Lacework provides repositories for Debian-based (APT) or RPM-based (YUM) distributions. When installing via the repositories, each host requires a config.json file for the agent to be able to communicate with Lacework. config.json can be created locally or copied from a centralized server using your orchestration tool of choice.
APT Installation
- Download and install the public signing key.
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 18E76630
- Extract the Linux distribution.
$ lsb_distro=$(lsb_release -i | cut -f2 | tr '[:upper:]' '[:lower:]')
- Extract the version number, which is dependent on your distribution. If you don't know your distribution, you can display it using the echo command.
$ echo $lsb_distro
- If your distribution is 'debian', omit the trailing 0 from the version and use the following command.
$ lsb_ver=$(lsb_release -r | cut -f2 | cut -d. -f1)
- If your distribution is anything else, use the entire version number and enter the following command.
$ lsb_ver=$(lsb_release -r | cut -f2)
- If automating the installation, you can omit the manual echo $lsb_distro check shown above and add a conditional. NOTE: You can also execute the command directly in the shell in place of the manual check, but the manual check provides visual validation.
$ if [ "$lsb_distro" = "debian" ]; then lsb_ver=$(lsb_release -r | cut -f2 | cut -d. -f1); else lsb_ver=$(lsb_release -r | cut -f2); fi
- Extract the release name.
$ lsb_rel=$(lsb_release -c | cut -f2)
- Add the repository to sources.list.
$ sudo add-apt-repository 'deb [arch=amd64] https://packages.lacework.net/DEB/'"$lsb_distro"'/'"$lsb_ver"' '"$lsb_rel"' main'
- [Optional] Check if the repository was added to sources.list. Below is an example - distribution, release, and version is specific to your host.
$ less /etc/apt/sources.list ... $ deb [arch=amd64] https://packages.lacework.net/DEB/debian/8 jessie main ...
- Update the cache.
$ sudo apt-get update
- Install the Lacework agent.
$ sudo apt-get install lacework
- You should now have a running Lacework agent, which you can check using the ps command.
$ ps aux | grep lacework
root 8873 0.0 0.0 4328 752 ? Ss 21:38 0:00 /bin/sh -c /var/lib/lacework/datacollector
root 8874 0.0 2.3 241468 23960 ? Sl 21:38 0:00 /var/lib/lacework/datacollector
root 8884 0.1 4.6 710656 47964 ? Sl 21:38 0:03 /var/lib/lacework/datacollector -r=collector
admin 9007 0.0 0.2 12720 2172 pts/0 S+ 22:15 0:00 grep lacework - After installing the agent, you must add config.json to each host using your preferred method. This example uses vi and creates the file directly on the host.
$ sudo vi /var/lib/lacework/config/config.json
- Get an agent access token. For more information, see Download Agent Installers and Get the Agent Access Token. Minimally, substitute your agent access token into the configuration below, paste into vi and save:
{ "tokens" : { "AccessToken" : "YourAccessToken" } }
- After 10 minutes, verify that the Lacework Console's Monitor > Agents page displays the new host.
YUM Installation
- Download the YUM repository configuration file.
$ curl -O -sSL https://packages.lacework.net/RPMS/x86_64/lacework-prod.repo
- Move the file into the yum.repos.d directory.
$ sudo mv lacework-prod.repo /etc/yum.repos.d
- Install Lacework.
$ sudo yum install -y lacework
- In rare cases, a bug in the epel repos could cause Lacework installation to fail. If this occurs, run the installation with the epel repos disabled. NOTE: If you want to be prompted to complete the installation, omit -y from the yum install command.
$ sudo yum --disablerepo=epel,epel-testing -y install lacework
- You should now have a running Lacework agent, which you can check using the ps command.
$ ps aux | grep lacework
root 4947 0.0 2.3 316196 24124 ? Ssl 05:51 0:01 /var/lib/lacework/datacollector
root 4955 0.1 4.9 713764 50136 ? Sl 05:51 1:08 /var/lib/lacework/datacollector -r=collector
ec2-user 8071 0.0 0.0 110516 768 pts/0 R+ 17:02 0:00 grep --color=auto lacework - After installing the agent, you must add config.json to each host using your preferred method. This example uses vi and creates the file directly on the host.
$ sudo vi /var/lib/lacework/config/config.json
- Get the Agent access token. Minimally, paste the following text and save the file. Replace YourAgentAccessToken with your agent access token. For more information, see Download Agent Installers and Get the Agent Access Token.
{ "tokens" : { "AccessToken" : "YourAgentAccessToken" } }
- After 10 minutes, verify that the Lacework Console's Monitor > Agents page displays the new host.