Install Sophos Linux Sensor on Kubernetes using Helm Charts
Helm is a package manager for the Kubernetes ecosystem. Helm Charts function similarly to RPM or DEB packages for Linux software installation. Helm Charts streamline the deployment of applications in Kubernetes, making the process straightforward and more convenient. You can install Sophos Linux Sensor (SLS) on Kubernetes using Helm Charts.
Helm Charts have the following advantages over pure Kubernetes deployments:
- Less repetition: Instead of copying YAML files for different environments, Helm lets you define reusable templates.
- Easier management: You can deploy, update, and delete applications with a single helm install or helm upgrade command.
- Version control and rollbacks: Helm tracks changes, making it easy to roll back to a previous version.
- Install dependencies: Automatically install all dependencies.
- Flexible version control: Select a specific version and stay on it, or automatically deploy the latest version of the chart and sensor.
Requirements
- We recommend that you have a good understanding of Kubernetes, Docker, and command-line tools such as kubectl before following this guide.
- You must have kubectl v1.18 or higher. See Kubernetes Install Tools.
- Get <LINUX_REPO_API_KEY> and <TENANT-ID> by following How to generate the Sophos Linux Sensor package repository API token. <LINUX_REPO_API_KEY> is a short string that starts with "SLS-". <TENANT-ID> is a string in the following format: 1a2345b6-78c9-012d-ef34-5a6b789c0de1
- Get your Sophos Central MCS URL by following Finding your MCS URL.
- Authenticate with the Helm registry by running the following command, replacing <LINUX_REPO_API_KEY> with your Sophos Linux repository API key:
  helm registry login https://registry.sophosupd.com -u <LINUX_REPO_API_KEY> -p <LINUX_REPO_API_KEY>
Warning
Without authentication, the helm commands in this guide won't succeed.
Installation
We recommend that you deploy SLS using the latest version of the charts. This guarantees you always have the latest capabilities, security fixes, performance improvements, and detections.
To deploy SLS with the recommended settings, do as follows:
- Create a file named values.yaml. The location doesn't matter.
- Enter the following lines into the file, replacing <TENANT-ID> with your Sophos Central customer ID, <CENTRAL-URL> with your Sophos Central MCS URL, and <LINUX_REPO_API_KEY> with your Sophos Linux repository API key:
  endpoint:
    sensor:
      params:
        customerID: <TENANT-ID>
        mcsURL: "<CENTRAL-URL>"
        mcsToken: "<LINUX_REPO_API_KEY>"
- Run the following command, replacing <RELEASE_NAME> with a name you want to use for your deployment, such as sophos-sensor-latest:
  helm install <RELEASE_NAME> oci://registry.sophosupd.com/release/helm-sophos-linux-sensor \
    --values values.yaml
This command automatically gets the latest version of SLS every time you run it. If you want to install a specific version, use the --version argument and specify the version you want to install. You can also use this argument to apply version constraints that keep you on the same major version while updating to the latest patch or minor version of a chart.
Example
The following command installs the latest 1.X.X version but doesn't update to 2.X.X:
  helm install <RELEASE_NAME> oci://registry.sophosupd.com/release/helm-sophos-linux-sensor \
    --version ^1.0.0 --values values.yaml
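The installation steps above ask you to substitute three values by hand. The following script is an added example, not Sophos's own tooling: it checks each value against the formats the Requirements section describes (the "SLS-" prefix and the 8-4-4-4-12 tenant ID shape), writes the minimal values.yaml with owner-only permissions because it holds the repository token, and prints the helm install command, optionally with a version constraint. The helper names and the demo values are constructed for this example.

```shell
#!/bin/sh
# Added example, not Sophos's own tooling: validate the values this guide asks
# you to supply and write the minimal values.yaml from the Installation section.
# The "SLS-" prefix and the 8-4-4-4-12 tenant ID format come from the
# Requirements section; the helper names and the demo values are constructed.

valid_api_key() {
  # <LINUX_REPO_API_KEY> is a short string that starts with "SLS-".
  case "$1" in
    SLS-?*) return 0 ;;
    *)      return 1 ;;
  esac
}

valid_tenant_id() {
  # <TENANT-ID> looks like 1a2345b6-78c9-012d-ef34-5a6b789c0de1.
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

valid_mcs_url() {
  # The sample files on this page use a bare hostname: no scheme, no path.
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$'
}

# write_values_file FILE TENANT_ID MCS_URL API_KEY
# Refuses malformed input, then writes endpoint.sensor.params as shown in the
# guide. The file contains the repository token, so it is created mode 0600.
write_values_file() {
  file=$1 tenant=$2 url=$3 key=$4
  valid_tenant_id "$tenant" || { echo "bad <TENANT-ID>: $tenant" >&2; return 1; }
  valid_mcs_url "$url"      || { echo "bad <CENTRAL-URL>: $url" >&2; return 1; }
  valid_api_key "$key"      || { echo "bad <LINUX_REPO_API_KEY> (must start with SLS-)" >&2; return 1; }
  (
    umask 077
    printf 'endpoint:\n  sensor:\n    params:\n      customerID: %s\n      mcsURL: "%s"\n      mcsToken: "%s"\n' \
      "$tenant" "$url" "$key" > "$file"
  )
}

# install_cmd RELEASE_NAME FILE [VERSION_CONSTRAINT]
# Prints the helm install command from this guide; an optional constraint such
# as ^1.0.0 pins the chart to a major version.
install_cmd() {
  release=$1 file=$2 constraint=$3
  cmd="helm install $release oci://registry.sophosupd.com/release/helm-sophos-linux-sensor --values $file"
  if [ -n "$constraint" ]; then
    cmd="$cmd --version $constraint"
  fi
  printf '%s\n' "$cmd"
}

# Demo with constructed values: the tenant ID is the format example from the
# Requirements section and the token is a placeholder, not a real credential.
demo_file=$(mktemp)
write_values_file "$demo_file" 1a2345b6-78c9-012d-ef34-5a6b789c0de1 \
  mcs2-cloudstation-us-west-2.prod.hydra.sophos.com SLS-example
cat "$demo_file"
install_cmd sophos-sensor-latest "$demo_file" '^1.0.0'
rm -f "$demo_file"
```

Because values.yaml carries the repository token in clear text, keep it out of version control and treat it like any other credential file; the 0600 mode set here is the minimum.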
Upgrade
If your cluster is permanent and you want to perform periodic upgrades on the version of the sensor used, you can use helm upgrade. You can also use the --version argument to upgrade your chart to the latest version and reuse your existing configuration.
Example
The following command upgrades the existing chart to 1.2.0-679:
  helm upgrade <RELEASE_NAME> oci://registry.sophosupd.com/release/helm-sophos-linux-sensor \
    --version ^1.2.0-679 --reuse-values
Add custom profiles from Sophos Central
You can apply a custom profile downloaded from Sophos Central to values.yaml. See Download the custom profile.
Example
This is a sample values.yaml file that includes a custom profile downloaded from Sophos Central.
endpoint:
  sensor:
    params:
      customerID: ########-####-####-####-############
      mcsURL: "mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
      mcsToken: "SLS-########"
      rules: |
        Chmod of SSH Authorized Keys:
          enabled: true
        Chown of SSH Authorized Keys:
          enabled: true
        Suspicious_Interactive_Shell-parentProgramName-allowList:
          operations:
            - behavior: remove
              list:
                - /usr/bin/sshd
                - /usr/sbin/sshd
        Suspicious_Interactive_Shell-parentProgramName-blockList:
          operations:
            - behavior: add
              list:
                - /bin/sh
Advanced configuration
Using Helm, you can configure some advanced options without making changes to the runtimedetections.yaml file. Run the following command to see all advanced configuration options available:
  helm show values <sophos-registry> <chart version>
Warning
These options may change over time. We recommend that you always run this command before making any changes to verify the available options.
Example
This is a sample output showing the available advanced configuration options at the time the command was run.
Pulled: registry.sophosupd.com/release/helm-sophos-linux-sensor:5.11.0-520
Digest: sha256:f161798ee035b5d061d559680a05d5a342c27269824cfcdce8e6665777ba5211
config:
  customConfigMapName: ""
endpoint:
  resources:
    limits:
      memory: 2Gi
      cpu: 200m
    requests:
      memory: 1Gi
      cpu: 100m
  image:
    registry:
      url: registry.sophosupd.com/release
      #This value is base64 encoded string of docker config.json to authenticate to registry
      # Example: cat ~/.docker/config.json | base64
      authConfigJson:
      pullSecret:
    sensor:
      tag: sensor_tag
      digest:
      pullPolicy: Always
    content:
      tag: content_tag
      digest:
      pullPolicy: Always
  sensor:
    params:
      customerID:
      cloudMeta: auto
      criSensorEnabled: true
      monitorPort: 9010
      mcsURL: ""
      mcsToken: ""
      rules: ""
To add advanced configuration options, add the options you want to values.yaml. If you have other settings under endpoint.sensor.params, make sure to include them under the same section.
Example
This is a sample values.yaml file that includes the option to override the default monitoring port of 9010 with port 1111.
endpoint:
  sensor:
    params:
      monitorPort: 1111
      customerID: ########-####-####-####-############
      mcsURL: "mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
      mcsToken: "SLS-########"
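The point above is easy to get wrong when editing by hand: an advanced option pasted in with the wrong indentation, or in a second endpoint.sensor.params block, silently drops customerID, mcsURL or mcsToken from the rendered configuration. The script below is an added example, not Sophos's own tooling: it lists the keys that sit directly under endpoint.sensor.params in a values.yaml and fails if any of the three required keys is missing at that level. The key names are the ones shown on this page; the helper names and the two sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Sophos's own tooling: check that a values.yaml keeps
# customerID, mcsURL and mcsToken together under endpoint.sensor.params after an
# advanced option such as monitorPort is added. Key names are the ones shown on
# this page; the helper names and sample files are constructed.

# params_keys FILE
# Prints the keys that sit directly under endpoint.sensor.params, one per line.
# Keys at any other indentation (inside the rules block scalar, or mis-indented)
# are not reported, which is what makes the check useful.
params_keys() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[ ]*endpoint:[ ]*$/ { ep = 1; ep_ind = indent($0); se = 0; pa = 0; next }
    ep && /^[ ]*sensor:[ ]*$/ && indent($0) > ep_ind { se = 1; se_ind = indent($0); pa = 0; next }
    se && /^[ ]*params:[ ]*$/ && indent($0) > se_ind { pa = 1; pa_ind = indent($0); key_ind = -1; next }
    pa && /^[ ]*[A-Za-z_]+:/ {
      i = indent($0)
      if (i <= pa_ind) { pa = 0; next }          # left the params block
      if (key_ind < 0) key_ind = i                # first child sets the depth
      if (i == key_ind) { sub(/^[ ]*/, ""); sub(/:.*/, ""); print }
    }
  ' "$1"
}

# check_params FILE
# Returns non-zero and names each required key missing from the params block.
check_params() {
  keys=$(params_keys "$1")
  rc=0
  for k in customerID mcsURL mcsToken; do
    printf '%s\n' "$keys" | grep -qx "$k" || { echo "$1: missing endpoint.sensor.params.$k" >&2; rc=1; }
  done
  return "$rc"
}

# Demo: a correct file (monitorPort added beside the required keys) and a file
# where mcsToken was indented one level too deep. Values are constructed.
good=$(mktemp) bad=$(mktemp)
printf 'endpoint:\n  sensor:\n    params:\n      monitorPort: 1111\n      customerID: ########-####-####-####-############\n      mcsURL: "mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"\n      mcsToken: "SLS-########"\n' > "$good"
printf 'endpoint:\n  sensor:\n    params:\n      monitorPort: 1111\n      customerID: ########-####-####-####-############\n      mcsURL: "mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"\n        mcsToken: "SLS-########"\n' > "$bad"
for f in "$good" "$bad"; do
  if check_params "$f"; then echo "$f: ok"; fi
done
rm -f "$good" "$bad"
```

Run check_params against your values.yaml before helm install or helm upgrade; a sensor that starts without mcsToken or customerID will not enrol with Sophos Central, and the missing key is much easier to spot here than in pod logs.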
Uninstall SLS
To uninstall SLS using Helm, do as follows:
- Run the following command, replacing <RELEASE_NAME> with the name you selected during installation:
  helm uninstall <RELEASE_NAME>
- Run the following command to confirm SLS was removed:
  kubectl get pods