Lacework provides repositories for Debian-based (APT) or RPM-based (YUM) distributions. When installing via the repositories, each host requires a config.json file for the agent to be able to communicate with Lacework. You can create config.json locally or copy it from a centralized server using your orchestration tool of choice.
APT Installation
Download and install the public signing key.
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EE0CC692
Extract the Linux distribution.
$ lsb_distro=$(lsb_release -i | cut -f2 | tr '[:upper:]' '[:lower:]')
Extract the version number, which is dependent on your distribution. If you don't know your distribution, you can display it using the echo command.
$ echo $lsb_distro
If your distribution is 'debian', omit the trailing 0 from the version and use the following command.
$ lsb_ver=$(lsb_release -r | cut -f2 | cut -d. -f1)
If your distribution is anything else, use the entire version number and enter the following command.
$ lsb_ver=$(lsb_release -r | cut -f2)
If automating the installation, you can omit the manual echo $lsb_distro check shown above and add a conditional. Note: You can also execute the command directly in the shell in place of the manual check, but the manual check provides visual validation.
$ if [ "$lsb_distro" = "debian" ]; then lsb_ver=$(lsb_release -r | cut -f2 | cut -d. -f1); else lsb_ver=$(lsb_release -r | cut -f2); fi
Extract the release name.
$ lsb_rel=$(lsb_release -c | cut -f2)
Add the repository to sources.list.
$ sudo add-apt-repository 'deb [arch=amd64] https://packages.lacework.net/DEB/'"$lsb_distro"'/'"$lsb_ver"' '"$lsb_rel"' main'
[Optional] Check if the repository was added to sources.list. Below is an example - distribution, release, and version is specific to your host.
$ less /etc/apt/sources.list ... $ deb [arch=amd64] https://packages.lacework.net/DEB/debian/8 jessie main ...
Update the cache.
$ sudo apt-get update
Install the Lacework agent.
$ sudo apt-get install lacework
You should now have a running Lacework agent, which you can check using the ps command.
$ ps aux | grep lacework
root 8873 0.0 0.0 4328 752 ? Ss 21:38 0:00 /bin/sh -c /var/lib/lacework/datacollector
root 8874 0.0 2.3 241468 23960 ? Sl 21:38 0:00 /var/lib/lacework/datacollector
root 8884 0.1 4.6 710656 47964 ? Sl 21:38 0:03 /var/lib/lacework/datacollector -r=collector
admin 9007 0.0 0.2 12720 2172 pts/0 S+ 22:15 0:00 grep laceworkAfter installing the agent, you must add config.json to each host using your preferred method. This example uses vi and creates the file directly on the host.
$ sudo vi /var/lib/lacework/config/config.json
Get an agent access token. For more information, see Download Agent Installers and Get the Agent Access Token. Minimally, substitute your agent access token into the configuration below, paste into vi and save. If you are a non-US user, specify the agent server URL. For more information, see Agent Server URL.
{"Tokens": {"Accesstoken": "YourAccessToken"}, "serverurl": "YourAPIEndpoint" }Where Your_API_Endpoint is the endpoint for your region.
After 10 to 15 minutes, verify that the Lacework Console's Resources > Agents page displays the new host.
Upgrade (APT)
Note: If agent auto-upgrade is enabled (which it is by default), you do not need to upgrade Lacework packages.
To upgrade the Lacework APT repository package, use the command:
$ sudo apt-get install lacework
or
$ sudo apt-get --only-upgrade install lacework
Delete a Package (APT)
To delete the Lacework APT repository package, use the command:
$ apt-get remove --purge lacework
YUM Installation
Download the YUM repository configuration file.
$ curl -O -sSL https://packages.lacework.net/RPMS/x86_64/lacework-prod.repo
Move the file into the yum.repos.d directory.
$ sudo mv lacework-prod.repo /etc/yum.repos.d
Install Lacework.
$ sudo yum install -y lacework
In rare cases, a bug in the epel repos could cause Lacework installation to fail. If this occurs, run the installation with the epel repos disabled. NOTE: If you want to be prompted to complete the installation, omit -y from the yum install command.
$ sudo yum --disablerepo=epel,epel-testing -y install lacework
You should now have a running Lacework agent, which you can check using the ps command.
$ ps aux | grep lacework
root 4947 0.0 2.3 316196 24124 ? Ssl 05:51 0:01 /var/lib/lacework/datacollector
root 4955 0.1 4.9 713764 50136 ? Sl 05:51 1:08 /var/lib/lacework/datacollector -r=collector
ec2-user 8071 0.0 0.0 110516 768 pts/0 R+ 17:02 0:00 grep --color=auto laceworkAfter installing the agent, you must add config.json to each host using your preferred method. This example uses vi and creates the file directly on the host.
$ sudo vi /var/lib/lacework/config/config.json
Get an agent access token. For more information, see Download Agent Installers and Get the Agent Access Token. Minimally, substitute your agent access token into the configuration below, paste into vi and save. If you are a non-US user, specify the agent server URL. For more information, see Agent Server URL.
{"Tokens": {"Accesstoken": "YourAccessToken"}, "serverurl": "YourAPIEndpoint" }Where Your_API_Endpoint is the endpoint for your region.
After 10 minutes, verify that the Lacework Console's Resources > Agents page displays the new host.
Upgrade Packages (YUM)
Note: If agent auto-upgrade is enabled (which it is by default), you do not need to upgrade Lacework packages.
To update all YUM repository packages in the system, use the command:
$ yum update
To update the Lacework YUM repository package, use the command:
$ yum update lacework
Delete a Package (YUM)
To delete the Lacework YUM repository package, use the command:
$ yum remove lacework