
Installing Sophos Linux Sensor on Kubernetes


The Sophos Linux Sensor (SLS) is a lightweight agent installed on Linux hosts that collects events from those hosts to trigger alert generation or automated response. SLS integrates with your existing logging and alerting infrastructure. You can deploy SLS wherever you have Linux: in a public or private cloud, in containers or VMs, on on-premises bare metal, and across different kernel versions and Linux distributions.


The Kubernetes manifest YAML file contains a ConfigMap and a DaemonSet for SLS. The ConfigMap is mounted at /etc/sophos and contains the runtimedetections.yaml and runtimedetections-rules.yaml files. The DaemonSet creates one sensor pod per node.


1. Initial setup verification

Before starting, verify that kubectl is configured to point to your target installation cluster by running the following command:

$ kubectl config current-context


If you don't have a test cluster already, we recommend using eksctl to create an EKS cluster. This can be as simple as running the command: eksctl create cluster. See Getting started with Amazon EKS – eksctl.

2. Create Kubernetes Secret

Set an environment variable in the terminal that you plan on using. Run the following command:


Replace ${SERVICE_ACCOUNT_EMAIL} with the email from your service account key file before running the following kubectl command to create a new Kubernetes Secret. SLS uses this secret to authenticate your kubelet so that it can pull from our private container registry. You can also use other registries.

$ kubectl create secret docker-registry capsule8-registry-secret  \
  --docker-username=_json_key                                     \
  --docker-server=                               \
  --docker-email=$CAPSULE8_SERVICE_ACCOUNT_EMAIL                  \
  --docker-password="$(cat ~/.capsule8/service-account.json)"

Run the following command to see your new secret:

$ kubectl get secrets


Access is granted specifically for our manifests, which reference the Kubernetes docker-registry secret capsule8-registry-secret.

3. Apply the Manifest

Download a copy of the manifest provided by Sophos and apply it. Run the following command:

$ kubectl apply -f

Wait for the pods to come online, then run the following command:

$ kubectl get pods -l app=sensor-noconsole

The manifest creates a sensor-noconsole DaemonSet and standalone-sensor-config ConfigMap.

If you don't see SLS pods starting up, check your cluster’s pod security policy and, if necessary, grant exceptions for the capabilities required by SLS. For a full list of these capabilities, please see the DaemonSet or reach out to Sophos support.
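Because the DaemonSet is meant to place one sensor pod on every node, a node without a Ready sensor pod is a gap in detection coverage. The following added example (not part of the Sophos documentation or manifest) compares the JSON shape produced by `kubectl get nodes -o json` and `kubectl get pods -l app=sensor-noconsole -o json` and reports uncovered nodes; the node names, pod names and sample JSON are constructed for illustration.

```python
import json

# Constructed sample data, trimmed to the fields used here, in the shape of
# `kubectl get nodes -o json` and `kubectl get pods -l app=sensor-noconsole -o json`.
SAMPLE_NODES = json.dumps(
    {"items": [{"metadata": {"name": n}} for n in ("node-a", "node-b", "node-c")]})
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "sensor-noconsole-x1"}, "spec": {"nodeName": "node-a"},
     "status": {"phase": "Running", "conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "sensor-noconsole-x2"}, "spec": {"nodeName": "node-b"},
     "status": {"phase": "Pending", "conditions": [{"type": "Ready", "status": "False"}],
                "containerStatuses": [{"state": {"waiting": {"reason": "ImagePullBackOff"}}}]}},
]})


def pod_ready(pod):
    """True if the pod reports the Ready condition with status True."""
    conds = pod.get("status", {}).get("conditions", [])
    return any(c.get("type") == "Ready" and c.get("status") == "True" for c in conds)


def waiting_reasons(pod):
    """Collect container waiting reasons such as ImagePullBackOff."""
    statuses = pod.get("status", {}).get("containerStatuses", [])
    return sorted({s["state"]["waiting"].get("reason", "unknown")
                   for s in statuses if "waiting" in s.get("state", {})})


def coverage_gaps(nodes_json, pods_json):
    """Map each node lacking a Ready sensor pod to the reason it is uncovered."""
    nodes = [n["metadata"]["name"] for n in json.loads(nodes_json)["items"]]
    gaps = {node: "no sensor pod scheduled" for node in nodes}
    for pod in json.loads(pods_json)["items"]:
        node = pod.get("spec", {}).get("nodeName")
        if node not in gaps:
            continue  # unscheduled pod, unknown node, or node already covered
        if pod_ready(pod):
            del gaps[node]
        else:
            reasons = ", ".join(waiting_reasons(pod)) or pod["status"].get("phase", "unknown")
            gaps[node] = f"{pod['metadata']['name']} not ready: {reasons}"
    return gaps


if __name__ == "__main__":
    for node, why in coverage_gaps(SAMPLE_NODES, SAMPLE_PODS).items():
        print(f"{node}: {why}")
```

In the sample, node-b shows an image pull failure, which points back at the registry secret from step 2, and node-c has no sensor pod at all, which is what a blocked pod creation looks like from the outside.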

4. Generate an Alert

The logs for the sensor pods should list all the configured policies:

$ kubectl logs $SENSOR_POD_NAME

To generate a quick test alert, exec into one of the sensor pods and create an interactive shell:

$ kubectl exec -it $SENSOR_POD_NAME -- /bin/sh
 root@$SENSOR_POD_NAME: $ /bin/sh -i 

Starting an interactive shell in the container (except with sshd or screen) violates the interactiveShell policy, which triggers an alert. SLS is currently configured to print alerts to standard output, which you can see by viewing the logs of the pod that generated the alert:

$ kubectl logs $SENSOR_POD_NAME

Alerts can also be sent out to webhooks, written directly to cloud blob storage buckets, written to local files on the file system with log rotation, and sent to syslog. See Exporting Alerts.
