Best practices for Endpoint Security for Linux
Last Modified: 2022-09-28 04:53:00 Etc/GMT
Technical Articles ID: KB95920

Environment
Endpoint Security for Linux Firewall (ENSLFW) 10.x
Endpoint Security for Linux Threat Prevention (ENSLTP) 10.x

Summary
Below are the recommended best practices when using ENSL.

With the kernel module, ENSL hooks the system calls to receive file events. Later, the Linux kernel itself provided a facility named Fanotify. With Fanotify, any user-space application can register to receive all filesystem events for processing, so user-space applications no longer need to write a kernel module for this purpose. The kernel module and Fanotify therefore serve the same purpose: delivering all file events to the user-space ENSLTP scanner.

All ENSL customers using Ubuntu/Debian or SUSE use only Fanotify, because we don't provide a kernel module for those distributions. Customers can safely use either Fanotify or the kernel module, as there's no difference in functionality. For more information, see the Fanotify manual page.

We observed that in high I/O intensive environments (for example, Hadoop and

With Fanotify, ENSL offers a "Deferred Scan" option that performs the scan in a non-blocking manner, so that high I/O intensive applications keep running smoothly.

NOTE: Deferred Scan is applicable only on Fanotify-based systems.

You can enable Deferred Scan while installing ENSL as a parameter:

To enable Deferred Scan using the command line:
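To make the Fanotify mechanism described above concrete, here is an added example (written for this article; it is not Trellix or ENSL code and does not show how ENSL itself implements Deferred Scan) of a minimal user-space listener. It registers for filesystem events on a mount in one of two modes: a blocking mode that uses Fanotify permission events, where the kernel suspends the process opening or reading a file until the listener answers, and a non-blocking mode that uses notification events delivered after a write completes, which is the Fanotify building block behind a deferred-style scan. The assumptions are Linux with CAP_SYS_ADMIN to run `main()`, `/tmp` as the default mount to watch, and a placeholder `file_is_clean()` where a real product would call its scan engine.

```c
/* Added example, not Trellix/ENSL code: a minimal Fanotify listener that
 * shows how a user-space scanner receives filesystem events from the kernel
 * in a blocking (permission) or non-blocking (notification) mode.
 * Assumes Linux and CAP_SYS_ADMIN for main(); the helpers are pure. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Event mask for each mode. Blocking: the kernel holds the open()/read()
 * of the accessing process until we answer FAN_ALLOW or FAN_DENY.
 * Deferred: we are only told after a written file is closed, so the
 * writer's I/O is never stalled by the scan. */
uint64_t scan_mask(int deferred)
{
    return deferred ? (uint64_t)FAN_CLOSE_WRITE
                    : (uint64_t)(FAN_OPEN_PERM | FAN_ACCESS_PERM);
}

/* True when the kernel is waiting for a permission response to this event. */
int needs_response(uint64_t mask)
{
    return (mask & (FAN_OPEN_PERM | FAN_ACCESS_PERM)) != 0;
}

/* Response record written back to the fanotify fd for a permission event. */
struct fanotify_response make_response(int event_fd, int clean)
{
    struct fanotify_response r;
    r.fd = event_fd;
    r.response = clean ? FAN_ALLOW : FAN_DENY;
    return r;
}

/* Resolve the path behind an event fd without opening the file again. */
static int path_of(int fd, char *buf, size_t len)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Placeholder (assumption): a real scanner runs its engine here and must
 * take care not to trigger its own permission events while doing so. */
static int file_is_clean(const char *path) { (void)path; return 1; }

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp";   /* mount to watch */
    int deferred = argc > 2 && strcmp(argv[2], "--deferred") == 0;

    /* FAN_CLASS_CONTENT is required to receive permission events. */
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_CLOEXEC);
    if (fan < 0) { perror("fanotify_init (requires CAP_SYS_ADMIN)"); return 1; }
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, scan_mask(deferred),
                      AT_FDCWD, path) < 0) {
        perror("fanotify_mark"); return 1;
    }
    printf("watching mount of %s in %s mode\n", path, deferred ? "deferred" : "blocking");

    char buf[8192] __attribute__((aligned(8)));
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len < 0 && errno == EINTR) continue;
        if (len <= 0) { perror("read"); break; }
        struct fanotify_event_metadata *ev = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
            if (ev->vers != FANOTIFY_METADATA_VERSION) { fputs("fanotify ABI mismatch\n", stderr); return 1; }
            if (ev->fd < 0) continue;            /* queue-overflow marker, no file */
            char file[PATH_MAX] = "?";
            int clean = path_of(ev->fd, file, sizeof file) == 0 && file_is_clean(file);
            if (needs_response(ev->mask)) {
                /* Blocking mode: the accessing process resumes only after this write. */
                struct fanotify_response r = make_response(ev->fd, clean);
                if (write(fan, &r, sizeof r) != (ssize_t)sizeof r) perror("write response");
                printf("%s %s (pid %d)\n", clean ? "ALLOW" : "DENY", file, (int)ev->pid);
            } else {
                /* Deferred mode: the write already finished; scan after the fact. */
                printf("scanned after close: %s (pid %d) clean=%d\n", file, (int)ev->pid, clean);
            }
            close(ev->fd);
        }
    }
    close(fan);
    return 0;
}
```

Run it as root with `./listener /tmp` to see accessing processes held until the ALLOW/DENY answer, or `./listener /tmp --deferred` to see writes reported only after the file is closed; the second mode is what keeps a heavy writer from stalling on the scanner.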
NOTES: For ENSLFW in Adaptive mode:
Splunk is a very I/O-intensive application. Its performance is impacted because Splunk's file operations are intercepted for OAS scanning. Recommendation: Performance can be improved for I/O-intensive trusted applications by configuring OAS exclusions, which stop ENSL from scanning the file events generated by those trusted processes. Add the OAS process exclusions as "Low Risk" processes, with the scan setting for the Low Risk profile set to "Do not scan". Steps to add OAS exclusions for Splunk: