
Installing Sophos Linux Sensor from Sophos Central

Sophos Linux Sensor (SLS) is a lightweight agent installed on Linux hosts, collecting events from the hosts to trigger alert generation or automated response. SLS integrates with your existing logging and alerting infrastructure. You can install SLS wherever you have Linux, in a public or private cloud, containers or VMs, on-prem bare metal, and across different kernel versions and Linux distributions.

System requirements

  • At least 1 vCPU
  • At least 2 GB RAM (recommended) or 256 MB RAM (minimum)
  • At least 2 GB of free disk space
  • A supported Linux distribution. See Sophos Linux Sensor Linux distribution and kernel support.
  • Turn on the Linux debug subsystem (debugfs). SLS uses it to instrument kernel and userspace events.
    • Newer kernels have it turned on by default.
    • To turn on the debug subsystem, use the following command: 

      sudo mount -t debugfs nodev /sys/kernel/debug
      

Prerequisites

Before you begin, you must download the installation and content packages for your Linux distribution. Sophos distributes SLS releases as deb and rpm packages hosted in Sophos Central. See How to download the deb and rpm packages for Sophos Linux Sensor.

You must also get the unique ID for your Sophos Central account. Do the following:

  1. Sign in to Sophos Central.
  2. Click your account name and select Account Details.
  3. Click Sophos Support.
  4. Note the unique ID for your Sophos Central account.

Installation instructions

You can install SLS on RHEL, CentOS, or Amazon Linux using the rpm package. Ubuntu distributions use the deb package.

Note

In the following steps, you must replace {path_to_install_package} and {path_to_content_package} with the path and file name of the packages you've downloaded.

Using the rpm package (RHEL, CentOS, Amazon Linux)

  1. Locate the installation and content packages on your system.

  2. Install SLS using the following command:

    sudo yum install {path_to_install_package}
    
  3. Install the content package using the following command:

    sudo yum install {path_to_content_package}
    
  4. To provide telemetry, add your unique Sophos Central account ID to /etc/sophos/runtimedetections-rules.yaml as customer_id.

    Here's an example:

    send_labs_telemetry: true
    # Set your customer id:
    customer_id: "{unique_sophos_central_account_id}"
    alert_output:
      outputs:
        - type: stdout
          enabled: true
          template: 'Alert triggered: {{ .StrategyName}}'
    

    Note

    If you don't want to send telemetry data to Sophos, set send_labs_telemetry to false.

  5. Start SLS with the following command:

    sudo systemctl start sophoslinuxsensor
    
Using the deb package (Ubuntu)

  1. Locate the installation and content packages on your system.

  2. Install SLS using the following command:

    sudo apt install {path_to_install_package}
    
  3. Install the content package using the following command:

    sudo apt install {path_to_content_package}
    
  4. To provide telemetry, add your unique Sophos Central account ID to /etc/sophos/runtimedetections-rules.yaml as customer_id.

    Here's an example:

    send_labs_telemetry: true
    # Set your customer id:
    customer_id: "{unique_sophos_central_account_id}"
    alert_output:
      outputs:
        - type: stdout
          enabled: true
          template: 'Alert triggered: {{ .StrategyName}}'
    

    Note

    If you don't want to send telemetry data to Sophos, set send_labs_telemetry to false.

  5. Start SLS with the following command:

    sudo systemctl start sophoslinuxsensor
    

Next steps

Check the status of the installation

Run the following command to check the SLS log for errors:

sudo journalctl -u sophoslinuxsensor

Run the following command to check the status of your SLS installation:

sudo systemctl status sophoslinuxsensor

Warning

If you see the following line, it means that SLS default content isn't installed.

sophoslinuxsensor[12650]: 2022-07-19T14:24:22.762Z        WARN        Zero policies configured

You must install both SLS and the default content for detections and alerts to function. See Install Sophos Linux Sensor.
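The checks implied by the installation steps and by the status check above (debugfs mounted, customer_id actually set in the rules file, no "Zero policies configured" warning in the journal) gathered into one script. This is an added example, not Sophos code or part of this page: it takes the config path /etc/sophos/runtimedetections-rules.yaml and the unit name sophoslinuxsensor from the page, and assumes that the YAML carries a single customer_id: line and that the warning text matches the line quoted above. Each check reads from an argument or stdin so it can be exercised on copies of the real files; --run performs the live checks.

```shell
#!/bin/sh
# Added example, not part of the Sophos documentation: post-install checks for
# Sophos Linux Sensor. Every check takes its input as an argument or on stdin so
# it can run against copies of the real files; the defaults point at the paths
# the page names. Assumptions: the YAML keeps one "customer_id:" line, and the
# journal warning text is exactly the one quoted on the page.

RULES_FILE="${RULES_FILE:-/etc/sophos/runtimedetections-rules.yaml}"
UNIT="sophoslinuxsensor"

# 0 if debugfs is mounted at /sys/kernel/debug. Reads /proc/mounts by default;
# pass another file (for example a saved copy) as $1.
debugfs_mounted() {
  grep -q ' /sys/kernel/debug debugfs ' "${1:-/proc/mounts}"
}

# Echoes yum or apt for the distro ID given in $1 (as found in /etc/os-release),
# following the page: rpm for RHEL/CentOS/Amazon Linux, deb for Ubuntu.
pkg_cmd() {
  case "$1" in
    rhel|centos|amzn) echo yum ;;
    ubuntu) echo apt ;;
    *) return 1 ;;
  esac
}

# 0 if customer_id in the YAML file $1 holds a real value: present, non-empty,
# and no longer the {placeholder} from the docs.
customer_id_configured() {
  id=$(sed -n 's/^[[:space:]]*customer_id:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1")
  [ -n "$id" ] || return 1
  case "$id" in
    '{'*'}') return 1 ;;   # still the documentation placeholder
  esac
  return 0
}

# 0 if the journal text on stdin contains the warning that means the content
# package (default policies) is missing.
content_missing() {
  grep -q 'Zero policies configured'
}

# Runs all checks against the live system; only called with --run so that the
# functions above can be sourced and tested on their own.
main() {
  rc=0
  debugfs_mounted || { echo "debugfs is not mounted at /sys/kernel/debug"; rc=1; }
  customer_id_configured "$RULES_FILE" || { echo "customer_id not set in $RULES_FILE"; rc=1; }
  if journalctl -u "$UNIT" --no-pager 2>/dev/null | content_missing; then
    echo "content package not installed: 'Zero policies configured' in journal"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sudo sh sls-check.sh --run` on the host after step 5; a non-zero exit means at least one of the three prerequisites the page lists is not in place, and the message names which one.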

Trigger a test alert

Run the following command to trigger the Test Alert policy:

sophoslinuxsensor -test-alert

Sample output:

2022-05-17T15:28:31.470Z        INFO    config "/etc/sophos/runtimedetections-rules.yaml" has been read
Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
2022-05-17T15:28:31.472Z        INFO    using sensor configuration file "/etc/sophos/runtimedetections-rules.yaml"
2022-05-17T15:28:31.474Z        INFO    Alert testing command executed, exiting

You should see the following alert:

$ May 17 15:28:31 vagrant sophoslinuxsensor[26137]: Alert triggered: Alert Tester

You will also see the alert in your configured alert output. SLS outputs alerts to stdout by default.

Tip

You can trigger any alert to test the default content. See Testing default detections.

Checking capability error log

As part of your installation, SLS should have the CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE, and CAP_KILL capabilities. This is necessary since the supervisor process executes SLS as an unprivileged user.

If you get "permission denied" errors, you can verify that these capabilities are set with getcap. Run the following command:

getcap /usr/local/bin/sophoslinuxsensor

To set the necessary capabilities, run the following command:

setcap cap_sys_admin,cap_dac_override,cap_sys_ptrace,cap_kill=+epi /usr/local/bin/sophoslinuxsensor
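A small checker for the capability step above, written as an added example (not Sophos code): it parses the getcap output for the sensor binary and lists which of the four required capabilities are absent, and whether the effective and permitted flags the page's setcap command sets (+epi) are present. It accepts both getcap output styles found in libcap releases, "/path = cap_a,cap_b+eip" and "/path cap_a,cap_b=eip", and assumes one flag group per line, which is what the setcap command above produces; the binary path is the one named on the page.

```shell
#!/bin/sh
# Added example, not from the Sophos documentation: compares the capabilities
# getcap reports on the sensor binary with the four the page requires. The
# parser accepts both getcap output styles seen in libcap releases, i.e.
# "/path = cap_a,cap_b+eip" and "/path cap_a,cap_b=eip" (assumption: one flag
# group per line, which is what the page's setcap command produces).

SLS_BIN="${SLS_BIN:-/usr/local/bin/sophoslinuxsensor}"
REQUIRED_CAPS="cap_sys_admin cap_dac_override cap_sys_ptrace cap_kill"

# Extracts the comma-separated capability names from one getcap output line.
cap_names() {
  printf '%s\n' "$1" | sed 's/^[^ ]* *=* *//; s/[=+].*$//'
}

# Prints, one per line, each required capability that is absent from the
# getcap line given in $1. Prints nothing when all four are present.
missing_caps() {
  names=$(cap_names "$1")
  for cap in $REQUIRED_CAPS; do
    case ",$names," in
      *",$cap,"*) ;;
      *) printf '%s\n' "$cap" ;;
    esac
  done
}

# 0 if the flag set on the line includes both e (effective) and p (permitted).
# File capabilities without the e bit are only permitted at exec time, so the
# process would have to raise them itself before they take effect.
cap_flags_ok() {
  flags=$(printf '%s\n' "$1" | sed -n 's/.*[=+]\([eip]*\)[[:space:]]*$/\1/p')
  case "$flags" in *e*) ;; *) return 1 ;; esac
  case "$flags" in *p*) ;; *) return 1 ;; esac
  return 0
}

# Live check: reads getcap for the real binary and reports what is missing.
main() {
  line=$(getcap "$SLS_BIN" 2>/dev/null)
  missing=$(missing_caps "$line")
  if [ -n "$missing" ]; then
    echo "missing capabilities on $SLS_BIN:"; echo "$missing"; return 1
  fi
  cap_flags_ok "$line" || { echo "capabilities are set but not effective+permitted"; return 1; }
  echo "all required capabilities present on $SLS_BIN"
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run `sh sls-caps.sh --run` after installation; if it lists anything, apply the setcap command above and run it again. Checking the flags as well as the names catches the case where capabilities were granted with only +p, which getcap shows as present but which does not satisfy the unprivileged sensor process.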
