microsoft Defender for Endpoint portal, then run:
unzip WindowsDefenderATPOnboardingPackage.zip
sudo python MicrosoftDefenderATPOnboardingLinuxServer.py
After a few minutes, run the command "mdatp health"; the "healthy" field should be true. If you issue the command before running the onboarding script, you will see a message like "ATTENTION: No license found. Contact your administrator for help."
Commands for CentOS:
sudo yum install yum-utils
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/8/prod.repo
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo yum makecache
sudo yum install mdatp
unzip WindowsDefenderATPOnboardingPackage.zip
sudo python MicrosoftDefenderATPOnboardingLinuxServer.py
Note: If there is a proxy between the machine and the internet, configure your proxy to allow the necessary URLs for endpoint communication with Microsoft. You can select the connectivity type when downloading the onboarding package. For Streamlined connectivity, follow this URL and for Standard connectivity, follow this URL. Additionally, configure the mdatp service to forward traffic to the proxy:
mdatp config proxy set --value https://IP:PORT
Config and Checking health:
If you are not using the integration between MDE and Intune to manage endpoints and push centralized policies, here is an example configuration for mdatp:
mdatp config passive-mode --value disabled
mdatp config cloud --value enabled
mdatp config cloud-automatic-sample-submission --value enabled
mdatp config automatic-definitions-update --value enabled
mdatp config behavior-monitoring --value enabled
mdatp config real-time-protection --value enabled
mdatp threat policy set --type potentially_unwanted_application --action block
mdatp threat policy set --type archive_bomb --action audit
systemctl restart mdatp
After a few minutes, issue the "mdatp health" command to verify that the above options have been applied.
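To make the two health checks above (licensed after onboarding, settings applied after configuration) repeatable, here is an added checker script that is not from the article or from Microsoft. It parses the text that "mdatp health" prints; the field names healthy, licensed and health_issues appear in the article, while passive_mode_enabled, real_time_protection_enabled and cloud_enabled are assumed names for the corresponding fields.

```shell
#!/bin/sh
# Added example (not from the article): verify that `mdatp health` output shows a
# licensed sensor with the configuration above applied. passive_mode_enabled,
# real_time_protection_enabled and cloud_enabled are assumed health field names.

# health_field KEY < health-output: print the value of the "KEY : value" line.
health_field() {
    awk -v key="$1" '{
        i = index($0, ":"); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) { print v; exit }
    }'
}

# check_mdatp_health FILE: return 0 when every expectation holds; otherwise
# print each deviation and return 1. FILE holds the text printed by `mdatp health`.
check_mdatp_health() {
    rc=0
    for expect in healthy=true licensed=true passive_mode_enabled=false \
                  real_time_protection_enabled=true cloud_enabled=true; do
        key="${expect%%=*}"; want="${expect#*=}"
        got="$(health_field "$key" < "$1")"
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-<missing>}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample outputs: the unlicensed state quoted in the article, and a
# sensor that is healthy after the configuration above has been applied.
UNLICENSED_SAMPLE=$(mktemp); HEALTHY_SAMPLE=$(mktemp)
cat > "$UNLICENSED_SAMPLE" <<'EOF'
ATTENTION: No license found. Contact your administrator for help.
healthy                                     : false
health_issues                               : ["missing license"]
licensed                                    : false
EOF
cat > "$HEALTHY_SAMPLE" <<'EOF'
healthy                                     : true
health_issues                               : []
licensed                                    : true
passive_mode_enabled                        : false
real_time_protection_enabled                : true
cloud_enabled                               : true
EOF

check_mdatp_health "$UNLICENSED_SAMPLE" || echo "unlicensed sample: not ready (expected)"
check_mdatp_health "$HEALTHY_SAMPLE" && echo "healthy sample: ready"
# On a real host: mdatp health > /tmp/health.txt && check_mdatp_health /tmp/health.txt
```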
Centralized Policy using Intune:
If you have enabled the integration between MDE and Intune and the devices are onboarded and managed by MDE, you can configure Antivirus policies for Linux devices. To enable this integration, follow the steps below:
Note: If you select "on tagged devices" then you should manually tag the devices that you would like to be enrolled.
From Intune:
Intune Linux Anti-Virus Policy:
Notes: Network Protection is not yet available for the prod ring; if you want it, you should use the insiderSlow ring. In addition, pay attention to the "Threat type settings merge" option, which specifies the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (merge) or only administrator-defined settings (admin_only). This setting can be used to restrict local users from defining their own settings for different threat types.
Assign the Policy to a manual or dynamic Group (see bonus section) that contains LinuxOS devices. After that you should see that the device on Defender XDR is managed by MDE and the MDE Enrollment status is Success:
The first sync will take some time to be applied after a device has been successfully enrolled and is managed by MDE. Once enrollment finishes, policy sync starts at a cadence of about 10 minutes, so the very first policy sync happens roughly 10 minutes after enrollment. After that, subsequent policy syncs with Microsoft Intune move to a 90-minute interval. You can manually force a policy refresh and apply new policies by using the Policy Sync button on the MDE device page; this normally syncs within 5-10 minutes at most.
Finally, running the "mdatp health" command on the Linux machine will show that most options are now marked as [managed]. If you try to change settings enforced by MDE, you'll receive a message like "This setting is managed by your organization."
Updates and Maintenance:
Security intelligence updates can be configured to be retrieved automatically every day using mdatp, as shown above (with the command "mdatp config automatic-definitions-update --value enabled"). However, if Real-Time Protection (RTP) is not enabled, security intelligence updates will not be received even if the setting is configured. So, if mdatp is in passive mode, there are three ways to trigger security intelligence updates.
Platform (mdatp) updates must be done manually. Microsoft states in this article that you can configure automatic updates using cron jobs.
An indicative configuration, as already mentioned by Microsoft, is the following:
sudo crontab -e
# Run at 06:00 on Sundays that fall within the first 15 days of the month.
# CRON_TZ needs a valid IANA zone name (Europe/Athens; "Europe/Greece" is not one),
# and "%" must be escaped as "\%" inside a crontab line or cron treats it as a newline.
CRON_TZ=Europe/Athens
0 6 * * sun [ $(date +\%d) -le 15 ] && sudo yum update mdatp -y >> ~/mdatp_cron_job.log
We should keep our platform updated so that we receive all available fixes and enhancements. Each version of Defender for Endpoint on Linux is set to expire automatically after 9 months. To check the expiration date, run:
mdatp health --field product_expiration
Expired clients will report a health issue. You might see the message "ATTENTION: No license found. Contact your administrator for help." with the following attributes, as Microsoft states:
ATTENTION: No license found. Contact your administrator for help.
healthy : false
health_issues : ["missing license"]
licensed : false
Last but not least, a list of mdatp commands can be found here.
Bonus Section (Dynamic Security Group):
In the Intune portal, click on Groups in the left pane and select the New group button at the top. In the New Group creation wizard, name and describe your group, then from the Membership type drop-down choose Dynamic Device.
In the dynamic query, choose "deviceOSType" as the property. Set the Operator to "Equals," enter "Linux" as the value, and then click Save. If you want finer control over which devices are imported into this group, you can also add a filter on "deviceCategory", but you must then also create the corresponding device category and assign it to those devices.
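The membership rule expressions that correspond to those wizard selections, added here as an example rather than taken from the article (the category name MDE-Linux-Servers is a placeholder you would replace with your own device category):

```text
(device.deviceOSType -eq "Linux")
(device.deviceOSType -eq "Linux") and (device.deviceCategory -eq "MDE-Linux-Servers")
```

The first rule is the OS-only query; the second adds the optional deviceCategory filter described above.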
Thank you for taking the time to read this, and I hope you found it informative.
URLs:
Senior Cyber Security Engineer at ERGO Greece
1 month
Useful tips Fedon!
Cyber Security and Governance Advisor at DigiOutsource, Proud member of Super Group (NYSE: SGHC)
1 month
Jacques Henning
Cybersecurity Engineer Associate
1 month
Very informative
Group IT Lead Unified Communications Engineer at Titan Cement Company SA
1 month
Very informative