Skip to content

How to install Sophos Linux Sensor from the Sophos package repository.

Sophos Linux Sensor (SLS) is a lightweight agent installed on Linux hosts, collecting events from the hosts to trigger alert generation or automated response. SLS integrates with your existing logging and alerting infrastructure. You can install SLS wherever you have Linux, in a public or private cloud, containers or VMs, on-prem bare metal, and across different kernel versions and Linux distributions.

System requirements

  • At least 1 vCPUs
  • At least 2 GB RAM (recommended) or 256 MB RAM (minimum)
  • At least 2 GB of free disk space
  • A supported Linux distribution. See Sophos Linux Sensor Linux distribution and kernel support.
  • Turn on Linux debug subsystem. We use this to instrument kernel and userspace events.
    • Newer kernels have it turned on by default.
    • To turn on the debug subsystem, use the following command: 

      sudo mount -t debugfs nodev /sys/kernel/debug
      

      You should see the following output:

      mount: /sys/kernel/debug: nodev already mounted or mount point busy. 
      

Prerequisites

Before you can install Sophos Linux Sensor (SLS) from the Sophos package repository, you need to do the following:

Obtain the Sophos GPG key

You will need the Sophos GPG key to allow your system to access the Sophos package repository. Do the following:

  1. Open a command prompt
  2. Run the following command, replacing {LINUX_REPO_API_KEY} with your Sophos Linux repository token:

    curl -f https://{LINUX_REPO_API_KEY}@packages.sophos.com/sophos-linux-sensor/release/sophos-linux-sensor-archive-keyring.gpg > /etc/sophos-linux-sensor.gpg
    

    This outputs the Sophos GPG key to the /etc/sophos-linux-sensor.gpg file.

    Sample output:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   907  100   907    0     0   1455      0 --:--:-- --:--:-- --:--:--  1453
    

    Warning

    If you see the following line, or similar, in your output, then your curl command failed to get the Sophos GPG key:

    curl: (22) The requested URL returned error: 401
    

Configure your system to access the Sophos Linux repository

  1. Create a file with the .list extension in the /etc/apt/sources.list.d/ directory. The name does not matter.

  2. Enter the following information into the file, replacing {LINUX_REPO_API_KEY} with your Sophos Linux repository token:

    deb [signed-by=/etc/sophos-linux-sensor.gpg arch=amd64] https://{LINUX_REPO_API_KEY}@packages.sophos.com/sophos-linux-sensor/release/ stable main
    

    Warning

    If you stored the Sophos GPG key in a file other than /etc/sophos-linux-sensor.gpg in the previous section, you will need to enter the path to your file after `signed-by=' in this step.

  3. Save your changes.

  4. Run the following command. If successful, you should see no errors.

    apt-get update
    

    Here's an example:

    $ apt-get update
    
    Hit:2 https://artifactory.sophos-ops.com/esg-debian-dirty-remote-ubuntu bionic InRelease 
    Hit:3 https://artifactory.sophos-ops.com/esg-debian-dirty-remote-ubuntu bionic-updates InRelease 
    Hit:4 https://artifactory.sophos-ops.com/esg-debian-dirty-remote-ubuntu bionic-backports InRelease 
    Hit:1 https://artifactory.sophos-ops.com:443/esg-debian-dirty-remote-ubuntu bionic-security InRelease 
    Hit:5 https://packages.sophos.com/sophos-linux-sensor/release stable InRelease 
    Reading package lists... Done 
    
  1. Create a file with the .repo extension in the /etc/yum.repos.d/ directory. The name does not matter.

  2. Enter the following information into the file, replacing {LINUX_REPO_API_KEY} with your Sophos Linux repository token:

    #sls.repo 
    [sls] 
    name=CentOS-7 - sls 
    baseurl=https://{LINUX_REPO_API_KEY}@packages.sophos.com/sophos-linux-sensor/release/ 
    gpgcheck=1 
    enabled=1 
    gpgkey=file:///etc/sophos-linux-sensor.gpg 
    

    Warning

    If you stored the Sophos GPG key in a file other than /etc/sophos-linux-sensor.gpg in the previous section, you will need to enter the path to your file after `gpgkey=file://' in this step.

  3. Save your changes.

Install Sophos Linux Sensor

  1. To install SLS, run the following command:

    apt install sophoslinuxsensor-systemd
    

    Here's an example:

    $ apt install sophoslinuxsensor-systemd
    
    Reading package lists... Done 
    Building dependency tree        
    Reading state information... Done 
    The following NEW packages will be installed: 
    sophoslinuxsensor-systemd 
    0 upgraded, 1 newly installed, 0 to remove and 18 not upgraded. 
    Need to get 30.3 MB of archives. 
    After this operation, 78.4 MB of additional disk space will be used. 
    Get:1 https://packages.sophos.com/sophos-linux-sensor/release stable/main amd64 sophoslinuxsensor-systemd amd64 5.0.0.68 [30.3 MB] 
    Fetched 30.3 MB in 2s (13.9 MB/s)                     
    Selecting previously unselected package sophoslinuxsensor-systemd. 
    (Reading database ... 111121 files and directories currently installed.) 
    Preparing to unpack .../sophoslinuxsensor-systemd_5.0.0.68_amd64.deb ... 
    Unpacking sophoslinuxsensor-systemd (5.0.0.68) ... 
    Setting up sophoslinuxsensor-systemd (5.0.0.68) ... 
    2022-06-23T17:46:10.033Z    INFO    config ".." has been read 
    Sophos Linux Runtime Detections Agent version 5.0.0.68 (Build: 2032) 
    2022-06-23T17:46:10.034Z    INFO    Successfully set capabilities. 
    --------------------------- 
    Sophos 
    * https://sophos.com/ 
    
    User & group created: 
    * sophos-spl-user 
    * sophos-spl-group 
    
    Services installed: 
    * Sensor (sophoslinuxsensor) 
    --------------------------- 
    
  2. To install the default content, run the following command:

    apt-get install sophoslinuxcontent
    

    Here's an example:

    $ apt-get install sophoslinuxcontent
    
    Reading package lists... Done 
    Building dependency tree        
    Reading state information... Done 
    The following NEW packages will be installed: 
    sophoslinuxcontent 
    0 upgraded, 1 newly installed, 0 to remove and 18 not upgraded. 
    Need to get 27.2 kB of archives. 
    After this operation, 224 kB of additional disk space will be used. 
    Get:1 https://packages.sophos.com/sophos-linux-sensor/release stable/main amd64 sophoslinuxcontent all 4.9.1.19 [27.2 kB] 
    Fetched 27.2 kB in 2s (14.7 kB/s)        
    Selecting previously unselected package sophoslinuxcontent. 
    (Reading database ... 111131 files and directories currently installed.) 
    Preparing to unpack .../sophoslinuxcontent_4.9.1.19_all.deb ... 
    Unpacking sophoslinuxcontent (4.9.1.19) ... 
    Setting up sophoslinuxcontent (4.9.1.19) ... 
    
  3. Run the following command to confirm the installation:

    apt list –installed | grep -i sophos
    
  4. To provide telemetry to Sophos Labs, add {tenant-id} to /etc/sophos/runtimedetections-rules.yaml as customer_id.

    Here's an example:

    send_labs_telemetry: true
    # Set your customer id:
    customer_id: "{tenant-id}"
    alert_output:
    outputs:
    - type: stdout
        enabled: true
        template: 'Alert triggered: {{ .StrategyName}}'
    

    Note

    If you don't want to send telemetry data to Sophos, set send_labs_telemetry to false.

  5. Start SLS with the following command:

    sudo systemctl start sophoslinuxsensor
    
  1. To install SLS, run the following command:

    yum install sophoslinuxsensor-systemd
    

    Here's an example:

    $ yum install sophoslinuxsensor-systemd
    
    Loaded plugins: fastestmirror, langpacks 
    Loading mirror speeds from cached hostfile 
    Resolving Dependencies 
    --> Running transaction check 
    ---> Package sophoslinuxsensor-systemd.x86_64 0:5.0.0.68-1 will be installed 
    --> Finished Dependency Resolution 
    
    Dependencies Resolved 
    
    =================================================================== 
    Package                      Arch      Version       Repository 
                                                                Size 
    =================================================================== 
    Installing: 
    sophoslinuxsensor-systemd    x86_64    5.0.0.68-1    E2E     29 M 
    
    Transaction Summary 
    =================================================================== 
    Install  1 Package 
    
    Total size: 29 M 
    Installed size: 75 M 
    Is this ok [y/d/N]: y 
    Downloading packages: 
    warning: /var/cache/yum/x86_64/7.7.1908/E2E/packages/sophoslinuxsensor-systemd-5.0.0.68-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID e503a54e: NOKEY 
    Retrieving key from file:///tmp/key.gpg 
    Importing GPG key 0xE503A54E: 
    Userid     : "linux_release_2022 <sophosca@sophos.com>" 
    Fingerprint: f41d 7750 b5eb af51 8ea3 c5b6 6ff2 1324 e503 a54e 
    From       : /tmp/key.gpg 
    Is this ok [y/N]: y 
    Running transaction check 
    Running transaction test 
    Transaction test succeeded 
    Running transaction 
    Installing : sophoslinuxsensor-systemd-5.0.0.68-1.x86_64     1/1  
    2022-06-24T18:42:17.803Z    INFO    config ".." has been read 
    Sophos Linux Runtime Detections Agent version 5.0.0.68 (Build: 2032) 
    2022-06-24T18:42:17.803Z    INFO    Successfully set capabilities. 
    --------------------------- 
    Sophos 
    * https://sophos.com/ 
    
    User & group created: 
    * sophos-spl-user 
    * sophos-spl-group 
    
    Services installed: 
    * Sensor (sophoslinuxsensor) 
    --------------------------- 
    Verifying  : sophoslinuxsensor-systemd-5.0.0.68-1.x86_64     1/1  
    
    Installed: 
    sophoslinuxsensor-systemd.x86_64 0:5.0.0.68-1                     
    
    Complete!
    
  2. To install the default content, run the following command:

    yum install sophoslinuxcontent
    

    Here's an example:

    $ yum install sophoslinuxcontent
    
    Loaded plugins: fastestmirror, langpacks 
    Loading mirror speeds from cached hostfile 
    Resolving Dependencies 
    --> Running transaction check 
    ---> Package sophoslinuxcontent.noarch 0:4.9.1.19-1 will be installed 
    --> Finished Dependency Resolution 
    
    Dependencies Resolved 
    
    =================================================================== 
    Package                Arch       Version           Repository 
                                                                Size 
    =================================================================== 
    Installing: 
    sophoslinuxcontent     noarch     4.9.1.19-1        E2E      30 k 
    
    Transaction Summary 
    =================================================================== 
    Install  1 Package 
    
    Total download size: 30 k 
    Installed size: 219 k 
    Is this ok [y/d/N]: y 
    Downloading packages: 
    sophoslinuxcontent-4.9.1.19-1.noarch.rpm      |  30 kB   00:00      
    Running transaction check 
    Running transaction test 
    Transaction test succeeded 
    Running transaction 
    Installing : sophoslinuxcontent-4.9.1.19-1.noarch            1/1  
    Verifying  : sophoslinuxcontent-4.9.1.19-1.noarch            1/1  
    
    Installed: 
    sophoslinuxcontent.noarch 0:4.9.1.19-1                            
    
    Complete!
    
  3. Run the following command to confirm the installation:

    yum list installed | grep -i sophos
    

    Here's an example:

    $ yum list installed | grep -i sophos
    
    Loaded plugins: fastestmirror, langpacks 
    Determining fastest mirrors 
    ======================= N/S matched: sophos ======================= 
    sophoslinuxcontent.noarch : Sophos Platform 
    sophoslinuxsensor-runit.x86_64 : Sophos Platform 
    sophoslinuxsensor-sysV.x86_64 : Sophos Platform 
    sophoslinuxsensor-systemd.x86_64 : Sophos Platform 
    sophoslinuxsensor-upstart.x86_64 : Sophos Platform
    
  4. To provide telemetry to Sophos Labs, add {tenant-id} to /etc/sophos/runtimedetections-rules.yaml as customer_id.

    Here's an example:

    send_labs_telemetry: true
    # Set your customer id:
    customer_id: "{tenant-id}"
    alert_output:
    outputs:
    - type: stdout
        enabled: true
        template: 'Alert triggered: {{ .StrategyName}}'
    

    Note

    If you don't want to send telemetry data to Sophos, set send_labs_telemetry to false.

  5. Start SLS with the following command:

    sudo systemctl start sophoslinuxsensor
    

Next steps

Check the status of the installation

Run the following command to check the SLS log for errors:

sudo journalctl -u sophoslinuxsensor

Run the following command to check the status of your SLS installation:

sudo systemctl status sophoslinuxsensor

Warning

If you see the following line, it means that SLS default content isn't installed.

sophoslinuxsensor[12650]: 2022-07-19T14:24:22.762Z        WARN        Zero policies configured

You must install both SLS and the default content for detections and alerts to function. See Install Sophos Linux Sensor.

Trigger a test alert

Run the following command to trigger the Test Alert policy:

sophoslinuxsensor -test-alert

Sample output:

2022-05-17T15:28:31.470Z        INFO    config "/etc/sophos/runtimedetections-rules.yaml" has been read
Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
2022-05-17T15:28:31.472Z        INFO    using sensor configuration file "/etc/sophos/runtimedetections-rules.yaml"
2022-05-17T15:28:31.474Z        INFO    Alert testing command executed, exiting

You should see the following alert:

$ May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester

You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default.

Tip

You can trigger any alert to test the default content. See Testing default detections.

Checking capability error log

As part of your installation, SLS should have the CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE, and CAP_KILL capabilities. This is necessary since the supervisor process executes SLS as an unprivileged user.

If get "permission denied" errors, you can verify these capabilities are set with getcap. Run the following command:

getcap /usr/local/bin/sophoslinuxsensor

To set the necessary capabilities, run the following command:  

setcap cap_sys_admin,cap_dac_override,cap_sys_ptrace,cap_kill=+epi /usr/local/bin/sophoslinuxsensor
Back to top