Kolide is a popular choice for organizations that want to gain visibility into their endpoints running Linux and ensure they meet the organization's compliance and security standards. As "Linux" may refer to any number of distributions, this article offers clarification and precision around Kolide's support for the platform.
Kolide's Agent & Installation
The Kolide Agent consists entirely of open-source code centered on two executable components, launcher and osquery. These components are compiled for x86 architectures and distributed in both .deb and .rpm installation packages. These packages install correctly on most popular Debian-based (Ubuntu, Mint, etc.) and RPM-based (RHEL, CentOS) distributions of Linux.
Customers may also request Arch pacman packages or a simple tarball of Kolide's agent. Please reach out to support if you need any alternatives.
Kolide's Linux Inventory
Kolide enumerates the following information from Linux Devices:
Chrome (and other Chromium-based browser) extensions
Amazon AWS metadata
Docker Instance information
AWS EC2 Metadata
Operating System Info
SSH Keys (fingerprints, encryption status)
Kolide's Linux Checks
Checks are a feature of Kolide that enables admins to ensure a device meets compliance and security requirements regularly. When a device fails a Check, it creates an issue in the Kolide system and can notify end-users via Slack for remediation.
Today, Kolide offers Linux Checks that cover a variety of common compliance scenarios:
Kolide can check if the disk mounted at the root path / is encrypted. Additionally, Kolide can detect disk-based encryption based on ZFS, LUKS, encryptFS, encfs, and other encryption modes that report through dm-crypt.
Kolide can read the settings of Gnome, Mate, and Cinnamon desktop managers to ensure that the user is prompted for a password when the screen is turned off and that the screen turns off in a reasonable amount of time.
Kolide can assess the state of the ufw firewalls to ensure that they are enabled and operating correctly.
Kolide can detect if EFI Secureboot is enabled and if the "No Execute (NX) / Execute Disabled (EX)" is enabled on the CPU.
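As an added illustration of the root-disk encryption check described above (not Kolide's own code or query), this Python example walks the device tree reported by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and tests whether the device stack under `/` includes a dm-crypt mapping. The two device trees and all function names are constructed for the example; ZFS native encryption and file-level schemes such as encfs do not appear in lsblk output and are not covered by it.

```python
"""Decide whether the filesystem mounted at / sits on a dm-crypt mapping.

Input is the parsed JSON from `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`.
Both device trees below are constructed samples, not output from a real host.
"""

def dev(name, type_, fstype=None, mountpoint=None, children=()):
    # Helper (hypothetical) that builds one lsblk-shaped device record.
    return {"name": name, "type": type_, "fstype": fstype,
            "mountpoint": mountpoint, "children": list(children)}

# Root on LVM inside a LUKS container: disk -> part -> crypt -> lvm -> /
LVM_ON_LUKS = {"blockdevices": [dev("sda", "disk", children=[
    dev("sda1", "part", "vfat", "/boot/efi"),
    dev("sda2", "part", "crypto_LUKS", children=[
        dev("cryptroot", "crypt", "LVM2_member", children=[
            dev("vg0-root", "lvm", "ext4", "/"),
            dev("vg0-swap", "lvm", "swap", "[SWAP]")])])])]}

# Only /home is encrypted; root is a plain ext4 partition.
HOME_ONLY = {"blockdevices": [dev("sda", "disk", children=[
    dev("sda1", "part", "ext4", "/"),
    dev("sda2", "part", "crypto_LUKS", children=[
        dev("crypthome", "crypt", "ext4", "/home")])])]}

def mount_chain(devices, mountpoint, chain=()):
    """Return the device stack (outermost first) ending at `mountpoint`."""
    for d in devices:
        here = chain + (d,)
        if d.get("mountpoint") == mountpoint:
            return here
        # Real lsblk output omits "children" on leaf devices.
        found = mount_chain(d.get("children") or [], mountpoint, here)
        if found:
            return found
    return None

def root_is_encrypted(lsblk):
    """True only if a dm-crypt device (lsblk TYPE "crypt") backs /."""
    chain = mount_chain(lsblk["blockdevices"], "/")
    if chain is None:
        raise LookupError("no block device is mounted at /")
    # Checking the stack under / avoids passing a host where only
    # some other mount, such as /home, is encrypted.
    return any(d.get("type") == "crypt" for d in chain)

if __name__ == "__main__":
    for label, tree in (("lvm-on-luks", LVM_ON_LUKS), ("home-only", HOME_ONLY)):
        print(label, root_is_encrypted(tree))
```
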
Ubuntu Specific Checks
Kolide can determine if the device is running a no-longer-supported version of Ubuntu Linux and if the current version has unattended upgrades enabled.
Security Software (Anti-virus / EDR / VPN)
Kolide can detect the presence of the following security software:
Kolide can detect the running processes and common package names associated with the following remote access daemons:
Vino (VNC Server)
OpenSSH / SSHD
Kolide offers these Linux Checks in addition to our standard catalog of cross-platform Checks, which look for things like evil browser extensions, shadow IT apps, unencrypted SSH keys, 2FA backup codes, and more. As always, customers of Kolide can request their own checks if Kolide doesn't offer coverage in the listing above.