
Installing Sophos Linux Sensor

Sophos Linux Sensor (SLS) is a lightweight agent installed on Linux hosts, collecting events from the hosts to trigger alert generation or automated response. SLS integrates with your existing logging and alerting infrastructure. You can install SLS wherever you have Linux, in a public or private cloud, containers or VMs, on-prem bare metal, and across different kernel versions and Linux distributions.

System requirements

  • At least 1 vCPU
  • At least 2 GB RAM (recommended) or 256 MB RAM (minimum)
  • At least 2 GB of free disk space
  • A supported Linux distribution. See Sophos Linux Sensor Linux distribution and kernel support.
  • The Linux debug subsystem (debugfs) must be turned on. SLS uses it to instrument kernel and userspace events.
    • Newer kernels have it turned on by default.
    • To turn on the debug subsystem, use the following command:

      sudo mount -t debugfs nodev /sys/kernel/debug
      

Prerequisites

Before you begin, you must download and verify the installation and content packages for your Linux distribution. Sophos distributes SLS releases as deb and rpm packages hosted in Sophos Central. See How to download and verify the deb and rpm packages for Sophos Linux Sensor.

You must also get the unique ID for your Sophos Central account. Do the following:

  1. Sign in to Sophos Central.
  2. Click your account name and select Account Details.
  3. Click Sophos Support.
  4. Note the unique ID for your Sophos Central account.

Installation instructions

You can install SLS on RHEL, CentOS, or Amazon Linux using the rpm package. Ubuntu distributions use the deb package.

Warning

The commands and files used to install SLS depend on the service manager you use, for example SysV, systemd, upstart, or runit. The files within the installation package use the following naming convention:

sophoslinuxsensor-<service_manager>-<sensor_version>.x86_64

Note

In the following steps, you must replace <path_to_install_package> and <path_to_content_package> with the path and file name of the packages you've downloaded.

RHEL, CentOS, or Amazon Linux (rpm package)

  1. Locate the installation and content packages on your system.
  2. Unzip the packages.

    unzip <path_to_install_package>
    unzip <path_to_content_package>
    
  3. Install SLS using the following example command:

    sudo yum install <path_to_install_package>
    
  4. Optional: Install the content package using the following example command:

    sudo yum install <path_to_content_package>
    
  5. Add your unique Sophos Central account ID to /etc/sophos/runtimedetections-rules.yaml as customer_id.

    Here's an example:

    send_labs_telemetry: true
    # Set your customer id:
    customer_id: "<unique_sophos_central_account_id>"
    alert_output:
      outputs:
        - type: stdout
          enabled: true
          template: 'Alert triggered: {{ .StrategyName}}'
    

    Note

    If you don't want to send telemetry data to Sophos, set send_labs_telemetry to false.

  6. Start SLS with the following command:

    sudo systemctl start sophoslinuxsensor
    
Ubuntu (deb package)

  1. Locate the installation and content packages on your system.
  2. Unzip the packages.

    unzip <path_to_install_package>
    unzip <path_to_content_package>
    
  3. Install SLS using the following example command:

    sudo apt install <path_to_install_package>
    
  4. Optional: Install the content package using the following example command:

    sudo apt install <path_to_content_package>
    
  5. Add your unique Sophos Central account ID to /etc/sophos/runtimedetections-rules.yaml as customer_id.

    Here's an example:

    send_labs_telemetry: true
    # Set your customer id:
    customer_id: "<unique_sophos_central_account_id>"
    alert_output:
      outputs:
        - type: stdout
          enabled: true
          template: 'Alert triggered: {{ .StrategyName}}'
    

    Note

    If you don't want to send telemetry data to Sophos, set send_labs_telemetry to false.

  6. Start SLS with the following command:

    sudo systemctl start sophoslinuxsensor
    

Check for successful installation

Run the following command to check the status of your SLS installation:

sudo systemctl status sophoslinuxsensor

Checking for capability errors

As part of your installation, SLS should have the CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE and CAP_KILL capabilities. This is necessary since the supervisor process executes SLS as an unprivileged user.

If you are getting "permission denied" errors, verify that these capabilities are set with getcap <sensor_binary>. To set them, run the following command:

setcap cap_sys_admin,cap_dac_override,cap_sys_ptrace,cap_kill=+epi <sensor_binary>
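The following POSIX shell script is an added example, not Sophos's own tooling. It wraps the two checks the page describes: that debugfs is mounted at /sys/kernel/debug (the System requirements above) and that the sensor binary carries the four required capabilities with the effective and permitted flags set (the getcap check above). The environment variable SENSOR_BINARY, the example path /opt/example/sensor used in comments, and the helper function names are assumptions; getcap output is parsed rather than interpreted by the tool, so both the older "path = caps+ep" and newer "path caps=ep" layouts are accepted.

```shell
#!/bin/sh
# Added post-install check for Sophos Linux Sensor (example, not Sophos's code).
# SENSOR_BINARY is a placeholder for what the page calls <sensor_binary>:
#   SENSOR_BINARY=/path/to/sensor sh check-sls.sh

# The four capabilities the page says the sensor binary must carry.
REQUIRED_CAPS="cap_sys_admin cap_dac_override cap_sys_ptrace cap_kill"

# missing_caps LINE
# LINE is one line of getcap output, for example (constructed):
#   /opt/example/sensor cap_dac_override,cap_kill,cap_sys_ptrace,cap_sys_admin=eip
# Prints the required capabilities that are absent, space separated; empty
# output means all four are present. Tokenising on ',', '=', '+' and ' '
# handles both the old "path = caps+ep" and new "path caps=ep" layouts.
missing_caps() {
  missing=""
  for cap in $REQUIRED_CAPS; do
    if ! printf '%s\n' "$1" | tr ',=+ ' '\n\n\n\n' | grep -qx "$cap"; then
      missing="$missing $cap"
    fi
  done
  printf '%s\n' "${missing# }"
}

# cap_flags LINE
# Prints the flag letters that follow the last '=' or '+' (e.g. "eip").
cap_flags() {
  printf '%s\n' "$1" | sed -n 's/.*[=+]\([eip]*\)$/\1/p'
}

# effective_and_permitted LINE
# Succeeds when the flags include both e (effective) and p (permitted),
# which is what the page's setcap command (=+epi) grants.
effective_and_permitted() {
  flags=$(cap_flags "$1")
  case "$flags" in
    *e*p*|*p*e*) return 0 ;;
  esac
  return 1
}

# debugfs_mounted [MOUNTS_FILE]
# Succeeds if debugfs is mounted at /sys/kernel/debug according to
# MOUNTS_FILE (default /proc/mounts).
debugfs_mounted() {
  grep -q ' /sys/kernel/debug debugfs ' "${1:-/proc/mounts}" 2>/dev/null
}

# Live checks; each one runs only where the needed tool or file exists.
if debugfs_mounted; then
  echo "debugfs: mounted at /sys/kernel/debug"
else
  echo "debugfs: NOT mounted (see the mount command under System requirements)"
fi

if [ -n "${SENSOR_BINARY:-}" ] && command -v getcap >/dev/null 2>&1; then
  line=$(getcap "$SENSOR_BINARY" 2>/dev/null || true)
  absent=$(missing_caps "$line")
  if [ -z "$absent" ] && effective_and_permitted "$line"; then
    echo "capabilities: OK on $SENSOR_BINARY"
  else
    echo "capabilities: missing or not effective+permitted: ${absent:-flags}"
  fi
fi

if command -v systemctl >/dev/null 2>&1; then
  state=$(systemctl is-active sophoslinuxsensor 2>/dev/null || true)
  echo "service: ${state:-unknown}"
fi
```

Run it as root (or a user allowed to read the binary) after step 6; a non-empty "capabilities" line names exactly which of the four capabilities the page's setcap command still needs to add.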
