Linux Workstation Standards

Managing University of Dayton computers is an important part of UDit's overall "defense-in-depth strategy" (a cybersecurity approach that uses multiple layers of security for holistic protection). In addition to using Active Directory (AD) on the Microsoft side, we are able to manage Windows and Apple computers through Ivanti and JAMF. Linux doesn’t have the same numbers across campus, and there’s no single preferred distribution. Linux users tend to be our most technical users and in some instances manage our infrastructure. Therefore we want to apply similar standards across all three operating system platforms.

Configuration standards

Registration requirement

Appendix A - CrowdStrike Supported Linux Distributions

Appendix B - Ivanti Supported Linux Distributions
 

Configuration standards

The following configuration standards are for users wanting to use a Linux operating system computer at UD.

NOTE: These standards apply to workstations and are insufficient for server operations and maintenance.


Distribution

There are a variety of ways to differentiate Linux distributions: system architecture, kernel, vendor, etc. We recommend using one that allows use of our CrowdStrike and Ivanti agents. Supported distributions will be attached as appendices to this document. In the event an individual wishes to run a distribution that won’t run these agents, use a distribution that is currently supported by the vendor (with updates) and supports the remainder of the requirements. In those cases where even this isn’t possible, the workstation should not be used on the network.
 

Asset Management

Ivanti clients are available for a number of different Linux distributions. You’ll find a list in Appendix B. Unlike Windows, Ivanti may not be sufficient to maintain the operating system and installed software. Ivanti will be used for hardware tracking only. Software updates are covered separately.
 

Antivirus (AV) / Endpoint Detection and Response (EDR)

CrowdStrike sensors are available for a number of different Linux distributions. You’ll find a list in Appendix A. In the event a user wishes to run a distribution that does not support CrowdStrike, the user will install ClamAV or an approved alternative, keep its signature databases current and run monthly scans at a minimum.
 

Software Updates

Users are responsible for updating their Linux distributions at least monthly.
 

Encryption / Key Escrow

Users running Linux on laptops will encrypt all disks/volumes with preboot authentication functionality using LUKS or an approved alternative.  An encryption key shall be escrowed with the Linux user’s supervisor.
 

Local Administrator

Privileged accounts such as root will not be used on a day-to-day basis. Use of su and sudo is encouraged.
 

Passwords

Passwords for all local accounts shall be strong and will be 8 or more characters. They will not contain common words (whole or part) or parts of the user’s name or University ID (UDID) and will follow the general guidelines outlined at password.udayton.edu.  All passwords, to include root, shall be changed annually.
 

Firewall

Host firewalls shall be enabled and any ports required to be opened will be documented in the Linux Workstation Registration Form.

NOTE: Labs are a special case.  Exceptions to the guidelines may be required and shall be documented.
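
The shell functions below are an added example, not part of the UD standard or any UDit tooling. They check two of the requirements above: the annual password change, read from shadow(5) data, and listening TCP ports that are not on the documented list. Treating "annually" as 365 days and using listening non-loopback ports as the list to reconcile with the registration form are assumptions, and all sample data is constructed.

```shell
#!/bin/sh
# Added example: checks for the Passwords and Firewall standards.
# Sample data is constructed. On a real workstation (as root) use:
#   stale_passwords "$(( $(date +%s) / 86400 ))" < /etc/shadow
#   ss -H -tln | undocumented_ports "22"
MAX_AGE_DAYS=365   # assumption: "changed annually" read as 365 days

# Reads shadow(5) lines on stdin; $1 is today as days since 1970-01-01.
# Prints accounts whose password is empty, has no usable change date
# (empty, or 0 = change forced at next login), or is older than the limit.
stale_passwords() {
    awk -F: -v today="$1" -v max="$MAX_AGE_DAYS" '
        $2 ~ /^[!*]/ { next }   # locked or no-login account: no password to age
        $2 == "" || $3 == "" || $3 == 0 || today - $3 > max { print $1 }'
}

# Reads `ss -H -tln` lines on stdin; $1 is the space-separated list of
# ports documented on the registration form. Prints listening TCP ports
# bound beyond loopback that are not on that list.
undocumented_ports() {
    awk -v ok=" $1 " '
        $4 ~ /^127\./ || $4 ~ /^\[::1\]/ { next }   # loopback only
        { port = $4; sub(/.*:/, "", port) }
        index(ok, " " port " ") == 0 { print port }' | sort -nu
}

sample_shadow() {   # constructed accounts, placeholder hashes
    cat <<'EOF'
root:$6$placeholder:19400:0:99999:7:::
alice:$6$placeholder:19800:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:!$6$placeholder:19000:0:99999:7:::
carol:$6$placeholder:0:0:99999:7:::
EOF
}

sample_ss() {       # constructed `ss -H -tln` output
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::1]:631 [::]:*
EOF
}

echo "Stale passwords: $(sample_shadow | stale_passwords 19900 | tr '\n' ' ')"
echo "Undocumented ports: $(sample_ss | undocumented_ports '22' | tr '\n' ' ')"
```

A port printed by undocumented_ports is a service reachable once the host firewall allows it, so it should either be closed or added to the registration form.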

 

Registration requirement

Users are expected to maintain Linux workstations to the standards listed above.

Complete the Linux Workstation Registration Form. A workstation record is placed into our asset inventory.

 

Appendix A - CrowdStrike Supported Linux Distributions

This information is not publicly available on CrowdStrike’s website, but is current as of Mar 2, 2022.  We will periodically update this appendix to keep it current, but feel free to reach out to the IT Risk Management Office if you have questions or want the very latest.

This section discusses Linux operating systems only. Linux support is highly dependent on the kernels used, support of which is updated frequently with new Sensor releases. Therefore, while we can list here the general distributions we are supporting, you will need to consult the Falcon Sensor for Linux Deployment Guide's section, Appendix A – Supported Kernels, to ensure your kernel is supported; find this guide in your Falcon console at Support → Documentation → Sensor Deployment and Maintenance. A sensor running on a supported Linux distribution but an unsupported kernel will enter Reduced Functionality Mode (RFM); Linux sensors in RFM will only send SensorHeartBeat events at this time.
 

Supported

We support x86_64 versions of these OSes, with supported kernels:

| Linux Distribution | Version | Minimum Sensor Version | Docker Support? [5] |
|---|---|---|---|
| Alma Linux | 8.4 (supported kernels are the same as RHEL) | 6.29.12606+ | TBD |
| Amazon Linux | 2 (x86) | all supported sensor versions | Yes |
| | 2 (with Cloud ML support on Graviton1 and Graviton2 ARM processors) [6] | all supported sensor versions | Yes |
| | AMI 2018.03 | all supported sensor versions | Yes |
| | AMI 2017.09 | all supported sensor versions | --- |
| CentOS | 8.5 | 6.33.13003+ | --- |
| | 8.4 | all supported sensor versions | --- |
| | 8.3 | all supported sensor versions | --- |
| | 8.0 - 8.2 | all supported sensor versions | --- |
| | 7.4 - 7.9 | all supported sensor versions | Yes |
| | 6.7 - 6.10 | all supported sensor versions | --- |
| Debian | 11 | 6.34.13108+ | --- |
| | 10 | all supported sensor versions | --- |
| | 9.1 - 9.4 | all supported sensor versions | Yes |
| Oracle Linux | 8, UEK 6 | all supported sensor versions | --- |
| | 7, UEK 6 | all supported sensor versions | --- |
| | 7, UEK 5 | all supported sensor versions | --- |
| | 7, UEK 4 | all supported sensor versions | --- |
| | 7, UEK 3 | all supported sensor versions | --- |
| | 6, UEK 4 | all supported sensor versions | --- |
| | 6, UEK 3 | all supported sensor versions | --- |
| | Red Hat Compatible Kernel (RHCK) (supported RHCK kernels are the same as RHEL) | all supported sensor versions | --- |
| Red Hat Enterprise Linux (RHEL) | 8.5 | 6.33.13003+ | --- |
| | 8.4 | all supported sensor versions | --- |
| | 8.3 | all supported sensor versions | --- |
| | 8.0 - 8.2 | all supported sensor versions | --- |
| | 7.4 - 7.9 | all supported sensor versions | Yes |
| | 6.7 - 6.10 | all supported sensor versions | --- |
| Rocky Linux | 8.4 (supported kernels are the same as RHEL) | 6.29.12606+ | TBD |
| SUSE Linux Enterprise Server (SLES) | 15 - 15.3 | all supported sensor versions | Yes |
| | 12.2 - 12.5 | all supported sensor versions | Yes, with SP3, SP4, SP5 |
| | 11.4 (you must also install OpenSSL version 1.0.1e or greater) | all supported sensor versions | --- |
| Ubuntu | 20.04 LTS | all supported sensor versions | Yes |
| | 18-AWS | all supported sensor versions | --- |
| | 18.04 LTS | all supported sensor versions | Yes |
| | 16-AWS | all supported sensor versions | --- |
| | 16.04.5 LTS | all supported sensor versions | --- |
| | 16.04 LTS | all supported sensor versions | Yes |

[5] Docker is supported only on the Linux distributions and versions indicated above.
[6] We support the Graviton versions of these Linux server OSes. Cloud Machine Learning (ML) is supported on the Graviton1 and Graviton2 ARM processors beginning with sensor version 6.19.11610+.
 

Unsupported

All other Linux distributions and versions are unsupported, including but not limited to:

  • Amazon 2017.03 - last supported on sensor 5.43.10807 through EOS on May 8, 2021
  • CentOS 7.1-7.3 - last supported on sensor 5.43.10807 through EOS on May 8, 2021
  • CentOS 6.5-6.6 - last supported on sensor 5.43.10807 through EOS on May 8, 2021
  • RHEL 7.1-7.3 - last supported on sensor 5.43.10807 through EOS on May 8, 2021
  • RHEL 6.5-6.6 - last supported on sensor 5.43.10807 through EOS on May 8, 2021
  • SLES 12.1 - last supported on sensor 5.43.10807 through EOS on May 8, 2021
  • Ubuntu 14.04 LTS - last supported on sensor 5.43.10807 through EOS on May 8, 2021
  • We support Linux servers and desktops running supported long term support (LTS) kernels. Other kernel versions, such as custom or hardware enablement (HWE) are unsupported.
  • No other operating systems or containers are currently supported.
  • Desktop OSes are not supported.
  • CrowdStrike does not support community or custom kernels. Only kernels released by the OS vendors, which are currently supported by the OS vendors, are supported.
     

Additional Notes

On RHEL and SLES hosts that are not licensed, it becomes difficult to install any software (such as Falcon) on the host, or successfully perform upgrades. This can also be the case where the distribution or kernel falls out of support by the vendor.
 

Appendix B - Ivanti Supported Linux Distributions

For the most current list, click this link:

https://help.ivanti.com/res/help/en_US/IA/2021/GS/46300.htm


Details

Article ID: 137188
Created: Tue 3/22/22 2:29 PM
Modified: Fri 11/18/22 9:43 AM

Related Services / Offerings (1)

Register your University-owned Linux workstation