
Was anyone able to install MDATP on a Linux Docker image?

We tried CentOS, Debian, and Ubuntu and all have the same issue. I installed MDATP successfully when the Linux box is a full host but not in Docker.

I am following these instructions: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually

I preceded the installation with:

apt-get -y install curl libplist-utils gpg apt-transport-https libseccomp2 libuuid1 libatomic1 libc6 python3 uuid-runtime dmidecode auditd libselinux1 systemd

This page says MDATP requires systemd: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux

I was able to get systemd and audit working with an image that supported it (centos/systemd) and these lines in the Dockerfile:

VOLUME [ "/sys/fs/cgroup" ]
CMD [ "/usr/sbin/init" ]

Now I am stuck loading libraries:


[root@7061463d26f5 src]# systemctl status mdatp
    ● mdatp.service - Microsoft Defender ATP
      Loaded: loaded (/usr/lib/systemd/system/mdatp.service; enabled; vendor preset: disabled)
      Active: deactivating (stop-sigterm) (Result: exit-code) since Sat 2021-03-13 00:54:54 PST; 4s ago
     Process: 1389 ExecStart=/opt/microsoft/mdatp/sbin/wdavdaemon (code=exited, status=111)
    Main PID: 1389 (code=exited, status=111)
      CGroup: /docker/7061463d26f5ea10a880ad4209ea11b1a7c05349cb5a9641a0ac12245c51b674/system.slice/mdatp.service
              └─1412 /opt/microsoft/mdatp/sbin/wdavdaemon edr 11 10 3
    Mar 13 00:54:54 7061463d26f5 systemd[1]: Started Microsoft Defender ATP.
    Mar 13 00:54:54 7061463d26f5 systemd[1]: mdatp.service: main process exited, code=exited, status=111/n/a
    [root@7061463d26f5 src]# /opt/microsoft/mdatp/sbin/wdavdaemon &
    [1] 1654
    [root@7061463d26f5 src]# /opt/microsoft/mdatp/sbin/crashpad_handler: error while loading shared libraries: libc++.so.1: cannot open shared object file: No such file or directory
    [root@7061463d26f5 src]# ll /opt/microsoft/mdatp/lib/libc++.so.1
    -rw-r--r-- 1 root root 879240 Mar  8 05:56 /opt/microsoft/mdatp/lib/libc++.so.1
[root@7061463d26f5 src]# grep LD /usr/lib/systemd/system/mdatp.service
Environment=LD_LIBRARY_PATH=/opt/microsoft/mdatp/lib/

As you can see, the "missing" library exists and is seemingly configured correctly. Perhaps the env variable is incorrect?

This person may have been using a Linux Docker image: https://dawnbringer.net/blog/1085/msatp_debian10

Our enterprise MS support said that Docker isn't supported and closed the case.

Any ideas on how I can continue?

Dave M
  • try adding env variable `LD_LIBRARY_PATH=/opt/microsoft/mdatp/lib:$LD_LIBRARY_PATH` to your Docker start script, check if library error still occurs. – mforsetti Mar 17 '21 at 04:11
  • Your command line invocation does not reproduce the systemd service environment (LD_LIBRARY_PATH), which makes the error you get rather normal. Moreover, you will certainly get errors later on, either because it can't talk to the kernel netlink or because nothing is as the kernel reports (since you share your host's kernel but run chrooted). Use it on the host or in a full-fledged VM. – Ginnungagap Mar 17 '21 at 07:08
  • @mforsetti - Thank you, that did get me to the next stage. – qc_234578909 Mar 19 '21 at 14:29
  • @Ginnungagap - I don't understand your first sentence. Systemd was working fine after these steps and I was able to get /usr/sbin/init as PID 1, thus giving me a working systemctl. I certainly received errors later on though. Now I require auditd to get the mdatp service running. As you said about the kernel netlink, the MDATP error log: privileged_process_kernel_connection.cpp - Operation not permitted. X – qc_234578909 Mar 19 '21 at 14:43
  • The person behind the dawnbringer.net site was able to get this working supposedly. The idea is that people can run apps on someone else's docker server(so no access to host) and this particular app receives files that need to be scanned. I guess MDATP has too many tentacles in everything and is too greedy to yield and run with less power :/ ClamAV works, but we get no central management. I wish MS made a lightweight version of MDATP. – qc_234578909 Mar 19 '21 at 14:44
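Added example, not code from the original post, from the commenters, or from Microsoft's MDATP package: the two points raised above (mforsetti's LD_LIBRARY_PATH fix and Ginnungagap's note that a manual `wdavdaemon &` does not carry the unit's Environment= settings) come down to checking whether the shell you test from sees the same loader environment as systemd does. The script below reads the Environment= lines out of a unit file, exports them into the current shell, confirms that a named library is reachable through that path list, and reports the two container prerequisites the question had to satisfy first (systemd as PID 1, /sys/fs/cgroup mounted). The unit file path, the library name and the demo's temporary paths are assumptions; the placeholder libc++.so.1 the demo creates is an empty file, not a real library.

```shell
#!/bin/sh
# Added example (not from the original post or the MDATP package).
# Diagnostics for "library exists but the loader says it is missing":
# reproduce the unit's Environment= in this shell, then check the path.

# Print one KEY=VALUE per line for every Environment= entry in a unit file.
# Handles both unit-file forms: Environment=KEY=VALUE and
# Environment="A=1" "B=2". Values containing spaces are not supported here;
# on a live system `systemctl show -p Environment <unit>` is authoritative.
unit_env_vars() {
  sed -n 's/^Environment=//p' "$1" | tr -d '"' | tr ' ' '\n' | grep '='
}

# Export every Environment= entry of the unit into the current shell, so a
# hand-started copy of the ExecStart binary sees what the service sees
# (the plain `wdavdaemon &` in the question did not).
apply_unit_env() {
  for kv in $(unit_env_vars "$1"); do
    export "$kv"
  done
}

# Look for LIB_NAME in each directory of a colon-separated list in the
# LD_LIBRARY_PATH format. Prints the first match; returns 1 if none.
find_lib_in_path() {
  lib_name=$1
  path_list=$2
  old_ifs=$IFS
  IFS=:
  for dir in $path_list; do
    if [ -n "$dir" ] && [ -f "${dir%/}/$lib_name" ]; then
      IFS=$old_ifs
      printf '%s\n' "${dir%/}/$lib_name"
      return 0
    fi
  done
  IFS=$old_ifs
  return 1
}

# List the dynamic dependencies of a binary that the loader cannot resolve
# under the current LD_LIBRARY_PATH (the class of error shown in the post).
unresolved_deps() {
  ldd "$1" 2>/dev/null | grep 'not found'
}

# Container-side prerequisites the unit needs before it can start at all.
pid1_is_systemd() {
  [ "$(cat /proc/1/comm 2>/dev/null)" = systemd ]
}
cgroup_is_mounted() {
  grep -q ' /sys/fs/cgroup ' /proc/mounts 2>/dev/null
}

# Demo on constructed input: a fake unit file and an empty placeholder file
# standing in for libc++.so.1. Run with: sh this_script.sh run
if [ "${1:-}" = run ]; then
  demo=$(mktemp -d)
  mkdir -p "$demo/lib"
  : > "$demo/lib/libc++.so.1"   # constructed placeholder, not a real library
  printf '[Service]\nEnvironment=LD_LIBRARY_PATH=%s/lib/\n' "$demo" > "$demo/mdatp.service"
  apply_unit_env "$demo/mdatp.service"
  echo "LD_LIBRARY_PATH from unit: $LD_LIBRARY_PATH"
  find_lib_in_path libc++.so.1 "$LD_LIBRARY_PATH" && echo "libc++.so.1 resolves via LD_LIBRARY_PATH"
  pid1_is_systemd && echo "PID 1 is systemd" || echo "PID 1 is not systemd"
  cgroup_is_mounted && echo "/sys/fs/cgroup is mounted" || echo "/sys/fs/cgroup is not mounted"
  rm -rf "$demo"
fi
```

On a real host the same check against the actual unit is `apply_unit_env /usr/lib/systemd/system/mdatp.service` followed by `unresolved_deps /opt/microsoft/mdatp/sbin/crashpad_handler`; if that prints nothing, the loader error came from the environment of the calling shell rather than from the package, which is what the first comment above suggests.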

0 Answers