diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 8208331b97..103d64f6d8 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -341,6 +341,19 @@
#### [Privacy](microsoft-defender-atp/mac-privacy.md)
#### [Resources](microsoft-defender-atp/mac-resources.md)
+### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
+#### [Deploy]()
+##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
+##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
+##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
+#### [Update](microsoft-defender-atp/linux-updates.md)
+#### [Configure]()
+##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
+##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
+#### [Resources](microsoft-defender-atp/linux-resources.md)
+
+### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md)
+
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
### [Management and API support]()
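Review bot: The added entry `### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md)` sits between the new Linux block and the Threat Experts entry, yet nothing else visible in this patch touches secure-score-dashboard.md. Confirm that it belongs in this change and does not duplicate an existing TOC entry; otherwise drop it. In the Linux block, "Puppet based deployment" and "Ansible based deployment" would read better hyphenated ("Puppet-based", "Ansible-based").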
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png
new file mode 100644
index 0000000000..7dd1c6d0e6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png
new file mode 100644
index 0000000000..232b46993b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-win-intune.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-win-intune.png
new file mode 100644
index 0000000000..f5c2853226
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-win-intune.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
new file mode 100644
index 0000000000..24930516c6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -0,0 +1,255 @@
+---
+title: Deploy Microsoft Defender ATP for Linux manually
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy Microsoft Defender ATP for Linux manually
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This topic describes how to deploy Microsoft Defender ATP for Linux manually. A successful deployment requires the completion of all of the following tasks:
+
+- [Configure the Linux software repository](#configure-the-linux-software-repository)
+- [Application installation](#application-installation)
+- [Download the onboarding package](#download-the-onboarding-package)
+- [Client configuration](#client-configuration)
+
+## Prerequisites and system requirements
+
+Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
+
+## Configure the Linux software repository
+
+Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
+
+The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
+
+In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
+
+### RHEL and variants (CentOS and Oracle EL)
+
+- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+
+ In the below commands, replace *[distro]* and *[version]* with the information you've identified:
+
+ > [!NOTE]
+ > In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
+
+ ```bash
+ $ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ ```
+
+ For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
+
+ ```bash
+ $ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
+ ```
+
+- Install the Microsoft GPG public key:
+
+ ```bash
+ $ curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
+ $ sudo rpm --import microsoft.asc
+ ```
+
+- Download and make usable all the metadata for the currently enabled yum repositories:
+
+ ```bash
+ $ yum makecache
+ ```
+
+### SLES and variants
+
+- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+
+ In the following commands, replace *[distro]* and *[version]* with the information you've identified:
+
+ ```bash
+ $ sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ ```
+
+ For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
+
+ ```bash
+ $ sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
+ ```
+
+- Install the Microsoft GPG public key:
+
+ ```bash
+ $ curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
+ $ rpm --import microsoft.asc
+ ```
+
+### Ubuntu and Debian systems
+
+- Install `curl` if it is not already installed:
+
+ ```bash
+ $ sudo apt-get install curl
+ ```
+
+- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
+
+ In the below command, replace *[distro]* and *[version]* with the information you've identified:
+
+ ```bash
+ $ curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
+ ```
+
+ For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insider-fast* channel:
+
+ ```bash
+ $ curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
+ ```
+
+- Install the repository configuration:
+
+ ```bash
+ $ sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
+ ```
+
+- Install the gpg package if not already installed:
+
+ ```bash
+ $ sudo apt-get install gpg
+ ```
+
+- Install the Microsoft GPG public key:
+
+ ```bash
+ $ curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
+ $ sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
+
+ ```
+
+- Install the https driver if it's not already present:
+
+ ```bash
+ $ sudo apt-get install apt-transport-https
+ ```
+
+- Update the repository metadata:
+
+ ```bash
+ $ sudo apt-get update
+ ```
+
+## Application installation
+
+- RHEL and variants (CentOS and Oracle EL):
+
+ ```bash
+ sudo yum install mdatp
+ ```
+
+- SLES and variants:
+
+ ```bash
+ sudo zypper install mdatp
+ ```
+
+- Ubuntu and Debian system:
+
+ ```bash
+ sudo apt-get install mdatp
+ ```
+
+## Download the onboarding package
+
+Download the onboarding package from Microsoft Defender Security Center:
+
+1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script (for up to 10 machines)** as the deployment method.
+3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
+
+ 
+
+4. From a command prompt, verify that you have the file.
+ Extract the contents of the archive:
+
+ ```bash
+ $ ls -l
+ total 8
+ -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
+
+ $ unzip WindowsDefenderATPOnboardingPackage.zip
+ Archive: WindowsDefenderATPOnboardingPackage.zip
+ inflating: WindowsDefenderATPOnboarding.py
+ ```
+
+## Client configuration
+
+1. Copy WindowsDefenderATPOnboarding.py to the target machine.
+
+ Initially the client machine is not associated with an organization. Note that the *orgId* attribute is blank:
+
+ ```bash
+ $ mdatp --health orgId
+ ```
+
+2. Run WindowsDefenderATPOnboarding.py, and note that, in order to run this command, you must have `python` installed on the device:
+
+ ```bash
+ $ python WindowsDefenderATPOnboarding.py
+ ```
+
+3. Verify that the machine is now associated with your organization and reports a valid organization identifier:
+
+ ```bash
+ $ mdatp --health orgId
+ [your organization identifier]
+ ```
+
+4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected:
+
+ ```bash
+ $ mdatp --health healthy
+ 1
+ ```
+
+5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine:
+
+ - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
+
+ ```bash
+ $ mdatp --health realTimeProtectionEnabled
+ 1
+ ```
+
+ - Open a Terminal window. Copy and execute the following command:
+
+ ``` bash
+ $ curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt
+ ```
+
+ - The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
+
+ ```bash
+ $ mdatp --threat --list --pretty
+ ```
+
+## Log installation issues
+
+See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+
+## Uninstallation
+
+See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
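Review bot: The channel is named *insider-fast* throughout the prose, but every example URL uses `insiders-fast` (`.../centos/7/insiders-fast.repo`, `.../sles/12/insiders-fast.repo`, `.../ubuntu/18.04/insiders-fast.list`), so a reader who substitutes the documented name for `[channel]` builds a different URL than the examples show; use one spelling in both places. In the key steps, the file fetched with `curl https://packages.microsoft.com/keys/microsoft.asc` becomes a trusted package-signing key without any check; add a step that compares its fingerprint against a published value before `rpm --import` or the move into `/etc/apt/trusted.gpg.d/`. The SLES `rpm --import microsoft.asc` and the RHEL `yum makecache` lines lack the `sudo` used on the neighbouring commands, and the detection test downloads the EICAR file over `http://`.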
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
new file mode 100644
index 0000000000..8eae3591a3
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
@@ -0,0 +1,261 @@
+---
+title: Deploy Microsoft Defender ATP for Linux with Ansible
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy Microsoft Defender ATP for Linux with Ansible
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This topic describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
+
+- [Download the onboarding package](#download-the-onboarding-package)
+- [Create Ansible YAML files](#create-ansible-yaml-files)
+- [Deployment](#deployment)
+- [References](#references)
+
+## Prerequisites and system requirements
+
+Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
+
+- Ansible needs to be installed on at least on one computer (we will call it the master).
+- Passwordless SSH must be configured for the root user between the master and all clients.
+- The following software must be installed on all clients:
+ - Python-apt
+ - Curl
+ - Unzip
+
+- All host must be listed in the following format in the `/etc/ansible/hosts` file:
+
+ ```bash
+ [servers]
+ host1 ansible_ssh_host=10.171.134.39
+ host2 ansible_ssh_host=51.143.50.51
+ ```
+
+- Ping test:
+
+ ```bash
+ $ ansible -m ping all
+ ```
+
+## Download the onboarding package
+
+Download the onboarding package from Microsoft Defender Security Center:
+
+1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
+3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
+
+ 
+
+4. From a command prompt, verify that you have the file. Extract the contents of the archive:
+
+ ```bash
+ $ ls -l
+ total 8
+ -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
+ $ unzip WindowsDefenderATPOnboardingPackage.zip
+ Archive: WindowsDefenderATPOnboardingPackage.zip
+ inflating: mdatp_onboard.json
+ ```
+
+## Create Ansible YAML files
+
+Create subtask or role files that contribute to an actual task. Create the following files under the `/etc/ansible/roles` directory.
+
+- Copy the onboarding package to all client machines:
+
+ ```bash
+ $ cat /etc/ansible/roles/copy_onboarding_pkg.yml
+ - name: Copy the zip file
+ copy:
+ src: /root/WindowsDefenderATPOnboardingPackage.zip
+ dest: /root/WindowsDefenderATPOnboardingPackage.zip
+ owner: root
+ group: root
+ mode: '0644'
+ ```
+
+- Create a `setup.sh` script that operates on the onboarding file:
+
+ ```bash
+ $ cat /root/setup.sh
+
+ #!/bin/bash
+
+ # Unzip the archive and create the onboarding file
+ mkdir -p /etc/opt/microsoft/mdatp/
+ unzip WindowsDefenderATPOnboardingPackage.zip
+ cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
+
+ # get the GPG key
+ curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
+ sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
+ ```
+
+- Create the onboarding file:
+
+ ```bash
+ $ cat setup_blob.yml
+ - name: Copy the setup script file
+ copy:
+ src: /root/setup.sh
+ dest: /root/setup.sh
+ owner: root
+ group: root
+ mode: '0744'
+
+ - name: Run a script to create the onboarding file
+ script: /root/setup.sh
+ ```
+
+- Add the Microsoft Defender ATP repository and key.
+
+ Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository.
+
+ The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
+
+ In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
+
+ Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+
+ In the following commands, replace *[distro]* and *[version]* with the information you've identified.
+
+ > [!NOTE]
+ > In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
+
+ - For apt-based distributions use the following YAML file:
+
+ ```bash
+ $ cat add_apt_repo.yml
+ - name: Add Microsoft repository for MDATP
+ apt_repository:
+ repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
+ update_cache: yes
+ state: present
+ filename: microsoft-[channel].list
+
+ - name: Add Microsoft APT key
+ apt_key:
+ keyserver: https://packages.microsoft.com/
+ id: BC528686B50D79E339D3721CEB3E94ADBE1229C
+ ```
+
+ - For yum-based distributions use the following YAML file:
+
+ ```bash
+ $ cat add_yum_repo.yml
+ - name: Add Microsoft repository for MDATP
+ yum_repository:
+ name: packages-microsoft-com-prod-[channel]
+ description: Microsoft Defender ATP
+ file: microsoft-[channel]
+ baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
+ gpgcheck: yes
+ enabled: Yes
+ ```
+
+- Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`.
+
+ - For apt-based distributions use the following YAML file:
+
+ ```bash
+ $ cat install_mdatp.yml
+ - hosts: servers
+ tasks:
+ - include: ../roles/download_copy_blob.yml
+ - include: ../roles/setup_blob.yml
+ - include: ../roles/add_apt_repo.yml
+ - apt:
+ name: mdatp
+ state: latest
+ update_cache: yes
+ ```
+
+ ```bash
+ $ cat uninstall_mdatp.yml
+ - hosts: servers
+ tasks:
+ - apt:
+ name: mdatp
+ state: absent
+ ```
+
+ - For yum-based distributions use the following YAML file:
+
+ ```bash
+ $ cat install_mdatp_yum.yml
+ - hosts: servers
+ tasks:
+ - include: ../roles/download_copy_blob.yml
+ - include: ../roles/setup_blob.yml
+ - include: ../roles/add_yum_repo.yml
+ - yum:
+ name: mdatp
+ state: latest
+ enablerepo: packages-microsoft-com-prod-[channel]
+ ```
+
+ ```bash
+ $ cat uninstall_mdatp_yum.yml
+ - hosts: servers
+ tasks:
+ - yum:
+ name: mdatp
+ state: absent
+ ```
+
+## Deployment
+
+Now run the tasks files under `/etc/ansible/playbooks/`.
+
+- Installation:
+
+ ```bash
+ $ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
+ ```
+
+- Validation/configuration:
+
+ ```bash
+ $ ansible -m shell -a 'mdatp --connectivity-test' all
+ $ ansible -m shell -a 'mdatp --health' all
+ ```
+
+- Uninstallation:
+
+ ```bash
+ $ ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
+ ```
+
+## Log installation issues
+
+See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+
+## References
+
+- [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html)
+
+- [Manage packages with the yum package manager](https://docs.ansible.com/ansible/latest/modules/yum_module.html)
+
+- [Add and remove APT repositories](https://docs.ansible.com/ansible/latest/modules/apt_repository_module.html)
+
+- [Manage apt-packages](https://docs.ansible.com/ansible/latest/modules/apt_module.html)
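Review bot: In add_apt_repo.yml the `apt_key` task is unlikely to import the key as written: `id: BC528686B50D79E339D3721CEB3E94ADBE1229C` is 39 hex characters, one short of the 40-character id used in the Puppet manifest later in this patch (ending `BE1229CF`), and `keyserver:` is given a plain HTTPS URL rather than a keyserver; point the task at the key file with `url:` and use the full fingerprint. Both install playbooks include `../roles/download_copy_blob.yml`, but the role file created earlier is `copy_onboarding_pkg.yml`, so the include has nothing to resolve to. add_yum_repo.yml sets `gpgcheck: yes` without a `gpgkey`, and setup.sh, which both the apt and yum playbooks run, writes the key only to `/etc/apt/trusted.gpg.d/`. The prerequisite of passwordless SSH as root could be narrowed to an unprivileged account with privilege escalation for the tasks that need it. Under Prerequisites, "at least on one computer" and "All host must be listed" need a grammar pass.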
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
new file mode 100644
index 0000000000..a27c84b264
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
@@ -0,0 +1,189 @@
+---
+title: Deploy Microsoft Defender ATP for Linux with Puppet
+ms.reviewer:
+description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy Microsoft Defender ATP for Linux with Puppet
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
+
+- [Download the onboarding package](#download-the-onboarding-package)
+- [Create Puppet manifest](#create-a-puppet-manifest)
+- [Deployment](#deployment)
+- [Check onboarding status](#check-onboarding-status)
+
+## Prerequisites and system requirements
+
+Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
+
+In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to the [Puppet documentation](https://puppet.com/docs) for details.
+
+## Download the onboarding package
+
+Download the onboarding package from Microsoft Defender Security Center:
+
+1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
+3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
+
+ 
+
+4. From a command prompt, verify that you have the file. Extract the contents of the archive:
+
+ ```bash
+ $ ls -l
+ total 8
+ -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
+ $ unzip WindowsDefenderATPOnboardingPackage.zip
+ Archive: WindowsDefenderATPOnboardingPackage.zip
+ inflating: mdatp_onboard.json
+ ```
+
+## Create a Puppet manifest
+
+You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* module available from puppetlabs, and assumes that the apt module has been installed on your Puppet server.
+
+Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
+
+```bash
+$ pwd
+/etc/puppetlabs/code/environments/production/modules
+
+$ tree install_mdatp
+install_mdatp
+├── files
+│ └── mdatp_onboard.json
+└── manifests
+ └── init.pp
+```
+
+### Contents of `install_mdatp/manifests/init.pp`
+
+Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository.
+
+The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
+
+In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
+
+Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+
+In the below commands, replace *[distro]* and *[version]* with the information you've identified:
+
+> [!NOTE]
+> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
+
+```puppet
+class install_mdatp {
+
+ if ($osfamily == 'Debian') {
+ apt::source { 'microsoftpackages' :
+ location => 'https://packages.microsoft.com/[distro]/[version]/prod', # change the version and distro based on your OS
+ release => '[channel]',
+ repos => 'main',
+ key => {
+ 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
+ 'server' => 'https://packages.microsoft.com/keys/microsoft.asc',
+ },
+ }
+ }
+ else {
+ yumrepo { 'microsoftpackages' :
+ baseurl => 'https://packages.microsoft.com/[distro]/[version]/[channel]', # change the version and distro based on your OS
+ enabled => 1,
+ gpgcheck => 1,
+ gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc'
+ }
+ }
+
+ package { 'mdatp':
+ ensure => 'installed',
+ }
+
+ file { ['/etc', '/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
+ ensure => directory,
+ }
+ file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
+ mode => "0644",
+ source => 'puppet:///modules/install_mdatp/mdatp_onboard.json',
+ }
+}
+```
+
+## Deployment
+
+Include the above manifest in your site.pp file:
+
+```bash
+$ cat /etc/puppetlabs/code/environments/production/manifests/site.pp
+node "default" {
+ include install_mdatp
+}
+```
+
+Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected.
+
+## Monitor Puppet deployment
+
+On the agent machine, you can also check the onboarding status by running:
+
+```bash
+$ mdatp --health
+...
+licensed : true
+orgId : "[your organization identifier]"
+...
+```
+
+- **licensed**: This confirms that the device is tied to your organization.
+
+- **orgId**: This is your Microsoft Defender ATP organization identifier.
+
+## Check onboarding status
+
+You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
+
+```bash
+$ mdatp --health healthy
+```
+
+The above command prints `1` if the product is onboarded and functioning as expected.
+
+If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
+
+- 1 if the device is not yet onboarded.
+- 3 if the connection to the daemon cannot be established.
+
+## Log installation issues
+
+See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
+
+## Uninstallation
+
+Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file:
+
+```bash
+class remove_mdatp {
+ package { 'mdatp':
+ ensure => 'purged',
+ }
+}
+```
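Review bot: In init.pp the `apt::source` key hash passes the key file URL as `'server' => 'https://packages.microsoft.com/keys/microsoft.asc'`; in puppetlabs-apt `server` names a keyserver, while a URL to a key file belongs in `source`, so the Debian branch should use `'source'` here. The `else` branch applies `yumrepo` to every non-Debian `$osfamily`, which also catches the SLES/SUSE systems named in the page keywords; test for the RedHat family explicitly and handle or reject the rest. The `file` resource that manages `/etc` and `/etc/opt` can collide with other modules that declare the same directories. The sections "Monitor Puppet deployment" and "Check onboarding status" overlap, the latter promises a script but shows a single command, and the *remove_mdatp* manifest is fenced as `bash` where the install manifest uses `puppet`.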
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
new file mode 100644
index 0000000000..256186213a
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
@@ -0,0 +1,356 @@
+---
+title: Set preferences for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Describes how to configure Microsoft Defender ATP for Linux in enterprises.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Set preferences for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+>[!IMPORTANT]
+>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line).
+
+In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
+
+This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
+
+## Configuration profile structure
+
+The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences.
+
+Typically, you would use a configuration management tool to push a file with the name ```mdatp_maanged.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```.
+
+The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
+
+### Antivirus engine preferences
+
+The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.
+
+|||
+|:---|:---|
+| **Key** | antivirusEngine |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable real-time protection
+
+Detemines whether real-time protection (scan files as they are accessed) is enabled or not.
+
+|||
+|:---|:---|
+| **Key** | enableRealTimeProtection |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Enable / disable passive mode
+
+Detemines whether the antivirus engine runs in passive mode or not. In passive mode:
+- Real-time protection is turned off.
+- On-demand scanning is turned on.
+- Automatic threat remediation is turned off.
+- Security intelligence updates are turned on.
+- Status menu icon is hidden.
+
+|||
+|:---|:---|
+| **Key** | passiveMode |
+| **Data type** | Boolean |
+| **Possible values** | false (default)
true |
+| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
+
+#### Exclusion merge policy
+
+Specifies the merge policy for exclusions. It can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions.
+
+|||
+|:---|:---|
+| **Key** | exclusionsMergePolicy |
+| **Data type** | String |
+| **Possible values** | merge (default)
admin_only |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
+#### Scan exclusions
+
+Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
+
+|||
+|:---|:---|
+| **Key** | exclusions |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Type of exclusion**
+
+Specifies the type of content excluded from the scan.
+
+|||
+|:---|:---|
+| **Key** | $type |
+| **Data type** | String |
+| **Possible values** | excludedPath
excludedFileExtension
excludedFileName |
+
+**Path to excluded content**
+
+Used to exclude content from the scan by full file path.
+
+|||
+|:---|:---|
+| **Key** | path |
+| **Data type** | String |
+| **Possible values** | valid paths |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**Path type (file / directory)**
+
+Indicates if the *path* property refers to a file or directory.
+
+|||
+|:---|:---|
+| **Key** | isDirectory |
+| **Data type** | Boolean |
+| **Possible values** | false (default)
true |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**File extension excluded from the scan**
+
+Used to exclude content from the scan by file extension.
+
+|||
+|:---|:---|
+| **Key** | extension |
+| **Data type** | String |
+| **Possible values** | valid file extensions |
+| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
+
+**Process excluded from the scan**
+
+Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
+
+|||
+|:---|:---|
+| **Key** | name |
+| **Data type** | String |
+| **Possible values** | any string |
+| **Comments** | Applicable only if *$type* is *excludedFileName* |
+
+#### Allowed threats
+
+List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
+
+|||
+|:---|:---|
+| **Key** | allowedThreats |
+| **Data type** | Array of strings |
+
+#### Disallowed threat actions
+
+Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.
+
+|||
+|:---|:---|
+| **Key** | disallowedThreatActions |
+| **Data type** | Array of strings |
+| **Possible values** | allow (restricts users from allowing threats)
restore (restricts users from restoring threats from the quarantine) |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
+#### Threat type settings
+
+The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
+
+|||
+|:---|:---|
+| **Key** | threatTypeSettings |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Threat type**
+
+Type of threat for which the behavior is configured.
+
+|||
+|:---|:---|
+| **Key** | key |
+| **Data type** | String |
+| **Possible values** | potentially_unwanted_application
archive_bomb |
+
+**Action to take**
+
+Action to take when coming across a threat of the type specified in the preceding section. Can be:
+
+- **Audit**: The device is not protected against this type of threat, but an entry about the threat is logged.
+- **Block**: The device is protected against this type of threat and you are notified in the user interface and the security console.
+- **Off**: The device is not protected against this type of threat and nothing is logged.
+
+|||
+|:---|:---|
+| **Key** | value |
+| **Data type** | String |
+| **Possible values** | audit (default)
block
off |
+
+#### Threat type settings merge policy
+
+Specifies the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types.
+
+|||
+|:---|:---|
+| **Key** | threatTypeSettingsMergePolicy |
+| **Data type** | String |
+| **Possible values** | merge (default)
admin_only |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
+### Cloud-delivered protection preferences
+
+The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
+
+|||
+|:---|:---|
+| **Key** | cloudService |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable cloud delivered protection
+
+Determines whether cloud-delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
+
+|||
+|:---|:---|
+| **Key** | enabled |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Diagnostic collection level
+
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
+
+|||
+|:---|:---|
+| **Key** | diagnosticLevel |
+| **Data type** | String |
+| **Possible values** | optional (default)
required |
+
+#### Enable / disable automatic sample submissions
+
+Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
+
+|||
+|:---|:---|
+| **Key** | automaticSampleSubmission |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+## Recommended configuration profile
+
+To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
+
+The following configuration profile will:
+
+- Enable real-time protection (RTP).
+- Specify how the following threat types are handled:
+ - **Potentially unwanted applications (PUA)** are blocked.
+ - **Archive bombs** (file with a high compression rate) are audited to the product logs.
+- Enable cloud-delivered protection.
+- Enable automatic sample submission.
+
+### Sample profile
+
+```JSON
+{
+ "antivirusEngine":{
+ "enableRealTimeProtection":true,
+ "threatTypeSettings":[
+ {
+ "key":"potentially_unwanted_application",
+ "value":"block"
+ },
+ {
+ "key":"archive_bomb",
+ "value":"audit"
+ }
+ ]
+ },
+ "cloudService":{
+ "automaticSampleSubmission":true,
+ "enabled":true
+ }
+}
+```
+
+## Full configuration profile example
+
+The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
+
+### Full profile
+
+```JSON
+{
+ "antivirusEngine":{
+ "enableRealTimeProtection":true,
+ "passiveMode":false,
+ "exclusionsMergePolicy":"merge",
+ "exclusions":[
+ {
+ "$type":"excludedPath",
+ "isDirectory":false,
+ "path":"/var/log/system.log"
+ },
+ {
+ "$type":"excludedPath",
+ "isDirectory":true,
+ "path":"/home"
+ },
+ {
+ "$type":"excludedFileExtension",
+ "extension":"pdf"
+ },
+ {
+ "$type":"excludedFileName",
+ "name":"cat"
+ }
+ ],
+ "allowedThreats":[
+ "EICAR-Test-File (not a virus)"
+ ],
+ "disallowedThreatActions":[
+ "allow",
+ "restore"
+ ],
+ "threatTypeSettingsMergePolicy":"merge",
+ "threatTypeSettings":[
+ {
+ "key":"potentially_unwanted_application",
+ "value":"block"
+ },
+ {
+ "key":"archive_bomb",
+ "value":"audit"
+ }
+ ]
+ },
+ "cloudService":{
+ "enabled":true,
+ "diagnosticLevel":"optional",
+ "automaticSampleSubmission":true
+ }
+}
+```
+
+## Configuration profile deployment
+
+Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.
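Review bot: The "Process excluded from the scan" subsection describes a process exclusion ("a process for which all file activity is excluded", with `cat` and `/bin/cat` as examples), yet its key `name` is marked as applicable only when *$type* is *excludedFileName*, and the "Scan exclusions" intro lists only full paths, extensions, and file names. Either rename the heading and rewrite the description to cover file-name exclusions, or state explicitly that *excludedFileName* matches a process. Related points in the same hunk: `exclusions` and `threatTypeSettings` are documented as "Dictionary (nested preference)" while both sample profiles define them as JSON arrays of dictionaries; "Detemines" is misspelled under both the real-time protection and passive mode headings; and the passive mode list mentions a status menu icon, which is worth confirming for the Linux product. Because the `admin_only` merge policies and `disallowedThreatActions` exist to restrict local users, the deployment section should also state the expected owner and permissions of `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`. The full profile would benefit from a sentence saying that its exclusions (`/home`, `pdf`, `cat`) and its `allowedThreats` entry are illustrative, since a profile copied as-is excludes all of that content from scanning.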
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
new file mode 100644
index 0000000000..388b235ac3
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -0,0 +1,116 @@
+---
+title: Microsoft Defender ATP for Linux resources
+ms.reviewer:
+description: Describes resources for Microsoft Defender ATP for Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Resources
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+## Collect diagnostic information
+
+If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+
+1. Increase logging level:
+
+ ```bash
+ $ mdatp --log-level verbose
+ Creating connection to daemon
+ Connection established
+ Operation succeeded
+ ```
+
+2. Reproduce the problem.
+
+3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds:
+
+ ```bash
+ $ sudo mdatp --diagnostic --create
+ Creating connection to daemon
+ Connection established
+ ```
+
+4. Restore logging level:
+
+ ```bash
+ $ mdatp --log-level info
+ Creating connection to daemon
+ Connection established
+ Operation succeeded
+ ```
+
+## Log installation issues
+
+If an error occurs during installation, the installer will only report a general failure.
+
+The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
+
+## Uninstall
+
+There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, please follow the package uninstallation instructions for the configuration tool.
+
+### Manual uninstallation
+
+- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle EL).
+- ```sudo zypper remove mdatp``` for SLES and variants.
+- ```sudo apt-get purge mdatp``` for Ubuntu and Debian systems.
+
+## Configure from the command line
+
+Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
+
+|Group |Scenario |Command |
+|-------------|-------------------------------------------|-----------------------------------------------------------------------|
+|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
+|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
+|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
+|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
+|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
+|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
+|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
+|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
+|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
+|Health |Check the product's health |`mdatp --health` |
+|Protection |Scan a path |`mdatp --scan --path [path]` |
+|Protection |Do a quick scan |`mdatp --scan --quick` |
+|Protection |Do a full scan |`mdatp --scan --full` |
+|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
+|Protection |Request a security intelligence update |`mdatp --definition-update` |
+
+## Microsoft Defender ATP portal information
+
+In the Microsoft Defender ATP portal, you'll see two categories of information:
+
+- Antivirus alerts, including:
+ - Severity
+ - Scan type
+ - Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
+ - File information (name, path, size, and hash)
+ - Threat information (name, type, and state)
+- Device information, including:
+ - Machine identifier
+ - Tenant identifier
+ - App version
+ - Hostname
+ - OS type
+ - OS version
+ - Computer model
+ - Processor architecture
+ - Whether the device is a virtual machine
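Review bot: Step 3 of "Collect diagnostic information" says the command prints the file path of the backup, but the sample output ends at `Connection established` and shows no path; add the remaining output with a placeholder path, or drop the claim. "Log installation issues" asks readers to "send us this file" without saying where to send it. In the command table, say which commands require root, since the table includes the switches that turn off real-time protection and cloud protection, and consider mapping each `--config` name (for example `realTimeProtectionEnabled`) to the managed preference key it corresponds to, which is spelled differently (`enableRealTimeProtection`). Small fixes: a space is missing in "variants(CentOS", the uninstall commands use triple backticks for inline code, and `linux` appears twice in `keywords`.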
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
new file mode 100644
index 0000000000..43330660a0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
@@ -0,0 +1,77 @@
+---
+title: Microsoft Defender ATP for Linux static proxy discovery
+ms.reviewer:
+description: Describes how to configure Microsoft Defender ATP for static proxy discovery.
+keywords: microsoft, defender, atp, linux, installation, proxy
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Configuring Microsoft Defender ATP for static proxy discovery
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+Microsoft Defender ATP can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed.
+
+## Installation time configuration
+
+During installation, the ```HTTPS_PROXY``` environment variable must be passed to the package manager. The package manager can read this variable in any of the following ways:
+
+- The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line:
+
+ ```bash
+ HTTPS_PROXY=”http://proxy.server:port/”
+ ```
+
+- The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
+
+ ```bash
+ Acquire::https::Proxy "http://proxy.server:port/";
+ ```
+
+ > [!CAUTION]
+ > Note that above two methods could define the proxy to use for other applications on your system. Use this method with caution, or only if this is meant to be a generally global configuration.
+
+- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
+
+ ```bash
+ $ HTTPS_PROXY=”http://proxy.server:port/" apt install mdatp
+ ```
+
+ > [!NOTE]
+ > Do not add sudo between the environment variable definition and apt, otherwise the variable will not be propagated.
+
+The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation.
+
+Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take significantly longer due to network timeouts.
+
+## Post installation configuration
+
+After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
+
+- Uncomment the line `#Environment=HTTPS_PROXY="http://address:port”` and specify your static proxy address.
+
+- Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
+
+ ```bash
+ HTTPS_PROXY=”http://proxy.server:port/”
+ ```
+
+After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:
+
+```bash
+$ systemctl daemon-reload; systemctl restart mdatp
+```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
new file mode 100644
index 0000000000..74979b6c15
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
@@ -0,0 +1,47 @@
+---
+title: Deploy updates for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Describes how to deploy updates for Microsoft Defender ATP for Linux in enterprise environments.
+keywords: microsoft, defender, atp, linux, updates, deploy
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy updates for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
+
+To update Microsoft Defender ATP for Linux manually, execute one of the following commands:
+
+## RHEL and variants (CentOS and Oracle EL)
+
+```bash
+sudo yum update mdatp
+```
+
+## SLES and variants
+
+```bash
+sudo zypper update mdatp
+```
+
+## Ubuntu and Debian systems
+
+```bash
+sudo apt-get install --only-upgrade mdatp
+```
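Review bot: The Ubuntu and Debian command `sudo apt-get install --only-upgrade mdatp` can only upgrade to a version that is already in the local package index, so the section should tell readers to refresh the index first with `sudo apt-get update`; with a stale index the command reports nothing to upgrade. The intro sentence reads better with parallel items ("to improve performance and security, and to deliver new features"), and because the three headings are alternatives, "the command for your distribution" is clearer than "one of the following commands".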
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
new file mode 100644
index 0000000000..6497259a59
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -0,0 +1,124 @@
+---
+title: Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Describes how to install and use Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Microsoft Defender ATP for Linux
+
+This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux.
+
+> [!CAUTION]
+> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors.
+
+
+## How to install Microsoft Defender ATP for Linux
+
+### Prerequisites
+
+- Access to the Microsoft Defender Security Center portal
+- Beginner-level experience in Linux and BASH scripting
+- Administrative privileges on the device (in case of manual deployment)
+
+### Known issues
+
+- Logged on users do not appear in the ATP portal.
+- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
+
+```bash
+$ sudo SUSEConnect --status-text
+```
+
+### Installation instructions
+
+There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux.
+
+In general you need to take the following steps:
+
+- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the Microsoft Defender ATP portal.
+- Deploy Microsoft Defender ATP for Linux using one of the following deployment methods:
+ - The command-line tool:
+ - [Manual deployment](linux-install-manually.md)
+ - Third-party management tools:
+ - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
+ - [Deploy using Ansbile configuration management tool](linux-install-with-ansible.md)
+
+### System requirements
+
+- Supported Linux server distributions and versions:
+
+ - Red Hat Enterprise Linux 7 or higher
+ - CentOS 7 or higher
+ - Ubuntu 16.04 LTS or higher LTS
+ - Debian 9 or higher
+ - SUSE Linux Enterprise Server 12 or higher
+ - Oracle Enterprise Linux 7
+
+- Minimum kernel version 2.6.38
+- The `fanotify` kernel option must be enabled
+- Disk space: 650 MB
+
+After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
+
+### Network connections
+
+The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
+
+| Service location | DNS record |
+| ---------------------------------------- | ----------------------- |
+| Common URLs for all locations | x.cp.wd.microsoft.com
cdn.x.cp.wd.microsoft.com
eu-cdn.x.cp.wd.microsoft.com
wu-cdn.x.cp.wd.microsoft.com
*.blob.core.windows.net
officecdn-microsoft-com.akamaized.net
crl.microsoft.com
events.data.microsoft.com |
+| European Union | europe.x.cp.wd.microsoft.com
eu-v20.events.data.microsoft.com |
+| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com
uk-v20.events.data.microsoft.com |
+| United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com |
+
+Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
+- Transparent proxy
+- Manual static proxy configuration
+
+If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
+
+## Validating cloud connectivity
+
+To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
+
+If you prefer the command line, you can also check the connection by running the following command in Terminal:
+
+```bash
+$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+```
+
+The output from this command should be similar to the following:
+
+> `OK https://x.cp.wd.microsoft.com/api/report`
+> `OK https://cdn.x.cp.wd.microsoft.com/ping`
+
+Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
+```bash
+$ mdatp --connectivity-test
+```
+
+## How to update Microsoft Defender ATP for Linux
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](linux-updates.md).
+
+## How to configure Microsoft Defender ATP for Linux
+
+Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+## Resources
+
+- For more information about logging, uninstalling, or other topics, see the [Resources](linux-resources.md) page.
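Review bot: The sentence that closes "System requirements" ("After you've enabled the service, you may need to configure your network or firewall ...") refers to enabling a service that nothing earlier on the page describes, and "between it and your endpoints" does not say which side opens the connection; move it under "Network connections" and name the service. Other points: "Ansbile" is misspelled in the deployment link text; "Oracle Enterprise Linux 7" is the only distribution listed without "or higher", so confirm that is intended; "Ubuntu 16.04 LTS or higher LTS" is awkward; "permitted in the previously listed URLs" should read "to the previously listed URLs"; the `SUSEConnect` block is not indented under its bullet; and the fence before `mdatp --connectivity-test` needs a blank line above it. In the network table, call out that `*.blob.core.windows.net` is a wildcard entry so readers writing allow rules know its scope, and add a way to verify that `fanotify` is enabled, since it is listed as a requirement with no verification step.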