System and Network requirements for Linux EDR
    • 27 Mar 2024

    Red Canary supports several Linux distributions. In terms of distribution version support, the Linux Endpoint Detection and Response (EDR) sensor will work with Linux versions that are still supported by their upstream vendor, including Long Term Support versions. The Linux EDR sensor is not supported on upstream vendor-designated “end-of-life” versions.

    Supported Linux distributions

    Amazon Linux

    CentOS 

    Debian

    Ubuntu

    Google Container-Optimized OS 

    Fedora 

    Oracle Linux (RHEL & UEK kernels)

    RHEL

    SUSE/OpenSUSE

    Rocky

    Don’t see your distribution on this list? Contact us!

    Supported architectures

    • x86_64 

    • aarch64 

    Supported Linux kernel versions

    The following kernel versions are required to collect telemetry using Audit:

    • 3.2 and above (mainline)

    • 3.10 and above (mainline) for the file modification telemetry to be collected

    Supported Linux kernel versions for eBPF

    The following kernel versions are required to collect telemetry using eBPF:

    • For x86_64 machines: 4.14 and above (mainline)

    • For AArch64 machines: 5.8 and above (mainline)

    • In some distributions, including CentOS and RHEL, backports for eBPF support exist on earlier kernels. RHEL supports eBPF in kernels 3.10.0-940 and above.

    Networking Requirements

    All Linux EDR instances use a static set of IPs, which can be used to connect to a specific subset of addresses:

    Configuration

    Add the following keys to /opt/redcanary/config.json. Both are required for enabling enterprise networking. These values are available in Red Canary under Endpoints > Deploy Sensors.

    • outpost_auth_token

    • offload_target

    Sample config.json

    {
       "access_token":"xxxxxxxxxxxxxx",
       "outpost_auth_token":"xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx",
       "offload_target":"Outpost"
    }

    Use Proxy Support

    • Set the HTTPS_PROXY or HTTP_PROXY environment variables

    • Or, add the following to config.json: "http_proxy": "https://HOST:PORT"

    Proxy Configuration

    Note: This feature is available in v0.4.8+

    The agent supports the use of an HTTP Connect proxy. This can be configured through the config.json file.

    Precedence

    The agent uses the following precedence order when determining which proxy settings to use, if any:

    1. config.json’s http_proxy field

    2. config.json’s env_http_proxy_disabled field

    3. HTTPS_PROXY & HTTP_PROXY environment variables

    Configuration

    Define proxy settings via config.json:

    "http_proxy": "https://HOST:PORT",

    This overrides any proxy settings configured via the HTTPS_PROXY or HTTP_PROXY environment variables on the endpoint. Ensure `config.json` remains valid JSON: keep the trailing comma only if another key follows this entry.

    To opt out of proxy settings already defined via the endpoint environment variables HTTPS_PROXY and/or HTTP_PROXY, add:

    "env_http_proxy_disabled": true,

    The default value is false, which means the agent uses the HTTPS_PROXY or HTTP_PROXY environment variable for proxy settings, if set. Ensure `config.json` remains valid JSON: keep the trailing comma only if another key follows this entry.
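
The precedence and JSON-validity rules above, as an added example that is not Red Canary's code: it parses a config.json, lists missing enterprise networking keys, and reports which proxy setting wins. The function names, the sample values and the choice to check HTTPS_PROXY before HTTP_PROXY are assumptions.

```python
import json

ENTERPRISE_KEYS = ("outpost_auth_token", "offload_target")


def load_config(text):
    """Parse config.json text; a trailing comma or other syntax error raises ValueError."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}") from exc
    if not isinstance(cfg, dict):
        raise ValueError("config.json must hold a single JSON object")
    return cfg


def missing_enterprise_keys(cfg):
    """Both keys are required for enterprise networking; return the ones absent or empty."""
    return [key for key in ENTERPRISE_KEYS if not cfg.get(key)]


def effective_proxy(cfg, env):
    """Return (proxy_url_or_None, source) using the documented precedence order."""
    if cfg.get("http_proxy"):                       # 1. config.json http_proxy
        return cfg["http_proxy"], "config.json http_proxy"
    if cfg.get("env_http_proxy_disabled") is True:  # 2. opt out of environment proxies
        return None, "config.json env_http_proxy_disabled"
    # 3. Environment variables. Assumption: HTTPS_PROXY is consulted before HTTP_PROXY.
    for name in ("HTTPS_PROXY", "HTTP_PROXY"):
        if env.get(name):
            return env[name], f"environment {name}"
    return None, "no proxy configured"


if __name__ == "__main__":
    # Constructed sample: the proxy line was pasted with its trailing comma as the last key.
    broken = '{\n  "access_token": "xxxxxxxxxxxxxx",\n  "http_proxy": "https://proxy.example:3128",\n}'
    fixed = broken.replace('3128",\n}', '3128"\n}')
    env = {"HTTPS_PROXY": "https://env-proxy.example:8080"}  # constructed environment
    try:
        load_config(broken)
    except ValueError as err:
        print("rejected:", err)
    cfg = load_config(fixed)
    print("effective proxy:", effective_proxy(cfg, env))
    print("missing enterprise keys:", missing_enterprise_keys(cfg))
```

Run it against the text of /opt/redcanary/config.json and the environment of the sensor process when a sensor does not connect through the proxy you expect.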

