Install Sophos Linux Sensor on Kubernetes using Helm Charts

Helm is a package manager for the Kubernetes ecosystem. Helm Charts function similarly to RPM or DEB packages for Linux software installation. Helm Charts streamline the deployment of applications in Kubernetes, making the process straightforward and more convenient. You can install Sophos Linux Sensor (SLS) on Kubernetes using Helm Charts.

Helm Charts have the following advantages over pure Kubernetes deployments:

Less repetition: Instead of copying YAML files for different environments, Helm lets you define reusable templates.
Easier management: You can deploy, update, and delete applications with a single helm install or helm upgrade command.
Version control and rollbacks: Helm tracks changes, making it easy to roll back to a previous version.
Install dependencies: Automatically install all dependencies.
Flexible version control: Select a specific version and stay on it, or automatically deploy the latest version of the chart and sensor.

Requirements

We recommend that you have a good understanding of Kubernetes, Docker, and command-line tools, such as kubectl before following this guide.
You must have kubetcl v1.18 or higher. See Kubernetes Install Tools.
Get <LINUX_REPO_API_KEY> and <TENANT-ID> by following How to generate the Sophos Linux Sensor package repository API token.
- <LINUX_REPO_API_KEY> is a short string that starts with "SLS-".
- <TENANT-ID> is a string in the following format:
```
1a2345b6-78c9-012d-ef34-5a6b789c0de1
```
Get your Sophos Central MCS URL by following Finding your MCS URL.
Authenticate with the Helm registry by running the following command, replacing <LINUX_REPO_API_KEY> with your Sophos Linux repository API key:
```
helm registry login https://registry.sophosupd.com -u <LINUX_REPO_API_KEY> -p <LINUX_REPO_API_KEY>
```
Warning

Without authentication, the helm commands in this guide won't succeed.

Installation

We recommend that you deploy SLS using the latest version of the charts. This guarantees you always have the latest capabilities, security fixes, performance improvements, and detections.

To deploy SLS with the recommended settings, do as follows:

Create a file named values.yaml. The location doesn't matter.
Enter the following lines into the file, replacing <TENANT-ID> with your Sophos Central customer ID, <CENTRAL-URL> with your Sophos Central MCS URL, and <LINUX_REPO_API_KEY> with your Sophos Linux repository API key:
```
endpoint:
  sensor:
    params:
      customerID: <TENANT-ID>
      mcsURL: "<CENTRAL-URL>"
      mcsToken: "<LINUX_REPO_API_KEY>"
```
Run the following command, replacing <RELEASE_NAME> with a name you want to use for your deployment, such as sophos-sensor-latest:
```
helm install <RELEASE_NAME> oci://registry.sophosupd.com/release/helm-sophos-linux-sensor \ 
--values values.yaml
```
This command automatically gets the latest version of SLS every time you run it. If you want to install a specific version, use the --version argument and specify the version you want to install. You can use this argument to apply version constraints that keep you on the same major version while updating to the latest patch or minor version of a chart.
Example

The following command installs the latest 1.X.X verion but doesn't update to 2.X.X:
```
helm install <RELEASE_NAME> oci://registry.sophosupd.com/release/helm-sophos-linux-sensor \ 
--version ^1.0.0  
--values values.yaml 
```

Upgrade

If your cluster is permanent and you want to perform periodic upgrades on the version of the sensor used, you can use helm upgrade. You can also use the --version argument to upgrade your chart to the latest version and reuse your existing configuration.

Example

The following command upgrades the existing chart to 1.2.0-679:

helm upgrade <RELEASE_NAME> oci://registry.sophosupd.com/release/helm-sophos-linux-sensor \ 
--version ^1.2.0-679 --reuse-values

Add custom profiles from Sophos Central

You can apply a custom profile downloaded from Sophos Central to values.yaml. See Download the custom profile.

Example

This is a sample values.yaml file that includes a custom profile downloaded from Sophos Central.

endpoint:
  sensor:
    params:
      customerID: ########-####-####-####-############
      mcsURL: "mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
      mcsToken: "SLS-########"
      rules: |
        Chmod of SSH Authorized Keys:
          enabled: true
        Chown of SSH Authorized Keys:
          enabled: true
        Suspicious_Interactive_Shell-parentProgramName-allowList:
          operations:
            - behavior: remove
              list:
                - /usr/bin/sshd
                - /usr/sbin/sshd
        Suspicious_Interactive_Shell-parentProgramName-blockList:
          operations:
            - behavior: add
              list:
                - /bin/sh

Advanced configuration

Using Helm, you can configure some advanced options without making changes to the runtimedetections.yaml file. Run the following command to see all advanced configuration options available:

helm show values <sophos-registry> <chart version>

Warning

These options may change over time. We recommend that you always run this command before making any changes to verify the available options.

Example

This is a sample output showing the available advanced configuration options at the time the command was run.

Pulled: registry.sophosupd.com/release/helm-sophos-linux-sensor:5.11.0-520
Digest: sha256:f161798ee035b5d061d559680a05d5a342c27269824cfcdce8e6665777ba5211
config:
  customConfigMapName: ""
endpoint:
  resources:
    limits:
      memory: 2Gi
      cpu: 200m
    requests:
      memory: 1Gi
      cpu: 100m

  image:
    registry: 
      url: registry.sophosupd.com/release

      #This value is base64 encoded string of docker config.json to authenticate to registry
      # Example: cat ~/.docker/config.json | base64
      authConfigJson: 

      pullSecret:
    sensor:
      tag: sensor_tag
      digest:
      pullPolicy: Always
    content:
      tag: content_tag
      digest:
      pullPolicy: Always
  sensor:
    params:
      customerID:
      cloudMeta: auto
      criSensorEnabled: true
      monitorPort: 9010
      mcsURL: ""
      mcsToken: ""
      rules: ""

To add advanced configuration options, add the options you want to values.yaml. If you have other settings under endpoint.sensor.params, make sure to include them under the same section.

Example

This is a sample values.yaml file that includes the option to override the default monitoring port of 9010 with port 1111.

endpoint:
  sensor:
    params:
      monitorPort: 1111
      customerID: ########-####-####-####-############
      mcsURL: "mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
      mcsToken: "SLS-########"

Uninstall SLS

To uninstall SLS using Helm, do as follows:

Run the following command, replacing <RELEASE_NAME> with the name you selected during installation:
```
helm uninstall <RELEASE_NAME>
```
Run the following command to confirm SLS was removed:
```
kubectl get pods
```