Skip to content
For help with the Sophos Protection for Linux agent on your devices, see Sophos Protection for Linux help.

Installer command-line options for Linux

The Sophos Protection for Linux (SPL) installer allows you to use command-line options and environment variables to modify the installation.

Tip

Environment variables go before the installer command and command-line options go after it. See Linux examples.

Prerequisites

Before you install SPL, you must download SophosSetup.sh from Sophos Central and make the file executable. See Download and run the Linux Server installer.

Your Linux devices must be able to communicate with Sophos Central Admin during installation and while the Server Protection agent is running. See Domains and ports to allow.

Environment variables

You can use environment variables to customize your environment during installation.

Note

You must enter environment variables before running the installer. See Linux examples.

TMPDIR

Sets a different temporary directory for the installer to use during the installation process. You can use this while running SophosSetup.sh when /tmp on a device isn't mounted as executable.

TMPDIR=<path to directory>

Note

This environment variable only sets the path to a temporary directory for the installer. It doesn't change the installation directory. See Installation directory.

Debug thin installer

Run SophosSetup.sh in debug mode for troubleshooting. Use this when Sophos Support asks for logs. 1 is on, and 0 is off.

DEBUG_THIN_INSTALLER={1 | 0}

To collect the output in a log file, you must redirect the output to a file or set OVERRIDE_INSTALLER_CLEANUP to 1. See Linux examples.

Tip

For help resolving installation errors, see Troubleshooting Sophos Protection for Linux.

Override installer cleanup

Prevents the installer from deleting /tmp/SophosCentralInstall_<uuid> after installation. You can use the installation logs in this directory for troubleshooting. 1 is on, and 0 is off.

OVERRIDE_INSTALLER_CLEANUP={1 | 0}

Basic Linux command-line options

Tip

You enter command-line options after the sophossetup.sh command.

Help

Shows the SophosSetup.sh help text.

--help

Version

Shows the version of SophosSetup.sh.

--version

Force

Forces the installation even if the installer detected that Sophos products are already on the device. You can use this command to attempt to fix a broken installation.

--force

Group

Adds the device to a specific group in Sophos Central. You can also use this option to add the device to a subgroup.

  • --group=<Central group>
  • --group=<Central group>\<Central subgroup>

Trailing arguments

The group or subgroup to join. If it doesn't exist, the installer creates it.

Test

Runs the pre-installation checks and prints the results. Doesn't install SPL.

--test

Tip

You can get more details by running the installer in debug mode. See Debug thin installer.

No test

Installs SPL without running any pre-installation checks. You can use this when the pre-installation checks prevent the installer from running in an environment that meets the system requirements.

--notest

Advanced Linux command-line options

The Server Protection for Linux installer supports advanced command-line options. You can use these to customize your installation.

Products

Specifies a list of products to install. If you specify a product you don't have a license for, it isn't installed.

--products=<comma-separated list of products>

Trailing arguments

A list of products to install, separated by commas.

Available options are antivirus, mdr, and xdr.

Installation directory

By default, SPL installs to /opt/sophos-spl/. This command creates /sophos-spl/ in the specified directory and installs SPL to that location.

--install-dir=<path to installation directory>

Trailing arguments

The path where you want the installer to create the /sophos-spl directory.

Note

If the /sophos-spl directory already exists in that location or SPL is installed in another location on the Linux device, the installation will fail.

User ID

Sets the User IDs (UID) for the Sophos user accounts created during installation.

--user-ids-to-configure=<username>:<uid>

Trailing arguments

Comma-separated list of user IDs you want to configure in the following format:

<user1>:<uid1>,<user2>:<uid2>,<user3>:<uid3>, and so on.

Restriction

This command only affects the Sophos user accounts, sophos-spl-av, sophos-spl-local, sophos-spl-threat-detector, sophos-spl-updatescheduler, and sophos-spl-user. The command ignores all other user accounts.

Group ID

Sets the group ID (GID) for the Sophos groups created during installation.

--group-ids-to-configure=<group name>:<gid>

Trailing arguments

Comma-separated list of GIDs you want to assign in the following format:

<group1>:<gid1>,<group2>:<gid2>

Restriction

This command only affects the Sophos groups, sophos-spl-group and sophos-spl-ipc. The command ignores all other groups.

Override hostname

Overrides the name of the Linux device to be used in Sophos Central.

--override-hostname=<name>

Trailing argument

Replace <name> with the host name you want Sophos Central to show.

Linux examples

Uninstall Sophos Anti-Virus for Linux and install Sophos Protection for Linux:

sudo ./SophosSetup.sh --uninstall-sav

Install into a subgroup:

sudo ./SophosSetup.sh --group=LinuxServers\MailServers

Set the temporary directory to /sophostmp and install SPL into the /serverprotection/sophos-spl/ directory:

sudo TMPDIR=/sophostmp ./SophosSetup.sh --install-dir=/serverprotection

Run the pre-installation checks and print the output without installing SPL:

sudo ./SophosSetup.sh --test

Turn off installer cleanup, turn debug mode on, run the installer using the verbose shell option, combine stderr and stdout into the stdout stream, and write the output to install.log:

sudo OVERRIDE_INSTALLER_CLEANUP=1 DEBUG_THIN_INSTALLER=1 bash -x ./SophosSetup.sh 2>&1 | tee install.log

Message relays and update caches

SophosSetup.sh includes a list of all relays and caches configured in Sophos Central.

During installation, the Linux device compares the IP addresses of all the message relay and update cache servers to the device's IP address and orders them according to how closely they match. For example, if the Linux device is 192.168.1.10, and the message relays are 192.168.1.154 and 192.168.1.228, the device will contact 192.168.1.154 first because it's numerically closer. The installer uses the closest cache to install Sophos Protection for Linux and the closest relay to communicate with Sophos Central. If the Linux device can't reach any cache or relay, it contacts Sophos Central directly.

You can override this behavior using the --message-relays and --update-caches commands. These commands change the behavior during installation and force the installer to use the message relays and update caches you specify. After installation, the agent will leverage the closest message relay and update cache for communications.

You can also manually assign a Linux device to a message relay or update cache in Central. See Assign computers to a cache/relay.

Message relay

You can use this command to override the installer's built-in list of message relays.

--message-relays={none | <ipaddress:port>...}

Here's an example:

--message-relays=IPADDRESS:8190

Note

The default port for message relays is 8190.

Trailing arguments

Comma-separated list of message relay IP addresses, including the port, in the following format:

<ipaddress1:port>,<ipaddress2:port>,

Use none if you want the Linux device to contact Sophos Central directly.

Update cache

You can use this command to override the installer's built-in list of update caches.

--update-caches={none | <ipaddress:port>...}

Here's an example:

--update-caches=IPADDRESS:8191

Note

The default port for update caches is 8191.

Trailing arguments

Comma-separated list of update cache IP addresses, including the port, in the following format:

<ipaddress1:port>,<ipaddress2:port>,

Use none if you want the Linux device to contact Sophos Central directly.

Sophos Protection for Linux and auditd

By default, we turn off auditd. This means that you can query historical event data in Live Discover. However, if you turn off auditd, you won't receive audit events in your systemd journal logs. You normally access these logs using the journalctl command.

Turning off auditd can affect third-party tools that utilize audit events in the system journal logs. If needed, you can turn on auditd using --do-not-disable-auditd. However, this reduces the data you can query, as it won't contain historical event data. Some examples of historical event data that this affects are as follows:

  • Some evented tables when running endpoint queries with Live Discover.
  • Some Data Lake queries that leverage event information may also be affected.

Turning off auditd doesn't affect all historical data. Non-evented tables are still accessible on the endpoint. In addition, AV runtime detection event data and other Data Lake queries in Live Discover will still function.

Uninstalling Sophos Protection for Linux doesn't change your auditd setting. If you've turned off auditd, it remains turned off. Re-registering the product won't change the auditd settings.

You can use the following commands to manage auditd settings during installation:

Disable auditd

Turns off auditd on the device so that Sophos Protection for Linux can subscribe to the audit netlink and provide historical event data for Live Discover. This is set by default.

--disable-auditd

Do not disable auditd

Turns auditd on or leaves it on if it's already on. Using this option reduces the data you can query because it won't contain historical event data.

--do-not-disable-auditd