Kolide is a popular choice for organizations that want to gain visibility into their endpoints running Linux and ensure they meet the organization's compliance and security standards. As "Linux" may refer to any number of distributions, this article offers clarification and precision around Kolide's support for the platform.

Kolide's Agent & Installation

The Kolide Agent entirely consists of open-source code centering around two executable components, launcher and osquery. These components are compiled for x86 architectures and distributed in both .deb and .rpm installation packages. These packages install correctly on most popular Debian-based (Ubuntu, Mint, etc.) and RPM-based (RHEL, CentOS) distributions of Linux.

Customers may also request Arch pacman packages or a simple tarball of Kolide's agent. Please reach out to support if you need any alternatives.

Kolide's Linux Inventory

Kolide enumerates the following information from Linux Devices:

  • Atom Packages

  • BIOS Platforms

  • Chrome (and other Chromium Based Browser) Extensions

  • Amazon AWS metadata

  • Crontab Entries

  • Debian Packages

  • DNS Resolvers

  • Docker Instance information

  • AWS EC2 Metadata

  • /etc/hosts entries

  • Firefox Add-ons

  • Kernel Info

  • Listening Ports

  • Network Interfaces

  • Network Names

  • Operating System Info

  • Python Packages

  • RPM Packages

  • SSH Keys (fingerprints, encryption status)

  • Storage Devices

  • Sudoers Rules

  • USB Devices

  • Users/Groups

  • VSCode Extensions

Kolide's Linux Checks

Checks are a feature of Kolide that enables admins to ensure a device meets compliance and security requirements regularly. When a device fails a Check, it creates an issue in the Kolide system and can notify end-users via Slack for remediation.

Today, Kolide offers a variety of Linux Checks that cover a variety of common compliance scenarios:

Disk Encryption

Kolide can check if the disk mounted at the root path / is encrypted. Additionally, Kolide can detect disk-based encryption based on ZFS, LUKS, encryptFS, encfs, and other encryption modes that report through dm-crypt.

Screen Lock

Kolide can read the settings of Gnome, Mate, and Cinnamon desktop managers to ensure that the user is prompted for a password when the screen is turned off and that the screen turns off in a reasonable amount of time.

Firewall

Kolide can assess the state of the iptables and ufw firewalls to ensure that they are enabling and operating correctly.

BIOS

Kolide can detect if EFI Secureboot is enabled and if the "No Execute (NX) / Execute Disabled (EX)" is enabled on the CPU.

Ubuntu Specific Checks

Kolide can determine if the device is running a no-longer supported version of Ubuntu Linux and if the current version has unattended upgrades currently enabled.

Security Software (Anti-virus / EDR / VPN)

Kolide can detect the presence of the following security software:

  • BitDefender

  • ClamAV

  • CrowdStrike

  • F5 VPN

  • Rapid7

Remote Daemons

Kolide can detect the running processes and common package names associated with the following remote access daemons:

  • DirectVNC

  • LinuxVNC

  • teamviewerd

  • TigerVNC

  • Vino (VNC Server)

  • x11VNC

  • xrdp

  • tinySSHD

  • OpenSSH / SSHD


Kolide offers these Linux Checks in addition to our standard catalog of cross-platform Checks, which look for things like evil browser extensions, shadow IT apps, unencrypted SSH keys, 2FA backup codes, and more. As always, customers of Kolide can request their own checks if Kolide doesn't offer coverage in the listing above.

Did this answer your question?