Install Sophos Linux Sensor on Kubernetes using Helm Charts
Helm is a package manager for the Kubernetes ecosystem. Helm Charts function similarly to RPM or DEB packages for Linux software installation. Helm Charts streamline the deployment of applications in Kubernetes, making the process straightforward and more convenient. You can install Sophos Linux Sensor (SLS) on Kubernetes using Helm Charts.
Helm Charts have the following advantages over pure Kubernetes deployments:
- Less repetition: Instead of copying YAML files for different environments, Helm lets you define reusable templates.
- Easier management: You can deploy, update, and delete applications with a single helm install or helm upgrade command.
- Version control and rollbacks: Helm tracks changes, making it easy to roll back to a previous version.
- Install dependencies: Automatically install all dependencies.
- Flexible version control: Select a specific version and stay on it, or automatically deploy the latest version of the chart and sensor.
Sophos Linux Sensor is currently supported only for Sophos Central customers. Support for Taegis XDR integration will be available in an upcoming release.
Requirements
- We recommend that you have a good understanding of Kubernetes, Docker, and command-line tools, such as kubectl, before following this guide.
- You must have kubectl v1.18 or higher. See Kubernetes Install Tools.
- Get <LINUX_REPO_API_KEY> and <TENANT-ID> by following How to generate the Sophos Linux Sensor package repository API token. <LINUX_REPO_API_KEY> is a short string that starts with "SLS-". <TENANT-ID> is a string in the following format: 1a2345b6-78c9-012d-ef34-5a6b789c0de1
- Get your Sophos Central MCS URL by following Finding your MCS URL.
- Authenticate with the Helm registry by running the following command, replacing <LINUX_REPO_API_KEY> with your Sophos Linux repository API key:
helm registry login https://registry.sophosupd.com -u <LINUX_REPO_API_KEY> -p <LINUX_REPO_API_KEY>
Warning
Without authentication, the helm commands in this guide won't succeed.
Installation
We recommend that you deploy SLS using the latest version of the charts. This guarantees you always have the latest capabilities, security fixes, performance improvements, and detections.
To deploy SLS with the recommended settings, do as follows:
- Create a file named values.yaml. The location doesn't matter.
- Enter the following lines into the file, replacing <TENANT-ID> with your Sophos Central customer ID, <CENTRAL-URL> with your Sophos Central MCS URL, and <LINUX_REPO_API_KEY> with your Sophos Linux repository API key:
endpoint:
  sensor:
    params:
      customerID: <TENANT-ID>
      mcsURL: "<CENTRAL-URL>"
      mcsToken: "<LINUX_REPO_API_KEY>"
- Run the following command, replacing <RELEASE_NAME> with a name you want to use for your deployment, such as sophos-sensor-latest:
helm install <RELEASE_NAME> oci://registry.sophosupd.com/release/helm-sophos-linux-sensor \
  --values values.yaml
This command automatically gets the latest version of SLS every time you run it. If you want to install a specific version, use the --version argument and specify the version you want to install. You can use this argument to apply version constraints that keep you on the same major version while updating to the latest patch or minor version of a chart.
Example
The following command installs the latest 1.X.X version but doesn't update to 2.X.X:
helm install <RELEASE_NAME> oci://registry.sophosupd.com/release/helm-sophos-linux-sensor \
  --version ^1.0.0 \
  --values values.yaml
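As an added example that is not part of the Sophos guide, the following POSIX shell helper builds the values.yaml from the steps above only after checking that every placeholder was replaced with a well-formed value: the tenant ID in the 8-4-4-4-12 format shown under Requirements, the API key with its "SLS-" prefix, and no leftover angle-bracket placeholder in the MCS URL. The function names and sample values are constructed; install_sls assumes you have already run helm registry login.

```shell
#!/bin/sh
# Added example, not Sophos tooling: validate the three inputs the guide asks for,
# then emit the values.yaml that the helm install step consumes.

# Return 0 if the tenant ID has the documented 8-4-4-4-12 hex layout.
valid_tenant_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Return 0 if the key looks like a Sophos Linux repository API key ("SLS-" prefix).
valid_api_key() {
    case "$1" in
        SLS-?*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print values.yaml content for a tenant ID, MCS URL and API key.
# Fails (non-zero, nothing printed) if an input is still a placeholder or malformed,
# so a bad file never reaches helm install.
make_values() {
    tenant="$1"; mcs_url="$2"; api_key="$3"
    valid_tenant_id "$tenant" || { echo "bad tenant ID: $tenant" >&2; return 1; }
    valid_api_key "$api_key"  || { echo "bad API key: expected SLS- prefix" >&2; return 1; }
    case "$mcs_url" in
        ""|*"<"*|*">"*) echo "bad MCS URL: $mcs_url" >&2; return 1 ;;
    esac
    # Same keys and quoting as the guide's values.yaml.
    printf 'endpoint:\n  sensor:\n    params:\n      customerID: %s\n      mcsURL: "%s"\n      mcsToken: "%s"\n' \
        "$tenant" "$mcs_url" "$api_key"
}

# Write values.yaml and install the chart pinned to the 1.x line, as in the guide's
# version-constraint example. Arguments: tenant ID, MCS URL, API key, release name.
install_sls() {
    make_values "$1" "$2" "$3" > values.yaml || return 1
    helm install "$4" oci://registry.sophosupd.com/release/helm-sophos-linux-sensor \
        --version '^1.0.0' --values values.yaml
}
```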
Upgrade
If your cluster is permanent and you want to perform periodic upgrades on the version of the sensor used, you can use helm upgrade. You can also use the --version argument to upgrade your chart to the latest version and reuse your existing configuration.
Example
The following command upgrades the existing chart to 1.2.0-679:
helm upgrade <RELEASE_NAME> oci://registry.sophosupd.com/release/helm-sophos-linux-sensor \
--version ^1.2.0-679 --reuse-values
Add custom profiles from Sophos Central
You can apply a custom profile downloaded from Sophos Central to values.yaml. See Download the custom profile.
Example
This is a sample values.yaml file that includes a custom profile downloaded from Sophos Central.
endpoint:
  sensor:
    params:
      customerID: ########-####-####-####-############
      mcsURL: "mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
      mcsToken: "SLS-########"
      rules:
        Chmod of SSH Authorized Keys:
          enabled: true
        Chown of SSH Authorized Keys:
          enabled: true
        Suspicious_Interactive_Shell-parentProgramName-allowList:
          operations:
            - behavior: remove
              list:
                - /usr/bin/sshd
                - /usr/sbin/sshd
        Suspicious_Interactive_Shell-parentProgramName-blockList:
          operations:
            - behavior: add
              list:
                - /bin/sh
Advanced configuration
Using Helm, you can configure some advanced options without making changes to the runtimedetections.yaml file. Run the following command to see all advanced configuration options available:
helm show values <sophos-registry> <chart version>
Warning
These options may change over time. We recommend that you always run this command before making any changes to verify the available options.
Example
This is a sample output showing the available advanced configuration options at the time the command was run.
Pulled: registry.sophosupd.com/release/helm-sophos-linux-sensor:5.11.0-520
Digest: sha256:f161798ee035b5d061d559680a05d5a342c27269824cfcdce8e6665777ba5211
config:
  customConfigMapName: ""
endpoint:
  resources:
    limits:
      memory: 2Gi
      cpu: 200m
    requests:
      memory: 1Gi
      cpu: 100m
  image:
    registry:
      url: registry.sophosupd.com/release
      #This value is base64 encoded string of docker config.json to authenticate to registry
      # Example: cat ~/.docker/config.json | base64
      authConfigJson:
      pullSecret:
    sensor:
      tag: sensor_tag
      digest:
      pullPolicy: Always
    content:
      tag: content_tag
      digest:
      pullPolicy: Always
  sensor:
    params:
      customerID:
      cloudMeta: auto
      criSensorEnabled: true
      monitorPort: 9010
      mcsURL: ""
      mcsToken: ""
      rules: ""
To add advanced configuration options, add the options you want to values.yaml. If you have other settings under endpoint.sensor.params, make sure to include them under the same section.
Example
This is a sample values.yaml file that includes the option to override the default monitoring port of 9010 with port 1111.
endpoint:
  sensor:
    params:
      monitorPort: 1111
      customerID: ########-####-####-####-############
      mcsURL: "mcs2-cloudstation-us-west-2.prod.hydra.sophos.com"
      mcsToken: "SLS-########"
Environment variables
You can use SLS Helm chart 1.0.3 and later to configure environment variables natively by setting endpoint.sensor.env in values.yaml.
Example
This is a sample values.yaml file that sets the RUNTIMEDETECTIONS_BLOB_STORAGE_CREATE_BUCKETS_ENABLED and RUNTIMEDETECTIONS_DEBUG environment variables to true.
endpoint:
  sensor:
    env:
      - name: RUNTIMEDETECTIONS_BLOB_STORAGE_CREATE_BUCKETS_ENABLED
        value: "true"
      - name: RUNTIMEDETECTIONS_DEBUG
        value: "true"
Alert and event outputs
You can use SLS Helm chart 1.0.4 and later to configure alerts by setting endpoint.sensor.params.outputs and event outputs by setting endpoint.sensor.params.sinks in values.yaml. The helm show values <sophos-registry> <chart version> command shows more details and up-to-date options for configuring alert and event outputs.
Note
To export alerts with GCP, you must create a Kubernetes secret with the account credentials for the bucket to which you want to export alerts and events. You can point the helm chart to the secret by using the following options:
endpoint:
  sensor:
    params:
      gcpCredentials:
        secretName: "<secret_name>"
        secretKey: "<secret_key>"
For example, if you added the secret using kubectl create secret generic my-gcp-secret --from-file=gcp.json=key.json, the secret_name is my-gcp-secret and secret_key is gcp.json.
Uninstall SLS
To uninstall SLS using Helm, do as follows:
- Run the following command, replacing <RELEASE_NAME> with the name you selected during installation:
helm uninstall <RELEASE_NAME>
- Run the following command to confirm SLS was removed:
kubectl get pods