This commit is contained in:
Tudor Dobrila 2020-02-18 21:40:56 -08:00
parent cfb38abb00
commit 62f4f7be96
8 changed files with 152 additions and 133 deletions

Binary file not shown.


Binary file not shown.


View File

@ -37,6 +37,12 @@ Before you get started, see [the main Microsoft Defender ATP for Linux page](mic
## Configure Microsoft Linux Software Repository
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use this repository are provided below.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
### RHEL and variants (CentOS and Oracle EL)
- Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`
@ -44,13 +50,13 @@ Before you get started, see [the main Microsoft Defender ATP for Linux page](mic
In the below commands, replace *[distro]* and *[version]* with the information identified in the previous step:
> [!NOTE]
> In case of Oracle EL and CentOS 8, use [distro] as “rhel”.
> In case of Oracle EL and CentOS 8, use *[distro]* as “rhel”.
```bash
$ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/insiders-fast.repo
$ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
For example, if you are running CentOS 7:
For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
$ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
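Review bot: the channel literal is spelled two ways in this hunk: the prose and the example sentence say *insider-fast*, while the example URL still uses `insiders-fast.repo`, so a reader who substitutes *[channel]* with the name as written in the prose ends up with a repository path that does not exist. Pick one spelling (the one that matches the repository path) and use it for *[channel]* everywhere it is defined and substituted.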
@ -76,10 +82,10 @@ Before you get started, see [the main Microsoft Defender ATP for Linux page](mic
In the below commands, replace *[distro]* and *[version]* with the information identified in the previous step.
```bash
$ sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/[distro]/[version]/insiders-fast.repo
$ sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
For example, if you are running SLES 12:
For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
$ sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
@ -105,10 +111,10 @@ Before you get started, see [the main Microsoft Defender ATP for Linux page](mic
In the below command, replace *[distro]* and *[version]* with the information identified in the previous step:
```bash
$ curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/insiders-fast.list
$ curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
```
For example, if you are running Ubuntu 18.04:
For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
$ curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
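Review bot: `curl -o microsoft.list …` saves whatever the server returns, so a mistyped *[distro]* or *[version]* leaves a 404 HTML page in `microsoft.list` and the failure only surfaces later, at `apt-get update`, with an unrelated-looking error. Suggest `curl -fsSL -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list` so a non-2xx response fails this step immediately.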
@ -117,7 +123,7 @@ Before you get started, see [the main Microsoft Defender ATP for Linux page](mic
- Install the repository configuration:
```bash
$ sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list
$ sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
```
- Install the gpg package if not already installed:
@ -163,7 +169,7 @@ Before you get started, see [the main Microsoft Defender ATP for Linux page](mic
- Ubuntu and Debian system
```bash
sudo apt-get install -t insiders-fast mdatp
sudo apt-get install mdatp
```
## Download onboarding package
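Review bot: dropping `-t insiders-fast` is only safe when exactly one Microsoft list is present on the host. The earlier hunk names the sources file `microsoft-[channel].list`, so `microsoft-prod.list` and `microsoft-insiders-fast.list` can coexist, and in that case `apt-get install mdatp` selects the highest version across both regardless of which channel the operator intended. Either keep `-t [channel]` or state that only one channel list should be installed at a time.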
@ -171,42 +177,44 @@ Before you get started, see [the main Microsoft Defender ATP for Linux page](mic
Download the onboarding package from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In the first drop down, set operating system to **Windows 10** and in second drop down, Deployment method to **Mobile Device Management / Microsoft Intune**.
3. Click on **Download package**. Save it as WindowsDefenderATPOnboardingPackage.zip.
2. In Section 1 of the page, set operating system to **Linux Server** and Deployment method to **Local script**.
3. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
![Windows Defender Security Center screenshot](images/atp-portal-onboarding-win-intune.png)
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux.png)
4. From a command prompt, verify that you have the file.
Extract the contents of the .zip file and create mdatp_onboard.json file as follows:
Extract the contents of the archive:
```bash
$ ls -l
total 8
-rw-r--r-- 1 test staff 6287 Oct 21 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip -p WindowsDefenderATPOnboardingPackage.zip | python -c 'import sys,json;data={"onboardingInfo":"\n".join(sys.stdin.readlines())};print(json.dumps(data));' >mdatp_onboard.json
-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: WindowsDefenderATPOnboarding.py
```
## Client configuration
1. Copy WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Linux.
1. Copy WindowsDefenderATPOnboarding.py to the target machine.
The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
Initially the client machine is not associated with an organization. Note that the *orgId* attribute is blank.
```bash
$ mdatp --health orgId
```
2. Copy the mdatp_onboard.json created in earlier step to /etc/opt/microsoft/mdatp_onboard.json
2. Run WindowsDefenderATPOnboarding.py (note that in order to run this command you must have `python` installed on the device).
```bash
$ sudo cp mdatp.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
$ python WindowsDefenderATPOnboarding.py
```
3. Verify that the machine is now associated with your organization and reports a valid *orgId*:
3. Verify that the machine is now associated with your organization and reports a valid organization identifier:
```bash
$ mdatp --health orgId
E6875323-A6C0-4C60-87AD-114BBE7439B8
[your organization identifier]
```
4. A few minutes following the completion of the installation, you can see the status by running the following command. A return value of `'1'` denotes that the product is functioning as expected.
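Review bot: step 2 runs `python WindowsDefenderATPOnboarding.py` as a regular user, but the file it replaces has to end up under `/etc/opt/microsoft/mdatp/` (the removed step used `sudo cp` for exactly that), so the script will fail with a permission error unless it is run with `sudo`; add `sudo` to the command or state explicitly that it must run as root. Also say which Python major version the script needs, since `python` resolves to different interpreters across the supported distributions.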
@ -216,18 +224,23 @@ Download the onboarding package from Microsoft Defender Security Center:
1
```
5. Run a detection test
To verify that the machine is properly onboarded and reporting to the service, take the following steps on the newly onboarded machine:
5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine:
- Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command).
```bash
$ mdatp --health realTimeProtectionEnabled
1
```
- Ensure Real-time protection setting is ON ```mdatp --health realTimeProtectionEnabled```
- Open a Terminal window
Copy and run the command below:
``` bash
curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt
$ curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt
```
6. The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
- The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
```bash
$ mdatp --threat --list --pretty
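Review bot: the detection test writes to `~/Downloads/eicar.com.txt`, but that directory usually does not exist on a server install and `curl -o` does not create it, so the step fails with "No such file or directory" before anything is scanned. Use a path that exists on a server (for example `/tmp/eicar.com.txt`) or add `mkdir -p ~/Downloads` before the `curl`. Minor: the fence on the line above is written as ``` bash with a space, which some renderers do not recognize as a language tag; the other blocks use ```bash.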

View File

@ -59,19 +59,20 @@ Before you get started, please see [the main Microsoft Defender ATP for Linux pa
Download the onboarding package from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In the first drop down, set operating system to **Windows 10** and in second drop down, Deployment method to **Mobile Device Management / Microsoft Intune**.
2. In the first drop down, set operating system to **Linux Server** and in second drop down, Deployment method to **Your preferred Linux configuration management tool**.
3. Click on **Download package**. Save it as WindowsDefenderATPOnboardingPackage.zip.
![Windows Defender Security Center screenshot](images/atp-portal-onboarding-win-intune.png)
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file.
Extract the contents of the .zip file and create mdatp_onboard.json file as follows:
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash
$ ls -l
total 8
-rw-r--r-- 1 test staff 6287 Oct 21 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip -p WindowsDefenderATPOnboardingPackage.zip | python -c 'import sys,json;data={"onboardingInfo":"\n".join(sys.stdin.readlines())};print(json.dumps(data));' >mdatp_onboard.json
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
```
## Create Ansible YAML files
@ -91,16 +92,17 @@ Create subtask / role files which contribute to an actual task. Create below fil
mode: '0644'
```
- Create a `setup.sh` script which operates on onboarding blob
- Create a `setup.sh` script which operates on the onboarding file
```bash
$ cat /root/setup.sh
#!/bin/bash
# Unzip the file and creates license blob
# Unzip the file and create license file
mkdir -p /etc/opt/microsoft/mdatp/
unzip -p WindowsDefenderATPOnboardingPackage.zip | python -c 'import sys,json;data={"onboardingInfo":"\n".join(sys.stdin.readlines())};print(json.dumps(data));' > /etc/opt/microsoft/mdatp/mdatp_onboard.json
unzip WindowsDefenderATPOnboardingPackage.zip
cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
# get the GPG key
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
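Review bot: `unzip WindowsDefenderATPOnboardingPackage.zip` without `-o` prompts interactively when `mdatp_onboard.json` already exists in the working directory, so a second run of the playbook hangs waiting for input; use `unzip -o`. The script also has no `set -e`, so if unzip fails (missing archive, wrong path) the `cp` on the next line still runs and the error surfaces only later. Since `mdatp_onboard.json` carries the organization association, consider copying it with explicit restrictive permissions (`install -m 0600 mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json`) rather than inheriting the umask.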
@ -125,82 +127,96 @@ Create subtask / role files which contribute to an actual task. Create below fil
- Add the Microsoft Defender ATP repository and key
```bash
$ cat add_apt_repo.yml
- name: Add Microsoft repository for MDATP
apt_repository:
repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/16.04/prod insiders-fast main
update_cache: yes
state: present
filename: microsoft-insiders-fast.list
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository.
- name: Add Microsoft APT key
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229C
```
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
- For Yum based distributions use the following YML file
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
```bash
$ cat add_yum_repo.yml
- name: Add Microsoft repository for MDATP
yum_repository:
name: packages-microsoft-com-prod-insiders-fast
description: Microsoft Defender ATP
file: microsoft-insiders-fast
baseurl: https://packages.microsoft.com/centos/7/insiders-fast/
gpgcheck: yes
enabled: Yes
```
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
- Now create the actual install/uninstall YAML files under /etc/ansible/playbooks
In the below commands, replace *[distro]* and *[version]* with the information identified in the previous step.
```bash
$ cat install_mdatp.yml
- hosts: servers
- For apt-based distributions use the following YAML file
```bash
$ cat add_apt_repo.yml
- name: Add Microsoft repository for MDATP
apt_repository:
repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
update_cache: yes
state: present
filename: microsoft-[channel].list
- name: Add Microsoft APT key
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229C
```
- For yum-based distributions use the following YAML file
```bash
$ cat add_yum_repo.yml
- name: Add Microsoft repository for MDATP
yum_repository:
name: packages-microsoft-com-prod-[channel]
description: Microsoft Defender ATP
file: microsoft-[channel]
baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
gpgcheck: yes
enabled: Yes
```
- Create the actual install / uninstall YAML files under `/etc/ansible/playbooks`
- For apt-based distributions use the following YAML file
```bash
$ cat install_mdatp.yml
- hosts: servers
tasks:
- include: ../roles/download_copy_blob.yml
- include: ../roles/setup_blob.yml
- include: ../roles/add_apt_repo.yml
- apt:
name: mdatp
state: latest
update_cache: yes
```
```bash
$ cat uninstall_mdatp.yml
- hosts: servers
tasks:
- apt:
name: mdatp
state: absent
```
- For yum-based distributions use the following YAML file
```bash
$ cat install_mdatp_yum.yml
- hosts: servers
tasks:
- include: ../roles/download_copy_blob.yml
- include: ../roles/setup_blob.yml
- include: ../roles/add_apt_repo.yml
- apt:
- include: ../roles/add_yum_repo.yml
- yum:
name: mdatp
state: latest
update_cache: yes
```
enablerepo: packages-microsoft-com-prod-insiders-fast
```
```bash
$ cat uninstall_mdatp.yml
- hosts: servers
tasks:
- apt:
name: mdatp
state: absent
```
- For the Yum based distribution
```bash
$ cat install_mdatp_yum.yml
- hosts: servers
tasks:
- include: ../roles/download_copy_blob.yml
- include: ../roles/setup_blob.yml
- include: ../roles/add_yum_repo.yml
- yum:
name: mdatp
state: latest
enablerepo: packages-microsoft-com-prod-insiders-fast
```
```bash
$ cat uninstall_mdatp_yum.yml
- hosts: servers
tasks:
- yum:
name: mdatp
state: absent
```
```bash
$ cat uninstall_mdatp_yum.yml
- hosts: servers
tasks:
- yum:
name: mdatp
state: absent
```
## Deployment
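Review bot: `install_mdatp_yum.yml` still hardcodes `enablerepo: packages-microsoft-com-prod-insiders-fast` while `add_yum_repo.yml` now names the repository `packages-microsoft-com-prod-[channel]`, so the install task only works for the insiders channel; template it as `enablerepo: packages-microsoft-com-prod-[channel]`. Two related points in the same hunk: `add_yum_repo.yml` sets `gpgcheck: yes` but provides no `gpgkey:`, so yum cannot verify the packages and will fail or prompt on first install (the key URL already used in `setup.sh`, `https://packages.microsoft.com/keys/microsoft.asc`, is the value to add); and in `add_apt_repo.yml` the `apt_key` task passes a web URL as `keyserver:` together with an `id:` of 39 hex characters, which is neither a 16-character key ID nor a 40-character fingerprint, so the key is not actually verified. Using the module's `url:` parameter with the same `.asc` URL and a full fingerprint in `id:` is the straightforward fix.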
@ -221,7 +237,10 @@ Now run the tasks files under `/etc/ansible/playbooks/`
## References
[Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html)<br/>
[Manage packages with the yum package manager](https://docs.ansible.com/ansible/latest/modules/yum_module.html)<br/>
[Add and remove APT repositories](https://docs.ansible.com/ansible/latest/modules/apt_repository_module.html)<br/>
[Manage apt-packages](https://docs.ansible.com/ansible/latest/modules/apt_module.html)
- [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html)
- [Manage packages with the yum package manager](https://docs.ansible.com/ansible/latest/modules/yum_module.html)
- [Add and remove APT repositories](https://docs.ansible.com/ansible/latest/modules/apt_repository_module.html)
- [Manage apt-packages](https://docs.ansible.com/ansible/latest/modules/apt_module.html)
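Review bot: the first reference links to the Ansible 2.3 documentation while the other three link to `latest`; point the `yum_repository` link at the same `latest` path so readers do not land on an outdated module page.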

View File

@ -42,19 +42,19 @@ In addition, for Puppet deployment, you need to be familiar with Puppet administ
Download the onboarding package from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In the first drop down, set operating system to **Windows 10** and in second drop down, Deployment method to **Mobile Device Management / Microsoft Intune**.
2. In the first drop down, set operating system to **Linux Server** and in second drop down, Deployment method to **Your preferred Linux configuration management tool**.
3. Click on **Download package**. Save it as WindowsDefenderATPOnboardingPackage.zip.
![Windows Defender Security Center screenshot](images/atp-portal-onboarding-win-intune.png)
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file.
Extract the contents of the .zip file and create mdatp_onboard.json file as follows:
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash
$ ls -l
total 8
-rw-r--r-- 1 test staff 6287 Oct 21 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip -p WindowsDefenderATPOnboardingPackage.zip | python -c 'import sys,json;data={"onboardingInfo":"\n".join(sys.stdin.readlines())};print(json.dumps(data));' >mdatp_onboard.json
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
```
## Create Puppet manifest
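Review bot: the transcript goes from the `ls -l` output straight to `Archive: …` / `inflating: mdatp_onboard.json`, but the `$ unzip WindowsDefenderATPOnboardingPackage.zip` command that produces that output is missing; the identical step in the Ansible page includes it. Add the command line so the block can be followed literally.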

View File

@ -254,7 +254,7 @@ The following configuration profile will:
},
"cloudService":{
"automaticSampleSubmission":true,
"enabled":true,
"enabled":true
}
}
```
@ -303,11 +303,11 @@ The following configuration profile contains entries for all settings described
"cloudService":{
"enabled":true,
"diagnosticLevel":"optional",
"automaticSampleSubmission":true,
"automaticSampleSubmission":true
}
}
```
## Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft M reads the managed configuration from the file */etc/opt/microsoft/mdatp/managed/mdatp_managed.json*
Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the file */etc/opt/microsoft/mdatp/managed/mdatp_managed.json*

View File

@ -60,7 +60,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
If an error occurs during installation, the installer will only report a general failure.
The detailed log will be saved to /var/log/microsoft/mdatp_install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling

View File

@ -59,8 +59,8 @@ In general you need to take the following steps:
- Oracle Enterprise Linux 7
- Minimum kernel version 2.6.38
- The **fanotify** kernel option must be enabled
- Disk space: 650 MB.
- The *fanotify* kernel option must be enabled
- Disk space: 650 MB
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
@ -96,23 +96,14 @@ The output from this command should be similar to the following:
> `OK https://x.cp.wd.microsoft.com/api/report`
> `OK https://cdn.x.cp.wd.microsoft.com/ping`
You can also use ```mdatp --connectivity-test``` to verify the connectivity.
Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
```bash
$ mdatp --connectivity-test
Running connectivity test
Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://unitedstates.x.cp.wd.microsoft.com/api/report ... [OK]
Testing connection with https://ussus1eastprod.blob.core.windows.net ... [OK]
Testing connection with https://ussus1westprod.blob.core.windows.net ... [OK]
```
## How to update Microsoft Defender ATP for Linux
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](linux-updates.md)
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](linux-updates.md).
## How to configure Microsoft Defender ATP for Linux
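Review bot: removing the `mdatp --connectivity-test` transcript also removes the only place this page listed the regional CDN hosts and the `*.blob.core.windows.net` endpoints; the retained example output above shows only `x.cp.wd.microsoft.com/api/report` and `cdn.x.cp.wd.microsoft.com/ping`. If the firewall guidance is meant to be complete, make sure the full set of URLs the product contacts is still listed in the endpoints section, otherwise operators who allow-list from this page will see connectivity failures for the omitted hosts.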
@ -120,17 +111,13 @@ Guidance for how to configure the product in enterprise environments is availabl
## Known Issues
- When a large volume of threats are encountered on the device, the product might exhibit increasingly large memory consumption (until the next product restart / system reboot). The engineering team is actively working on a mitigation for this
- Logged on users do not appear in the ATP portal
- While we are working on creating a better onboarding experience for Linux in the Microsoft Defender Security Center portal, the steps below temporarily point to the Windows section of the portal for getting the onboarding package
- In SUSE distributions, if thelibatomic1 failed to beinstalledplease validate that your OS is registered by typing the following command in theterminal:
- In SUSE distributions, if installation of *libatomic1* fails, validate that your OS is registered:
```bash
sudoSUSEConnect --status-text
$ sudoSUSEConnect --status-text
```
## Resources
- For more information about logging, uninstalling, or other topics, see the [Resources](linux-resources.md) page.
- [Privacy for Microsoft Defender ATP for Linux](linux-privacy.md)
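Review bot: `$ sudoSUSEConnect --status-text` keeps the original typo; `sudo` and `SUSEConnect` need a space between them, otherwise the shell reports "command not found". The prose line above it had the same run-together words and is fixed in this hunk, so the code line is the only remaining occurrence.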