
Installing the Sophos Linux Sensor on RHEL, CentOS, Fedora, and Amazon Linux

Sophos Linux Sensor (SLS) is a lightweight agent installed on Linux hosts, collecting events from the hosts to trigger alert generation or automated response. SLS integrates with your existing logging and alerting infrastructure. You can install SLS on RHEL, CentOS, Fedora, or Amazon Linux distributions. After you install SLS, you can deploy a sensor configuration.

Sophos distributes SLS releases as deb and rpm packages hosted in Sophos Central.

System requirements

  • At least 1 vCPU
  • At least 2 GB RAM (recommended) or 256 MB RAM (minimum)
  • At least 2 GB of free disk space
  • Linux debug subsystem must be turned on. We use this to instrument kernel and userspace events.
    • Newer kernels have it turned on by default.
    • To turn on the debug subsystem, use the following command: 

      sudo mount -t debugfs nodev /sys/kernel/debug
      

Step-by-step installation

You can install SLS on RHEL, CentOS, Fedora, or Amazon Linux distributions using the rpm package available in Sophos Central.

In Sophos Central

  1. Sign in to Sophos Central.
  2. Click your account name and select Account Details.
  3. Click Sophos Support.
  4. Note the unique ID for your Sophos Central account.
  5. Go to Protect Devices > Sophos Linux Sensor.
  6. Click Download Linux Sensor rpm package.
  7. Optional: The SLS installation package doesn't install with any detections. Click Download Linux Sensor Content rpm package to download the default detection content.
  8. Optional: Verify the packages. See Verify the installation package.

In your Linux system

Warning

The commands and files used to install SLS will change depending on the service manager you use, for example sysV, systemd, upstart, or runit. The files within the installation package use the following naming convention:

sophoslinuxsensor-<service_manager>-<sensor_version>.x86_64.rpm

Note

In the following steps, you must replace <path_to_install_package> and <path_to_content_package> with the path and file name of the packages you've downloaded.

  1. Locate the installation and content packages on your system.
  2. Unzip the packages.

    unzip <path_to_install_package>
    unzip <path_to_content_package>
    
  3. Install SLS using the following example command:

    sudo yum install <path_to_install_package>
    
  4. Optional: Install the content package using the following example command:

    sudo yum install <path_to_content_package>
    
  5. Add your unique Sophos Central account ID to /etc/sophos/runtimedetections-rules.yaml as customer_id.

    Here's an example:

    send_labs_telemetry: true
    # Set your customer id:
    customer_id: "<unique_sophos_central_account_id>"
    alert_output:
      outputs:
      - type: stdout
        enabled: true
        template: 'Alert triggered: {{ .StrategyName}}'
    
  6. Start SLS with the following command:

    sudo systemctl start sophoslinuxsensor
    
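The following preflight script is an added example and not Sophos' own tooling: it checks the system requirements listed above, confirms debugfs is mounted, and sets customer_id in the rules file from step 5. The function names, the --check flag, and the two-argument form that takes an alternative mounts file are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Sophos' code: preflight checks for the requirements on
# this page plus a helper that sets customer_id in the rules file.

# Return 0 if debugfs is mounted at MNT. MOUNTS defaults to /proc/mounts;
# a different file can be passed for testing.
sls_debugfs_mounted() {
  local mnt="${1:-/sys/kernel/debug}" mounts="${2:-/proc/mounts}"
  # /proc/mounts columns: device mountpoint fstype options dump pass
  awk -v m="$mnt" '$2 == m && $3 == "debugfs" { found = 1 } END { exit !found }' "$mounts"
}

# Compare vCPU count, RAM (MB) and free disk (MB) against the page's minimums.
# Returns non-zero if a hard minimum is missed; only warns below the recommended RAM.
sls_check_requirements() {
  local vcpus="$1" ram_mb="$2" disk_mb="$3" rc=0
  [ "$vcpus" -ge 1 ] || { echo "need at least 1 vCPU, have $vcpus" >&2; rc=1; }
  [ "$ram_mb" -ge 256 ] || { echo "need at least 256 MB RAM, have ${ram_mb} MB" >&2; rc=1; }
  [ "$ram_mb" -ge 2048 ] || echo "warning: below the recommended 2 GB RAM" >&2
  [ "$disk_mb" -ge 2048 ] || { echo "need at least 2 GB free disk, have ${disk_mb} MB" >&2; rc=1; }
  return "$rc"
}

# Set customer_id in the rules YAML (default path from this page), replacing an
# existing customer_id line or appending one. The ID is restricted to
# [A-Za-z0-9-] so an unexpected value cannot inject YAML or break the sed pattern.
sls_set_customer_id() {
  local id="$1" file="${2:-/etc/sophos/runtimedetections-rules.yaml}"
  case "$id" in
    ""|*[!A-Za-z0-9-]*) echo "refusing customer_id '$id'" >&2; return 2 ;;
  esac
  if grep -q '^customer_id:' "$file"; then
    sed "s/^customer_id:.*/customer_id: \"$id\"/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf 'customer_id: "%s"\n' "$id" >> "$file"
  fi
}

# Live check of this host when invoked as: sudo ./sls-preflight.sh --check
# (the --check flag and the script name are this example's own).
if [ "${1:-}" = "--check" ]; then
  sls_check_requirements "$(nproc)" \
    "$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo)" \
    "$(df -Pm / | awk 'NR == 2 { print $4 }')"
  sls_debugfs_mounted || echo "debugfs not mounted; run: sudo mount -t debugfs nodev /sys/kernel/debug" >&2
fi
```

Run the --check pass before step 3, then call sls_set_customer_id with your account ID from step 4 of the Sophos Central section in place of editing the YAML by hand.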

Check for successful installation

You can use the following commands to check the status of your SLS installation and manage the sensor:

Command                                         Description
apt list --installed | grep sophos              Show SLS and content info for Debian-based distros.
sudo systemctl enable sophoslinuxsensor         Enable SLS so it starts at boot.
sudo systemctl start sophoslinuxsensor          Start SLS.
sudo systemctl status sophoslinuxsensor         Display the status of SLS.
sudo journalctl -efu sophoslinuxsensor          View the SLS logs.
sudo systemctl restart sophoslinuxsensor        Restart SLS.
sudo apt-get install sophoslinuxsensor-systemd  Upgrade SLS to the most recent version.
