
Installing Sophos Linux Sensor on Docker

Overview

Sophos Linux Sensor (SLS) is a lightweight agent installed on Linux hosts, collecting events from the hosts to trigger alert generation and automated response. SLS integrates with your existing logging and alerting infrastructure. You can deploy the Sensor wherever you have Linux – in public or private cloud environments, in containers or VMs, in on-premises bare metal hosts, each supporting a large number of kernel versions and Linux distributions.

Sophos maintains an external Docker registry where Docker images of the SLS components are made available to customers.

You can run this Docker image in your desired environment to protect the host.

Requirements

  • Docker is installed and running.
  • Ensure you have a Google Cloud Platform service account key file, which will be provided to you by your Sophos representative.
    • Save the key file locally to ~/.gcloud/key-file.json.
    • To pull images from the SLS Docker registry, you must install the gcloud CLI. See Installing the gcloud CLI.
  • Kubernetes isn't in use. If it is, see Installing SLS on Kubernetes.

Authorization

The SLS Docker images aren't publicly available. You must first configure authorization.

Service Account Key File

Ask your Sophos representative for a service account key file to begin. Once you have the service account key file, save it to ~/.gcloud/key-file.json on a device that you use to pull and store the SLS images and prepare them for use.

Here's an example:

{
    "type": "service_account",
    "project_id": "SLS-docker",
    "private_key_id": "<>",
    "private_key": "-----BEGIN PRIVATE KEY-----\\abcde12345678910\\abcde12345678910\\n-----END PRIVATE KEY-----\\n",
    "client_email": "< client name >@cap8-build.iam.gserviceaccount.com",
    "client_id": "12345678910111213",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/< client name >%40SLS-docker.iam.gserviceaccount.com"
}

GCloud

Once you have saved your service account key file, install gcloud, which will let you pull images from the SLS registry. GCloud is a command-line tool included in the Google Cloud SDK.

Once you install GCloud, you can authorize access to the registry with the following command:

$ gcloud auth activate-service-account <your name>@cap8-docker.iam.gserviceaccount.com --key-file=~/.gcloud/key-file.json

Confirm successful authorization by pulling a Sensor image from our container registry using the gcloud CLI:

$ gcloud docker -- pull us.gcr.io/cap8-docker/capsule8-sensor:4.6.0

Usage

The Sensor won't do anything useful if you just run docker run us.gcr.io/cap8-docker/capsule8-sensor:4.10.1. It requires non-default access to the host to protect more than its own Docker sandbox.

Deployment

  1. On the host, create a folder for the SLS configuration files and write the rules file into it. This documentation uses /etc/sophos, but you can place these in any location, as long as you change the host's mount point in the subsequent docker run command.

    Here's an example:

    mkdir -p /etc/sophos
    cat > /etc/sophos/runtimedetections-rules.yaml <<'EOF'
    debug: false
    alert_output:
      outputs:
        - type: stdout
          enabled: true
          template: 'Fired: {{ .StrategyName}}'
    EOF
    
  2. Create a folder on the host where SLS content yaml rules will go. This documentation uses /tmp/sophos-content but you can place it in any location as long as you change the host's mount point in the subsequent docker run command.

    mkdir /tmp/sophos-content
    
  3. Run the one-shot capsule8-content container; this will copy the detection rules into the new folder:

    docker run \
    -v /tmp/sophos-content:/var/lib/sophos/content:rw \
    us.gcr.io/cap8-docker/capsule8-content:4.9.0
    

    Docker reports this container in an "Exited" state. This is expected behavior.

  4. You can confirm that /tmp/sophos-content/runtimedetections-content.yaml now exists. It should have thousands of lines.

Run the Sensor container

On the host, run the following command:

docker run \
--pid=host \
--privileged \
--user=0 \
--detach \
-v /etc/sophos:/etc/sophos:rw \
-v /tmp/sophos-content:/var/lib/sophos/content:rw \
-v /sys/fs/cgroup:/var/run/sophos/mnt/sys/fs/cgroup:ro \
-v /sys/kernel/debug:/var/run/sophos/mnt/sys/kernel/debug:rw \
-v /etc/hostname:/var/run/sophos/mnt/hostname:ro \
-v /proc:/var/run/sophos/mnt/proc:ro \
-v /var/lib/docker:/var/lib/docker:ro \
-v /var/run/docker:/var/run/docker:ro \
--cap-add SYS_ADMIN --cap-add SETUID --cap-add SETGID --cap-add SETPCAP \
--cap-add SYS_PTRACE --cap-add KILL --cap-add DAC_OVERRIDE --cap-add IPC_LOCK \
--cap-add FOWNER --cap-add CHOWN --cap-add SYSLOG \
us.gcr.io/cap8-docker/capsule8-sensor:4.10.1
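The command above grants the container host-level access (host PID namespace, --privileged, a long capability list, and several host paths, some of which are deliberately read-only). The following is an added example, not Sophos code: it reads the JSON printed by docker inspect <containerID> and checks the launched container against exactly those settings, so a typo in the run command (a dropped --cap-add, or /proc mounted read-write) is caught before you rely on the Sensor. The sample docker inspect output in the block is constructed and trimmed to the fields the checks use; the script name audit_sensor.py is assumed.

```python
"""Audit a running Sensor container against the documented launch settings.

Added example, not Sophos code: it reads the JSON printed by
`docker inspect <containerID>` and checks that the container has the PID
namespace, privileges, capabilities and mounts that the docker run command
above asks for, including that host paths the command mounts with :ro
really are read-only. The sample output below is constructed.
"""
import json
import subprocess
import sys
from typing import Optional

# Host path -> (path inside the container, mounted read-only?), copied from
# the -v options of the docker run command above.
EXPECTED_MOUNTS = {
    "/etc/sophos": ("/etc/sophos", False),
    "/tmp/sophos-content": ("/var/lib/sophos/content", False),
    "/sys/fs/cgroup": ("/var/run/sophos/mnt/sys/fs/cgroup", True),
    "/sys/kernel/debug": ("/var/run/sophos/mnt/sys/kernel/debug", False),
    "/etc/hostname": ("/var/run/sophos/mnt/hostname", True),
    "/proc": ("/var/run/sophos/mnt/proc", True),
    "/var/lib/docker": ("/var/lib/docker", True),
    "/var/run/docker": ("/var/run/docker", True),
}

# The --cap-add list from the same command.
EXPECTED_CAPS = {
    "SYS_ADMIN", "SETUID", "SETGID", "SETPCAP", "SYS_PTRACE", "KILL",
    "DAC_OVERRIDE", "IPC_LOCK", "FOWNER", "CHOWN", "SYSLOG",
}


def audit_container(inspect_json: str) -> list:
    """Return findings; an empty list means the container matches the documented command."""
    data = json.loads(inspect_json)
    container = data[0] if isinstance(data, list) else data
    host_cfg = container.get("HostConfig", {})
    findings = []

    if host_cfg.get("PidMode") != "host":
        findings.append("PidMode is not 'host' (--pid=host missing): Sensor cannot see host processes")
    if not host_cfg.get("Privileged", False):
        findings.append("container is not privileged (--privileged missing)")

    # docker inspect reports capabilities as given on the command line; accept both spellings.
    caps = {c.removeprefix("CAP_") for c in (host_cfg.get("CapAdd") or [])}
    for cap in sorted(EXPECTED_CAPS - caps):
        findings.append(f"missing capability {cap}")

    by_source = {m.get("Source"): m for m in container.get("Mounts", [])}
    for host_path, (dest, want_ro) in EXPECTED_MOUNTS.items():
        mount = by_source.get(host_path)
        if mount is None:
            findings.append(f"missing mount {host_path}")
            continue
        if mount.get("Destination") != dest:
            findings.append(f"{host_path} is mounted at {mount.get('Destination')} instead of {dest}")
        if want_ro and mount.get("RW", True):
            findings.append(f"{host_path} should be mounted read-only")
    return findings


def sample_inspect(proc_rw: bool = False, omit_cap: Optional[str] = None) -> str:
    """Constructed `docker inspect` output; the flags let the sample deviate from the documented command."""
    mounts = [
        {"Type": "bind", "Source": src, "Destination": dest,
         "RW": (proc_rw if src == "/proc" else not ro)}
        for src, (dest, ro) in EXPECTED_MOUNTS.items()
    ]
    return json.dumps([{
        "Id": "0" * 64,  # placeholder container id, not a real one
        "HostConfig": {
            "PidMode": "host",
            "Privileged": True,
            "CapAdd": sorted(EXPECTED_CAPS - {omit_cap}),
        },
        "Mounts": mounts,
    }])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit a real container: python3 audit_sensor.py <containerID>
        raw = subprocess.run(["docker", "inspect", sys.argv[1]],
                             check=True, capture_output=True, text=True).stdout
    else:
        # Offline demonstration with a deliberately misconfigured sample.
        raw = sample_inspect(proc_rw=True, omit_cap="SYS_PTRACE")
    problems = audit_container(raw)
    print("\n".join(problems) if problems else "container matches the documented settings")
```

Run it with the CONTAINER ID from docker ps to audit the live container; without an argument it audits the constructed sample and reports the two deviations built into it. The read-only checks matter most: the command mounts /proc, the Docker state directories and the cgroup tree read-only so the Sensor can observe the host without being able to modify it.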

Confirm Sensor Functionality

SLS content from the container defaults to a set of protections that include the "Suspicious Interactive Shell" detection. We'll use this to confirm that the sensor can detect activity on the host. To confirm Sensor functionality, do as follows:

  1. Run the following command:

    docker ps
    
  2. Look for an SLS container and confirm that its STATUS column contains Up.

  3. Copy the CONTAINER ID for the next step.
  4. Run the following command:

    docker logs <containerID>
    

    A typical startup will end with the line "Analytics started processing telemetry".

    Note

    If you see "Zero policies configured" it means that the sensor doesn't have any enabled detection rules. It's likely that SLS is not loading content policies from disk. Contact Sophos technical support to resolve the issue.

  5. Run the following command:

    /bin/sh -i
    exit
    

    This command triggers the Suspicious Interactive Shell detection. If the Sensor is configured correctly, it will report the activity.

    The runtimedetections-rules.yaml file in this documentation contains a "stdout" alert output type with a custom template, allowing us to check the logs to see the alert that was triggered. If you've customized your alert outputs, you may have to look elsewhere. See Getting Started: Exporting Alerts.

    Here's an example:

    docker logs <containerID>
    ...
    Fired: Suspicious Interactive Shell
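Steps 4 and 5 come down to reading docker logs for three things: the startup line, the "Zero policies configured" warning, and the Fired: lines produced by the stdout template. The following is an added example, not Sophos code: it performs that triage over the log text and turns it into a verdict plus a count of fired detections, so the check can be scripted for many hosts. The sample log text in the block is constructed; only the phrases quoted on this page are real Sensor messages, and the script name check_sensor.py is assumed.

```python
"""Triage the output of `docker logs <containerID>` for the Sensor container.

Added example, not Sophos code: it looks for the startup line and the
"Zero policies configured" message quoted in the steps above, and collects
the alerts written by the stdout output template configured earlier
('Fired: {{ .StrategyName}}'). The log text at the bottom is constructed.
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field

STARTED_MSG = "Analytics started processing telemetry"
NO_POLICIES_MSG = "Zero policies configured"
# What the template 'Fired: {{ .StrategyName}}' in runtimedetections-rules.yaml prints.
FIRED_RE = re.compile(r"Fired: (?P<name>.+?)\s*$")


@dataclass
class SensorStatus:
    started: bool = False
    zero_policies: bool = False
    fired: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        """ok: ready with content loaded; no-content: see the Note in step 4; not-started: no startup line yet."""
        if self.zero_policies:
            return "no-content"
        if not self.started:
            return "not-started"
        return "ok"


def assess_logs(text: str) -> SensorStatus:
    """Scan the log lines once, in order, recording startup state and fired detections."""
    status = SensorStatus()
    for line in text.splitlines():
        if STARTED_MSG in line:
            status.started = True
        elif NO_POLICIES_MSG in line:
            status.zero_policies = True
        else:
            match = FIRED_RE.search(line)
            if match:
                status.fired.append(match.group("name"))
    return status


def fired_counts(status: SensorStatus) -> dict:
    """Count alerts per detection name, so repeated test shells show up as one row."""
    counts = {}
    for name in status.fired:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample logs: only the quoted Sensor phrases are real.
HEALTHY_LOGS = """\
(constructed startup line)
Analytics started processing telemetry
Fired: Suspicious Interactive Shell
Fired: Suspicious Interactive Shell
"""

NO_CONTENT_LOGS = """\
(constructed startup line)
Zero policies configured
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Triage a real container: python3 check_sensor.py <containerID>
        # The container may log to either stream, so read both.
        result = subprocess.run(["docker", "logs", sys.argv[1]],
                                check=True, capture_output=True, text=True)
        text = result.stdout + result.stderr
    else:
        text = HEALTHY_LOGS
    status = assess_logs(text)
    print(f"verdict: {status.verdict}")
    for name, count in fired_counts(status).items():
        print(f"  {count}x {name}")
```

A "not-started" verdict right after launch usually just means the Sensor is still initialising; re-run after a few seconds. A "no-content" verdict corresponds to the "Zero policies configured" case in the Note above and should be raised with Sophos technical support rather than retried.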
    