This article covers using the Lacework CLI to create agent access tokens and install the Lacework Datacollector agent on supported Linux distributions.
The Lacework CLI runs on macOS, Linux, and Windows. Once installed and configured, it lets you create, edit, and enable or disable agent access tokens from the command line, without logging in to the Lacework Console. The Lacework CLI can also install agents on remote hosts over SSH, provided the user running the Lacework CLI has root privileges on the remote host.
This deployment method is suitable for one-off installations, but it does not take into account the configuration of the Lacework Datacollector agent. For custom configuration of the Datacollector agent via /var/lib/lacework/datacollector/config.json, consider using a configuration management tool such as Ansible or Chef.
If you are new to the Lacework CLI, check out the article Getting Started with the Lacework CLI.
Create Access Token via Lacework CLI
To list all agent access tokens:
$ lacework agent token list
IMPORTANT: Agent tokens should be treated as secret and not published. A token uniquely identifies a Lacework customer. If you suspect your token has been publicly exposed or compromised, generate a new token and deploy it to all machines using the old token. When that is complete, the old token can safely be disabled without interrupting Lacework services.
To create a new agent access token:
$ lacework agent token create MyTokenName [description]
NOTE: The [description] is an optional argument.
You can use the agent token name to logically separate your deployments, for example, by environment types (QA, Dev, etc.) or system types (CentOS, RHEL, etc.).
To show details about an agent access token:
$ lacework agent token show MyAgentToken
WARNING: By design, agent tokens cannot be deleted.
To disable an agent access token:
$ lacework agent token update MyAgentToken --disable
To enable an agent access token:
$ lacework agent token update MyAgentToken --enable
You can also update the name and/or description of any agent access token with the command:
$ lacework agent token update MyAgentToken --name dev --description "k8s deployment for dev env"
Install the Lacework Agent with the Lacework CLI
To analyze application, host, and user behavior, Lacework uses a lightweight agent, which securely forwards collected metadata to the Lacework platform for analysis. The agent requires minimal system resources and runs on most Linux distributions.
Use the command lacework agent install <[user@]host> for single-host installation of the Lacework agent via Secure Shell (SSH). When this command is executed without any additional flag, an interactive prompt will be launched to help gather the necessary authentication information to access the remote host.
To authenticate to the remote host with a username and password:
$ lacework agent install MyHost --ssh_username MyUsername --ssh_password MyPassword
To authenticate to the remote host with an identity file instead:
$ lacework agent install MyUsername@MyHost -i /path/to/your/key
To provide an agent access token of your choice, use the command lacework agent token list, select a token, and pass it to the --token flag.
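The following script is an added example, not part of the original article or of Lacework's own tooling. It combines the identity-file and --token options above to install the agent on several hosts, and reads the token from an owner-only file so that the secret stays out of the script and out of shell history. The helper names read_token and install_hosts, the file paths, and the host names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: install the agent on a few hosts with key-based SSH auth
# and an explicitly chosen agent access token.
# Assumptions (not from the article): the file paths, the host names, and
# the helper names read_token / install_hosts.

# Read the token from a file that only its owner can access, so the token
# never appears in the script or in shell history. It is still passed to
# the CLI as an argument, as the --token flag requires.
read_token() {
  local file="$1" mode
  [ -f "$file" ] || { echo "token file not found: $file" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "refusing $file: mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
  tr -d '[:space:]' < "$file"
}

# install_hosts KEY TOKEN_FILE HOST...
# Runs one `lacework agent install` per host and keeps going after a failure.
# Returns the number of failed hosts, or 255 if the token could not be read.
install_hosts() {
  local key="$1" token_file="$2" token host failed=0
  shift 2
  token=$(read_token "$token_file") || return 255
  [ -n "$token" ] || { echo "token file is empty" >&2; return 255; }
  for host in "$@"; do
    if lacework agent install "$host" -i "$key" --token "$token"; then
      echo "ok      $host"
    else
      echo "FAILED  $host" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Example call (constructed host names):
#   install_hosts ~/.ssh/id_ed25519 ~/.lacework-agent-token root@web01 root@web02
```

A non-zero return value is the count of hosts that need a retry, so the function can gate a later step such as disabling an old token.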