Repackaging Sophos Linux Sensor
Sophos Linux Sensor (SLS) is a statically linked Go application built on a minimal scratch image. You can repackage SLS into a base image of your choosing.
These instructions provide an outline for deploying the sensor as a container on a host running Docker. You can use the guidance here to configure the SLS Docker image to run in your environment.
Prerequisites
To repackage SLS, you must have Docker installed and running. You must also have pulled the Sophos Linux Sensor Docker images. See Pull the Docker images. The output of the docker image ls command should look like the following example:
# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
...
registry.sophosupd.com/release/sophos-linux-sensor 5.8.1.10 821473d98e09 6 weeks ago 91.9MB
registry.sophosupd.com/release/sophos-linux-content 5.6.1.2 bc76b3048e4d 6 months ago 7.9MB
Build the Docker image file
This example uses Alpine Linux as the new base image. Copy /sophoslinuxsensor and /var/lib/sophos from the SLS container to the newly created Docker image. Do as follows:
- Create a new file. The name doesn't matter. Note it because you'll need it in the following steps.
- Enter the following lines into the file, replacing <SENSOR REPOSITORY> with the name of the SLS sensor repository and <TAG> with the tag you want to use for your image:
FROM <SENSOR REPOSITORY>:<TAG> AS sophos-linux-sensor
FROM alpine:latest AS alpine-base
COPY --from=sophos-linux-sensor /sophoslinuxsensor /sophoslinuxsensor
COPY --from=sophos-linux-sensor /var/lib/sophos /var/lib/sophos
CMD /sophoslinuxsensor
- Create the new image in your registry by running the following command, replacing <DOCKERFILE> with the name of the file you created, <REPOSITORY NAME> with the name you want to give your image, and <TAG> with the tag you want to give your image:
docker build -f <DOCKERFILE> . -t <REPOSITORY NAME>:<TAG>
Here's an example:
# docker build -f my-docker-file.txt . -t sophoslinuxsensor-alpine:latest
[+] Building 0.2s (9/9) FINISHED docker:default
 => [internal] load build definition from my-docker-file.txt 0.0s
 => => transferring dockerfile: 384B 0.0s
 => [internal] load metadata for docker.io/library/alpine:latest 0.1s
 => [internal] load metadata for registry.sophosupd.com/release/sophos-linux-sensor:5.8.1.10 0.0s
 => [internal] load .dockerignore 0.0s
 => => transferring context: 2B 0.0s
 => [alpine-base 1/3] FROM docker.io/library/alpine:latest@sha256:77726ef6b57ddf65bb551896826ec38bc3e53f75cdde31354fbffb4f25238ebd 0.0s
 => [sophos-linux-sensor 1/1] FROM registry.sophosupd.com/release/sophos-linux-sensor:5.8.1.10 0.0s
 => CACHED [alpine-base 2/3] COPY --from=sophos-linux-sensor /sophoslinuxsensor /sophoslinuxsensor 0.0s
 => CACHED [alpine-base 3/3] COPY --from=sophos-linux-sensor /var/lib/sophos /var/lib/sophos 0.0s
 => exporting to image 0.0s
 => => exporting layers 0.0s
 => => writing image sha256:df3bc6be7b338037d1ca53eb905f9f59d5fdbc0921937a19b6faa5db9794aeb7 0.0s
 => => naming to docker.io/library/sophoslinuxsensor-alpine:latest 0.0s
You can confirm the image was created successfully with the docker image ls command. Here's an example:
# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
sophoslinuxsensor-alpine latest df3bc6be7b33 About an hour ago 99.4MB
registry.sophosupd.com/release/sophos-linux-sensor 5.8.1.10 821473d98e09 6 weeks ago 91.9MB
registry.sophosupd.com/release/sophos-linux-content 5.6.1.2 bc76b3048e4d 6 months ago 7.9MB
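As an added example (not Sophos's own tooling), the following script generates the Dockerfile from the steps above, lints it, builds the image and verifies that the copied files are present before you deploy. It departs from the minimal Dockerfile in two ways: it pins the Alpine tag instead of alpine:latest so rebuilds are reproducible, and it uses the exec form of CMD so the sensor is started directly rather than through /bin/sh -c. The repository, tags and image name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Sophos tooling: generate the Alpine repackaging
# Dockerfile for SLS, lint it, build it and verify the result.
set -eu

# Assumed values (replace with your registry and tags).
SENSOR_REPO="${SENSOR_REPO:-registry.sophosupd.com/release/sophos-linux-sensor}"
SENSOR_TAG="${SENSOR_TAG:-5.8.1.10}"
ALPINE_REF="${ALPINE_REF:-alpine:3.20}"   # pinned tag; :latest drifts between builds
OUT_IMAGE="${OUT_IMAGE:-sophoslinuxsensor-alpine:5.8.1.10}"

# Emit the two-stage Dockerfile. CMD is in exec form so the sensor binary is
# started directly and receives SIGTERM from 'docker stop' itself, instead
# of being wrapped in '/bin/sh -c' as the shell form is.
write_dockerfile() {
  cat <<EOF
FROM ${1}:${2} AS sophos-linux-sensor
FROM ${3} AS alpine-base
COPY --from=sophos-linux-sensor /sophoslinuxsensor /sophoslinuxsensor
COPY --from=sophos-linux-sensor /var/lib/sophos /var/lib/sophos
CMD ["/sophoslinuxsensor"]
EOF
}

# Lint a Dockerfile before building: both COPY lines present, CMD in exec
# form, no FROM line floating on :latest. Returns 0 when all checks pass.
check_dockerfile() {
  grep -q '^COPY --from=sophos-linux-sensor /sophoslinuxsensor /sophoslinuxsensor$' "$1" || return 1
  grep -q '^COPY --from=sophos-linux-sensor /var/lib/sophos /var/lib/sophos$' "$1" || return 1
  grep -q '^CMD \["/sophoslinuxsensor"\]$' "$1" || return 1
  if grep -q '^FROM [^ ]*:latest' "$1"; then return 1; fi
  return 0
}

# Build the image and confirm the copied sensor binary and content
# directory exist before the image is deployed. Needs Docker on the host.
build_and_verify() {
  df=$(mktemp)
  write_dockerfile "$SENSOR_REPO" "$SENSOR_TAG" "$ALPINE_REF" > "$df"
  check_dockerfile "$df"
  docker build -f "$df" . -t "$OUT_IMAGE"
  docker run --rm "$OUT_IMAGE" sh -c 'test -x /sophoslinuxsensor && test -d /var/lib/sophos'
  docker image inspect --format '{{.Config.Cmd}}' "$OUT_IMAGE"   # expect [/sophoslinuxsensor]
  rm -f "$df"
}

if [ "${1:-}" = "build" ]; then build_and_verify; fi
```

Run it as `sh repackage.sh build`; with the exec-form CMD, docker ps later shows /sophoslinuxsensor as the container command rather than "/bin/sh -c /sophoslinuxsensor".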
Deploy the new image
Deploying your custom image follows the same process as deploying SLS as a Docker image. The only change is the reference to the image being used. For detailed instructions, see Deployment.
- Run the following command, replacing <REPOSITORY NAME> with the name of your image and <TAG> with the tag of your image:
docker run \
  --pid=host \
  --privileged \
  --user=0 \
  --detach \
  -v /etc/sophos:/etc/sophos:rw \
  -v /tmp/sophos-content:/var/lib/sophos/content:rw \
  -v /tmp/sophos-log:/var/log/sophos-log:rw \
  -v /sys/fs/cgroup:/var/run/sophos/mnt/sys/fs/cgroup:ro \
  -v /sys/kernel/debug:/var/run/sophos/mnt/sys/kernel/debug:rw \
  -v /etc/hostname:/var/run/sophos/mnt/hostname:ro \
  -v /proc:/var/run/sophos/mnt/proc:ro \
  -v /var/lib/docker:/var/lib/docker:ro \
  -v /var/run/docker:/var/run/docker:ro \
  -v /var/run/containerd:/var/run/containerd:rw \
  -v /var/run/crio:/var/run/crio:rw \
  --cap-add SYS_ADMIN --cap-add SETUID --cap-add SETGID --cap-add SETPCAP \
  --cap-add SYS_PTRACE --cap-add KILL --cap-add DAC_OVERRIDE --cap-add IPC_LOCK \
  --cap-add FOWNER --cap-add CHOWN --cap-add SYSLOG \
  --cap-add NET_RAW --cap-add SYS_RESOURCE \
  <REPOSITORY NAME>:<TAG>
The command prints the ID of the new container, which confirms it succeeded.
- Run the docker ps command to confirm the image is running. Here's an example:
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4a015bebf4d3 sophoslinuxsensor-alpine:latest "/bin/sh -c /sophosl…" 5 seconds ago Up 4 seconds upbeat_ellis
You can now run different commands, since you're running both the sensor image and the additional packages available from the Alpine base image. Here's an example using docker exec -it:
# docker exec -it 4a015bebf4d3 sh
/ # ls -l
total 87656
drwxr-xr-x    2 root root    16384 May 22 09:47 bin
drwxr-xr-x   11 root root     2800 May 23 19:48 dev
drwxr-xr-x    1 root root       20 May 23 19:48 etc
drwxr-xr-x    2 root root        6 May 22 09:47 home
drwxr-xr-x    6 root root    16384 May 22 09:47 lib
drwxr-xr-x    5 root root       44 May 22 09:47 media
drwxr-xr-x    2 root root        6 May 22 09:47 mnt
drwxr-xr-x    2 root root        6 May 22 09:47 opt
dr-xr-xr-x  177 root root        0 May 23 19:48 proc
drwx------    1 root root       26 May 23 19:51 root
drwxr-xr-x    1 root root       64 May 23 19:48 run
drwxr-xr-x    2 root root    16384 May 22 09:47 sbin
-rwxr-xr-x    1 root root 89706632 Apr  8 15:51 sophoslinuxsensor
drwxr-xr-x    2 root root        6 May 22 09:47 srv
dr-xr-xr-x   13 root root        0 May 23 17:41 sys
drwxrwxrwt    2 root root        6 May 22 09:47 tmp
drwxr-xr-x    7 root root       66 May 22 09:47 usr
drwxr-xr-x    1 root root       28 May 22 09:47 var
/ # cd /etc/sophos/
/etc/sophos # ls -l
total 8
-rw-r--r--    1 root root     1879 May 23 19:14 runtimedetections-rules.yaml
-rw-r--r--    1 root root      262 May  6 15:38 runtimedetections.yaml
/etc/sophos # exit