Download a custom profile from Sophos Central
You can download custom detection profiles from Sophos Central and use them with Sophos Linux Sensor (SLS). This is an alternative to creating a new policy from scratch.
Warning
Custom profiles are built on the Cloud Native Security Linux runtime detection profile in Sophos Central, which lets you create overrides for the default content and rules created by SophosLabs. Sophos supports only unmodified default detection content files, but allows you to apply overrides using the runtimedetections-rules.yaml file. For assistance with modified content and custom detections, contact Sophos Professional Services.
Requirements
You must have a Cloud Native Security Linux runtime detection profile in Sophos Central. If you don't have any profiles, you must create a new one and configure the profile to suit your environment. See the following links:
Download the custom profile
- Sign in to Sophos Central.
- Go to My Products > Cloud Native Security > Profiles.
- Click the Actions button.
- Select Export Latest Version to save the profile to your device.
Tip
You can also click the profile you want to use and then click the download arrow to download the profile to your device.
- Rename the file to runtimedetections-rules.yaml. You can now add your custom policy to your sensors.
Example
An example runtimedetections-rules.yaml file. It enables the two SSH authorized-keys rules, removes the sshd binaries from the parent-program allow list of the Suspicious Interactive Shell detection (so shells spawned by sshd are no longer exempt), and adds /bin/sh to its block list:
Chmod of SSH Authorized Keys:
  enabled: true
Chown of SSH Authorized Keys:
  enabled: true
Suspicious_Interactive_Shell-parentProgramName-allowList:
  operations:
    - behavior: remove
      list:
        - /usr/bin/sshd
        - /usr/sbin/sshd
Suspicious_Interactive_Shell-parentProgramName-blockList:
  operations:
    - behavior: add
      list:
        - /bin/sh
Add the file to SLS
Once you've created and downloaded the custom policy, you must add it to your sensors so that they can apply the custom configuration to the existing content. See Before you start.
Click the appropriate tab for instructions.
To use custom detection policies with SLS on a Linux device, add runtimedetections-rules.yaml to the /etc/sophos/ directory. Do as follows:
- Place the runtimedetections-rules.yaml file in the /etc/sophos/ directory on your Linux devices.
- Run the following command to restart SLS:
sudo systemctl restart sophoslinuxsensor
When you run the sensor container (see Run the Sensor container), you run commands that mount file paths so that they're accessible in the container. This includes /etc/sophos. Do as follows:
- Place the runtimedetections-rules.yaml file in the /etc/sophos/ directory created during deployment. See Deployment.
- Restart the Docker container.
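The following script is an added example for the two steps above (host and Docker-based sensors); it is not Sophos tooling. It stages an exported profile as runtimedetections-rules.yaml, refuses files that are empty, tab-indented or group/world-writable (the override file can disable rules or allowlist a parent program, so nobody but root should be able to write it), and restarts the sensor. The path /etc/sophos, the file name and the unit name sophoslinuxsensor are the ones this page gives. The lint only knows the two rule shapes in the page's example (enabled:, and operations: with behavior: add or remove); that restriction is an assumption of the example, so treat anything else it rejects as "review by hand".

```shell
#!/bin/sh
# Added example (not Sophos tooling): stage a profile exported from Sophos
# Central as /etc/sophos/runtimedetections-rules.yaml on an SLS host.
# Assumption: the only behavior values are add/remove, as in the page's example.
set -eu

# lint_rules FILE: structural sanity checks on an override file. Returns 1 on
# the first problem so a typo does not silently become a misread override.
lint_rules() {
  f=$1
  [ -s "$f" ] || { echo "lint: $f is missing or empty" >&2; return 1; }
  # At least one top-level rule key: no leading whitespace, ends in ':'.
  grep -Eq '^[^[:space:]#][^:]*:[[:space:]]*$' "$f" \
    || { echo "lint: no top-level rule keys in $f" >&2; return 1; }
  # YAML indentation must be spaces; a stray tab breaks the whole file.
  if grep -q "$(printf '\t')" "$f"; then
    echo "lint: tab indentation in $f" >&2; return 1
  fi
  # Only the behaviors the page's example uses (assumption, see header).
  bad=$(grep -E '^[[:space:]]*-?[[:space:]]*behavior:' "$f" \
        | grep -Ev 'behavior:[[:space:]]*(add|remove)[[:space:]]*$' || true)
  if [ -n "$bad" ]; then
    echo "lint: unexpected behavior value(s) in $f:" >&2
    printf '%s\n' "$bad" >&2
    return 1
  fi
}

# check_not_writable FILE: fail if the group or other write bit is set.
check_not_writable() {
  mode=$(stat -c '%a' "$1")      # GNU stat; octal such as 644
  if [ $(( 0$mode & 022 )) -ne 0 ]; then
    echo "perms: $1 is group- or world-writable (mode $mode)" >&2
    return 1
  fi
}

# stage_rules SRC [DESTDIR]: lint SRC and install it as
# DESTDIR/runtimedetections-rules.yaml with mode 0644 (DESTDIR defaults to
# /etc/sophos). Prints the installed path. Run as root for the real directory.
stage_rules() {
  src=$1
  destdir=${2:-/etc/sophos}
  dest="$destdir/runtimedetections-rules.yaml"
  lint_rules "$src"
  mkdir -p "$destdir"
  install -m 0644 "$src" "$dest"
  check_not_writable "$dest"
  printf '%s\n' "$dest"
}

# deploy_rules SRC: stage into /etc/sophos and restart the sensor so the
# override is loaded (the restart command is the one the page gives).
deploy_rules() {
  stage_rules "$1" /etc/sophos
  sudo systemctl restart sophoslinuxsensor
  sudo systemctl is-active --quiet sophoslinuxsensor \
    && echo "sophoslinuxsensor restarted with new rules"
}

# Usage on a host:       deploy_rules ./runtimedetections-rules.yaml
# Docker-based sensor:   stage_rules ./runtimedetections-rules.yaml /etc/sophos
#                        docker restart <sensor-container>
```

For a Docker-based sensor, stage the file into the /etc/sophos/ directory that is bind-mounted into the container and restart the container instead of the systemd unit; the permission check matters just as much there, because the mounted file is what the sensor reads.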
If you're running a single manifest file and want to add or update runtimedetections-rules.yaml, you can add the configuration to the manifest file created during the installation process.
Note
If you don't want to edit the manifest file, click the "Kubernetes ConfigMap" tab to create a ConfigMap instead.
To edit the manifest file, do as follows:
- Open runtimedetections-rules.yaml in a text editor.
- Copy the contents.
- Open kubernetes-manifest.yaml in a text editor.
- Locate the following lines:
data:
  runtimedetections-rules.yaml: |
    # Blank, no custom rules. sophos-linux-content will still be used.
    # This file must be present when policy_input is unavailable
- Paste the content from runtimedetections-rules.yaml after these lines.
Warning
When you paste the content, make sure the indentation and alignment match the # on the preceding lines. Lines indented less than the key end the | block scalar, so a misaligned paste either breaks the YAML or leaves your rules outside the ConfigMap value. You must also be careful not to overwrite the runtimedetections.yaml section that follows these lines.
- Save your changes to kubernetes-manifest.yaml.
- Apply the new manifest file by running the following command, replacing <filepath> with the path to your manifest file:
kubectl apply -f <filepath>/kubernetes-manifest.yaml
If you don't want to edit kubernetes-manifest.yaml, you can create a ConfigMap based on the runtimedetections.yaml and runtimedetections-rules.yaml files. Do as follows.
- Open kubernetes-manifest.yaml in a text editor.
- Locate the following line:
runtimedetections.yaml: |
- Copy all of the content that follows it.
- Create a file named runtimedetections.yaml. The location doesn't matter.
- Paste the content copied from kubernetes-manifest.yaml into the new runtimedetections.yaml file.
- Save your changes.
- Go back to kubernetes-manifest.yaml.
- Locate the following line:
data:
- Delete that line and all the content that follows it.
Example
The last lines of kubernetes-manifest.yaml are now as follows:
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sensor-linux-sensor-config
- Save your changes.
- Run the following command to create the ConfigMap, referencing the runtimedetections.yaml file you created earlier and the runtimedetections-rules.yaml file you created from the downloaded Sophos Central profile:
kubectl create configmap sensor-linux-sensor-config --from-file runtimedetections.yaml --from-file runtimedetections-rules.yaml
Note
You can use kubectl commands to verify the ConfigMap content or delete your ConfigMap before making changes. kubectl create fails if a ConfigMap named sensor-linux-sensor-config already exists, so delete the old one first when you update rules. See kubectl (Kubernetes).
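The following script is an added example, not Sophos tooling, covering both Kubernetes routes above: splice_rules performs the manifest edit mechanically, copying the indentation from the placeholder # lines so the pasted rules stay inside the block scalar, and render_configmap/apply_configmap build the ConfigMap from the two files with kubectl's client-side dry run so it can be inspected before it reaches the cluster. The file names, data keys and ConfigMap name sensor-linux-sensor-config are the ones this page uses; the namespace is left to your kubectl context, which is an assumption of the example.

```shell
#!/bin/sh
# Added example (not Sophos tooling): automate the two Kubernetes procedures
# for runtimedetections-rules.yaml. Assumes the names used on this page and
# the current kubectl context/namespace.
set -eu

# splice_rules MANIFEST RULES: print MANIFEST with the contents of RULES
# inserted right after the placeholder comment lines under
# "runtimedetections-rules.yaml: |", indented exactly like those # lines
# (falling back to key indent + 2 when there are none). The
# runtimedetections.yaml section that follows is left untouched.
splice_rules() {
  awk -v rules="$2" '
    function emit(line) {
      while ((getline line < rules) > 0) print pad line
      close(rules)
    }
    # Remember the indentation of the placeholder comments.
    inblock && /^[ \t]*#/ { match($0, /^[ \t]*/); pad = substr($0, 1, RLENGTH) }
    # First non-comment line after them: the rules go in front of it.
    inblock && !/^[ \t]*#/ { emit(); inblock = 0 }
    { print }
    /^[ \t]*runtimedetections-rules\.yaml:[ \t]*\|[ \t]*$/ {
      inblock = 1
      match($0, /^[ \t]*/); pad = substr($0, 1, RLENGTH) "  "
    }
    END { if (inblock) emit() }
  ' "$1"
}

# render_configmap RULES DETECTIONS: emit the ConfigMap as YAML without
# touching the cluster. --from-file=KEY=PATH fixes the data keys the sensor
# expects regardless of the local file names.
render_configmap() {
  kubectl create configmap sensor-linux-sensor-config \
    --from-file=runtimedetections-rules.yaml="$1" \
    --from-file=runtimedetections.yaml="$2" \
    --dry-run=client -o yaml
}

# apply_configmap RULES DETECTIONS: render and apply. Unlike "kubectl create",
# apply also succeeds when the ConfigMap already exists (for example, one
# created by the original manifest), so rule updates need no delete first.
apply_configmap() {
  render_configmap "$1" "$2" | kubectl apply -f -
}

# show_rules: print the rules the cluster currently holds, to confirm the
# override landed (the key contains a dot, hence the escape in the JSONPath).
show_rules() {
  kubectl get configmap sensor-linux-sensor-config \
    -o jsonpath='{.data.runtimedetections-rules\.yaml}'
}

# Usage:
#   splice_rules kubernetes-manifest.yaml runtimedetections-rules.yaml > manifest.new.yaml
#   kubectl apply -f manifest.new.yaml
# or, without editing the manifest:
#   apply_configmap runtimedetections-rules.yaml runtimedetections.yaml && show_rules
```

Review the output of render_configmap before applying it: the rules file is a detection override, so a wrong file here silently weakens what the sensor detects on every node that mounts the ConfigMap.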