| Solution |
Linux Collector 4.5.1 and up has two modes of operation:
- kernel.
- application-only.
When the Collector starts, it reads the Linux kernel on the machine. If the Linux kernel is supported, the Collector enters into a full kernel mode of operation (kernel).
Otherwise, instead of going into a degraded state, the Collector runs as a Linux application with limited functionality (application-only).
The following is a summary of existing Linux Collector versions and their operation modes:
|
Collector version
|
App/Kernel
|
|
5.1.13
|
Adaptive
|
|
5.1.11
|
Adaptive
|
|
5.1.10
|
Adaptive
|
|
v5.1.8
|
Adaptive
|
|
v5.1.2, v5.1.5
|
Adaptive
|
|
v5.1.1
|
Adaptive
|
|
v4.5.1
|
Application/Kernel
|
|
v4.5.0.145+
|
Application
|
|
v4.5.0.139
|
Application
|
|
v4.5.0.137
|
Application
|
|
v4.1 and lower
|
Kernel
|
Review the admin guide for supported OSes:
Linux Application features summary:
Main supported functions of the Linux Collector application mode:
- Pre-execution Prevention.
- Communication Control visibility.
- Installation, revision upgrades, uninstallation.
- Analysis: File retrieval.
- IR: File remediation, kill process.
Known limitations of the Linux Collector application mode:
- Communication Control blocks are not possible.
- IR: Device isolation with Collector is not possible.
- Limited Forensics visibility is available.
- Threat-hunting is not available for Collectors prior to v5.1.1.
- Upgrades from Collector v3.1 or 4.1 to v4.5 are not possible. v4.5.0 is application only.
- Hardening of the Collector files is not possible.
- The Request Custom Installers feature in the Manager Console is not available.
v5.1.1, v5.1.5 What is Included:
- This collector version can run on any supported Linux distributions: CentOS/RHEL, Ubuntu, Oracle, AMI, and SLES.
- Threat-hunting data collection is available in user space mode.
- FortiEDR Linux kernel modules are signed.
v5.1.2 What is Included:
- This collector version supports Ubuntu 22.04 and RHEL 9/Centos 9.
|
