How to install Sophos Linux Sensor from the Sophos package repository.
Sophos Linux Sensor (SLS) is a lightweight agent installed on Linux hosts, collecting events from the hosts to trigger alert generation or automated response. SLS integrates with your existing logging and alerting infrastructure. You can install SLS wherever you have Linux, in a public or private cloud, containers or VMs, on-prem bare metal, and across different kernel versions and Linux distributions.
Prerequisites
Before you install Sophos Linux Sensor (SLS) from the Sophos package repository, you must do as follows:
- Make sure you have a supported Linux distribution and meet the system requirements. See the System requirements section of the Release notes.
- Get {LINUX_REPO_API_KEY} and {tenant-id} by following How to generate the Sophos Linux Sensor package repository API token.
  - {LINUX_REPO_API_KEY} is a short string that starts with "SLS-".
  - {tenant-id} is a string in the following format: 1a2345b6-78c9-012d-ef34-5a6b789c0de1
- Turn on the Linux debug subsystem. We use this to instrument kernel and userspace events.
  - Newer kernels have it turned on by default.
  - To turn on the debug subsystem, use the following command:
```
sudo mount -t debugfs nodev /sys/kernel/debug
```
  If the debug subsystem is already mounted, you'll see the following output:
```
mount: /sys/kernel/debug: nodev already mounted or mount point busy.
```
Obtain the Sophos GPG key
You will need the Sophos GPG key to allow your system to access the Sophos package repository. Do as follows:
- Open a command prompt.
- Run the following command, replacing {LINUX_REPO_API_KEY} with your Sophos Linux repository token:
```
curl -f https://{LINUX_REPO_API_KEY}@packages.sophos.com/sophos-linux-sensor/release/sophos-linux-sensor-archive-keyring.gpg > /etc/sophos-linux-sensor.gpg
```
This outputs the Sophos GPG key to the /etc/sophos-linux-sensor.gpg file. Sample output:
```
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   907  100   907    0     0   1455      0 --:--:-- --:--:-- --:--:--  1453
```
Warning
If you see the following line, or similar, in your output, then your curl command failed to get the Sophos GPG key:
```
curl: (22) The requested URL returned error: 401
```
Verify the GPG key
It's important to verify the GPG key before proceeding to ensure you can access the Sophos Linux repository. Run the following command to verify the key:
```
gpg --list-packets /etc/sophos-linux-sensor.gpg
```
You'll see the following or similar output if your key is valid:
```
version 4, algo 1, created 1649376000, expires 0
pkey[0]: [3072 bits]
pkey[1]: [17 bits]
keyid: 6FF21324E503A54E
:user ID packet: "linux_release_2022 <sophosca@sophos.com>"
:signature packet: algo 1, keyid 6FF21324E503A54E
version 4, created 1649376000, md5len 0, sigclass 0x13
digest algo 10, begin of digest 55 a3
hashed subpkt 33 len 21 (?)
hashed subpkt 2 len 4 (sig created 2022-04-08)
hashed subpkt 27 len 1 (key flags: 2F)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 6FF21324E503A54E)
data: [3072 bits]
```
Note
If you verify the key but still see Invalid GPG Key when trying to install it, you may need to perform additional steps. See Installation errors.
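The two steps above (fetch the keyring, then inspect it) are where a bad token or a captive network silently produces a useless keyring file. As an added example that is not part of this guide or of Sophos's tooling, the following POSIX shell script performs the fetch fail-closed and checks the file before apt or yum is allowed to trust it. It assumes the key ID and user ID shown in the gpg --list-packets output above are the current Sophos release key, and it uses the keyring path this guide uses; the function names are my own.

```shell
#!/bin/sh
# Added example, not Sophos tooling: fetch the Sophos keyring fail-closed and
# check the file before apt or yum is allowed to trust it.
# Assumptions: EXPECTED_KEYID and EXPECTED_UID are the values in the
# gpg --list-packets output in this guide; KEYRING_PATH is the path this
# guide uses. Function names are mine.

EXPECTED_KEYID="6FF21324E503A54E"
EXPECTED_UID='linux_release_2022 <sophosca@sophos.com>'
KEYRING_PATH="${KEYRING_PATH:-/etc/sophos-linux-sensor.gpg}"

# Download to a temporary file first. curl -f turns an HTTP 401 into a
# non-zero exit status, so a bad token leaves any existing keyring untouched
# instead of overwriting it with an empty file (which `> file` alone would do,
# because the shell creates the file before curl runs).
fetch_keyring() {
  token="$1"
  dest="${2:-$KEYRING_PATH}"
  tmp="$(mktemp)" || return 1
  if ! curl -fsS "https://${token}@packages.sophos.com/sophos-linux-sensor/release/sophos-linux-sensor-archive-keyring.gpg" -o "$tmp"; then
    echo "keyring download failed; check the repository token" >&2
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$dest" && chmod 0644 "$dest"
}

# Reject an empty file or an HTML error page before handing it to gpg.
looks_like_keyring() {
  f="$1"
  [ -s "$f" ] || { echo "$f is empty" >&2; return 1; }
  if head -c 64 "$f" | grep -qiE '<html|<!doctype'; then
    echo "$f is an HTML page, not a keyring" >&2
    return 1
  fi
  return 0
}

# Inspect a gpg --list-packets dump (read from stdin) for the expected
# primary key ID and user ID. Reading stdin keeps this testable without gpg.
check_packet_dump() {
  dump="$(cat)"
  case "$dump" in
    *"keyid: ${EXPECTED_KEYID}"*) ;;
    *) echo "expected key ID ${EXPECTED_KEYID} not present" >&2; return 1 ;;
  esac
  case "$dump" in
    *"${EXPECTED_UID}"*) return 0 ;;
    *) echo "expected user ID not present" >&2; return 1 ;;
  esac
}

verify_keyring() {
  f="${1:-$KEYRING_PATH}"
  looks_like_keyring "$f" || return 1
  gpg --list-packets "$f" 2>/dev/null | check_packet_dump
}

# Usage: ./check-keyring.sh fetch SLS-... [dest]   or   ./check-keyring.sh verify [file]
case "${1:-}" in
  fetch)  fetch_keyring "$2" "$3" ;;
  verify) verify_keyring "$2" ;;
esac
```

Pinning the key ID and user ID turns "did gpg parse something" into "is this the key I expected", which is the check that actually matters before the repository is added.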
Configure your system to access the Sophos Linux repository
On apt-based systems, do as follows:
- Create a file with the .list extension in the /etc/apt/sources.list.d directory. The name doesn't matter.
- Enter the following information into the file:
```
deb [signed-by=/etc/sophos-linux-sensor.gpg] https://packages.sophos.com/sophos-linux-sensor/release/ stable main
```
Warning
If you stored the Sophos GPG key in a file other than /etc/sophos-linux-sensor.gpg in the previous section, you will need to enter the path to your file after `signed-by=` in this step.
- Save your changes.
- Create a file with the .conf extension in the /etc/apt/auth.conf.d directory. The name doesn't matter.
- Enter the following information into the file:
```
machine packages.sophos.com login {LINUX_REPO_API_KEY}
```
- Save your changes.
- Run the following command. If successful, you should see no errors.
```
apt-get update
```
Here's an example:
```
$ apt-get update
Hit:2 https://artifactory.sophos-ops.com/esg-debian-dirty-remote-ubuntu bionic InRelease
Hit:3 https://artifactory.sophos-ops.com/esg-debian-dirty-remote-ubuntu bionic-updates InRelease
Hit:4 https://artifactory.sophos-ops.com/esg-debian-dirty-remote-ubuntu bionic-backports InRelease
Hit:1 https://artifactory.sophos-ops.com:443/esg-debian-dirty-remote-ubuntu bionic-security InRelease
Hit:5 https://packages.sophos.com/sophos-linux-sensor/release stable InRelease
Reading package lists... Done
```
On yum-based systems, do as follows:
- Create a file with the .repo extension in the /etc/yum.repos.d/ directory. The name doesn't matter.
- Enter the following information into the file:
```
#sls.repo
[sls]
name=CentOS-7 - sls
baseurl=https://{LINUX_REPO_API_KEY}@packages.sophos.com/sophos-linux-sensor/release/
gpgcheck=1
enabled=1
gpgkey=file:///etc/sophos-linux-sensor.gpg
```
Warning
If you stored the Sophos GPG key in a file other than /etc/sophos-linux-sensor.gpg in the previous section, you will need to enter the path to your file after `gpgkey=file://` in this step.
- Save your changes.
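Both repository set-ups above come down to writing two or three small files whose contents must match exactly, with the repository token in one of them. As an added example (not from this guide or from Sophos), the following POSIX shell functions write those files for either package manager. The file names are my choice, since the guide says the names don't matter; the optional prefix argument, also mine, renders the files into a scratch directory so you can inspect them before writing under /etc. Creating the credential-bearing files with mode 0600 is my hardening, not a requirement the guide states.

```shell
#!/bin/sh
# Added example, not from Sophos: write the repository configuration files
# described above for either package manager. The optional PREFIX argument
# (empty by default, so files land under /etc) lets you render them into a
# scratch directory and inspect them first. The file names are my choice;
# the guide says the names don't matter.

SOPHOS_REPO_URL="https://packages.sophos.com/sophos-linux-sensor/release/"

# apt: source line in sources.list.d, credential in auth.conf.d.
write_apt_repo_config() {
  token="$1"
  keyring="${2:-/etc/sophos-linux-sensor.gpg}"
  prefix="${3:-}"
  mkdir -p "$prefix/etc/apt/sources.list.d" "$prefix/etc/apt/auth.conf.d" || return 1

  # signed-by pins this source to the Sophos key, so packages signed with any
  # other key in the system's trusted keyrings are rejected for this repo.
  printf 'deb [signed-by=%s] %s stable main\n' "$keyring" "$SOPHOS_REPO_URL" \
    > "$prefix/etc/apt/sources.list.d/sophos-linux-sensor.list" || return 1

  # The token goes only into auth.conf.d, never into the source line. The file
  # is created with mode 0600 so other local users cannot read the credential
  # (my hardening; the guide does not state a required mode).
  auth="$prefix/etc/apt/auth.conf.d/sophos-linux-sensor.conf"
  ( umask 077; printf 'machine packages.sophos.com login %s\n' "$token" > "$auth" ) || return 1
  chmod 0600 "$auth"
}

# yum: a single .repo file. yum has no separate credential file in this
# setup, so the token is part of baseurl; keep the file root-readable only
# (my choice; relax to 0644 if unprivileged users need to run yum queries).
write_yum_repo_config() {
  token="$1"
  keyring="${2:-/etc/sophos-linux-sensor.gpg}"
  prefix="${3:-}"
  mkdir -p "$prefix/etc/yum.repos.d" || return 1
  repo="$prefix/etc/yum.repos.d/sls.repo"
  ( umask 077; cat > "$repo" <<EOF
[sls]
name=CentOS-7 - sls
baseurl=https://${token}@packages.sophos.com/sophos-linux-sensor/release/
gpgcheck=1
enabled=1
gpgkey=file://${keyring}
EOF
  ) || return 1
  chmod 0600 "$repo"
}

# Usage: write_apt_repo_config SLS-... [/path/to/keyring] [prefix]
#        write_yum_repo_config SLS-... [/path/to/keyring] [prefix]
```

Because the keyring path is a parameter, the "if you stored the key somewhere else" warnings above are handled in one place: pass the path you actually used and both signed-by and gpgkey follow it.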
Install Sophos Linux Sensor
On apt-based systems, do as follows:
- To install SLS, run the following command:
```
apt install sophoslinuxsensor-systemd
```
Here's an example:
```
$ apt install sophoslinuxsensor-systemd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  sophoslinuxsensor-systemd
0 upgraded, 1 newly installed, 0 to remove and 18 not upgraded.
Need to get 30.3 MB of archives.
After this operation, 78.4 MB of additional disk space will be used.
Get:1 https://packages.sophos.com/sophos-linux-sensor/release stable/main amd64 sophoslinuxsensor-systemd amd64 5.0.0.68 [30.3 MB]
Fetched 30.3 MB in 2s (13.9 MB/s)
Selecting previously unselected package sophoslinuxsensor-systemd.
(Reading database ... 111121 files and directories currently installed.)
Preparing to unpack .../sophoslinuxsensor-systemd_5.0.0.68_amd64.deb ...
Unpacking sophoslinuxsensor-systemd (5.0.0.68) ...
Setting up sophoslinuxsensor-systemd (5.0.0.68) ...
2022-06-23T17:46:10.033Z INFO config ".." has been read
Sophos Linux Runtime Detections Agent version 5.0.0.68 (Build: 2032)
2022-06-23T17:46:10.034Z INFO Successfully set capabilities.
---------------------------
Sophos
* https://sophos.com/
User & group created:
* sophos-spl-user
* sophos-spl-group
Services installed:
* Sensor (sophoslinuxsensor)
---------------------------
```
- To install the default content, run the following command:
```
apt-get install sophoslinuxcontent
```
Here's an example:
```
$ apt-get install sophoslinuxcontent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  sophoslinuxcontent
0 upgraded, 1 newly installed, 0 to remove and 18 not upgraded.
Need to get 27.2 kB of archives.
After this operation, 224 kB of additional disk space will be used.
Get:1 https://packages.sophos.com/sophos-linux-sensor/release stable/main amd64 sophoslinuxcontent all 4.9.1.19 [27.2 kB]
Fetched 27.2 kB in 2s (14.7 kB/s)
Selecting previously unselected package sophoslinuxcontent.
(Reading database ... 111131 files and directories currently installed.)
Preparing to unpack .../sophoslinuxcontent_4.9.1.19_all.deb ...
Unpacking sophoslinuxcontent (4.9.1.19) ...
Setting up sophoslinuxcontent (4.9.1.19) ...
```
- Run the following command to confirm the installation:
```
apt list --installed | grep -i sophos
```
- Open /etc/sophos/runtimedetections.yaml in a text editor and replace {tenant-id} with your unique Sophos Central ID. Here's an example:
```
send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
# Set your customer id:
customer_id: "{tenant-id}"
alert_output:
  outputs:
    - type: stdout
      enabled: true
      template: 'Alert triggered: {{ .StrategyName}}'
```
Note
If you don't want to send telemetry data to Sophos, set send_labs_telemetry to false.
- Start SLS with the following command:
```
sudo systemctl start sophoslinuxsensor
```
On yum-based systems, do as follows:
- To install SLS, run the following command:
```
yum install sophoslinuxsensor-systemd
```
Here's an example:
```
$ yum install sophoslinuxsensor-systemd
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package sophoslinuxsensor-systemd.x86_64 0:5.0.0.68-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================
 Package                    Arch     Version     Repository  Size
===================================================================
Installing:
 sophoslinuxsensor-systemd  x86_64   5.0.0.68-1  E2E         29 M

Transaction Summary
===================================================================
Install  1 Package

Total size: 29 M
Installed size: 75 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7.7.1908/E2E/packages/sophoslinuxsensor-systemd-5.0.0.68-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID e503a54e: NOKEY
Retrieving key from file:///tmp/key.gpg
Importing GPG key 0xE503A54E:
 Userid     : "linux_release_2022 <sophosca@sophos.com>"
 Fingerprint: f41d 7750 b5eb af51 8ea3 c5b6 6ff2 1324 e503 a54e
 From       : /tmp/key.gpg
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : sophoslinuxsensor-systemd-5.0.0.68-1.x86_64   1/1
2022-06-24T18:42:17.803Z INFO config ".." has been read
Sophos Linux Runtime Detections Agent version 5.0.0.68 (Build: 2032)
2022-06-24T18:42:17.803Z INFO Successfully set capabilities.
---------------------------
Sophos
* https://sophos.com/
User & group created:
* sophos-spl-user
* sophos-spl-group
Services installed:
* Sensor (sophoslinuxsensor)
---------------------------
  Verifying  : sophoslinuxsensor-systemd-5.0.0.68-1.x86_64   1/1

Installed:
  sophoslinuxsensor-systemd.x86_64 0:5.0.0.68-1

Complete!
```
- To install the default content, run the following command:
```
yum install sophoslinuxcontent
```
Here's an example:
```
$ yum install sophoslinuxcontent
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package sophoslinuxcontent.noarch 0:4.9.1.19-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================
 Package             Arch     Version     Repository  Size
===================================================================
Installing:
 sophoslinuxcontent  noarch   4.9.1.19-1  E2E         30 k

Transaction Summary
===================================================================
Install  1 Package

Total download size: 30 k
Installed size: 219 k
Is this ok [y/d/N]: y
Downloading packages:
sophoslinuxcontent-4.9.1.19-1.noarch.rpm                   |  30 kB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : sophoslinuxcontent-4.9.1.19-1.noarch   1/1
  Verifying  : sophoslinuxcontent-4.9.1.19-1.noarch   1/1

Installed:
  sophoslinuxcontent.noarch 0:4.9.1.19-1

Complete!
```
- Run the following command to confirm the installation:
```
yum list installed | grep -i sophos
```
Here's an example:
```
$ yum list installed | grep -i sophos
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
======================= N/S matched: sophos =======================
sophoslinuxcontent.noarch : Sophos Platform
sophoslinuxsensor-runit.x86_64 : Sophos Platform
sophoslinuxsensor-sysV.x86_64 : Sophos Platform
sophoslinuxsensor-systemd.x86_64 : Sophos Platform
sophoslinuxsensor-upstart.x86_64 : Sophos Platform
```
- Open /etc/sophos/runtimedetections.yaml in a text editor and add {tenant-id} as customer_id. Here's an example:
```
send_labs_telemetry: true
endpoint_telemetry_enabled: true
cloud_meta: auto
# Set your customer id:
customer_id: "{tenant-id}"
alert_output:
  outputs:
    - type: stdout
      enabled: true
      template: 'Alert triggered: {{ .StrategyName}}'
```
Note
If you don't want to send telemetry data to Sophos, set send_labs_telemetry to false.
- Start SLS with the following command:
```
sudo systemctl start sophoslinuxsensor
```
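The one hand-edited step in both procedures above is replacing {tenant-id} in /etc/sophos/runtimedetections.yaml, and the easy mistake is starting the service with the placeholder still in place or with a mistyped ID. As an added example, not part of this guide, the following POSIX shell functions make that edit with the value validated against the tenant-id format shown in Prerequisites, check the file before the service is started, and apply the telemetry note. The config path is the one this guide uses; function names are mine.

```shell
#!/bin/sh
# Added example, not Sophos tooling: fill in customer_id in
# runtimedetections.yaml and refuse to proceed if the value is not in the
# tenant-id format shown in Prerequisites, or if the placeholder is still
# present afterwards. The config path defaults to the one used in this guide.

CONFIG="${CONFIG:-/etc/sophos/runtimedetections.yaml}"
# 8-4-4-4-12 hex groups, the format of the sample 1a2345b6-78c9-012d-ef34-5a6b789c0de1
UUID_RE='^[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}$'

# Return 0 when the argument matches the {tenant-id} format.
is_tenant_id() {
  printf '%s\n' "$1" | grep -q "$UUID_RE"
}

# Rewrite a file through a temp copy (cat back preserves ownership and mode).
rewrite_in_place() {
  file="$1"; expr="$2"
  tmp="$(mktemp)" || return 1
  sed "$expr" "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Replace the customer_id line with a validated tenant ID. The validation also
# guarantees the value contains nothing that could alter the sed expression.
set_customer_id() {
  file="$1"
  tenant="$2"
  is_tenant_id "$tenant" || { echo "refusing: '$tenant' is not in tenant-id format" >&2; return 1; }
  [ -f "$file" ] || { echo "$file not found" >&2; return 1; }
  rewrite_in_place "$file" "s|^customer_id:.*|customer_id: \"$tenant\"|"
}

# Optional: turn off telemetry to Sophos, as described in the note above.
disable_labs_telemetry() {
  rewrite_in_place "${1:-$CONFIG}" 's|^send_labs_telemetry:.*|send_labs_telemetry: false|'
}

# Pre-start check: the placeholder must be gone and customer_id must parse.
# Run this before `systemctl start sophoslinuxsensor`.
check_config() {
  file="${1:-$CONFIG}"
  if grep -q '{tenant-id}' "$file"; then
    echo "$file still contains the {tenant-id} placeholder" >&2
    return 1
  fi
  cid="$(sed -n 's/^customer_id:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$file")"
  is_tenant_id "$cid" || { echo "customer_id '$cid' is not a valid tenant ID" >&2; return 1; }
}

# Usage: set_customer_id /etc/sophos/runtimedetections.yaml <tenant-id> && check_config
```

Running check_config in a deployment script right before the systemctl start step turns a misconfigured sensor, which would otherwise only show up later in the journal, into a failed deploy with a clear message.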
Next steps
Check the status of the installation
Run the following command to check the SLS log for errors:
```
sudo journalctl -u sophoslinuxsensor
```
Run the following command to check the status of your SLS installation:
```
sudo systemctl status sophoslinuxsensor
```
Warning
If you see the following line, it means that the SLS default content isn't installed.
```
sophoslinuxsensor[12650]: 2022-07-19T14:24:22.762Z WARN Zero policies configured
```
You must install both SLS and the default content for detections and alerts to function. See Install Sophos Linux Sensor.
Trigger a test alert
Run the following command to trigger the Test Alert policy:
```
sophoslinuxsensor -test-alert
```
Sample output:
```
2022-05-17T15:28:31.470Z INFO config "/etc/sophos/runtimedetections-rules.yaml" has been read
Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
2022-05-17T15:28:31.472Z INFO using sensor configuration file "/etc/sophos/runtimedetections-rules.yaml"
2022-05-17T15:28:31.474Z INFO Alert testing command executed, exiting
```
You should see the following alert:
```
$ May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester
```
You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default.
Tip
You can trigger any alert to test the default content. See Testing default detections.
Checking capability error log
As part of your installation, SLS should have the CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE, and CAP_KILL capabilities. This is necessary since the supervisor process executes SLS as an unprivileged user.
If you get "permission denied" errors, you can verify these capabilities are set with getcap. Run the following command:
```
getcap /usr/local/bin/sophoslinuxsensor
```
To set the necessary capabilities, run the following command:
```
setcap cap_sys_admin,cap_dac_override,cap_sys_ptrace,cap_kill=+epi /usr/local/bin/sophoslinuxsensor
```
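The Next steps section describes two post-install failure modes, missing default content (the "Zero policies configured" warning in the journal) and missing file capabilities on the sensor binary, and gives the commands that reveal each. As an added example that is not part of this guide, the following POSIX shell functions turn those two manual checks into something a deployment pipeline can run: one scans journal text for the warning, the other parses a getcap line and confirms all four required capabilities are present with the effective flag set. The binary path and warning text are from this guide; the function names and the sample journal lines in the test are my own constructions, and the parser accepts both the older "= caps+eip" and the newer "caps=eip" getcap output layouts.

```shell
#!/bin/sh
# Added example, not Sophos tooling: post-install health checks that read the
# service journal and the binary's file capabilities and flag the two failure
# modes described above (no default content, missing capabilities).
# Paths and the warning text come from this guide; function names are mine.

SENSOR_BIN="${SENSOR_BIN:-/usr/local/bin/sophoslinuxsensor}"
REQUIRED_CAPS="cap_sys_admin cap_dac_override cap_sys_ptrace cap_kill"

# Scan journal text (stdin) for the "Zero policies configured" warning, which
# means sophoslinuxcontent is not installed. Returns 1 if it is present.
check_journal_for_policies() {
  if grep -q 'WARN Zero policies configured'; then
    echo "default content missing: install sophoslinuxcontent" >&2
    return 1
  fi
  return 0
}

# Parse one getcap output line and confirm every required capability is
# present with the effective (e) flag. Accepts both libcap layouts:
#   /path = cap_a,cap_b+eip        (older libcap)
#   /path cap_a,cap_b=eip          (libcap 2.41 and newer)
# An empty line (getcap printed nothing) means no capabilities at all.
check_caps_line() {
  line="$1"
  missing=""
  for cap in $REQUIRED_CAPS; do
    case "$line" in
      *"$cap"*) ;;
      *) missing="$missing $cap" ;;
    esac
  done
  # The flag set follows the last '+' or '='; without 'e' the capability is
  # held but not effective, which still yields "permission denied".
  flags="${line##*[+=]}"
  case "$flags" in
    *e*) ;;
    *) missing="$missing (effective flag not set)" ;;
  esac
  if [ -n "$missing" ]; then
    echo "capabilities missing on ${SENSOR_BIN}:$missing" >&2
    return 1
  fi
  return 0
}

# Live wrappers around the commands from this guide.
check_caps() {
  check_caps_line "$(getcap "$SENSOR_BIN" 2>/dev/null)"
}

check_journal() {
  journalctl -u sophoslinuxsensor --no-pager | check_journal_for_policies
}

# Usage: run both and exit non-zero if either fails.
#   check_caps && check_journal
```

The checks are split into a pure function that takes text and a thin wrapper that runs the real command, so the parsing logic can be exercised on captured output from a host you cannot reach interactively.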