Managing University of Dayton computers is an important part of UDit's overall "defense-in-depth strategy" (a cybersecurity approach that uses multiple layers of security for holistic protection). In addition to using Active Directory (AD) on the Microsoft side, we are able to manage Windows and Apple computers through Ivanti and JAMF. Linux doesn't have the same numbers across campus, and there's no single preferred distribution. Linux users tend to be our most technical users and in some instances manage our infrastructure. Therefore, we want to apply similar standards across all three operating system platforms.
Configuration standards
The following configuration standards are for users wanting to use a Linux operating system computer at UD.
NOTE: These standards apply to workstations and are insufficient for server operations and maintenance.
Distribution
There are a variety of ways to differentiate Linux distributions: system architecture, kernel, vendor, etc. We recommend using one that allows use of our CrowdStrike and Ivanti agents. Supported distributions are attached as appendices to this document. If you wish to run a distribution that won't run these agents, use one that is currently supported by its vendor (with updates) and that supports the remainder of the requirements. Where even this isn't possible, the workstation should not be used on the network.
Asset Management
Ivanti clients are available for a number of different Linux distributions. You'll find a list in Appendix B. Unlike on Windows, Ivanti may not be sufficient to maintain the operating system and installed software, so Ivanti will be used for hardware tracking only. Software updates are covered separately.
Antivirus (AV) / Endpoint Detection and Response (EDR)
CrowdStrike sensors are available for a number of different Linux distributions. You'll find a list in Appendix A. In the event a user wishes to run a distribution that does not support CrowdStrike, the user will install ClamAV or an approved alternative, keep its signature databases current and run monthly scans at a minimum.
Software Updates
Users are responsible for updating their Linux distributions at least monthly.
Encryption / Key Escrow
Users running Linux on laptops will encrypt all disks/volumes with preboot authentication functionality using LUKS or an approved alternative. An encryption key shall be escrowed with the Linux user’s supervisor.
Local Administrator
Privileged accounts such as root will not be used on a day-to-day basis. Use of su and sudo is encouraged.
Passwords
Passwords for all local accounts shall be strong and will be 8 or more characters. They will not contain common words (whole or part) or parts of the user's name or University ID (UDID) and will follow the general guidelines outlined at password.udayton.edu. All passwords, including root's, shall be changed annually.
Firewall
Host firewalls shall be enabled and any ports required to be opened will be documented in the Linux Workstation Registration Form.
NOTE: Labs are a special case. Exceptions to the guidelines may be required and shall be documented.
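An added example, not part of UDit's standard or tooling: a shell self-check for three of the standards above (LUKS under the root filesystem, an enabled ufw or firewalld host firewall, a password changed within the last year), plus a listing of listening ports missing from a documented list. The function names, the `DOCUMENTED` variable and the sample `ss` output are assumptions made for illustration; only the root filesystem is checked for encryption, and hosts using plain nftables or iptables need their own firewall check.

```bash
#!/bin/sh
# Added example: self-check for the workstation standards above.
# Each check reads command output on stdin, so it can be exercised on
# constructed samples; audit_live wires the checks to the real commands.

# Encryption: pass if the root filesystem sits on a dm-crypt (LUKS) mapping.
# stdin: `lsblk -sno TYPE <root device>` (the device type plus its ancestors).
root_is_encrypted() { grep -qx 'crypt'; }

# Firewall: pass on ufw's "Status: active" or firewalld's "running".
firewall_is_active() { grep -Eqx 'Status: active|running'; }

# Passwords: pass if the last change (shadow field 3, days since epoch)
# is at most 365 days before $1 (today, in days since epoch).
password_is_fresh() {
    awk -F: -v now="$1" \
        '$3 ~ /^[0-9]+$/ && now - $3 <= 365 { ok = 1 } END { exit !ok }'
}

# Registration form: print proto/port for each non-loopback listener that is
# not in $1 (space-separated documented list). stdin: `ss -Htuln`.
undocumented_listeners() {
    awk -v doc=" $1 " '{
        addr = $5; port = addr; sub(/.*:/, "", port); sub(/:[^:]*$/, "", addr)
        if (addr ~ /^127\./ || addr == "[::1]") next
        key = $1 "/" port
        if (index(doc, " " key " ") == 0 && !seen[key]++) print key
    }'
}

# Constructed sample of `ss -Htuln` output, for trying the function offline.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*'

report() { if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; fi; }

audit_live() {  # run as root; DOCUMENTED is an assumed variable, e.g. "tcp/22"
    today=$(( $(date +%s) / 86400 ))
    lsblk -sno TYPE "$(findmnt -nvo SOURCE /)" | root_is_encrypted
    report "root filesystem on LUKS" $?
    { ufw status 2>/dev/null; firewall-cmd --state 2>/dev/null; } | firewall_is_active
    report "host firewall enabled" $?
    getent shadow "${SUDO_USER:-$USER}" | password_is_fresh "$today"
    report "password changed within a year" $?
    ss -Htuln | undocumented_listeners "${DOCUMENTED:-}" | sed 's/^/UNDOCUMENTED  /'
}
if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Without arguments the script only defines the functions; pass `--live` as root to audit the current host, with `DOCUMENTED` set to the ports recorded on the registration form.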
Registration requirement
Users are expected to maintain Linux workstations to the standards listed above.
Complete the Linux Workstation Registration Form. A workstation record is placed into our asset inventory.
Appendix A - CrowdStrike Supported Linux Distributions
This information is not publicly available on CrowdStrike’s website, but is current as of June 30, 2023. We will periodically update this appendix to keep it current, but feel free to reach out to the IT Risk Management Office if you have questions or want the very latest.
This section discusses Linux operating systems only. Linux support is highly dependent on the kernels used, support of which is updated frequently with new Sensor releases. Therefore, while we can list here the general distributions we are supporting, you will need to consult the Falcon Sensor for Linux Deployment Guide's section, Appendix A – Supported Kernels, to ensure your kernel is supported; find this guide in your Falcon console at Support → Documentation → Sensor Deployment and Maintenance. A sensor running on a supported Linux distribution but an unsupported kernel will enter Reduced Functionality Mode (RFM); Linux sensors in RFM will only send SensorHeartBeat events at this time.
Supported
We support x86_64 and Graviton 64 versions of the Linux OSes listed below, with supported kernels. We also support ARM64 on RHEL/Alma/CentOS/Rocky 8.5-8.6 and on Ubuntu 18.04, 20.04, and 22.04.
| Linux Distribution | Version | Minimum Sensor Version | Docker Support? [5] |
|---|---|---|---|
| Alma Linux | 9.1 (User Mode Support Only) | User Mode: 6.54.15110; Kernel Mode: N/A | No |
| | 9.0 | all supported versions | No |
| | 8.8 | 6.56.15309 | No |
| | 8.7 | 6.48.14504+ | No |
| | 8.6 | all supported versions | No |
| | 8.5 | all supported versions | No |
| | 8.4 | all supported versions | TBD |
| Amazon Linux | 2023 (User Mode Support Only) | 6.56.15309 | Yes |
| | 2 (with Cloud ML support on Graviton1 and Graviton2 ARM processors) [6] | all supported versions | Yes |
| | AMI 2018.03 | all supported versions | Yes |
| | AMI 2017.09 | all supported versions | No |
| CentOS | 8.5 | all supported versions | No |
| | 8.0 - 8.4 | all supported versions | No |
| | 7.4 - 7.9 | all supported versions | Yes |
| | 6.7 - 6.10 | all supported versions | No |
| Debian | 11 | all supported versions | No |
| | 10 | all supported versions | No |
| | 9.1 - 9.4 | all supported versions | Yes |
| ELRepo | 7.x-8.x LT | all supported versions | No |
| Flatcar Container Linux (DaemonSet deployment only) | 3227.2.4 and later for ARM64 architecture, 3139.2.2 and later for x86_64 architecture | 6.49.14064+ | No |
| Google Container-Optimized OS (COS) (DaemonSet deployment only) | COS 5.10.176 kernels and later | 6.54.15110+ | No |
| Oracle Linux | 9, UEK 7 | 6.50.14712+ | No |
| | 8, UEK 6 | all supported versions | No |
| | 7, UEK 5 and UEK 6 | all supported versions | No |
| | 7, UEK 3 and UEK 4 | all supported versions | No |
| | 6, UEK 3 and UEK 4 | all supported versions | No |
| | Red Hat Compatible Kernel (RHCK) (supported kernels are the same as SLES 15 SP3) | all supported versions | No |
| OpenSUSE Leap | 15.3 (supported kernels same as SLES 15 SP3) | all supported versions | No |
| Red Hat Enterprise Linux (RHEL) | 9.1 (User Mode Support Only) | User Mode: 6.54.15110; Kernel Mode: N/A | No |
| | 9.0 | all supported versions | No |
| | 8.8 | 6.56.15309 | No |
| | 8.7 | 6.48.14504+ | No |
| | 8.6 | all supported versions | No |
| | 8.5 | all supported versions | No |
| | 8.0 - 8.4 | all supported versions | No |
| | 7.7 - 7.9 | all supported versions | Yes |
| | 7.4 - 7.7 | all supported versions | Yes |
| | 6.7 - 6.10 | all supported versions | No |
| Red Hat Enterprise Linux CoreOS (RHCOS) (DaemonSet deployment only) | 4.12 | 6.54.15110+ | No |
| | 4.7 - 4.11 | | No |
| Rocky Linux | 9.1 (User Mode Support Only) | User Mode: 6.54.15110; Kernel Mode: N/A | No |
| | 9.0 | all supported versions | No |
| | 8.8 | 6.56.15309 | No |
| | 8.7 | 6.48.14504+ | No |
| | 8.6 | all supported versions | No |
| | 8.5 | all supported versions | TBD |
| | 8.4 (supported kernels are the same as RHEL) | all supported versions | TBD |
| SUSE Linux Enterprise Server (SLES) | 15.4 | 6.47.14408+ | TBD |
| | 15 - 15.3 | all supported versions | Yes |
| | 12.2 - 12.5 | all supported versions | Yes |
| | 12.1 (distro supported on IBM s390X only) | unsupported | No |
| | 11.4 (you must also install OpenSSL version 1.0.1e or greater) | all supported versions | No |
| Ubuntu | 22.04 LTS | all supported versions | No |
| | 20.04 LTS | all supported versions | No |
| | 18-AWS | all supported versions | No |
| | 18.04 LTS | all supported versions | Yes |
| | 16.04 LTS and 16.04.5 LTS | all supported versions | No on 16.04.5; Yes on 16.04 |
| | 16-AWS | all supported versions | No |
| | 14.04 LTS | all supported versions | No |
| Windows Subsystem for Linux 2 (WSL2) | WSL2 | 6.51.14810 | --- |

[5] Docker is supported only on the Linux distributions and versions indicated above.
[6] We support the Graviton versions of these Linux server OSes. Cloud Machine Learning (ML) is supported on the Graviton1 and Graviton2 ARM processors beginning with sensor version 6.19.11610+.
Unsupported
All other Linux distributions and versions are unsupported, including but not limited to:
- Amazon 2017.03 – last supported on sensor 5.43.10807 through EOS on May 8, 2021
- CentOS 8 Stream, all versions
- CentOS 9 Stream, all versions
- CentOS 7.1-7.3 – last supported on sensor 5.43.10807 through EOS on May 8, 2021
- CentOS 6.5-6.6 – last supported on sensor 5.43.10807 through EOS on May 8, 2021
- RHEL 7.1-7.3 – last supported on sensor 5.43.10807 through EOS on May 8, 2021
- RHEL 6.5-6.6 – last supported on sensor 5.43.10807 through EOS on May 8, 2021
- SLES 12.1 – last supported on sensor 5.43.10807 through EOS on May 8, 2021
- We support Linux servers and desktops running supported long term support (LTS) kernels. Other kernel versions, such as custom or hardware enablement (HWE) are unsupported.
- No other operating systems or containers are currently supported.
- Desktop OSes are not supported.
- CrowdStrike does not support community or custom kernels. Only kernels released by the OS vendors, which are currently supported by the OS vendors, are supported.
Additional Notes
As noted in the 6.39.13601 release notes, On-Sensor ML does not work for files/executables running in non-init user namespaces when Security-Enhanced Linux is enabled and enforcing. This applies to all supported sensor versions.
On RHEL and SLES hosts that are not licensed, it becomes difficult to install any software (such as Falcon) on the host, or successfully perform upgrades. This can also be the case where the distribution or kernel falls out of support by the vendor.
Appendix B - Ivanti Supported Linux Distributions
For the most current list, click this link:
https://help.ivanti.com/res/help/en_US/IA/2021/GS/46300.htm