Harmony Endpoint for Linux Overview

Note - Starting in R81, the on-premises Endpoint Security Server supports Harmony Endpoint for Linux. To enable Harmony Endpoint for Linux, you must enable the Linux installation package flag as described in sk177250.

Prerequisites

• Available Internet access for the protected device.

• For RHEL/CentOS, it is necessary to have access to EPEL (Extra Packages for Enterprise Linux) repository.

• If the device has no internet access, you must enable access to certain URLs. For more information, see sk116590.

Minimum Hardware Requirements

• x86 processor, 64-bit (32-bit is not supported)

• 2 GHz Dual-core CPU

• 4 GB RAM

• 10 GB free disk space

Key Threat Prevention Technologies

Anti-Malware

• The Anti-Malware A component of the Endpoint Security client that protects against known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers. security engine detects trojans, viruses, malware, and other malicious threats.

• The engine is implemented as a multi-threaded flexible scanner daemon. It is managed centrally through a web-console.

• In addition, it supports command line utilities for on-demand file scans, access functionality, and automatic signature updates.

• Managed centrally through a web-console and also supports Command Line Utilities for on-demand file/folder scans, detection lists and file restorations

Endpoint Detection and Response (EDR) / Threat Hunting

• Harmony Endpoint for Linux, updates ThreatCloud with Indicator of Compromise (IoC) and Indicator of Attack (IoA) events.

• Threat Hunting technology lets the administrators proactively search for cyber threats that made it through the first line of defense to the Linux Endpoint device.

• Threat Hunting uses advanced detection capabilities, such as queries and automation, to find malicious activities and extract hunting leads of data.

• Supporting events:

  • Process - start / stop

  • Files - create / delete / rename / open

  • Network - local connections, ports, DNS

Behavioral Guard

• Dynamic analysis of malware executed on the Endpoint Client is performed based on the behavioral patterns of various attack types, including ransomware, cryptominers, and trojans.

• Centrally managed via the web management platform.

• Leverages a large set of constantly updated signatures to detect, prevent, and remediate modern attacks.

• Features automatic signature updates powered by the latest intelligence, ensuring adaptation to emerging threats

Anti-Ransomware

Scans the endpoint for any encryption actions and blocks the action before encryption.

Forensics

Generates detailed analytics and interactive reports from threats and incidents, providing a comprehensive view of attack flows and actionable insights for effective remediation.

Note - It is available from version 1.20.7 and you must enable it manually. To do that, run: For fresh installation: SBA_ENABLE_EFR=1 ./<installation_script_name>.sh install For already installed client: sudo cpla install_blade -b efr sudo systemctl restart cpla

Minimum Hardware Requirements

• x86 processor, 64-bit (32-bit is not supported)

• 2 GHz Dual-core CPU

• 4 GB RAM

• 10 GB free disk space

Supported Linux Versions

Distribution / OS Version	1.22.12	1.20.7	1.18.16	1.18.12	1.15.10	1.15.7	1.13.3	1.13.2
Ubuntu 24.04 (64-bit)
Ubuntu 22.04 (64-bit) (Supported versions: 22.04 - 22.04.3)
Ubuntu 20.04 (64-bit) (Supported versions: 20.04 - 20.04.6)
Ubuntu 18.04* (64-bit) (Supported versions: 18.04 - 18.04.6)
Ubuntu 16.04 (64-bit)
Alma Linux 9 (64-bit) (Supported versions: 9.0 - 9.3)
Alma Linux 8 (64-bit) (Supported versions: 8.9 and 8.10)
Amazon Linux 2023
Amazon Linux 2 (64-bit)
CentOS 8* (64-bit) (Supported versions : 8.0 - 8.5)
CentOS 7 (64-bit) (Supported versions: 7.8 - and 7.9)
Debian Linux 12 (64-bit) (Supported versions: 12.0 - 12.5)
Debian Linux 11* (64-bit)
Debian Linux 10* (64-bit)
Debian Linux 9* (64-bit)
Fedora 39¹
Fedora 38¹
Fedora 37
Fedora 36
Fedora 35
Fedora 34
OpenSUSE 15.4 and OpenSUSE 15.5
OpenSUSE 42.3
Oracle Linux 8 (64-bit) (Supported versions: 8.0 - 8.10)
Oracle Linux 7.9 (64-bit)
Red Hat Enterprise Linux (RHEL) 9 ¹ (64-bit) (Supported versions: 9.0 - 9.5)
Red Hat Enterprise Linux (RHEL) 8 (64-bit) (Supported versions: 8.0 - 8.9)
Red Hat Enterprise Linux (RHEL) 8.10 (64-bit)
Red Hat Enterprise Linux (RHEL) 7 (64-bit) (Supported versions: 7.8 and 7.9)
Rocky 8.10
Rocky 9.5
SUSE Linux Enterprise Server (SLES) 15 (64-bit) (Supported versions: 15SP2 and 15SP3)
SUSE Linux Enterprise Server (SLES) 12 (64-bit) (Supported versions: 12SP5)

¹ Only Anti-Malware support.

Linux Kernel Support

Harmony Endpoint for Linux supports the general-purpose Linux kernels included in standard Linux distributions. These kernels come by default with Linux distribution.

This excludes kernels that are:

• Non default kernels

• Unbreakable kernels

• Appliance, for example, Exadata

• Community based, for example, ELRepo

• Custom Compiled kernels

• Desktop and Gaming kernels

Installation on Semi-Isolated Environments with Super Node Proxy

Prerequisite

1. Make sure that Harmony Endpoint for Linux version 1.22.12 or higher is installed on client devices.

2. Make sure that Harmony Endpoint for Windows version E88.70 or higher is installed on super node devices.

3. The Linux devices must be able to resolve the Fully Qualified Domain Name (FQDN) of the Windows super node machine. This can be achieved through an organizational name server.

Notes: Before exporting the package, make sure that a Windows super-node is properly configured in the server policy for each virtual group of Linux devices. For more information, see General.

Installation Procedure

1. Export and Download the Offline Package: Download the appropriate universal offline package (rpm or deb) that matches your distribution. Transfer the package to all endpoint devices.

2. For Red Hat Enterprise Linux (RHEL), run this command before installing the package:

   subscription-manager config --rhsm.manage_repos=0

3. Run the installation package.

4. Verify communication with the Management Server:

   1. To verify the status, run:

      cpla info

      

      The output displays:

      Connection status: Connected - Supernode

      The client appears in the server's asset information.

Note - If communication is not established, perform these: Verify Windows device FQDN is resolvable from the Linux device and that super-node device proxy functionality is working, for example, curl --proxy http://<super-node fqdn>:3128 https://www.checkpoint.com Verify super-node policy is configured and installed prior to exporting a package. Verify SBA_SEMI_ISOLATED_ENV environment variable is correctly applied: The file /etc/checkpoint/cpla/env should contain the line SBA_SEMI_ISOLATED_ENV=1 Verify that the default policy is detected during installation. If not, contact Check Point Support and verify that the support for semi-isolated environment is active. See step 4 in Prerequisites: If the default policy is processed correctly, these lines should appear in /var/log/checkpoint/common/sbalinux-install.log: