Installer command-line options for Linux
The Sophos Protection for Linux (SPL) installer allows you to use command-line options and environment variables to modify the installation.
Tip
Environment variables go before the installer command and command-line options go after it. See Linux examples.
Prerequisites
Before you install SPL, you must download SophosSetup.sh from Sophos Central and make the file executable. See Download and run the Linux Server installer.
Your Linux devices must be able to communicate with Sophos Central Admin during installation and while the Server Protection agent is running. See Domains and ports to allow.
Environment variables
You can use environment variables to customize your environment during installation.
Note
You must enter environment variables before running the installer. See Linux examples.
TMPDIR
Sets a different temporary directory for the installer to use during the installation process. You can use this while running SophosSetup.sh when /tmp on a device isn't mounted as executable.
TMPDIR=<path to directory>
Note
This environment variable only sets the path to a temporary directory for the installer. It doesn't change the installation directory. See Installation directory.
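As an added example (not part of the Sophos documentation or the installer), the following shell functions check whether a directory sits on a noexec mount and print the TMPDIR= assignment to use when it does. The function names, the /proc/mounts parsing, and the sample mount table are assumptions made for the illustration; /sophostmp is the directory used in Linux examples.

```sh
#!/bin/sh
# Added example (not Sophos code): work out whether the installer needs a
# TMPDIR= prefix because the default temp directory is mounted noexec.

# mount_opts_for DIR [MOUNTS_FILE]: print the mount options of the filesystem
# holding DIR (longest matching mount point in a /proc/mounts-format file).
mount_opts_for() {
    awk -v dir="$1" '
        $2 == dir || $2 == "/" || index(dir, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec OPTIONS: succeed if the comma-separated list contains noexec.
is_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# tmpdir_prefix DEFAULT_DIR ALT_DIR [MOUNTS_FILE]: print the TMPDIR= assignment
# to place before the installer command, or nothing if DEFAULT_DIR is usable.
# Fails when ALT_DIR is on a noexec mount too.
tmpdir_prefix() {
    mounts=${3:-/proc/mounts}
    is_noexec "$(mount_opts_for "$1" "$mounts")" || return 0
    if is_noexec "$(mount_opts_for "$2" "$mounts")"; then
        echo "$2 is also on a noexec mount" >&2
        return 1
    fi
    printf 'TMPDIR=%s\n' "$2"
}

# Constructed sample in /proc/mounts format: /tmp hardened with noexec.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF

# Dry run against the sample: only prints the command that would be used.
if prefix=$(tmpdir_prefix /tmp /sophostmp "$SAMPLE_MOUNTS"); then
    echo "sudo $prefix ./SophosSetup.sh"
fi
```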
Debug thin installer
Run SophosSetup.sh in debug mode for troubleshooting. Use this when Sophos Support asks for logs. 1 is on, and 0 is off.
DEBUG_THIN_INSTALLER={1 | 0}
To collect the output in a log file, you must redirect the output to a file or set OVERRIDE_INSTALLER_CLEANUP to 1. See Linux examples.
Tip
For help resolving installation errors, see Troubleshooting Sophos Protection for Linux.
Override installer cleanup
Prevents the installer from deleting /tmp/SophosCentralInstall_<uuid> after installation. You can use the installation logs in this directory for troubleshooting. 1 is on, and 0 is off.
OVERRIDE_INSTALLER_CLEANUP={1 | 0}
Basic Linux command-line options
Tip
You enter command-line options after the SophosSetup.sh command.
Help
Shows the SophosSetup.sh help text.
--help
Version
Shows the version of SophosSetup.sh.
--version
Force
Forces the installation even if the installer detected that Sophos products are already on the device. You can use this command to attempt to fix a broken installation.
--force
Group
Adds the device to a specific group in Sophos Central. You can also use this option to add the device to a subgroup.
--group=<Central group>
--group=<Central group>\<Central subgroup>
Trailing arguments
The group or subgroup to join. If it doesn't exist, the installer creates it.
Test
Runs the pre-installation checks and prints the results. Doesn't install SPL.
--test
Tip
You can get more details by running the installer in debug mode. See Debug thin installer.
No test
Installs SPL without running any pre-installation checks. You can use this when the pre-installation checks prevent the installer from running in an environment that meets the system requirements.
--notest
Advanced Linux command-line options
The Server Protection for Linux installer supports advanced command-line options. You can use these to customize your installation.
Products
Specifies a list of products to install. If you specify a product you don't have a license for, it isn't installed.
--products=<comma-separated list of products>
Trailing arguments
A list of products to install, separated by commas.
Available options are antivirus, mdr, and xdr.
Installation directory
By default, SPL installs to /opt/sophos-spl/. This command creates /sophos-spl/ in the specified directory and installs SPL to that location.
--install-dir=<path to installation directory>
Trailing arguments
The path where you want the installer to create the /sophos-spl directory.
Note
If the /sophos-spl directory already exists in that location or SPL is installed in another location on the Linux device, the installation will fail.
User ID
Sets the User IDs (UID) for the Sophos user accounts created during installation.
--user-ids-to-configure=<username>:<uid>
Trailing arguments
Comma-separated list of user IDs you want to configure in the following format: <user1>:<uid1>,<user2>:<uid2>,<user3>:<uid3>, and so on.
Restriction
This command only affects the Sophos user accounts, sophos-spl-av, sophos-spl-local, sophos-spl-threat-detector, sophos-spl-updatescheduler, and sophos-spl-user. The command ignores all other user accounts.
Group ID
Sets the group ID (GID) for the Sophos groups created during installation.
--group-ids-to-configure=<group name>:<gid>
Trailing arguments
Comma-separated list of GIDs you want to assign in the following format:
<group1>:<gid1>,<group2>:<gid2>
Restriction
This command only affects the Sophos groups, sophos-spl-group and sophos-spl-ipc. The command ignores all other groups.
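As an added example (not part of the Sophos documentation or the installer), the following shell function pre-checks a value for --user-ids-to-configure or --group-ids-to-configure, as described under User ID and Group ID: it rejects names outside the Sophos lists above, non-numeric or repeated IDs, and IDs already held by a different entry on the host. The function name, the sample passwd data, and the example IDs are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not Sophos code: pre-check a value for
# --user-ids-to-configure or --group-ids-to-configure.

# Names from the page's Restriction notes.
SPL_USERS="sophos-spl-av sophos-spl-local sophos-spl-threat-detector sophos-spl-updatescheduler sophos-spl-user"
SPL_GROUPS="sophos-spl-group sophos-spl-ipc"

# check_ids SPEC ALLOWED_NAMES DB_FILE
# SPEC is <name>:<id>,<name>:<id>,... and DB_FILE is in /etc/passwd or
# /etc/group format (name in field 1, numeric ID in field 3). Succeeds only
# if every name is a Sophos one, every ID is numeric and listed once, and no
# ID is already held by a differently named entry in DB_FILE.
check_ids() {
    spec=$1 allowed=$2 db=$3 seen="" rc=0
    old_ifs=$IFS; IFS=,; set -f        # split on commas, no globbing
    for pair in $spec; do
        name=${pair%%:*} id=${pair#*:}
        case " $allowed " in
            *" $name "*) ;;
            *) echo "$name: not a Sophos name, installer ignores it" >&2; rc=1 ;;
        esac
        case $id in
            ''|*[!0-9]*) echo "$pair: ID is not numeric" >&2; rc=1; continue ;;
        esac
        case " $seen " in
            *" $id "*) echo "$id: assigned more than once" >&2; rc=1 ;;
        esac
        seen="$seen $id"
        owner=$(awk -F: -v id="$id" '$3 == id { print $1; exit }' "$db")
        if [ -n "$owner" ] && [ "$owner" != "$name" ]; then
            echo "$id: already used by $owner" >&2; rc=1
        fi
    done
    set +f; IFS=$old_ifs
    return "$rc"
}

# Constructed passwd-format sample: UID 1500 already belongs to postgres.
SAMPLE_PASSWD=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
    'postgres:x:1500:1500::/var/lib/postgresql:/bin/sh' > "$SAMPLE_PASSWD"

# Dry run: print the installer command only if the list passes.
USER_IDS="sophos-spl-av:1600,sophos-spl-user:1601"
if check_ids "$USER_IDS" "$SPL_USERS" "$SAMPLE_PASSWD"; then
    echo "sudo ./SophosSetup.sh --user-ids-to-configure=$USER_IDS"
fi
```

For the group option, pass "$SPL_GROUPS" and a group-format file such as /etc/group as the second and third arguments.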
Override hostname
Overrides the name of the Linux device to be used in Sophos Central.
--override-hostname=<name>
Trailing argument
Replace <name> with the host name you want Sophos Central to show.
Linux examples
Uninstall Sophos Anti-Virus for Linux and install Sophos Protection for Linux:
sudo ./SophosSetup.sh --uninstall-sav
Install into a subgroup (the value is quoted so that the shell passes the backslash through to the installer):
sudo ./SophosSetup.sh --group='LinuxServers\MailServers'
Set the temporary directory to /sophostmp and install SPL into the /serverprotection/sophos-spl/ directory:
sudo TMPDIR=/sophostmp ./SophosSetup.sh --install-dir=/serverprotection
Run the pre-installation checks and print the output without installing SPL:
sudo ./SophosSetup.sh --test
Turn off installer cleanup, turn debug mode on, run the installer using the verbose shell option, combine stderr and stdout into the stdout stream, and write the output to install.log:
sudo OVERRIDE_INSTALLER_CLEANUP=1 DEBUG_THIN_INSTALLER=1 bash -x ./SophosSetup.sh 2>&1 | tee install.log
Message relays and update caches
SophosSetup.sh includes a list of all relays and caches configured in Sophos Central.
During installation, the Linux device compares the IP addresses of all the message relay and update cache servers to the device's IP address and orders them according to how closely they match. For example, if the Linux device is 192.168.1.10, and the message relays are 192.168.1.154 and 192.168.1.228, the device will contact 192.168.1.154 first because it's numerically closer. The installer uses the closest cache to install Sophos Protection for Linux and the closest relay to communicate with Sophos Central. If the Linux device can't reach any cache or relay, it contacts Sophos Central directly.
You can override this behavior using the --message-relays and --update-caches commands. These commands change the behavior during installation and force the installer to use the message relays and update caches you specify. After installation, the agent will leverage the closest message relay and update cache for communications.
You can also manually assign a Linux device to a message relay or update cache in Central. See Assign computers to a cache/relay.
Message relay
You can use this command to override the installer's built-in list of message relays.
--message-relays={none | <ipaddress:port>...}
Here's an example:
--message-relays=IPADDRESS:8190
Note
The default port for message relays is 8190.
Trailing arguments
Comma-separated list of message relay IP addresses, including the port, in the following format:
<ipaddress1:port>,<ipaddress2:port>,
Use none if you want the Linux device to contact Sophos Central directly.
Update cache
You can use this command to override the installer's built-in list of update caches.
--update-caches={none | <ipaddress:port>...}
Here's an example:
--update-caches=IPADDRESS:8191
Note
The default port for update caches is 8191.
Trailing arguments
Comma-separated list of update cache IP addresses, including the port, in the following format:
<ipaddress1:port>,<ipaddress2:port>,
Use none if you want the Linux device to contact Sophos Central directly.
Sophos Protection for Linux and auditd
By default, we turn off auditd. This means that you can query historical event data in Live Discover. However, if you turn off auditd, you won't receive audit events in your systemd journal logs. You normally access these logs using the journalctl command.
Turning off auditd can affect third-party tools that utilize audit events in the system journal logs. If needed, you can turn on auditd using --do-not-disable-auditd. However, this reduces the data you can query, as it won't contain historical event data. Some examples of historical event data that this affects are as follows:
- Some evented tables when running endpoint queries with Live Discover.
- Some Data Lake queries that leverage event information may also be affected.
Turning off auditd doesn't affect all historical data. Non-evented tables are still accessible on the endpoint. In addition, AV runtime detection event data and other Data Lake queries in Live Discover will still function.
Uninstalling Sophos Protection for Linux doesn't change your auditd setting. If you've turned off auditd, it remains turned off. Re-registering the product won't change the auditd settings.
You can use the following commands to manage auditd settings during installation:
Disable auditd
Turns off auditd on the device so that Sophos Protection for Linux can subscribe to the audit netlink and provide historical event data for Live Discover. This is set by default.
--disable-auditd
Do not disable auditd
Turns auditd on or leaves it on if it's already on. Using this option reduces the data you can query because it won't contain historical event data.
--do-not-disable-auditd