
Download a custom profile from Sophos Central

You can download custom detection profiles from Sophos Central and use them with Sophos Linux Sensor (SLS). This is an alternative to creating a new policy from scratch.

Warning

Creating custom profiles leverages the Cloud Native Security Linux runtime detection profile in Sophos Central. This allows you to create overrides for default content and rules created by SophosLabs. Sophos supports only unmodified default detection content files but allows for users to apply overrides using the runtimedetections-rules.yaml file. For assistance with modified content and custom detections, contact Sophos Professional Services.

Requirements

You must have a Cloud Native Security Linux runtime detection profile in Sophos Central. If you don't have any profiles, you must create a new one and configure the profile to suit your environment. See the following links:

Download the custom profile

  1. Sign in to Sophos Central.
  2. Go to My Products > Cloud Native Security > Profiles.
  3. Click the Actions button.
  4. Select Export Latest Version to save the profile to your device.

    Tip

    You can also click the profile you want to use and click the download arrow to download the profile to your device.

  5. Rename the file to runtimedetections-rules.yaml. You can now add your custom policy to your sensors.

    Example runtimedetections-rules.yaml file.

    Chmod of SSH Authorized Keys:
      enabled: true
    Chown of SSH Authorized Keys:
      enabled: true
    Suspicious_Interactive_Shell-parentProgramName-allowList:
      operations:
        - behavior: remove
          list:
            - /usr/bin/sshd
            - /usr/sbin/sshd
    Suspicious_Interactive_Shell-parentProgramName-blockList:
      operations:
        - behavior: add
          list:
            - /bin/sh
    

Add the file to SLS

Once you've created and downloaded the custom policy, you must add it to your sensors so that they can apply the custom configuration to the existing content. See Before you start.

The following sections give instructions for each deployment type: Linux device, Docker container, Kubernetes manifest file, and Kubernetes ConfigMap.

To use custom detection policies with SLS on a Linux device, add runtimedetections-rules.yaml to the /etc/sophos/ directory. Do as follows:

  1. Place the runtimedetections-rules.yaml file in the /etc/sophos/ directory on your Linux devices.
  2. Run the following command to restart SLS:

    sudo systemctl restart sophoslinuxsensor
    

When you run the sensor container (see Run the Sensor container), the commands you run mount host paths, including /etc/sophos, so that they are accessible inside the container. Do as follows:

  1. Place the runtimedetections-rules.yaml file in the /etc/sophos/ directory created during deployment. See Deployment.
  2. Restart the Docker container.

If you're running a single manifest file and want to add or update runtimedetections-rules.yaml, you can add the configuration to the manifest file created during the installation process.

Note

If you don't want to edit the manifest file, follow the Kubernetes ConfigMap instructions below to create a ConfigMap instead.

To edit the manifest file, do as follows:

  1. Open runtimedetections-rules.yaml in a text editor.
  2. Copy the contents.
  3. Open kubernetes-manifest.yaml in a text editor.
  4. Locate the following lines:

    data:
      runtimedetections-rules.yaml: |
        # Blank, no custom rules. sophos-linux-content will still be used.
        # This file must be present when policy_input is unavailable
    
  5. Paste the content from runtimedetections-rules.yaml after these lines.

    Warning

    When you paste the content, make sure the indentation of every pasted line matches the # on the preceding lines: the value is a YAML block scalar, so any line indented less than those comments ends the block and breaks the manifest. You must also be careful not to overwrite the runtimedetections.yaml section that follows these lines.

  6. Save your changes to kubernetes-manifest.yaml.

  7. Apply the new manifest file by running the following command, replacing <filepath> with the path to your manifest file:

    kubectl apply -f <filepath>/kubernetes-manifest.yaml
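The merge described in the steps above can be scripted so the indentation is never pasted by hand. The following is an added example and not Sophos tooling: it inserts the downloaded runtimedetections-rules.yaml after the two placeholder comment lines, reusing their leading spaces as the indentation for every rule line, refuses a rules file that contains tabs (YAML does not allow them for indentation), and then checks that the runtimedetections.yaml key still follows the rules key. The sample manifest and rules file are constructed inline from the fragments shown on this page; the runtimedetections.yaml body is a placeholder.

```shell
#!/bin/sh
# Added example, not Sophos' own tooling: merge a downloaded
# runtimedetections-rules.yaml into the kubernetes-manifest.yaml "data:"
# section. Every rule line is indented to the same column as the two "#"
# comment lines, so the YAML block scalar stays valid and the
# runtimedetections.yaml section that follows is left untouched.
set -eu

# Print the manifest with the rules inserted after the placeholder comment.
# $1 = path to kubernetes-manifest.yaml, $2 = path to runtimedetections-rules.yaml
merge_rules_into_manifest() {
    manifest=$1
    rules=$2
    # YAML forbids tabs for indentation; a tab anywhere in the rules file
    # would corrupt the block scalar, so refuse it up front.
    if grep -q "$(printf '\t')" "$rules"; then
        echo "refusing to merge: $rules contains tab characters" >&2
        return 1
    fi
    awk -v rules="$rules" '
        /^ *# This file must be present when policy_input is unavailable/ {
            print
            # Reuse the comment line leading spaces as the rule indentation.
            match($0, /^ */)
            indent = substr($0, 1, RLENGTH)
            while ((getline line < rules) > 0) print indent line
            close(rules)
            next
        }
        { print }
    ' "$manifest"
}

# Post-merge check: both ConfigMap keys are still present, in the original
# order, so the runtimedetections.yaml section was not overwritten.
verify_merged_manifest() {
    rules_line=$(grep -n '^  runtimedetections-rules.yaml: |' "$1" | cut -d: -f1)
    config_line=$(grep -n '^  runtimedetections.yaml: |' "$1" | cut -d: -f1)
    [ -n "$rules_line" ] && [ -n "$config_line" ] && [ "$rules_line" -lt "$config_line" ]
}

# Constructed sample input that mirrors the manifest fragment and the rules
# example on this page; the runtimedetections.yaml body is a placeholder.
workdir=$(mktemp -d)
cat > "$workdir/kubernetes-manifest.yaml" <<'EOF'
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sensor-linux-sensor-config
data:
  runtimedetections-rules.yaml: |
    # Blank, no custom rules. sophos-linux-content will still be used.
    # This file must be present when policy_input is unavailable
  runtimedetections.yaml: |
    # constructed placeholder for the sensor configuration
EOF
cat > "$workdir/runtimedetections-rules.yaml" <<'EOF'
Chmod of SSH Authorized Keys:
  enabled: true
Suspicious_Interactive_Shell-parentProgramName-blockList:
  operations:
    - behavior: add
      list:
        - /bin/sh
EOF

merge_rules_into_manifest "$workdir/kubernetes-manifest.yaml" \
    "$workdir/runtimedetections-rules.yaml" > "$workdir/merged.yaml"
verify_merged_manifest "$workdir/merged.yaml"
# Review "$workdir/merged.yaml", then apply it with:
#   kubectl apply -f "$workdir/merged.yaml"
```

Run the script, inspect the merged file, and only then apply it with kubectl. Because the indentation is taken from the comment lines rather than hard-coded, the same script works if the manifest uses a different indent width.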
    

If you don't want to edit kubernetes-manifest.yaml, you can create a ConfigMap based on the runtimedetections.yaml and runtimedetections-rules.yaml files. Do as follows:

  1. Open kubernetes-manifest.yaml in a text editor.
  2. Locate the following line:

      runtimedetections.yaml: |
    
  3. Copy all of the content that follows it.

  4. Create a file named runtimedetections.yaml. The location doesn't matter.
  5. Paste the content copied from kubernetes-manifest.yaml into the new runtimedetections.yaml file.
  6. Save your changes.
  7. Go back to kubernetes-manifest.yaml.
  8. Locate the following line:

    data:
    
  9. Delete that line and all the content that follows it.

    Example

    The last lines of kubernetes-manifest.yaml are now as follows:

    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: sensor-linux-sensor-config
    
  10. Save your changes.

  11. Run the following command to create the ConfigMap, referencing the runtimedetections.yaml file you created earlier and the runtimedetections-rules.yaml file you created from the downloaded Sophos Central profile:

    kubectl create configmap sensor-linux-sensor-config --from-file runtimedetections.yaml --from-file runtimedetections-rules.yaml
    

    Note

    You can use kubectl commands to verify the ConfigMap content or delete your ConfigMap before making changes. See kubectl (Kubernetes).
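Steps 1 to 9 of the ConfigMap procedure are a mechanical split of the manifest, so they can be scripted and checked before anything is applied. The following is an added example, not Sophos tooling: it copies everything under the runtimedetections.yaml key into a standalone file with the manifest indentation removed, and truncates the manifest before its data: line so that it ends exactly as in the example above. The sample manifest is constructed inline; its runtimedetections.yaml body is a placeholder rather than real sensor configuration. kubectl is shown in a comment and never executed by the script.

```shell
#!/bin/sh
# Added example, not Sophos' own tooling: split kubernetes-manifest.yaml the
# way the ConfigMap procedure describes. The runtimedetections.yaml block
# scalar is copied out with its manifest indentation removed, and the
# manifest is cut off before its "data:" line. kubectl is never run here, so
# the split can be checked offline before anything is applied.
set -eu

# $1 = path to kubernetes-manifest.yaml, $2 = output directory.
# Writes $2/runtimedetections.yaml and $2/kubernetes-manifest.yaml.
split_manifest_for_configmap() {
    manifest=$1
    outdir=$2
    # Everything after "runtimedetections.yaml: |" belongs to that key. The
    # first non-blank line fixes the indentation that is stripped from all
    # lines; a line indented no deeper than the key would end the scalar.
    awk '
        BEGIN { inblock = 0; bodyindent = -1 }
        /^ *runtimedetections\.yaml: \|/ {
            match($0, /^ */); keyindent = RLENGTH; inblock = 1; next
        }
        inblock {
            if ($0 == "") { print ""; next }
            match($0, /^ */)
            if (RLENGTH <= keyindent) { inblock = 0; next }
            if (bodyindent < 0) bodyindent = RLENGTH
            print substr($0, bodyindent + 1)
        }
    ' "$manifest" > "$outdir/runtimedetections.yaml"
    # Keep the manifest up to, but not including, the data: line.
    awk '/^data:/ { exit } { print }' "$manifest" > "$outdir/kubernetes-manifest.yaml"
}

# Constructed sample manifest; the runtimedetections.yaml body is a
# placeholder, not real sensor configuration.
workdir=$(mktemp -d)
mkdir "$workdir/out"
cat > "$workdir/kubernetes-manifest.yaml" <<'EOF'
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sensor-linux-sensor-config
data:
  runtimedetections-rules.yaml: |
    # Blank, no custom rules. sophos-linux-content will still be used.
    # This file must be present when policy_input is unavailable
  runtimedetections.yaml: |
    # constructed placeholder for the sensor configuration
    placeholder_block:
      placeholder_key: value
EOF

split_manifest_for_configmap "$workdir/kubernetes-manifest.yaml" "$workdir/out"
# With the downloaded rules file copied into "$workdir/out", create the
# ConfigMap as in step 11 on this page:
#   cd "$workdir/out" && kubectl create configmap sensor-linux-sensor-config \
#       --from-file runtimedetections.yaml --from-file runtimedetections-rules.yaml
```

After running the script, compare the generated runtimedetections.yaml against the original manifest to confirm nothing was lost in the dedent, then copy the downloaded runtimedetections-rules.yaml alongside it and run the kubectl create configmap command from step 11.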
