
Repackaging Sophos Linux Sensor

Sophos Linux Sensor (SLS) is a statically linked Go application built on a minimal scratch image. You can repackage SLS into a base image of your choosing.

These instructions provide an outline for deploying the sensor as a container on a host running Docker. You can use the guidance here to configure the SLS Docker image to run in your environment.

Prerequisites

To repackage SLS, you must have Docker installed and running. You must also have pulled the Sophos Linux Sensor Docker images. See Pull the Docker images. The output of the docker image ls command should look like the following example:

# docker image ls
REPOSITORY                                                               TAG         IMAGE ID       CREATED             SIZE
...
registry.sophosupd.com/release/sophos-linux-sensor                       5.8.1.10    821473d98e09   6 weeks ago         91.9MB
registry.sophosupd.com/release/sophos-linux-content                      5.6.1.2     bc76b3048e4d   6 months ago        7.9MB

Build the Docker image file

This example uses Alpine Linux as the base image for the new container.

The Dockerfile below is a multi-stage build: the first stage is the SLS image, and the second stage copies /sophoslinuxsensor and /var/lib/sophos from it into a new Alpine-based image. Do as follows:

  1. Create a new file to hold the Dockerfile. The name doesn't matter, but note it because you'll need it in the following steps.
  2. Enter the following lines into the file, replacing <SENSOR REPOSITORY> with the name of the SLS sensor repository and <TAG> with the tag of the sensor image you pulled:

    FROM <SENSOR REPOSITORY>:<TAG> AS sophos-linux-sensor
    FROM alpine:latest AS alpine-base
    COPY --from=sophos-linux-sensor /sophoslinuxsensor /sophoslinuxsensor
    COPY --from=sophos-linux-sensor /var/lib/sophos /var/lib/sophos
    CMD /sophoslinuxsensor
    
    Two points are worth noting. First, alpine:latest is a moving target: for a reproducible build, pin the base image to a specific tag or digest (the build output in the next step shows the digest that was resolved). Second, the shell-form CMD makes the container's command /bin/sh -c /sophoslinuxsensor, as the docker ps output later on this page shows; the exec form CMD ["/sophoslinuxsensor"] runs the binary directly as PID 1, so signals from docker stop reach the sensor without a shell in between.
  3. Build the new image by running the following command, replacing <DOCKERFILE> with the name of the file you created, <REPOSITORY NAME> with the name you want to give your image, and <TAG> with the tag you want to give your image. The image is stored in the local Docker image store; push it to your registry separately if your hosts pull from one:

    docker build -f <DOCKERFILE> . -t <REPOSITORY NAME>:<TAG>
    

    Here's an example:

    # docker build -f my-docker-file.txt . -t sophoslinuxsensor-alpine:latest
    [+] Building 0.2s (9/9) FINISHED                                                                                                         docker:default
    => [internal] load build definition from my-docker-file.txt                                                                                        0.0s
    => => transferring dockerfile: 384B                                                                                                                0.0s
    => [internal] load metadata for docker.io/library/alpine:latest                                                                                    0.1s
    => [internal] load metadata for registry.sophosupd.com/release/sophos-linux-sensor:5.8.1.10                                                        0.0s
    => [internal] load .dockerignore                                                                                                                   0.0s
    => => transferring context: 2B                                                                                                                     0.0s
    => [alpine-base 1/3] FROM docker.io/library/alpine:latest@sha256:77726ef6b57ddf65bb551896826ec38bc3e53f75cdde31354fbffb4f25238ebd                  0.0s
    => [sophos-linux-sensor 1/1] FROM registry.sophosupd.com/release/sophos-linux-sensor:5.8.1.10                                                      0.0s
    => CACHED [alpine-base 2/3] COPY --from=sophos-linux-sensor /sophoslinuxsensor /sophoslinuxsensor                                                  0.0s
    => CACHED [alpine-base 3/3] COPY --from=sophos-linux-sensor /var/lib/sophos /var/lib/sophos                                                        0.0s
    => exporting to image                                                                                                                              0.0s
    => => exporting layers                                                                                                                             0.0s
    => => writing image sha256:df3bc6be7b338037d1ca53eb905f9f59d5fdbc0921937a19b6faa5db9794aeb7                                                        0.0s
    => => naming to docker.io/library/sophoslinuxsensor-alpine:latest                                                                                  0.0s
    

    You can confirm the image was created successfully with the docker image ls command. Here's an example:

    # docker image ls
    REPOSITORY                                                               TAG         IMAGE ID       CREATED             SIZE
    sophoslinuxsensor-alpine                                                 latest      df3bc6be7b33   About an hour ago   99.4MB
    registry.sophosupd.com/release/sophos-linux-sensor                       5.8.1.10    821473d98e09   6 weeks ago         91.9MB
    registry.sophosupd.com/release/sophos-linux-content                      5.6.1.2     bc76b3048e4d   6 months ago        7.9MB
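
Before deploying the repackaged image, it is worth checking that the sensor binary and the /var/lib/sophos tree inside it are byte-for-byte identical to those in the vendor image. The script below is an added example, not Sophos code or part of this page's procedure. It uses docker create and docker cp rather than docker exec because the vendor image is built on scratch and has no shell or sha256sum inside it. It assumes the docker CLI and sha256sum are on the host's PATH; the image names in the usage comment are the ones from this page's example, and the script name verify-sls.sh is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not Sophos code): confirm that the sensor binary and the
# /var/lib/sophos tree in the repackaged image are byte-for-byte identical to
# those in the vendor image. `docker create` + `docker cp` are used because the
# vendor image is built on scratch and has no shell or sha256sum inside it.
# Assumptions: docker CLI and sha256sum on PATH; image names passed as arguments.
set -eu

# Return only the hex digest from a `sha256sum` output line ("<hex>  <name>").
sha_field() {
    printf '%s\n' "$1" | cut -d' ' -f1
}

# Succeed only if both digests are non-empty and equal.
digests_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Deterministic digest of a directory tree: hash every regular file in sorted
# path order, then hash that listing. Assumes file names without whitespace.
hash_tree() {
    (cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum | sha256sum | cut -d' ' -f1)
}

# Copy PATH ($2) out of IMAGE ($1) to DEST ($3) without starting the container.
extract_from_image() {
    cid=$(docker create "$1")
    docker cp "$cid:$2" "$3"
    docker rm "$cid" >/dev/null
}

# Pull the sensor binary and content directory out of IMAGE ($1) into DIR ($2).
extract_sensor() {
    mkdir -p "$2"
    extract_from_image "$1" /sophoslinuxsensor "$2/sophoslinuxsensor"
    extract_from_image "$1" /var/lib/sophos "$2/sophos"
}

# Compare the vendor image ($1) against the repackaged image ($2).
verify_repackaged() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    extract_sensor "$1" "$work/vendor"
    extract_sensor "$2" "$work/repackaged"

    bin_vendor=$(sha_field "$(sha256sum "$work/vendor/sophoslinuxsensor")")
    bin_repack=$(sha_field "$(sha256sum "$work/repackaged/sophoslinuxsensor")")
    tree_vendor=$(hash_tree "$work/vendor/sophos")
    tree_repack=$(hash_tree "$work/repackaged/sophos")

    printf 'sophoslinuxsensor  vendor=%s\n                   repack=%s\n' "$bin_vendor" "$bin_repack"
    printf '/var/lib/sophos    vendor=%s\n                   repack=%s\n' "$tree_vendor" "$tree_repack"

    if digests_match "$bin_vendor" "$bin_repack" && digests_match "$tree_vendor" "$tree_repack"; then
        echo "OK: $2 carries the vendor sensor unchanged"
    else
        echo "MISMATCH: $2 differs from $1; do not deploy it" >&2
        return 1
    fi
}

# Usage (image names from this page's example):
#   sh verify-sls.sh verify registry.sophosupd.com/release/sophos-linux-sensor:5.8.1.10 sophoslinuxsensor-alpine:latest
case "${1:-}" in
    verify) verify_repackaged "$2" "$3" ;;
esac
```

The docker cp destinations are fresh paths under a temporary directory, so the file and the directory are copied as-is; comparing a digest of the whole /var/lib/sophos tree catches a stale or partially copied content directory as well as a modified binary.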
    

Deploy the new image

Deploying your custom image follows the same process as deploying SLS as a Docker image. The only change is the reference to the image being used. For detailed instructions, see Deployment.

  1. Run the following command, replacing <REPOSITORY NAME> with the name of your image and <TAG> with the tag of your image:

    docker run \
    --pid=host \
    --privileged \
    --user=0 \
    --detach \
    -v /etc/sophos:/etc/sophos:rw \
    -v /tmp/sophos-content:/var/lib/sophos/content:rw \
    -v /tmp/sophos-log:/var/log/sophos-log:rw \
    -v /sys/fs/cgroup:/var/run/sophos/mnt/sys/fs/cgroup:ro \
    -v /sys/kernel/debug:/var/run/sophos/mnt/sys/kernel/debug:rw \
    -v /etc/hostname:/var/run/sophos/mnt/hostname:ro \
    -v /proc:/var/run/sophos/mnt/proc:ro \
    -v /var/lib/docker:/var/lib/docker:ro \
    -v /var/run/docker:/var/run/docker:ro \
    -v /var/run/containerd:/var/run/containerd:rw \
    -v /var/run/crio:/var/run/crio:rw \
    --cap-add SYS_ADMIN --cap-add SETUID --cap-add SETGID --cap-add SETPCAP \
    --cap-add SYS_PTRACE --cap-add KILL --cap-add DAC_OVERRIDE --cap-add IPC_LOCK \
    --cap-add FOWNER --cap-add CHOWN --cap-add SYSLOG \
    --cap-add NET_RAW --cap-add SYS_RESOURCE \
    <REPOSITORY NAME>:<TAG>
    

    Docker prints the ID of the new container, which confirms the command succeeded. Note that --privileged grants the container every capability and turns off the default seccomp and AppArmor confinement, so the --cap-add flags are redundant while it is present; treat the sensor container as equivalent to root on the host.

  2. Run the docker ps command to confirm the container is running. Here's an example:

    # docker ps
    CONTAINER ID   IMAGE                             COMMAND                  CREATED         STATUS         PORTS     NAMES
    4a015bebf4d3   sophoslinuxsensor-alpine:latest   "/bin/sh -c /sophosl…"   5 seconds ago   Up 4 seconds             upbeat_ellis
    

    Because the new image includes Alpine's userland, you can now open a shell in the running container and inspect it, which the scratch-based vendor image doesn't allow. Here's an example:

    # docker exec -it 4a015bebf4d3 sh
    / # ls -l
    total 87656
    drwxr-xr-x    2 root     root         16384 May 22 09:47 bin
    drwxr-xr-x   11 root     root          2800 May 23 19:48 dev
    drwxr-xr-x    1 root     root            20 May 23 19:48 etc
    drwxr-xr-x    2 root     root             6 May 22 09:47 home
    drwxr-xr-x    6 root     root         16384 May 22 09:47 lib
    drwxr-xr-x    5 root     root            44 May 22 09:47 media
    drwxr-xr-x    2 root     root             6 May 22 09:47 mnt
    drwxr-xr-x    2 root     root             6 May 22 09:47 opt
    dr-xr-xr-x  177 root     root             0 May 23 19:48 proc
    drwx------    1 root     root            26 May 23 19:51 root
    drwxr-xr-x    1 root     root            64 May 23 19:48 run
    drwxr-xr-x    2 root     root         16384 May 22 09:47 sbin
    -rwxr-xr-x    1 root     root      89706632 Apr  8 15:51 sophoslinuxsensor
    drwxr-xr-x    2 root     root             6 May 22 09:47 srv
    dr-xr-xr-x   13 root     root             0 May 23 17:41 sys
    drwxrwxrwt    2 root     root             6 May 22 09:47 tmp
    drwxr-xr-x    7 root     root            66 May 22 09:47 usr
    drwxr-xr-x    1 root     root            28 May 22 09:47 var
    / # cd /etc/sophos/
    /etc/sophos # ls -l
    total 8
    -rw-r--r--    1 root     root          1879 May 23 19:14 runtimedetections-rules.yaml
    -rw-r--r--    1 root     root           262 May  6 15:38 runtimedetections.yaml
    /etc/sophos # exit
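
The script below wraps this page's docker run command with a preflight check of the host paths it bind-mounts and a post-start check of the container's state. It is an added example, not Sophos code or part of the documented deployment. Docker does not fail when the host-side source of a -v bind mount is missing; it creates it as an empty, root-owned directory, so a misconfigured host path (for example a runtime socket directory on a host that doesn't run that runtime) goes unnoticed unless you check first. The container name sophos-linux-sensor, the --restart policy and the script name run-sls.sh are my additions; the mount list and capability flags are copied from the command above, and the script assumes the docker CLI is on PATH.

```shell
#!/bin/sh
# Added example (not Sophos code): preflight and post-start checks around the
# `docker run` command documented on this page. Assumptions: docker CLI on
# PATH; the container name and --restart policy are additions of this example.
set -eu

NAME=sophos-linux-sensor

# Host-side sources of the -v bind mounts in the documented run command.
# Docker silently creates a missing source as an empty root-owned directory
# instead of failing, so a wrong path on the host is not reported.
MOUNT_SOURCES="/etc/sophos /tmp/sophos-content /tmp/sophos-log /sys/fs/cgroup
/sys/kernel/debug /etc/hostname /proc /var/lib/docker /var/run/docker
/var/run/containerd /var/run/crio"

# Print each argument that does not exist on the host, one per line.
missing_sources() {
    for p in "$@"; do
        [ -e "$p" ] || printf '%s\n' "$p"
    done
}

# Expected "<running> <privileged> <pidmode>" triple from `docker inspect`.
state_ok() {
    [ "$1" = "true true host" ]
}

# Start the sensor from IMAGE ($1). The --cap-add flags are kept exactly as
# documented even though --privileged already grants every capability.
run_sensor() {
    missing=$(missing_sources $MOUNT_SOURCES)   # unquoted on purpose: split the list
    if [ -n "$missing" ]; then
        echo "warning: absent bind-mount sources (docker will create them empty):" >&2
        echo "$missing" >&2
    fi
    docker run --name "$NAME" --restart unless-stopped \
        --pid=host --privileged --user=0 --detach \
        -v /etc/sophos:/etc/sophos:rw \
        -v /tmp/sophos-content:/var/lib/sophos/content:rw \
        -v /tmp/sophos-log:/var/log/sophos-log:rw \
        -v /sys/fs/cgroup:/var/run/sophos/mnt/sys/fs/cgroup:ro \
        -v /sys/kernel/debug:/var/run/sophos/mnt/sys/kernel/debug:rw \
        -v /etc/hostname:/var/run/sophos/mnt/hostname:ro \
        -v /proc:/var/run/sophos/mnt/proc:ro \
        -v /var/lib/docker:/var/lib/docker:ro \
        -v /var/run/docker:/var/run/docker:ro \
        -v /var/run/containerd:/var/run/containerd:rw \
        -v /var/run/crio:/var/run/crio:rw \
        --cap-add SYS_ADMIN --cap-add SETUID --cap-add SETGID --cap-add SETPCAP \
        --cap-add SYS_PTRACE --cap-add KILL --cap-add DAC_OVERRIDE --cap-add IPC_LOCK \
        --cap-add FOWNER --cap-add CHOWN --cap-add SYSLOG \
        --cap-add NET_RAW --cap-add SYS_RESOURCE \
        "$1"
}

# Verify the container is up with the expected isolation settings and that the
# sensor process itself, not only the wrapping /bin/sh, is alive.
check_sensor() {
    state=$(docker inspect --format \
        '{{.State.Running}} {{.HostConfig.Privileged}} {{.HostConfig.PidMode}}' "$NAME")
    state_ok "$state" || { echo "unexpected state for $NAME: $state" >&2; return 1; }
    docker top "$NAME" | grep -q sophoslinuxsensor || {
        echo "sensor process not found in $NAME" >&2; return 1; }
    echo "OK: $NAME running ($state)"
}

# Usage: sh run-sls.sh start sophoslinuxsensor-alpine:latest
#        sh run-sls.sh check
case "${1:-}" in
    start) run_sensor "$2" ;;
    check) check_sensor ;;
esac
```

The preflight only warns, because some of the documented sources (the /tmp directories, or the CRI-O socket directory on a Docker-only host) are legitimately absent and are meant to be created; the point is to make that creation visible rather than silent.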
    
