G DATA 365 | MXDR

Instructions for installing the G DATA 365 | MXDR agent on Linux

This document contains important information for preparing and installing the G DATA 365 | MXDR Linux agent. The installation instructions describe the approach we recommend based on our experience, but they are not mandatory; alternative solutions are possible as long as the same result is achieved.

Please note that, given the wide variety of IT landscapes, not all options are covered, and additional steps may be required before or after the procedures described here.

Information on how to contact the customer support of G DATA CyberDefense AG for organizational and technical questions can be found here.

Our analysis team sends alerts about critical findings to the functional address secmon-analysts@gdata.de. Please note that only service addresses can receive e-mails, while functional addresses can only send e-mails.

For customers with a service level of G5 or G7, e-mails are sent from the address 365@gdata.de.

Prerequisites

Before installing the Linux agent, parts of the IT infrastructure need to be prepared to ensure flawless service. All Linux agent components require a permanent connection, which must already be available for the corresponding system before installation, so that the Linux agent can connect to the G DATA service infrastructure on port 443 (TCP). TLS (Transport Layer Security) is used to encrypt this connection.

System prioritisation

For a minimum level of protection, the Linux agent should be installed on all operationally critical infrastructure elements. Furthermore, to ensure that security monitoring has a noticeable effect on the IT security level, high-priority systems should be monitored. Depending on whether medium-priority systems are exposed on the internet or offer a broad attack surface, they should also be integrated into the service.
The following lists example systems grouped according to their respective priorities.

Critical

  • Domain controller

  • Azure AD Connect server

  • Exchange or alternative e-mail server

  • Backup systems

  • Management server of the antivirus solution

  • Infrastructure systems such as DNS and DHCP servers

  • Privileged Access Workstations (PAW)

  • Operationally critical application servers

  • Systems with an interactive login exposed to the internet, for example RDP

High

  • File servers

  • Systems exposed to the internet

  • Terminal servers

  • Software distribution

  • Application servers

Medium

  • Additional server systems such as telephone servers, fax servers, print servers, license servers, internal web servers, etc.

Firewall clearances

All systems under maintenance must be able to establish a permanent connection through the firewall to the Linux agent service infrastructure, independently of explicit proxies.
The following DNS addresses are accessed by the Linux agent components and must be allowed:

  • orchestrator.secmon.de

  • collect.secmon.de

  • file.secmon.de

If your firewall does not support DNS addresses as a destination, please contact our support.

TLS clearances

If security components such as TLS proxies, deep-inspection firewalls or similar are used to intercept (break) TLS connections, exceptions must be added to the corresponding security component for the following DNS addresses:

  • orchestrator.secmon.de

  • collect.secmon.de

  • file.secmon.de

Intercepting these TLS connections is neither possible nor configurable, because the agent components only accept the dedicated certificates of the Linux agent infrastructure; any certificate substituted by an intercepting device is rejected and the agent cannot connect.

Proxy clearances

If a separate proxy is used in addition to a firewall, all DNS clearances configured in the firewall must also be configured in the proxy (see Firewall clearances) to ensure a permanent connection.
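The firewall, TLS and proxy clearances above can be checked from the target system before the agent is installed. The following script is an added example and not part of the G DATA documentation or the agent itself: it runs an openssl s_client handshake against each of the three DNS addresses on port 443 and reports three distinct outcomes, no TCP connection (clearance missing), a connection whose certificate chain does not verify (typical for TLS interception), or a verified chain together with the issuer of the presented certificate. The script assumes that openssl is installed and that the coreutils timeout command is available; the endpoint names are the ones listed in this document, and no other values are taken from it.

```shell
#!/bin/sh
# Added pre-installation check (not part of the G DATA documentation):
# probes each service endpoint from this document on TCP 443 and reports
# whether a TLS handshake with a verified certificate chain succeeds and
# which CA issued the presented certificate. A failed connection points at a
# missing firewall/proxy clearance; a chain that does not verify, or an
# unexpected issuer, points at TLS interception, which the agent rejects.
set -eu

# Endpoints taken from the "Firewall clearances" section.
ENDPOINTS="orchestrator.secmon.de collect.secmon.de file.secmon.de"
PORT=443

# Run the TLS handshake against one host and print the raw s_client output.
# `timeout` (coreutils) is assumed to exist; without it the probe relies on
# the TCP connect timeout alone.
tls_probe() {
    host=$1
    if command -v timeout >/dev/null 2>&1; then
        timeout 15 openssl s_client -connect "$host:$PORT" -servername "$host" </dev/null 2>&1 || true
    else
        openssl s_client -connect "$host:$PORT" -servername "$host" </dev/null 2>&1 || true
    fi
}

# Return 0 when the s_client output shows that a TCP connection was made.
connected() {
    printf '%s\n' "$1" | grep -q '^CONNECTED('
}

# Return 0 when s_client reports a verified certificate chain.
handshake_verified() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Extract the issuer line so an operator can spot an interception CA even
# when that CA is trusted by the local trust store.
issuer_of() {
    printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1
}

# Probe every endpoint and summarise; exit status 1 if any check failed.
run_checks() {
    rc=0
    for host in $ENDPOINTS; do
        out=$(tls_probe "$host")
        if ! connected "$out"; then
            echo "$host:$PORT  FAIL  no TCP connection (firewall or proxy clearance missing)"
            rc=1
        elif ! handshake_verified "$out"; then
            echo "$host:$PORT  FAIL  certificate chain not verified (possible TLS interception)"
            rc=1
        else
            echo "$host:$PORT  OK    issuer: $(issuer_of "$out")"
        fi
    done
    return $rc
}

# Probes run only when invoked as "sh preflight.sh check", so the helper
# functions can be sourced or exercised without network access.
if [ "${1:-}" = "check" ]; then
    run_checks
fi
```

Run it as `sh preflight.sh check` on the system that will receive the agent. An OK line whose issuer is a corporate or inspection CA still indicates interception, even though the local trust store accepted the chain, and the corresponding exception must be added before installation.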

Installation procedure

DEB and RPM packages are available for installing the Linux agent on Linux operating systems. To avoid incompatibility with the Linux agent infrastructure, only the latest version may be installed. If onboarding is delayed and the installer reports a version error, please contact our support. A completed installation also means that a connection to the Linux agent service infrastructure has been established successfully. To minimize maintenance effort, all updates after a successful installation are installed automatically by G DATA, so the Linux agent is always kept up to date.

Invoicing is based on all system or host names recorded in the service.

Verifying the checksum

To rule out a tampered or corrupted installer, the checksum of the DEB/RPM installer should be verified before installation. You will receive the correct checksum separately by e-mail.
The following bash command generates the SHA-256 checksum of the DEB installer:

sha256sum secmon_installer.deb

The following bash command generates the SHA-256 checksum of the RPM installer:

sha256sum secmon_installer.rpm

Installation of the Linux agent

The installation can be started directly on the host system, from a network drive or from a disk. The DEB/RPM installer must be run on the target system with root permissions.

To install the Linux agent on a Linux operating system that uses the DPKG package manager, execute the following command. Replace "YOUR_TOKEN" with the value from the e-mail.

sudo TOKEN=YOUR_TOKEN dpkg -i secmon_installer.deb

To install the Linux agent on a Linux operating system that uses the RPM package manager, execute the following command. Replace "YOUR_TOKEN" with the value from the e-mail.

sudo TOKEN=YOUR_TOKEN rpm -i secmon_installer.rpm
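The checksum verification and the installation command above belong together: the installer should only be handed to dpkg or rpm once its SHA-256 value matches the one received by e-mail. The following script is an added example, not G DATA's own installer or tooling. It compares the checksum case-insensitively (copied hashes are sometimes upper-case), selects dpkg or rpm from the file extension, and runs the documented installation command with the token taken from an environment variable named SECMON_TOKEN, which is an assumed name chosen here so the token does not have to be typed into the command line. The package file names and the TOKEN variable are the ones shown in this document.

```shell
#!/bin/sh
# Added example (not G DATA's own installer script): verify the SHA-256
# checksum received by e-mail before handing the package to dpkg or rpm
# with the onboarding token, and refuse to install on any mismatch.
# Usage: SECMON_TOKEN=<token from e-mail> sh install_agent.sh secmon_installer.deb <sha256 from e-mail>
set -eu

# Compare the SHA-256 of a file with the expected value (case-insensitive).
# Returns 0 on a match, 1 otherwise.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# Choose the package manager from the installer's file extension.
# Prints "dpkg" or "rpm"; fails for any other file type.
installer_for() {
    case "$1" in
        *.deb) echo dpkg ;;
        *.rpm) echo rpm ;;
        *) echo "unsupported package type: $1" >&2; return 1 ;;
    esac
}

# Verify first, then install with TOKEN in the environment, exactly as the
# documented dpkg/rpm commands do. SECMON_TOKEN is an assumed variable name.
install_agent() {
    file=$1
    expected=$2
    token=${SECMON_TOKEN:?set SECMON_TOKEN to the token from the e-mail}
    if ! verify_checksum "$file" "$expected"; then
        echo "checksum mismatch for $file; refusing to install" >&2
        return 1
    fi
    manager=$(installer_for "$file")
    echo "checksum OK, installing $file with $manager"
    sudo TOKEN="$token" "$manager" -i "$file"
}

# Install only when both arguments are given; otherwise the functions are
# merely defined, which keeps the script safe to source or test.
if [ "$#" -eq 2 ]; then
    install_agent "$1" "$2"
fi
```

A non-zero exit status means nothing was installed; the mismatch message is the cue to re-download the package or to contact support rather than to retry with the same file.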