Scanning requirements for Linux devices
This article summarizes scanning requirements for Linux devices in Movere.
Supported Linux distros
The table summarizes Linux distributions for which scanning is tested in Movere.
| Distribution | Version |
|---|---|
| Amazon Linux AMI | 2016.x onwards. |
| CentOS Linux | 5.x onwards. |
| Debian GNU/Linux | 7 onwards. |
| Fedora | 22 onwards. |
| Oracle Linux | 6.x onwards. |
| Red Hat Enterprise Linux | 5.x onwards. |
| SUSE Linux Enterprise | 11 onwards. |
| Ubuntu | 12.x onwards. |
| Photon | vCenter 6.5, 6.7 and 7.0 |
| Unix | Not supported. |
| Solaris | Not supported. |
Note
The Minimum versions for GLIBC and Kernel Glibc - 2.5 (Command: ldd --version) Kernel - 2.6.18 series (Command: uname -a)
URL access
The table summarizes internet access requirements for Linux devices you want to scan. Windows devices have the same access requirements.
| Scan | Details |
|---|---|
| Internet access | Scanned devices that upload data directly to Movere need internet access. |
| URL access | Scanned devices that directly upload data must be able to reach Movere URLs, specific to the region in which the Movere customer tenant is located. |
Scanning permissions
Review the permissions that an account needs to scan target devices.
| Device | Permissions |
|---|---|
| SSH | The Linux account needs SSH access on target Linux devices you want to scan. |
| Permissions | In order to collect a complete set of information, Movere recommends to run Linux scan using root account. Movere can scan a Linux device using non-root account with sudo access or with priviledges equivalent to root account. If you don't wish to use a root account or a non-root account with sudo access, then you can scan using a non-root account. To do this, in Movere.Service.exe.config, set the LinuxSkipSudo to True. An active directory domain-based user account can be used if the Linux devices support active directory domain authentication. Movere can scan Linux devices with an SSH private key, and supports RSA header private key such as ---BEGIN RSA PRIVATE KEY--- or a OpenSSH header private key such as ---BEGIN OPENSSH PRIVATE KEY---. |
| SQL Server | SQL Server on Linux requires the same Linux permissions described above. |
| Home directory | The Linux account must have a local home directory on all target devices. Home directories housed on a distributed filesystem (for example NFS) that's used to mount storage to multiple systems, won't work. |
| BASH | The Linux account used must be able to run these BASH commands from the Movere Console device. |
| vCenter Server Appliance | For scanning a vCenter Server Appliance, Movere will leverage the permissions associated with the Linux account used during scanning. We recommend that you scan using the root account. You can also scan vCSA using non-root account. Make sure the Linux account has access to both the Linux operating system running the appliance, and has permission to query the Postgres database storing the VCSA data. Make sure the user running the scan has an account stored on the server hosting the appliance, with both SSH and BASH SHELL enabled. |
| XenServer | For scanning XenServer, Movere will leverage the permissions associated with the Linux account used during scanning. |
Allow Movere binaries
Allow these Movere binary files on Linux devices you want to scan. Allow in any anti-virus or security software running on the device. By default, during scanning, the Linux bot is installed on target device in the Home Directory of the user account running the Linux scan. There's only one bot for both inventory and actual resource consumption scanning on Linux.
| Binary file | Details |
|---|---|
| Movere.Arc.Linux.Bootstrap.x64 | Supporting file for inventory and actual resource consumption scanning of 64-bit Linux devices. For manual scanning, or scanning via a third-party system. |
| Movere.Arc.Linux.Bootstrap.x86 | Supporting file for inventory and actual resource consumption scanning of 32-bit Linux devices. For manual scanning, or scanning via a third-party system. |
| Movere.Arc.Linux.Bot.x64 | Bot for inventory and actual resource consumption scanning of 64-bit Linux devices. |
| Movere.Arc.Linux.Bot.x86 | Bot for inventory and actual resource consumption scanning of 32-bit Linux devices. |
| Movere.gpg.x64 | GPG encryption library for 64 bit linux devices. Support files required to fulfill minimum requirements for movere bots to work. |
| Movere.gpg.x86 | GPG encryption library for 32 bit linux devices. Support files required to fulfill minimum requirements for movere bots to work. |
| Movere.tsql.x64 | SQL client connectivity library for 64 bit. |
Port access
The table summarizes the ports used by Movere when scanning devices. You can't customize the ports.
| Port | Direction | Location | Details |
|---|---|---|---|
| TCP 22 (Secure Shell SSH Protocol) | Inbound internal | Target machine | Used for SSH connection to all target Linux devices. Used for SSH connection to the target Linux devices housing a vCenter Server Appliance database. |
| TCP 443 | Outbound internal | Target machine | Used to upload Inventory and ARC payloads back to the Console and for all internal communication between target devices and the Console. |
| TCP 443 | Outbound external | Target machine | Used to upload scans directly to the Movere portal from the target device. |
| TCP 443 | Outbound external | Console machine | Used to upload payloads via the Console to the cloud. |
| TCP 443 | Outbound internal | Console machine | Used to download the token.txt file. Query VMware ESXi and XenServer. |
| TCP 389 | Outbound internal | Console machine | Used to query Active Directory (LDAP). |
| TCP 3268 | Outbound internal | Console machine | Used to query the Global Catalog. |
| TCP/UDP 53, TCP/UDP 88 | Outbound internal | Console machine | Used to locate the domain controllers and authenticate prior to object enumeration. |
| TCP 636 | Outbound internal | Console machine | Used to communicate with the domain controller in the customer’s environment if secure LDAP is enabled. |
| TCP 22 | Outbound internal | Console machine | Used to query VMware vCenter Server Appliance. Used to connect to Linux devices during scanning. |
| TCP 443 | Inbound internal | Console machine | Used for all internal traffic between the targeted endpoints and the Console. Used for all requests from the Movere bots for secondary credentials and token refresh, and for routing payloads back to the Console for uploading. |
| Ephemeral port 49152 - 65535 | Inbound internal | Console machine | Used to receive return traffic at the console. |
Next steps
- Deploy the Movere Console.
- Run a Linux scan.