Hands-On Onboarding for MDE (Linux)

Comprehensive guide for Linux Local MDE onboarding: retrieving the MDE onboarding package from the Defender portal, installing the Agent utilizing the embedded scripts, and validating connectivity and security functionality post-implementation.

Gather Linux MDE Local Package

  1. Navigate to Endpoint Onboarding in the Microsoft Defender portal. On this page, set the Operating System to Linux Server, the Connectivity Type to Streamlined, and the Deployment Method to Local Script (Python).
  2. Once those selections have been made, select Download onboarding package; the GatewayWindowsDefenderATPOnboardingPackage.zip file will be saved to the user account's Downloads folder.
  3. Extract the contents of the package; the extracted folder should contain a file named MicrosoftDefenderATPOnboardingLinuxServer.py.
  4. After extraction, move the MicrosoftDefenderATPOnboardingLinuxServer.py file to a location that the Linux machines you intend to join to MDE can reach, such as a trusted SharePoint site, an Outlook email, or a USB drive. With the onboarding package extracted and transferred, the next step is creating an automated bash script to simplify the Linux MDE onboarding process.

Creating the Automated Linux MDE Script

  1. Microsoft provides a curated automated bash installer script that simplifies installing the MDE agent and onboarding the Linux machine's license to the Microsoft Defender portal. You can either create this script on the Linux device itself or create the .sh file elsewhere and transfer it to a trusted repository that the Linux machines can access. This example uses the latter.
  2. Open your preferred text editor. This example uses Notepad++, but any utility that can create and save files with a custom extension will work.
  3. In the editor, start a Save As action, since we will use this script later in the article. Choose an easily accessible location such as the Downloads or Desktop folder, set Save as type to All Types (*.*), and enter mde_installer.sh as the File name. Once the .sh file has been named and placed in the desired directory, select Save to create it.
  4. After saving, open the Microsoft GitHub repository that hosts the automated bash script, copy all of the script's contents from the repository view, and paste them into the editor window.
  5. After pasting the contents from the repository and saving, the completed mde_installer.sh script is ready to be uploaded to a location that the Linux machines you intend to join to MDE can reach, such as a trusted SharePoint site, an Outlook email, or a USB drive. With the automated bash script created and uploaded, the next step is onboarding the Linux machines to MDE.

Deploy Linux MDE Local Package

  1. On the target Linux device, first verify that both the mde_installer.sh file and the MicrosoftDefenderATPOnboardingLinuxServer.py file are present in a directory on the machine.
  2. Once both files are present, open a command line session. On Ubuntu, open Activities, type Terminal in the search field, and select the Terminal utility from the results; this is where the mde_installer.sh script will be run. This demonstration uses Ubuntu 20.04 Jammy Jellyfish; if the UI or functionality differs on your flavor of Linux, use whatever application search your distribution provides to start a command line session on the machine.
  3. In the terminal, change to the directory where the two scripts are stored, using the native ls and cd commands to navigate.
  4. Once in that directory, mark both files executable with the chmod command: chmod +x <.sh file> and chmod +x <.py file>. If successful, ls will show both files highlighted green, indicating they are executable.
  5. With both files executable, run the one-liner below to install the MDE agent and apply the license onboarding that lets the device communicate with Microsoft Defender services. The command must run with administrative privileges, so you will need to complete the authentication prompt that appears in the session.

    One-Liner

    sudo ./mde_installer.sh --install --channel insiders-fast --onboard ./MicrosoftDefenderATPOnboardingLinuxServer.py --min_req -y


  6. The one-liner should finish with an exit code of 0, which indicates successful execution. If you encounter errors during the run, verify that the device meets the minimum system requirements or execute the script in debug mode to identify the problem before attempting to onboard again.
  7. Before moving on to assessing the MDE agent on the device, run one final command, shown below. It ensures that the agent's real-time protection is enabled so that malicious files are promptly quarantined on execution. This command also requires administrative privileges; complete the authentication prompt that appears in the session.

    Command

    sudo mdatp config real-time-protection --value enabled
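
The steps above are run by hand; the following is an added example (not part of the original article or of Microsoft's installer) that wraps them in pre-flight checks: it confirms both files are present, verifies the installer's SHA-256 against the hash you recorded when copying it from GitHub (the expected hash is an argument you supply, since the script travelled via SharePoint, email or USB), marks the files executable, and only then runs the article's one-liner and RTP command, stopping at the first non-zero exit code.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: pre-flight checks before the
# onboarding one-liner is run with sudo. File names are the article's; the
# expected SHA-256 is whatever you recorded when copying the installer from GitHub.

INSTALLER="mde_installer.sh"
ONBOARDING="MicrosoftDefenderATPOnboardingLinuxServer.py"

# prepare_onboarding_files DIR EXPECTED_SHA256
# Verifies both files exist, that the installer matches the recorded hash,
# then marks both executable (the article's chmod +x step). Returns 1 on any failure.
prepare_onboarding_files() {
    dir="$1"; expected="$2"
    for f in "$INSTALLER" "$ONBOARDING"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            return 1
        fi
    done
    actual="$(sha256sum "$dir/$INSTALLER" | cut -d' ' -f1)"
    if [ "$actual" != "$expected" ]; then
        echo "installer hash mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    chmod +x "$dir/$INSTALLER" "$dir/$ONBOARDING"
}

# onboard DIR: runs the article's one-liner (same channel and flags) and then the
# real-time protection command, refusing to continue after a failed install.
onboard() {
    dir="$1"
    sudo "$dir/$INSTALLER" --install --channel insiders-fast \
        --onboard "$dir/$ONBOARDING" --min_req -y || return 1
    sudo mdatp config real-time-protection --value enabled
}
```

Typical use is `prepare_onboarding_files /path/to/files <recorded-sha256> && onboard /path/to/files`, so a tampered or incomplete transfer never reaches sudo.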


Assessing a Linux MDE Deployment

  1. Open Activities, type Terminal in the search field, and select the Terminal utility from the results to run the commands that verify connectivity between the onboarded device and Microsoft Defender services. This demonstration uses Ubuntu 20.04 Jammy Jellyfish; if the UI or functionality differs on your flavor of Linux, use whatever application search your distribution provides to start a command line session on the device.
  2. Once the terminal is open, run the following one-liner to check whether the MDE agent is communicating with your organization's Microsoft Defender portal and has the expected security functionality enabled. The list below describes the value each field should return.
    1. Org ID should return your organization's unique org ID; if it is blank, the onboarding script from the previous section did not run properly and must be redeployed.
    2. Healthy should return true; if not, re-run the scripts from the previous section to reconfigure the agent deployment.
    3. Definitions should return “up_to_date”; if not, the system may be on the wrong channel for receiving agent updates in a timely manner and may need to be reconfigured.
    4. RTP Enabled should return true; if not, run the real-time protection command from the previous section again to reconfigure this critical security control.

    One-Liner

    echo -e "Org ID: $(mdatp health --field org_id)\nHealthy: $(mdatp health --field healthy)\nDefinitions: $(mdatp health --field definitions_status)\nRTP Enabled: $(mdatp health --field real_time_protection_enabled)"


  3. Lastly, run the following commands, which download the EICAR antivirus test files, to confirm that the MDE agent is working and communicating with Microsoft Defender servers.

    Commands

    curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt

    curl -o /tmp/eicar_com.zip https://secure.eicar.org/eicar_com.zip


  4. If done correctly, the MDE agent on the device should quarantine the files; verify this with the command below, which lists all detected threats.

    Command

    mdatp threat list
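
The one-liner in step 2 prints the four fields for a human to read. The following is an added example (not part of the original article) that applies the pass/fail rules listed there and returns a non-zero status when any field is wrong, so the same check can run from a post-deployment script or a scheduled job across many hosts. It assumes, as Microsoft's tooling does in our experience, that mdatp health --field wraps string values in double quotes.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: the four-field health check,
# turned into a pass/fail gate. Field names and expected values are the article's;
# the assumption that `mdatp health --field` quotes string values is ours.

# evaluate_health ORG_ID HEALTHY DEFINITIONS RTP_ENABLED
# Prints one "FAIL: ..." line per failing field; returns 0 only if all four pass.
evaluate_health() {
    org_id="$1"; healthy="$2"; definitions="$3"; rtp="$4"
    failures=0
    if [ -z "$org_id" ]; then
        echo "FAIL: org_id is blank (onboarding script did not run correctly)"
        failures=$((failures + 1))
    fi
    if [ "$healthy" != "true" ]; then
        echo "FAIL: healthy=$healthy (redeploy the agent)"
        failures=$((failures + 1))
    fi
    if [ "$definitions" != "up_to_date" ]; then
        echo "FAIL: definitions_status=$definitions (check the update channel)"
        failures=$((failures + 1))
    fi
    if [ "$rtp" != "true" ]; then
        echo "FAIL: real_time_protection_enabled=$rtp (re-run the RTP command)"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# mdatp_field NAME: read one field from the local agent, stripping the double
# quotes mdatp prints around string values so they compare cleanly.
mdatp_field() {
    mdatp health --field "$1" 2>/dev/null | tr -d '"'
}

# check_live_agent: run the gate against the installed agent (returns 2 if absent).
check_live_agent() {
    command -v mdatp >/dev/null 2>&1 || { echo "mdatp is not installed" >&2; return 2; }
    evaluate_health "$(mdatp_field org_id)" "$(mdatp_field healthy)" \
        "$(mdatp_field definitions_status)" "$(mdatp_field real_time_protection_enabled)"
}
```

Run check_live_agent on the onboarded device; an exit status of 0 means all four fields match the expected values above.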


Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.