Description: This article describes what features application mode offers on Linux Collectors, as well as its limitations.
Scope: Linux Collector 4.5.x, 5.1.1
Linux Collector 4.5.1 has two modes of operation:
When the Collector starts, it detects the Linux kernel running on the machine. If that kernel is supported, the Collector enters its full kernel mode of operation (kernel mode).
Otherwise, instead of going into a degraded state, the Collector runs as a Linux user-space application with limited functionality (application-only mode).
The following is a summary of existing Linux Collector versions and their operation modes:
Linux Collector application mode feature summary:
Main supported functions of the application mode:
- Pre-execution Prevention.
- Communication Control visibility.
- Installation, revision upgrades, uninstallation.
- Analysis: File retrieval.
- IR: File remediation.
Known limitations of the Linux Collector application mode:
1) Communication Control can only report connections; blocking is not possible.
2) IR: Device isolation with the Collector is not possible.
3) Only limited Forensics visibility is available.
4) Threat hunting is not possible.
5) Upgrades from Collector v3.1 or v4.1 to v4.5 are not possible (v4.5 is application-only).
6) Hardening of the Collector files is not possible.
7) The Request Custom Installers feature in the Manager Console is not available.
v5.1.1 What's included:
- This Collector version can run on any of the supported Linux distributions: CentOS/RHEL, Ubuntu, Oracle, AMI, and SLES.
- Threat-hunting data collection is available in user space (application) mode.
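The mode selection described at the top of this article (supported kernel gives kernel mode, anything else falls back to application-only) is something an operator wants to predict before rollout, because the limitations list above means an application-only host silently loses Communication Control blocking and device isolation. The following is an added example, not the Collector's own code: it parses `uname -r` style release strings, checks them against a supported-kernel table, and reports which controls the article says are missing for the resulting mode. The `SUPPORTED_KERNELS` table is constructed for illustration; the real list is the vendor's and is not reproduced on this page. The version-aware threat-hunting rule reflects the v4.5.x limitation and the v5.1.1 note above.

```python
#!/usr/bin/env python3
"""Added example: predict which mode a Linux Collector will start in for a
given kernel release string and list the controls lost in application-only
mode. Not the vendor's code; the supported-kernel table is CONSTRUCTED."""
import platform
import re
from typing import Dict, List, NamedTuple, Sequence, Tuple

Version = Tuple[int, int, int]


class KernelRelease(NamedTuple):
    major: int
    minor: int
    patch: int
    extra: str  # distro build suffix, e.g. "-362.8.1.el9_3.x86_64"


# major.minor[.patch][anything else]; distro suffixes are kept but not compared
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_kernel_release(release: str) -> KernelRelease:
    """Split a `uname -r` string into numeric components plus suffix."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, extra = m.groups()
    return KernelRelease(int(major), int(minor), int(patch or 0), extra)


# CONSTRUCTED allowlist of inclusive (low, high) version ranges. Distro kernels
# normally keep major.minor.patch fixed and bump only the suffix, so exact
# triples cover an entire distro kernel line; SLES-style series use a range.
SUPPORTED_KERNELS: Sequence[Tuple[Version, Version]] = (
    ((3, 10, 0), (3, 10, 0)),    # hypothetical: CentOS/RHEL 7 "3.10.0-*"
    ((4, 15, 0), (4, 15, 0)),    # hypothetical: Ubuntu 18.04 "4.15.0-*"
    ((5, 4, 0), (5, 4, 0)),      # hypothetical: Ubuntu 20.04 "5.4.0-*"
    ((5, 14, 0), (5, 14, 999)),  # hypothetical: a 5.14.x series
)


def kernel_supported(rel: KernelRelease,
                     supported: Sequence[Tuple[Version, Version]] = SUPPORTED_KERNELS) -> bool:
    v: Version = (rel.major, rel.minor, rel.patch)
    return any(lo <= v <= hi for lo, hi in supported)


def select_mode(release: str,
                supported: Sequence[Tuple[Version, Version]] = SUPPORTED_KERNELS) -> str:
    """Return "kernel" or "application-only" as the article describes.
    An unparseable string is treated as unsupported: the safe assumption is
    that the host ends up in the reduced-functionality mode."""
    try:
        rel = parse_kernel_release(release)
    except ValueError:
        return "application-only"
    return "kernel" if kernel_supported(rel, supported) else "application-only"


def application_only_gaps(collector_version: str) -> List[str]:
    """Controls the article lists as unavailable in application-only mode.
    Threat hunting is the one item that changes between 4.5.x and 5.1.1."""
    gaps = [
        "Communication Control blocking (visibility only)",
        "IR: device isolation",
        "Full Forensics visibility (limited in application mode)",
        "Hardening of Collector files",
        "Request Custom Installers in the Manager Console",
    ]
    if not collector_version.startswith("5.1"):
        gaps.append("Threat hunting")  # 5.1.1 collects it in user space
    return gaps


def deployment_report(release: str, collector_version: str,
                      supported: Sequence[Tuple[Version, Version]] = SUPPORTED_KERNELS) -> Dict[str, object]:
    """One row of a pre-rollout check: kernel, predicted mode, lost controls."""
    mode = select_mode(release, supported)
    return {
        "kernel": release,
        "collector": collector_version,
        "mode": mode,
        "unavailable": application_only_gaps(collector_version) if mode == "application-only" else [],
    }


if __name__ == "__main__":
    # Run on the host itself to see which mode this kernel would land in.
    print(deployment_report(platform.release(), "5.1.1"))
```

Run it across the `uname -r` output of a fleet before upgrading and flag every "application-only" row: those hosts need a compensating network control for blocking and isolation, since the Collector cannot provide either there.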