Summary
Installing the Capsule8 Sensor on AWS EC2 instances.
Version(s)
Sensor 4.1 and above
Prerequisites
- You'll need a Packagecloud access token that will be provided by Capsule8. This will give you access to Capsule8’s Debian and RPM packages.
- Each Sensor instance can run on a t2.micro instance type. This guide is written for 64-bit x86 Ubuntu Server 16.04 LTS.
Steps
Installation
Create Security Groups
In this section, we are going to create a security group for the Capsule8 Sensor. For simplicity the Source column below is set to Any, but the Healthz rule marked with an asterisk should use this security group's own ID as its source, so that only instances in the group can reach port 9010; SSH should likewise be limited to the address range you administer from rather than left open to everyone.
SSH is recommended for direct access but is not required; configuration can instead be handled through a configuration management system or through features like EC2 user data.
Capsule8 Sensor
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
SSH | TCP | 22 | Any | SSH |
Custom TCP | TCP | 9010 | Any* | Healthz |
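As an added example that is not part of the Capsule8 guide, the following shell script creates the security group above with the AWS CLI and applies the restriction the text recommends: port 22 is opened only to an administrator CIDR you supply, and port 9010 only to members of the group itself. The group name capsule8-sensor, the vpc_id and admin_cidr parameters, the function names and the --create flag are this example's own choices, and the AWS CLI is assumed to be installed and configured with permission to manage security groups.

```shell
#!/bin/sh
# Added example (not Capsule8's code): build the sensor security group with restricted sources.
# Assumptions: AWS CLI configured; group name, parameter names and --create flag are ours.
set -eu

# create_sensor_sg VPC_ID ADMIN_CIDR
# Creates the group and prints its ID. SSH is reachable only from ADMIN_CIDR; the Healthz
# port is reachable only from instances that are themselves in the group (the self-referencing
# rule the guide means by "replace the asterisk with the security group ID").
create_sensor_sg() {
  vpc_id="$1"
  admin_cidr="$2"
  sg_id="$(aws ec2 create-security-group \
      --group-name capsule8-sensor \
      --description "Capsule8 Sensor" \
      --vpc-id "$vpc_id" \
      --query GroupId --output text)"
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 22 --cidr "$admin_cidr" >/dev/null
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 9010 --source-group "$sg_id" >/dev/null
  echo "$sg_id"
}

# show_sensor_sg SG_ID
# Prints the resulting ingress rules so the sources can be checked before any instance is
# launched: there should be no 0.0.0.0/0 anywhere in the output.
show_sensor_sg() {
  aws ec2 describe-security-groups --group-ids "$1" \
      --query 'SecurityGroups[0].IpPermissions[].{port:FromPort,cidr:IpRanges[].CidrIp,group:UserIdGroupPairs[].GroupId}' \
      --output table
}

# Usage: sh create-sensor-sg.sh --create vpc-0123456789abcdef0 203.0.113.0/24
if [ "${1:-}" = "--create" ]; then
  sg="$(create_sensor_sg "$2" "$3")"
  show_sensor_sg "$sg"
fi
```

If the Sensor instances will be launched by an autoscaling group, attach this group to the launch template; every instance then satisfies the self-referencing 9010 rule automatically, and nothing outside the group can poll the health endpoint.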
Launch the EC2 Instance
In this section, we are going to create one EC2 instance for the Capsule8 Sensor. No custom IAM role is needed for the instance unless you want to authorize sending Alerts from the Capsule8 Sensor instances to S3 using an IAM role. This authorization can also be provided without an IAM role by setting an access key ID and secret access key in either environment variables or the Capsule8 Analytics configuration file on each instance. Prefer the instance role where you can: it gives the Sensor temporary credentials without placing a long-lived access key on the instance or in its configuration file.
Capsule8 Sensor
Launch a t2.micro instance with 64-bit x86 Ubuntu Server 16.04 LTS.
Configure the EC2 Instance
In this section, we are going to install and configure Capsule8. In a production deployment none of this would be done manually, however, for the sake of simplicity this guide will assume you have manually accessed the instances via SSH. There are two YAML configuration files that control the Capsule8 Sensor. One holds the Capsule8 Analytics security rules and the other is specifically for the Capsule8 Sensor settings. By default, these files are kept in /etc/capsule8 but this location can change if desired. Environment variable configuration is also possible.
Install the Package Repository
Capsule8 will provide you with a Packagecloud access token that is used to install the package repository on the instance. Export the token as an environment variable, replacing ${PACKAGECLOUD_TOKEN} with the token you were given, then run the repository script:
$ export PACKAGECLOUD_TOKEN=${PACKAGECLOUD_TOKEN}
$ curl -s https://$PACKAGECLOUD_TOKEN:@packagecloud.io/install/repositories/capsule8/capsule8/script.deb.sh | sudo bash
Two things to keep in mind: the token is part of the URL, so it will appear in your shell history and, while curl runs, in the process list, so treat it like any other credential; and the script is executed as root straight from the network, so if your change control requires it, save it first with the same curl command (adding -o script.deb.sh), review it, and then run it with sudo bash script.deb.sh.
Capsule8 Sensor
Run the following to install the Capsule8 Sensor package. The version is pinned to the release this guide was written against; drop the =4.6.0 suffix to install the latest release available in the repository:
$ sudo apt-get install capsule8-sensor-systemd=4.6.0
Create the directory for your Capsule8 Sensor and Capsule8 Analytics configuration files:
$ sudo mkdir -p /etc/capsule8
To configure Capsule8 Analytics, open /etc/capsule8/capsule8-analytics.yaml and add the following (YAML is indentation-sensitive, so keep the nesting exactly as shown):
# Write alerts to a JSON file
alert_output:
  outputs:
    - type: file
      enabled: true
      name: /var/log/capsule8-alerts.json
# Define an example policy as a proof of concept
Blacklist wget:
  policy: program
  alertMessage: Unauthorized execution of wget
  comments: This policy detects the use of wget
  priority: High
  enabled: true
  rules:
    - match programName == "*/wget"
    - default ignore
Finally, restart the Capsule8 Sensor to load the new configuration and follow its startup logs:
$ sudo systemctl restart capsule8-sensor
$ sudo journalctl -ef -u capsule8-sensor
You should see 1 strategies configured in the Capsule8 Sensor logs. If you run wget now, a JSON Alert should be written to /var/log/capsule8-alerts.json. You're deployed!
Install Standard Detections (recommended)
Next, add the recommended set of detections by installing the content package, pinned to the same version as the Sensor, and restart the Sensor to load it:
$ sudo apt-get install capsule8-content=4.6.0
$ sudo systemctl restart capsule8-sensor
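The steps above can be run unattended at boot, which is what the earlier note about EC2 user data points to. The script below is an added example, not Capsule8's code: it performs the same steps as the guide (add the repository, install the pinned Sensor and content packages, write the Capsule8 Analytics configuration with the wget proof-of-concept policy, restart the service and check for an alert). The PACKAGECLOUD_TOKEN, SENSOR_VERSION, CONFIG_DIR and CAPSULE8_PROVISION variables, the function names, the 0640 file mode and the assumption that the alertMessage text appears verbatim in the JSON alert are all the example's own.

```shell
#!/bin/sh
# Added example (not Capsule8's code): EC2 user-data script that performs this guide's steps
# unattended. Variable names, function names, the 0640 mode and the alert check are assumptions.
set -eu

PACKAGECLOUD_TOKEN="${PACKAGECLOUD_TOKEN:-REPLACE_WITH_YOUR_TOKEN}"  # token issued by Capsule8
SENSOR_VERSION="${SENSOR_VERSION:-4.6.0}"      # the release this guide pins
CONFIG_DIR="${CONFIG_DIR:-/etc/capsule8}"      # the guide's default configuration directory
CAPSULE8_PROVISION="${CAPSULE8_PROVISION:-0}"  # set to 1 when embedding this as user data

# Write the Capsule8 Analytics configuration from the guide (file alert output plus the
# "Blacklist wget" proof-of-concept policy) to the path given as $1.
write_analytics_config() {
  conf="$1"
  mkdir -p "$(dirname "$conf")"
  cat > "$conf" <<'EOF'
# Write alerts to a JSON file
alert_output:
  outputs:
    - type: file
      enabled: true
      name: /var/log/capsule8-alerts.json
# Define an example policy as a proof of concept
Blacklist wget:
  policy: program
  alertMessage: Unauthorized execution of wget
  comments: This policy detects the use of wget
  priority: High
  enabled: true
  rules:
    - match programName == "*/wget"
    - default ignore
EOF
  chmod 0640 "$conf"  # assumption: only root needs to read or edit the policy file
}

# Add the Capsule8 Packagecloud repository. The repo script is saved to disk and run from
# there rather than piped from curl into bash, so it can be inspected or checksummed first.
install_repo() {
  script="$(mktemp)"
  curl -fsS "https://${PACKAGECLOUD_TOKEN}:@packagecloud.io/install/repositories/capsule8/capsule8/script.deb.sh" \
    -o "$script"
  bash "$script"
  rm -f "$script"
}

# Install the Sensor and the standard detections, both pinned to the same version.
install_sensor() {
  DEBIAN_FRONTEND=noninteractive apt-get install -y \
    "capsule8-sensor-systemd=${SENSOR_VERSION}" "capsule8-content=${SENSOR_VERSION}"
}

# Restart the Sensor and wait for the log written after the restart to report the
# configured strategies (the guide's "strategies configured" line).
restart_and_check() {
  since="$(date '+%Y-%m-%d %H:%M:%S')"
  systemctl restart capsule8-sensor
  i=0
  while [ "$i" -lt 30 ]; do
    if journalctl -u capsule8-sensor --since "$since" --no-pager 2>/dev/null \
        | grep -q 'strategies configured'; then
      return 0
    fi
    i=$((i + 1)); sleep 1
  done
  echo "sensor did not report configured strategies" >&2
  return 1
}

# Trip the proof-of-concept policy and look for the resulting alert. Assumption: the
# alertMessage string appears verbatim in the JSON alert written to the file.
verify_wget_alert() {
  wget -q -O /dev/null http://127.0.0.1/ || true   # any wget execution should match */wget
  sleep 2
  grep -q 'Unauthorized execution of wget' /var/log/capsule8-alerts.json
}

if [ "$CAPSULE8_PROVISION" = 1 ]; then
  install_repo
  install_sensor
  write_analytics_config "${CONFIG_DIR}/capsule8-analytics.yaml"
  restart_and_check
  verify_wget_alert && echo "Capsule8 Sensor ${SENSOR_VERSION} deployed and alerting"
fi
```

When pasting this into the instance's user data, set CAPSULE8_PROVISION to 1 and supply the token from a secret store rather than leaving it in the script; user data is readable from the instance metadata service by any process on the host, so a token embedded there should be treated as exposed to everything that runs on that instance.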