In addition to importing AWS tags, local tags can be added to agents. Agent tags can be very helpful for security teams as they provide search flexibility. For example, tags can be used to identify critical assets, and filters can be used to review just these assets or applications running on these assets. Native AWS tags can also be used to organize data, but a fixed AWS tag schema may already be in place, preventing the security team from making changes.
To add agent tags, you will need to edit the config.json file, which is located in the /var/lib/lacework/config directory. You probably do not want to be editing config.json on each and every server. You may want to make changes on a test machine, verify the results and then push config.json using AMIs, Ansible, Chef or something else.
- On your test machine, open config.json using your favorite editor.

  $ sudo nano /var/lib/lacework/config/config.json
- Add your locally significant tags to config.json as shown below. If you have previously edited your config.json, you may see more lines than indicated below.

  {
    "tokens": {
      "AccessToken": "YourAgentAccessToken"
    },
    "tags": {
      "test_01": "Value_01",
      "test_02": "Value_02"
    }
  }
- On your test machine, you can check that the edited file is still valid JSON using jq; jq prints the parsed file on success and a parse error if the edit left it malformed.

  $ jq . /var/lib/lacework/config/config.json
  {
    "tokens": {
      "AccessToken": "YourAgentAccessToken"
    },
    "tags": {
      "test_01": "Value_01",
      "test_02": "Value_02"
    }
  }
- Once the tag or tags appear, run a test filter in the 'Machines' dossier. After confirming that the tag or tags are visible and working as expected, you can distribute the new config.json file using your method of choice.
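The steps above are a hand edit of a file that also holds the agent access token, so a scripted version is useful once the tags are known to work. The following is an added example, not Lacework's own tooling: it merges new tags into an existing config.json while preserving the "tokens" object and any earlier tags, rejects non-string tag keys or values before anything is written, and replaces the file atomically with a backup and 0600 permissions. The file layout comes from the page; the helper names, the sample config and the sample tag values are constructed for illustration.

```python
"""Merge locally significant tags into a Lacework agent config.json.

Added example, not Lacework's own tooling. The file layout
({"tokens": {...}, "tags": {...}}) is taken from the page; the helper
names, SAMPLE_CONFIG and the sample tags are constructed for illustration.
"""
import json
import os
import tempfile

# Constructed sample of an existing config.json that already carries a
# token and one earlier tag; the access token value is a placeholder.
SAMPLE_CONFIG = (
    '{ "tokens": { "AccessToken": "YourAgentAccessToken" }, '
    '"tags": { "env": "prod" } }'
)


def merge_agent_tags(config_text, new_tags):
    """Return config.json text with new_tags merged into the "tags" object.

    Keys outside "tags" (such as "tokens") are preserved untouched, existing
    tags are kept unless overridden, and every new key and value must be a
    non-empty string so a typo cannot leave the agent with a bad file.
    """
    config = json.loads(config_text)  # raises ValueError on invalid JSON
    if not isinstance(config, dict):
        raise ValueError("config.json must contain a JSON object")
    tags = config.get("tags", {})
    if not isinstance(tags, dict):
        raise ValueError('"tags" must be a JSON object')
    for key, value in new_tags.items():
        if not (isinstance(key, str) and key and isinstance(value, str) and value):
            raise ValueError(f"tag {key!r}: keys and values must be non-empty strings")
    merged = dict(tags)
    merged.update(new_tags)
    config["tags"] = merged
    return json.dumps(config, indent=2) + "\n"


def tags_in(config_text):
    """Return the "tags" object from config.json text (used for checks)."""
    return json.loads(config_text).get("tags", {})


def access_token_in(config_text):
    """Return the AccessToken value, to confirm a merge did not disturb it."""
    return json.loads(config_text)["tokens"]["AccessToken"]


def write_config_atomically(path, text):
    """Replace path with text via temp file + rename, keeping a .bak copy.

    The file carries the agent access token, so both the backup and the new
    file are set to mode 0600 instead of inheriting a permissive umask.
    """
    directory = os.path.dirname(os.path.abspath(path))
    if os.path.exists(path):
        with open(path, "rb") as src, open(path + ".bak", "wb") as dst:
            dst.write(src.read())
        os.chmod(path + ".bak", 0o600)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".config.json.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # atomic on POSIX: readers see old or new, never partial
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


if __name__ == "__main__":
    # Dry run against the constructed sample; point write_config_atomically
    # at /var/lib/lacework/config/config.json (as root) to apply for real.
    updated = merge_agent_tags(
        SAMPLE_CONFIG, {"test_01": "Value_01", "test_02": "Value_02"}
    )
    print(updated)
```

Run it once on the test machine, confirm the tags with the jq check and the 'Machines' dossier filter, then ship the same script (or its output file) through Ansible, Chef or your AMI build rather than editing each server by hand.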
Filtering by tag also works in other dossiers. For example, you can filter by tag in the 'Applications' dossier, which limits the information shown there to applications running on machines carrying that tag.