Bitdefender Endpoint Security Tools for Linux quick start guide
Requirements
For more information on BEST for Linux installation requirements, refer to security agent requirements on Linux.
Hardware requirements
Configure the guest operating systems where you are deploying BEST as follows:
General
Resource | Minimum | Recommended |
---|---|---|
Processor | 2 vCPUs | 4 vCPUs |
Memory (RAM) | 4 GB RAM | 6 GB RAM |
Free Disk Space | 2.5 GB (up to 4 GB disk with debug logs enabled) | 4 GB |
Public Cloud
Cloud Service Provider (CSPs) | Minimum (instance type) | Recommended (instance type) |
---|---|---|
Amazon Web Services (AWS) | T2 medium | Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD |
Microsoft Azure | Standard B2s | Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD |
Google Cloud Platform (GCP) | E2-medium or E2-standard-2 | Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD |
Supported distributions
Fully Supported Linux Modern Distributions
Distribution | Architecture | Kernel Versions | Cloud Platform Availability |
---|---|---|---|
RPM-based | |||
RHEL 7.x | 64bit | 3.10.0.x (starting from build 957) | AWS, AZURE, GCP |
RHEL 8.x | 64bit | 4.18.0.x | AWS, AZURE, GCP |
RHEL 9.x | 64bit | 5.14.0.x | AWS |
Oracle Linux 7.x UEK | 64bit | 4.18.0.x | AWS, AZURE |
Oracle Linux 7.x RHCK | 64bit | 3.10.0.x (starting from build 957) | AWS, AZURE |
Oracle Linux 8.x UEK | 64bit | 5.4.17.x / 5.15.0.x | AWS |
Oracle Linux 8.x RHCK | 64bit | 4.18.0.x | AWS |
Oracle Linux 9.x UEK | 64bit | 5.15.0.x | AWS |
Oracle Linux 9.x RHCK | 64bit | 5.14.0.x | AWS |
CentOS 7.x | 32bit, 64bit | 3.10.0.x (starting from build 957) | AWS, AZURE, GCP |
CentOS 8 Stream | 64bit | 4.18.0.x | AWS, AZURE, GCP |
CentOS 9 Stream | 64bit | 5.14.0.x | AWS, AZURE, GCP |
Fedora 36 - 38 | 64bit | Supported until it expires. | AWS |
AlmaLinux 8.x | 64bit | 4.18.0.x | AWS, AZURE, GCP |
AlmaLinux 9.x | 64bit | 5.14.0.x | AWS |
Rocky Linux 8.x | 64bit | 4.18.0.x | AWS, AZURE, GCP |
Rocky Linux 9.x | 64bit | 5.14.0.x | AWS, AZURE, GCP |
CloudLinux 7.x | 64bit | 3.10.0.x (starting from build 957) | AWS, AZURE, GCP |
CloudLinux 8.x | 64bit | 4.18.0.x | AWS, AZURE, GCP |
Miracle Linux 8.x | 64bit | 4.18.0.x | |
Kylinv10 RHEL | 64bit | 4.19.90.x | |
Debian-based | |||
Debian 9 | 32bit, 64bit | 4.9.0.x | AWS, AZURE, GCP |
Debian 10 | 32bit, 64bit | 4.19.x | AWS, AZURE, GCP |
Debian 11 | 32bit, 64bit | 5.10.x | AWS, AZURE, GCP |
Debian 12 | 64bit | 6.1.0.x | |
Ubuntu 16.04.x | 32bit, 64bit | 4.8.x / 4.10.x / 4.13.x / 4.15.x | AWS, AZURE, GCP |
Ubuntu 18.04.x | 64bit | 5.0.x / 5.3.x / 5.4.x | AWS, AZURE, GCP |
Ubuntu 20.04.x | 64bit | 5.4.x / 5.8.x / 5.11.x / 5.13.x / 5.15.x | AWS, AZURE, GCP |
Ubuntu 22.04.x | 64bit | 5.15.x / 5.19.x | AWS, AZURE, GCP |
Ubuntu 23.04.x | 64bit | 6.2.0.x | AWS, AZURE, GCP |
PopOS 22.04.x | 64bit | 6.2.6.x | AWS, AZURE, GCP |
Pardus 21 | 64bit | 5.10.0.x | |
Mint 20.x | 64bit | 5.4.0.x | |
Mint 21.x | 64bit | 5.15.0.x | |
SUSE-based | |||
SLES 12 SP4 | 64bit | 4.12.14-x | AWS |
SLES 12 SP5 | 64bit | 4.12.14-x | AWS, AZURE, GCP |
SLES 15 SP1 | 64bit | 4.12.14-x | AWS, AZURE |
SLES 15 SP2 | 64bit | 5.3.18-x | AWS, AZURE, GCP |
SLES 15 SP3 | 64bit | 5.3.18-x | AWS, AZURE, GCP |
SLES 15 SP4 | 64bit | 5.14.21.x | AWS, AZURE, GCP |
SLED 15 SP4 | 64bit | 5.14.21.x | |
openSUSE Leap 15.2-15.4 | 64bit | 5.3.18 / 5.14.x | AWS |
Cloud-based | |||
AWS Bottlerocket 2020.03 | 64bit | 5.4.x / 5.10.x | AWS |
Amazon Linux v2 | 64bit | 4.14.x / 4.19.x / 5.10 | AWS |
Amazon Linux 2023 | 64bit | 6.1.0.x | AWS |
Google COS Milestones 77, 81, 85 | 64bit | 4.19.112 / 5.4.49 | GCP |
Azure Mariner 2 | 64bit | 5.15.x | AZURE |
Fully Supported Linux Modern Distributions for ARM architecture
Distribution | Kernel versions | Cloud Platform Availability |
---|---|---|
RPM-based | ||
RHEL 8.x | 4.18.0-x | AZURE |
RHEL 9.x | 5.14.x | GCP, AZURE, AWS |
AlmaLinux 9.x | 5.14.x | AZURE |
Rocky Linux 9.x | 5.14.x | GCP, AZURE, AWS |
Debian-based | ||
Debian 11 | 5.10.x/6.1.x | GCP, AZURE, AWS |
Ubuntu 20.04.x | 5.15.x | GCP, AZURE, AWS |
Ubuntu 22.04.x | 5.15.x/5.19.x | GCP, AZURE, AWS |
SUSE-based | ||
SLES 15 SP4 | 5.14.21-x | GCP, AZURE, AWS |
openSUSE Leap 15.4 | 5.14.21-x | AZURE |
Cloud-based only | ||
Amazon Linux v2 | 5.10.x | AWS |
Amazon Linux 2023 | 6.1.x | AWS |
Supported Linux Legacy Distributions
Distro | Architecture | Kernel Versions |
---|---|---|
RPM-based | ||
RHEL 6.10 | 32bit, 64bit | 2.6.32-754 |
CentOS 6.10 | 32bit, 64bit | 2.6.32-754 |
Oracle Linux 6.10 UEK | 64bit | 4.1.12-124 |
Amazon Linux v1 2018.03 | 64bit | 4.14.x |
Debian-based | ||
Ubuntu 14.04 LTS | 32bit, 64bit | 4.4 |
Ubuntu 16.04.x | 32bit, 64bit | 4.15 |
Software requirements
GravityZone requirements
BEST for Linux is compatible with GravityZone Cloud and GravityZone On-Premises versions 6.13.1-1 or newer.
Additional software requirements
On-access scanning is available for supported operating systems as follows:
Kernel 2.6.38 or higher - Supports all Linux distributions. The fanotify kernel option must be enabled.
Kernel 2.6.32 - 2.6.37 - CentOS 6.x Red Hat Enterprise Linux 6.x - Bitdefender provides support via DazukoFS with prebuilt kernel modules.
You need auditd as a fallback mechanism in case kProbes are not available for your Kernel version.
Licensing
Linux operating systems are considered Server operating systems by Bitdefender agent and will use server license seats from your pool of licenses.
Although deploying the software has no direct license requirement, depending on your license some functionality might not be available. For protection layers availability refer to Features by endpoint type.
Installing
For additional information on installing BEST for Linux refer to Install security agents - standard procedure.
There are several options to install BEST on a Linux machine:
An installation task from the GravityZone Control Center > Network inventory section.
Manual installation via a installation package downloaded from the Control Center.
Example:
Go to Network > Packages and select the install package to be downloaded.
Select Send Download Links to expand the provided links.
Copy the Linux string and paste it into the shell on your target endpoint to download the installation package.
Unpack the installation file:
# tar -xvf setup_downloader.tar
Change permissions to the installation file so that you can execute it:
# chmod +x installer
Run the installation file:
# ./installer
To check that the agent has been installed on the endpoint, run this command:
$ systemctl status bdsec*
Scanning
Bitdefender Endpoint Security Tools for Linux provides on-access scanning for a number of preconfigured system directories.
To review this list or add other directories to be scanned, use the following steps:
Choose a policy from the Control Center Policies page.
Go to the Antimalware > On-Access section.
Next to On-access Scanning, click Settings.
Click Advanced.
Configure which folders the agent should scan constantly.
Additionally, you can schedule Full / Custom / Quick Scan tasks by using these steps:
Choose a policy from the Control Center Policies page.
Go to the Antimalware > On-Demand section.
Click the +Add button.
Select a scan type. With the Custom Scan type you can configure scan options and folders to be scanned in detail.
Configure the scan task scheduling options as needed.
Configure scan options and target as needed.
Click the Save button.
To manually scan Linux endpoints:
Run the task from the Control Center Network inventory, by right-clicking the target machine and selecting Tasks > Scan.
Start the scan task locally using the command line interface. For more information, refer to Scanning for malware.
Troubleshooting
You can check Bitdefender Endpoint Security Tools services by running the following commands:
bd status
- to check services statusbd start
- to start servicesbd stop
- to stop servicesbd restart
- to restart services
Other commands:
To detect any system proxy:
/opt/bitdefender-security-tools/bin/bdconfigure getsystemproxy
To check all of the versions that were previously installed on the machine as well as the current one, open vhist.dat
:
/opt/bitdefender-security-tools/etc/vhist.dat
Deploying EDR using Linux AuditD
Note
We recommend this method to be used only when neither KProbes nor eBPF methods are not available. The AuditD subsystem was not designed to be used in this manner and may cause increased CPU usage.
When deploying EDR using Linux AuditD, BEST for Linux automatically modifies several specific files. These changes ensure that AudtiD will perform on par with previously available methods. The changes are specified below:
Note
Make sure you have AuditD installed on your endpoint before deploying the EDR module.
/etc/audit/rules.d/
BEST will backup all files from
/etc/audit/rules.d/
(for example,/etc/audit/rules.d/audit.rules
will become/etc/audit/rules.d/audit.rules.bak
).BEST will create a rules file:
/etc/audit/rules.d/bd_ausecd.rules
.BEST will restart the auditd service, which includes regenerating
/etc/audit/audit.rules
from/etc/audit/rules.d/*.rules
.When EDR is disabled or BEST is stopped,
/etc/audit/rules.d/bd_ausecd.rules
will be removed and backed-up files will be restored.
/etc/default/auditd
Note
These modifications will only occur for specific operating systems. Refer to this table for more information.
BEST will backup
/etc/default/auditd
to/etc/default/auditd.bdsec-bak
in order to have a copy of the original file content.BEST will modify the content of
/etc/default/auditd
.When EDR is disabled or BEST is stopped, file content will be restored to previous state.
/etc/sysconfig/auditd
Note
These modifications will only occur for specific operating systems. Refer to this table for more information.
BEST will backup
/etc/sysconfig/auditd
to/etc/sysconfig/auditd.bdsec-bak
in order to have a copy of the original file content.BEST will modify the content of
/etc/sysconfig/auditd
.When EDR is disabled or BEST is stopped, file content will be restored to previous state.
/etc/audit/auditd.conf
Note
These modifications will only occur for specific operating systems. Refer to this table for more information.
BEST will backup
/etc/audit/auditd.conf
to/etc/audit/auditd.conf.bdsec-bak
in order to have a copy of the original file content.BEST will modify the content of
/etc/audit/auditd.conf
.When EDR is disabled (or BEST is stopped), file content will be restored to previous state.
/lib/systemd/system/auditd.service
Note
These modifications will only occur for specific operating systems. Refer to this table for more information.
BEST will backup
/lib/systemd/system/auditd.service
to/lib/systemd/system/auditd.service.bdsec-bak
in order to have a copy of the original file content.BEST will modify the content of
/lib/systemd/system/auditd.service
.When EDR is disabled or BEST is stopped, file content will be restored to previous state.
/usr/lib/systemd/system/auditd.service
Note
These modifications will only occur for specific operating systems. Refer to this table for more information.
BEST will backup
/usr/lib/systemd/system/auditd.service
to/usr/lib/systemd/system/auditd.service.bdsec-bak
in order to have a copy of the original file content.BEST will modify the content of
/usr/lib/systemd/system/auditd.service
.When EDR is disabled or BEST is stopped, file content will be restored to previous state.
/etc/systemd/system/auditd.service
Note
These modifications will only occur for specific operating systems. Refer to this table for more information.
When BEST enables the audit backend for the first time, it will backup
/etc/systemd/system/auditd.service
to/etc/systemd/system/auditd.service.bdsec-bak
in order to have a copy of the original file content.If the file does not exist, a dummy backup will be created:
/etc/systemd/system/auditd.service.bak-missing
.If the file exists, its contents will be copied to
/etc/systemd/system/auditd.service.bak
.BEST will copy the modified file
/lib/systemd/system/auditd.service
(or/usr/lib/systemd/system/auditd.service
, depending on the distro according to the table below) to/etc/systemd/system/auditd.service
.When EDR is disabled or BEST is stopped, file content will be restored to previous state from
/etc/systemd/system/auditd.service.bak
(or deleted, if onlyauditd.service.bak-missing
exists).
OS | Version | Changes performed |
---|---|---|
Alma Linux 8 | X86 | N/A |
X64 | Edits the Ensures that | |
Alma Linux v1 | X86 | N/A |
X64 | Edits the Edits the /etc/audit/auditd.conf file and sets log_format to RAW. | |
Alma Linux v2 | X86 | N/A |
X64 | Edits the Ensures that Copies Runs Restarts the | |
Centos 6 | X86 | Edits the Edits the |
X64 | Edits the Edits the | |
Centos 7 | X86 | Edits the |
X64 | Edits the | |
Centos 8 | X86 | N/A |
X64 | Edits the | |
Cloud Linux 7 | X86 | N/A |
X64 | Edits the Ensures that | |
Cloud Linux 8 | X86 | N/A |
X64 | Edits the Ensures that | |
Debian 9 | X86 | Edits the Edits the Ensures that |
X64 | Edits the Edits the Ensures that | |
Debian 10 | x86 | Edits the Edits the Ensures that |
X64 | Edits the Edits the Ensures that | |
Debian 11 | X86 | Edits the Edits the Ensures that |
X64 | Edits the Edits the Ensures that | |
Fedora 31 | X86 | N/A |
X64 | Edits the Ensures that | |
Fedora 34 | X86 | N/A |
X64 | Edits the Ensures that | |
Linux Mint 20.3 | X86 | N/A |
X64 | Edits the Edits the Ensures that | |
Miracle Linux 8.4 | X86 | N/A |
X64 | Edits the Ensures that | |
OpenSUSE 15.2 | X86 | N/A |
X86 | Edits the Ensures that Copies Runs Restarts the | |
Oracle 6 | X86 | N/A |
X64 | Edits the Edits the | |
Oracle 7 | X86 | N/A |
X64 | Edits the | |
Oracle 8 | X86 | N/A |
X64 | Edits the | |
Pardus 21 | X86 | N/A |
X64 | Edits the Edits the Ensures that | |
RHEL 6 | X86 | Edits the Edits the |
X64 | Edits the Edits the | |
RHEL 7 | X86 | N/A |
X64 | Edits the | |
RHEL 8 | X86 | N/A |
X64 | Edits the | |
Rocky Linux 8 | X86 | N/A |
X64 | Edits the | |
SLES 12 SP4 | X86 | N/A |
X64 | Edits the Ensures that Copies Runs Restarts the | |
SLES 12 SP5 | X86 | N/A |
X64 | Edits the Ensures that Copies Runs Restarts the | |
SLES 15 SP2 | X86 | N/A |
X64 | Edits the Ensures that Copies Runs Restarts the | |
SLES 15 SP2 | X86 | N/A |
X64 | Edits the Ensures that Copies Runs Restarts the | |
SLES 15 SP3 | X86 | N/A |
X64 | Edits the Ensures that Copies Runs Restarts the | |
SLES 12 SP4 | X86 | N/A |
X64 | Edits the Ensures that Copies Runs Restarts the | |
SLES 12 SP5 | X86 | N/A |
X64 | Edits the Ensures that Copies Runs Restarts the | |
Ubuntu 14.04 | X86 | Edits the Edits the Set Copy / Runs Restarts the |
X64 | Edits the Edits the Set Copies Runs Restarts the | |
Ubuntu 16.04 | X86 | Edits the Edits the Set Copies Runs Restarts the |
X64 | Edits the Edits the Set Copies Runs Restarts the | |
Ubuntu 18.04 | X86 | N/A |
X64 | Edits the Edits the Ensures that | |
Ubuntu 20.04 | X86 | N/A |
X64 | Edits the Edits the Ensures that | |
Ubuntu 21.04 | X86 | N/A |
X64 | Edits the Edits the Ensures that | |
Ubuntu 21.10 | X86 | N/A |
X64 | Edits the Edits the Ensures that |
Warning
EDR requests information from the operating system that is not available via the AuditD subsystem. Expect a decreased detection rate.