Technical Tip: Linux Application Features and Limitations

Linux Collector 4.5.1 and up has two modes of operation:

- kernel.

- application-only.

When the Collector starts, it reads the Linux kernel on the machine. If the Linux kernel is supported, the Collector enters into a full kernel mode of operation (kernel).

Otherwise, instead of going into a degraded state, the Collector runs as a Linux application with limited functionality (application-only).

The following is a summary of existing Linux Collector versions and their operation modes:

Linux Application features summary:

Main supported functions of the Linux Collector application mode:

- Pre-execution Prevention.

- Communication Control visibility.

- Installation, revision upgrades, uninstallation.

- Analysis: File retrieval.

- IR: File remediation, kill process.

Known limitations of the Linux Collector application mode:

1. Communication Control blocks are not possible.
2. IR: Device isolation with Collector is not possible.
3. Limited Forensics visibility is available.
4. Threat-hunting is not available for Collectors prior to v5.1.1.
5. Upgrades from Collector v3.1 or 4.1 to v4.5 are not possible. v4.5.0 is application only.
6. Hardening of the Collector files is not possible.
7. The Request Custom Installers feature in the Manager Console is not available.

v5.1.1, v5.1.5 What is Included:

• This collector version can run on any supported Linux distributions: CentOS/RHEL, Ubuntu, Oracle, AMI, and SLES.
• Threat-hunting data collection is available in user space mode.
• FortiEDR Linux kernel modules are signed.

v5.1.2 What is Included:

• This collector version supports Ubuntu 22.04 and RHEL 9/Centos 9.