Lacework provides repositories for both Debian-based (APT) and RPM-based (YUM) distributions. When installing via the repositories, each host requires a config.json file for the agent to be able to communicate with Lacework. config.json can be created locally or copied from a centralized server using your orchestration tool of choice.
APT Installation
Download and install the Public Signing Key.
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 18E76630
Extract the Linux distribution.
$ lsb_distro=$(lsb_release -i | cut -f2 | tr '[:upper:]' '[:lower:]')
Extract the version number, which will be dependent on your distribution. If you don't know your distribution, you can display it using the echo command.
$ echo $lsb_distro
If your distribution is 'debian', you will need to omit the trailing 0 from the version. If your distribution is anything else, you will use the entire version number.
debian
$ lsb_ver=$(lsb_release -r | cut -f2 | cut -d. -f1)
other distributions
$ lsb_ver=$(lsb_release -r | cut -f2)
If automating the installation, you can omit the manual echo $lsb_distro check described above and add a conditional.
$ if [ "$lsb_distro" = "debian" ]; then lsb_ver=$(lsb_release -r | cut -f2 | cut -d. -f1); else lsb_ver=$(lsb_release -r | cut -f2); fi
You can also use the above in the shell in place of the manual check, but the manual check provides visual validation.
Extract the release name.
$ lsb_rel=$(lsb_release -c | cut -f2)
Add the repository to sources.list.
$ sudo add-apt-repository 'deb [arch=amd64] https://packages.lacework.net/DEB/'"$lsb_distro"'/'"$lsb_ver"' '"$lsb_rel"' main'
[Optional] Check to see if the repository has been added to sources.list.
$ less /etc/apt/sources.list ... $ deb [arch=amd64] https://packages.lacework.net/DEB/debian/8 jessie main
...
The above is an example - distribution, release & version will be specific to your host
Update the cache.
$ sudo apt-get update
Install Lacework agent.
$ sudo apt-get install lacework
You should now have a running Lacework agent, which you can check using the ps command.
$ ps aux | grep lacework
root 8873 0.0 0.0 4328 752 ? Ss 21:38 0:00 /bin/sh -c /var/lib/lacework/datacollector
root 8874 0.0 2.3 241468 23960 ? Sl 21:38 0:00 /var/lib/lacework/datacollector
root 8884 0.1 4.6 710656 47964 ? Sl 21:38 0:03 /var/lib/lacework/datacollector -r=collector
admin 9007 0.0 0.2 12720 2172 pts/0 S+ 22:15 0:00 grep lacework
After installing the agent, you must add config.json to each host using your preferred method. This example uses vi and creates the file directly on the host.
$ sudo vi /var/lib/lacework/config/config.json
Get an Agent access token. For more information, see Download Agent Installers and Get the Agent Access Token. Minimally, substitute your Agent access token into the configuration below, paste into vi and save:
{
"tokens" : { "AccessToken" : "YourAccessToken" }
}
After 10 minutes, verify that the Lacework console's Monitor > Agents page displays the new host.
YUM Installation
Download the YUM repository configuration file
$ curl -O -sSL https://packages.lacework.net/RPMS/x86_64/lacework-prod.repo
Move the file into the yum.repos.d directory
$ sudo mv lacework-prod.repo /etc/yum.repos.d
Install Lacework
$ sudo yum install -y lacework
In rare cases, a bug in the epel repos could cause Lacework installation to fail. If this occurs, run the installation with the epel repos disabled.
$ sudo yum --disablerepo=epel,epel-testing -y install lacework
NOTE: If you want to be prompted to complete the installation, omit -y from the yum install command.
You should now have a running Lacework agent, which you can check using the ps command.
$ ps aux | grep lacework
root 4947 0.0 2.3 316196 24124 ? Ssl 05:51 0:01 /var/lib/lacework/datacollector
root 4955 0.1 4.9 713764 50136 ? Sl 05:51 1:08 /var/lib/lacework/datacollector -r=collector
ec2-user 8071 0.0 0.0 110516 768 pts/0 R+ 17:02 0:00 grep --color=auto lacework
After installing the agent, you will need to add config.json to each host using your preferred method. This example uses vi and creates the file directly on the host.
$ sudo vi /var/lib/lacework/config/config.json
Get the Agent access token. Minimally, paste the following text and save the file. Replace Your_Agent_Access_Token with your Agent access token. For more information, see Download Agent Installers and Get the Agent Access Token.
{
"tokens" : { "AccessToken" : "Your_Agent_Access_Token" }
}
After 10 minutes, verify that the Lacework console's Monitor > Agents page displays the new host.