Skip to content

How to install Sophos Linux Sensor from the Sophos package repository.

Sophos Linux Sensor (SLS) is a lightweight agent installed on Linux hosts, collecting events from the hosts to trigger alert generation or automated response. SLS integrates with your existing logging and alerting infrastructure. You can install SLS wherever you have Linux, in a public or private cloud, containers or VMs, on-prem bare metal, and across different kernel versions and Linux distributions.

Prerequisites

Before you install Sophos Linux Sensor (SLS) from the Sophos package repository, you must do as follows:

  • Make sure you have a supported Linux distribution and meet the system requirements. See the System requirements section of the Release notes.

  • Get {LINUX_REPO_API_KEY} and {tenant-id} by following How to generate the Sophos Linux Sensor package repository API token.

    • {LINUX_REPO_API_KEY} is a short string that starts with "SLS-".

    • {tenant-id} is a string in the following format:

      1a2345b6-78c9-012d-ef34-5a6b789c0de1

  • Turn on Linux debug subsystem. We use this to instrument kernel and userspace events.

    • Newer kernels have it turned on by default.

    • To turn on the debug subsystem, use the following command: 

      sudo mount -t debugfs nodev /sys/kernel/debug

      You should see the following output:

      mount: /sys/kernel/debug: nodev already mounted or mount point busy.

Obtain the Sophos GPG key

You will need the Sophos GPG key to allow your system to access the Sophos package repository. Do as follows:

  1. Open a command prompt

  2. Run the following command, replacing {LINUX_REPO_API_KEY} with your Sophos Linux repository token:

    curl -f https://{LINUX_REPO_API_KEY}@packages.sophos.com/sophos-linux-sensor/release/sophos-linux-sensor-archive-keyring.gpg > /etc/sophos-linux-sensor.gpg

    This outputs the Sophos GPG key to the /etc/sophos-linux-sensor.gpg file.

    Sample output:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   907  100   907    0     0   1455      0 --:--:-- --:--:-- --:--:--  1453

    Warning

    If you see the following line, or similar, in your output, then your curl command failed to get the Sophos GPG key:

    curl: (22) The requested URL returned error: 401

Verify the GPG key

It's important to verify the GPG key before proceeding to ensure you can access the Sophos Linux repository. Run the following command to verify the key:

gpg --list-packets /etc/sophos-linux-sensor.gpg

You'll see the following or similar output if your key is valid:

version 4, algo 1, created 1649376000, expires 0
        pkey[0]: [3072 bits]
        pkey[1]: [17 bits]
        keyid: 6FF21324E503A54E
:user ID packet: "linux_release_2022 <sophosca@sophos.com>"
:signature packet: algo 1, keyid 6FF21324E503A54E
        version 4, created 1649376000, md5len 0, sigclass 0x13
        digest algo 10, begin of digest 55 a3
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2022-04-08)
        hashed subpkt 27 len 1 (key flags: 2F)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (key server preferences: 80)
        subpkt 16 len 8 (issuer key ID 6FF21324E503A54E)
        data: [3072 bits]

Note

If you verify the key, but still see Invalid GPG Key when trying to install it, you may need to perform additional steps. See Installation errors.

Configure your system to access the Sophos Linux repository

  1. Create a file with the .list extension in the /etc/apt/sources.list.d directory. The name doesn't matter.

  2. Enter the following information into the file:

    deb [signed-by=/etc/sophos-linux-sensor.gpg] https://packages.sophos.com/sophos-linux-sensor/release/ stable main

    Warning

    If you stored the Sophos GPG key in a file other than /etc/sophos-linux-sensor.gpg in the previous section, you will need to enter the path to your file after `signed-by=' in this step.

  3. Save your changes.

  4. Create a file with the .conf extension in the /etc/apt/auth.conf.d directory. The name doesn't matter.

  5. Enter the following information into the file:

    machine packages.sophos.com login {LINUX_REPO_API_KEY}

  6. Save your changes.

  7. Run the following command. If successful, you should see no errors.

    apt-get update

    Here's an example:

    $ apt-get update

Hit:2 https://artifactory.sophos-ops.com/esg-debian-dirty-remote-ubuntu bionic InRelease 
Hit:3 https://artifactory.sophos-ops.com/esg-debian-dirty-remote-ubuntu bionic-updates InRelease 
Hit:4 https://artifactory.sophos-ops.com/esg-debian-dirty-remote-ubuntu bionic-backports InRelease 
Hit:1 https://artifactory.sophos-ops.com:443/esg-debian-dirty-remote-ubuntu bionic-security InRelease 
Hit:5 https://packages.sophos.com/sophos-linux-sensor/release stable InRelease 
Reading package lists... Done
  1. Create a file with the .repo extension in the /etc/yum.repos.d/ directory. The name doesn't matter.

  2. Enter the following information into the file:

    #sls.repo 
[sls] 
name=CentOS-7 - sls 
baseurl=https://{LINUX_REPO_API_KEY}@packages.sophos.com/sophos-linux-sensor/release/ 
gpgcheck=1 
enabled=1 
gpgkey=file:///etc/sophos-linux-sensor.gpg

    Warning

    If you stored the Sophos GPG key in a file other than /etc/sophos-linux-sensor.gpg in the previous section, you will need to enter the path to your file after `gpgkey=file://' in this step.

  3. Save your changes.

Install Sophos Linux Sensor

  1. To install SLS, run the following command:

    apt install sophoslinuxsensor-systemd

    Here's an example:

    $ apt install sophoslinuxsensor-systemd

Reading package lists... Done 
Building dependency tree        
Reading state information... Done 
The following NEW packages will be installed: 
sophoslinuxsensor-systemd 
0 upgraded, 1 newly installed, 0 to remove and 18 not upgraded. 
Need to get 30.3 MB of archives. 
After this operation, 78.4 MB of additional disk space will be used. 
Get:1 https://packages.sophos.com/sophos-linux-sensor/release stable/main amd64 sophoslinuxsensor-systemd amd64 5.0.0.68 [30.3 MB] 
Fetched 30.3 MB in 2s (13.9 MB/s)                     
Selecting previously unselected package sophoslinuxsensor-systemd. 
(Reading database ... 111121 files and directories currently installed.) 
Preparing to unpack .../sophoslinuxsensor-systemd_5.0.0.68_amd64.deb ... 
Unpacking sophoslinuxsensor-systemd (5.0.0.68) ... 
Setting up sophoslinuxsensor-systemd (5.0.0.68) ... 
2022-06-23T17:46:10.033Z    INFO    config ".." has been read 
Sophos Linux Runtime Detections Agent version 5.0.0.68 (Build: 2032) 
2022-06-23T17:46:10.034Z    INFO    Successfully set capabilities. 
--------------------------- 
Sophos 
* https://sophos.com/ 

User & group created: 
* sophos-spl-user 
* sophos-spl-group 

Services installed: 
* Sensor (sophoslinuxsensor) 
---------------------------

  2. To install the default content, run the following command:

    apt-get install sophoslinuxcontent

    Here's an example:

    $ apt-get install sophoslinuxcontent

Reading package lists... Done 
Building dependency tree        
Reading state information... Done 
The following NEW packages will be installed: 
sophoslinuxcontent 
0 upgraded, 1 newly installed, 0 to remove and 18 not upgraded. 
Need to get 27.2 kB of archives. 
After this operation, 224 kB of additional disk space will be used. 
Get:1 https://packages.sophos.com/sophos-linux-sensor/release stable/main amd64 sophoslinuxcontent all 4.9.1.19 [27.2 kB] 
Fetched 27.2 kB in 2s (14.7 kB/s)        
Selecting previously unselected package sophoslinuxcontent. 
(Reading database ... 111131 files and directories currently installed.) 
Preparing to unpack .../sophoslinuxcontent_4.9.1.19_all.deb ... 
Unpacking sophoslinuxcontent (4.9.1.19) ... 
Setting up sophoslinuxcontent (4.9.1.19) ...

  3. Run the following command to confirm the installation:

    apt list --installed | grep -i sophos

  4. Open /etc/sophos/runtimedetections.yaml in a text editor and replace {tenant-id} with your unique Sophos Central ID.

    Here's an example:

    send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
# Set your customer id:
customer_id: "{tenant-id}"
alert_output:
  outputs:
  - type: stdout
    enabled: true
    template: 'Alert triggered: {{ .StrategyName}}'

    Note

    If you don't want to send telemetry data to Sophos, set send_labs_telemetry to false.

  5. Start SLS with the following command:

    sudo systemctl start sophoslinuxsensor

  1. To install SLS, run the following command:

    yum install sophoslinuxsensor-systemd

    Here's an example:

    $ yum install sophoslinuxsensor-systemd

Loaded plugins: fastestmirror, langpacks 
Loading mirror speeds from cached hostfile 
Resolving Dependencies 
--> Running transaction check 
---> Package sophoslinuxsensor-systemd.x86_64 0:5.0.0.68-1 will be installed 
--> Finished Dependency Resolution 

Dependencies Resolved 

=================================================================== 
Package                      Arch      Version       Repository 
                                                            Size 
=================================================================== 
Installing: 
sophoslinuxsensor-systemd    x86_64    5.0.0.68-1    E2E     29 M 

Transaction Summary 
=================================================================== 
Install  1 Package 

Total size: 29 M 
Installed size: 75 M 
Is this ok [y/d/N]: y 
Downloading packages: 
warning: /var/cache/yum/x86_64/7.7.1908/E2E/packages/sophoslinuxsensor-systemd-5.0.0.68-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID e503a54e: NOKEY 
Retrieving key from file:///tmp/key.gpg 
Importing GPG key 0xE503A54E: 
Userid     : "linux_release_2022 <sophosca@sophos.com>" 
Fingerprint: f41d 7750 b5eb af51 8ea3 c5b6 6ff2 1324 e503 a54e 
From       : /tmp/key.gpg 
Is this ok [y/N]: y 
Running transaction check 
Running transaction test 
Transaction test succeeded 
Running transaction 
Installing : sophoslinuxsensor-systemd-5.0.0.68-1.x86_64     1/1  
2022-06-24T18:42:17.803Z    INFO    config ".." has been read 
Sophos Linux Runtime Detections Agent version 5.0.0.68 (Build: 2032) 
2022-06-24T18:42:17.803Z    INFO    Successfully set capabilities. 
--------------------------- 
Sophos 
* https://sophos.com/ 

User & group created: 
* sophos-spl-user 
* sophos-spl-group 

Services installed: 
* Sensor (sophoslinuxsensor) 
--------------------------- 
Verifying  : sophoslinuxsensor-systemd-5.0.0.68-1.x86_64     1/1  

Installed: 
sophoslinuxsensor-systemd.x86_64 0:5.0.0.68-1                     

Complete!

  2. To install the default content, run the following command:

    yum install sophoslinuxcontent

    Here's an example:

    $ yum install sophoslinuxcontent

Loaded plugins: fastestmirror, langpacks 
Loading mirror speeds from cached hostfile 
Resolving Dependencies 
--> Running transaction check 
---> Package sophoslinuxcontent.noarch 0:4.9.1.19-1 will be installed 
--> Finished Dependency Resolution 

Dependencies Resolved 

=================================================================== 
Package                Arch       Version           Repository 
                                                            Size 
=================================================================== 
Installing: 
sophoslinuxcontent     noarch     4.9.1.19-1        E2E      30 k 

Transaction Summary 
=================================================================== 
Install  1 Package 

Total download size: 30 k 
Installed size: 219 k 
Is this ok [y/d/N]: y 
Downloading packages: 
sophoslinuxcontent-4.9.1.19-1.noarch.rpm      |  30 kB   00:00      
Running transaction check 
Running transaction test 
Transaction test succeeded 
Running transaction 
Installing : sophoslinuxcontent-4.9.1.19-1.noarch            1/1  
Verifying  : sophoslinuxcontent-4.9.1.19-1.noarch            1/1  

Installed: 
sophoslinuxcontent.noarch 0:4.9.1.19-1                            

Complete!

  3. Run the following command to confirm the installation:

    yum list installed | grep -i sophos

    Here's an example:

    $ yum list installed | grep -i sophos

Loaded plugins: fastestmirror, langpacks 
Determining fastest mirrors 
======================= N/S matched: sophos ======================= 
sophoslinuxcontent.noarch : Sophos Platform 
sophoslinuxsensor-runit.x86_64 : Sophos Platform 
sophoslinuxsensor-sysV.x86_64 : Sophos Platform 
sophoslinuxsensor-systemd.x86_64 : Sophos Platform 
sophoslinuxsensor-upstart.x86_64 : Sophos Platform

  4. Open /etc/sophos/runtimedetections.yaml in a text editor and add {tenant-id} as customer_id.

    Here's an example:

    send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
# Set your customer id:
customer_id: "{tenant-id}"
alert_output:
  outputs:
  - type: stdout
    enabled: true
    template: 'Alert triggered: {{ .StrategyName}}'

    Note

    If you don't want to send telemetry data to Sophos, set send_labs_telemetry to false.

  5. Start SLS with the following command:

    sudo systemctl start sophoslinuxsensor

Next steps

Check the status of the installation

Run the following command to check the SLS log for errors:

sudo journalctl -u sophoslinuxsensor

Run the following command to check the status of your SLS installation:

sudo systemctl status sophoslinuxsensor

Warning

If you see the following line, it means that SLS default content isn't installed.

sophoslinuxsensor[12650]: 2022-07-19T14:24:22.762Z        WARN        Zero policies configured

You must install both SLS and the default content for detections and alerts to function. See Install Sophos Linux Sensor.

Trigger a test alert

Run the following command to trigger the Test Alert policy:

sophoslinuxsensor -test-alert

Sample output:

2022-05-17T15:28:31.470Z        INFO    config "/etc/sophos/runtimedetections-rules.yaml" has been read
Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
2022-05-17T15:28:31.472Z        INFO    using sensor configuration file "/etc/sophos/runtimedetections-rules.yaml"
2022-05-17T15:28:31.474Z        INFO    Alert testing command executed, exiting

You should see the following alert:

$ May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester

You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default.

Tip

You can trigger any alert to test the default content. See Testing default detections.

Checking capability error log

As part of your installation, SLS should have the CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE, and CAP_KILL capabilities. This is necessary since the supervisor process executes SLS as an unprivileged user.

If you get "permission denied" errors, you can verify these capabilities are set with getcap. Run the following command:

getcap /usr/local/bin/sophoslinuxsensor

To set the necessary capabilities, run the following command:  

setcap cap_sys_admin,cap_dac_override,cap_sys_ptrace,cap_kill=+epi /usr/local/bin/sophoslinuxsensor