If you run the install.sh script to install a Lacework agent on a machine, the script creates a config.json file in the /var/lib/lacework/config directory. You can add entries to the config.json file to alter the agent behavior as described in the following tables.
General Agent Properties
The config.json file must start with a { parentheses and end with a } parentheses with commas separating each property for example, here are the contents an example config.json file:
{
“Tokens”: { "AccessToken" : "Your_Access_Token"},
“ProxyUrl”:”http://Your_Proxy_Server:Your_Port”
}
This first section describes the general agent properties.
tokens Property
To connect to the Lacework Application, Lacework agents require an access token.For more information, see Agent Access Tokens.
“tokens”: { "accesstoken" : "Your_Access_Token" }
Where Your_Access_Token is an access token generated by Lacework.
proxyurl Property
The Lacework agent can be configured to use a network proxy by adding proxy information to the configuration file or by creating a https_proxy environment variable. For more information, see Required Connectivity, Proxies & Certificates.
“proxyurl”:”http://Your_Proxy_Server:Your_Port”
Where Your_Proxy_Server is the URL for your HTTP or Socks proxy server and Your_Port is the port number of your proxy server.
tags Property
Specify name/value tags to categorize your agents, for example, identifying critical assets. For more information, see Adding Agent Tags.
"tags": { "test_01": "Value_01", "test_02" : "Value_02" }
cpulimit Property
Specify the maximum number of CPU units that the Lacework agent can use on the machine that has the agent installed as shown by the following example. If the agent measures CPU usage over the specified limit during a 5-minute window, the agent restarts.
"cpulimit": "500m"
In this example, the suffix 'm' stands for one hundred millicpu.
memlimit Property
Specify the maximum amount of memory that the Lacework agent can use on the machine that has the agent installed. Specify the size as a suffix as shown in the following example.
- 'm' or 'M' is Megabytes.
- 'g' or 'G' is Gigabytes.
"memlimit": "750M"
In this example, the suffix 'M' stands for Megabytes.
File Integrity Monitoring (FIM) Properties
This section describes the File Integrity Monitoring (FIM) agent properties.
These properties must be specified within a single fim property as shown in the following example:
"fim": { "fileignore": ["/etc/fstab"], "filepath": ["/home/user/.ssh", "/opt/bin"] }
filepath Property
By default, Lacework monitors a set of default paths. You can optionally override these default paths using this property as shown in the following example. For the default paths and more information, see File Integrity Monitoring.
"filepath": ["/home/user/.ssh", "/opt/bin"]
fileignore Property
By default, Lacework excludes monitoring a set of default paths. You can optionally override these non-monitored default paths using this property as shown in the following example. For the default paths and more information, see File Integrity Monitoring.
"fileignore": ["/etc/fstab"]
runat Property
By default, Lacework runs the FIM scan at an undetermined time once per day. To control the start time of the daily FIM scan, enter the start time as HH:MM as shown in the following example.
"runat": "23:50"