If you run the install.sh script to install a Lacework agent on a machine, the script creates a config.json file in the /var/lib/lacework/config directory. You can add properties to the config.json file to alter the agent behavior as described below.
General Agent Properties
The config.json file must start with a { parentheses and end with a } parentheses with commas separating each property as shown by the contents of this example config.json file:
{
“Tokens”: { "AccessToken" : "Your_Access_Token"},
“ProxyUrl”:”http://Your_Proxy_Server:Your_Port”
}
This first section describes the general agent properties.
tokens Property
To connect to the Lacework Application, Lacework agents require an access token. For more information, see Agent Access Tokens.
“tokens”:
{
"accesstoken" : "Your_Access_Token"
}
Where Your_Access_Token is an access token generated by Lacework.
proxyurl Property
The Lacework agent can be configured to use a network proxy by adding proxy information to the configuration file or by creating a https_proxy environment variable. For more information, see Required Connectivity, Proxies & Certificates.
“proxyurl”:”http://Your_Proxy_Server:Your_Port”
Where Your_Proxy_Server is the URL for your HTTP or Socks proxy server and Your_Port is the port number of your proxy server.
tags Property
Specify name/value tags to categorize your agents, for example, identifying critical assets. For more information, see Adding Agent Tags.
"tags":
{
"test_01": "Value_01",
"test_02" : "Value_02"
}
cpulimit Property
Specify the maximum number of CPU units that the Lacework agent can use on the host where the agent is installed. If the agent measures sustained CPU usage over the specified limit during a 4-minute window, the agent restarts. Note that if the CPU usage spikes quickly up and down, the agent does not restart.
"cpulimit": "500m"
In this example, the suffix 'm' stands for one hundred millicpu.
memlimit Property
Specify the maximum amount of memory that the Lacework agent can use on the host where the agent is installed. If the agent measures sustained memory usage over the specified limit during a 4-minute window, the agent restarts. Note that if the memory usage spikes quickly up and down, the agent does not restart.
Specify the unit of size as a suffix, as shown in the following example.
"memlimit": "750M"
In this example, the suffix 'M' stands for Megabytes.
Specify one of the following size units as a suffix.
- 'm' or 'M' is Megabytes.
- 'g' or 'G' is Gigabytes.
AutoUpgrade Property
If this property is set to enable, the Agent automatically upgrades itself. This is the default setting. Before changing this setting, contact Lacework Customer Success.
File Integrity Monitoring (FIM) Properties
This section describes the File Integrity Monitoring (FIM) agent properties. For more information about File Integrity Monitoring, see the following topics:
- For more information about the Files (FIM) Dossier, see Files (FIM) Dossier.
- For frequently asked questions about File Integrity Monitoring, see Lacework File Integrity Monitoring [FIM] - FAQs.
- For instructions on changing the default paths using the config.json file, see File Integrity Monitoring [FIM].
These properties must be specified within a single fim property as shown in the following example:
"fim":
{
"fileignore": ["/etc/fstab"],
"filepath": ["/home/user/.ssh", "/opt/bin"]
}
filepath Property
By default, Lacework monitors a set of default paths. You can optionally override these default paths using this property as shown in the following example. For the default paths and more information, see File Integrity Monitoring.
"filepath": ["/home/user/.ssh", "/opt/bin"]
The filepath property also supports the * and ? Linux wildcards.
Note that specifying more filepaths may temporary increase scan time, cpu, memory and network resource usage.
fileignore Property
By default, Lacework excludes monitoring a set of default paths. You can optionally override these non-monitored default paths using this property as shown in the following example. For the default paths and more information, see File Integrity Monitoring.
"fileignore": ["/etc/fstab"]
The fileignore property also supports the * and ? Linux wildcards.
runat Property
By default, Lacework runs the FIM scan at an undetermined time once per day. To control the start time of the daily FIM scan, enter the start time as HH:MM as shown in the following example.
"runat": "23:50"