Summary
Installing the Capsule8 Sensor on AWS EC2 instances.
Version(s)
Sensor 4.1 and above
Prerequisites
- You'll need a Packagecloud access token that will be provided by Capsule8. This will give you access to Capsule8’s Debian and RPM packages.
- Each Sensor instance can run on a t2.micro instance type. This guide is written for 64-bit x86 Ubuntu Server 16.04 LTS.
Steps
Installation
Create Security Groups
In this section, we are going to create a security group for the Capsule8 Sensor. For the sake of simplicity, the Source values are set to Any here, but it is recommended that the asterisks below are replaced with the security group ID to ensure that only resources in your security group can access these ports.
SSH is recommended for direct access, however, it is not required. Configuration can optionally be handled through a configuration management system or through features like EC2 user data.
Capsule8 Sensor
| Type | Protocol | Port Range | Source | Description |
|---|---|---|---|---|
| SSH | TCP | 22 | Any | SSH |
| Custom TCP | TCP | 9010 | Any* | Healthz |
Launch the EC2 Instance
In this section, we are going to create one EC2 instance for the Capsule8 Sensor. No custom IAM role is needed for the instance unless you want to authorize sending Alerts from the Capsule8 Sensor instances to S3 using an IAM role. This authorization can also be provided without the use of an IAM role by setting an access key ID and secret access key in either environment variables or the Capsule8 Analytics configuration file on each instance.
Capsule8 Sensor
Launch a t2.micro instance with 64-bit x86 Ubuntu Server 16.04 LTS.
Configure the EC2 Instance
In this section, we are going to install and configure Capsule8. In a production deployment none of this would be done manually, however, for the sake of simplicity this guide will assume you have manually accessed the instances via SSH. There are two YAML configuration files that control the Capsule8 Sensor. One holds the Capsule8 Analytics security rules and the other is specifically for the Capsule8 Sensor settings. By default, these files are kept in /etc/capsule8 but this location can change if desired. Environment variable configuration is also possible.
Install the Package Repository
Capsule8 will provide you with a Packagecloud access token that will be used to install the package repository locally on the instance. Export the token as an environment variable before running the following command. Be sure to replace ${PACKAGECLOUD_TOKEN} with your token.
$ export PACKAGECLOUD_TOKEN=${PACKAGECLOUD_TOKEN}
$ curl -s https://$PACKAGECLOUD_TOKEN:@packagecloud.io/install/repositories/capsule8/capsule8/script.deb.sh | sudo bash
Capsule8 Sensor
Run the following to install the latest release of the Capsule8 Sensor package:
$ sudo apt-get install capsule8-sensor-systemd=4.1.0Create the directory for your Capsule8 Sensor and Capsule8 Analytics configuration files:
$ mkdir -p /etc/capsule8To configure Capsule8 Analytics open /etc/capsule8/capsule8-analytics.yaml and add:
# Print alerts to stdout and write them to a file
alert_output:
outputs:
- type: stdout
enabled: true
- type: file
enabled: true
file: /var/log/capsule8-alerts.json
# Define an example policy as a proof of concept
Blacklist wget:
policy: program
alertMessage: Unauthorized execution of wget
comments: This policy detects the use of wget
priority: High
enabled: true
rules:
- match programName == */wget"
- default ignore
Finally, restart the Capsule8 Sensor to load the new configuration and check the startup logs:
$ sudo systemctl restart capsule8-console
$ sudo journalctl -ef -u capsule8-sensor
You should see 1 strategies configured in the Capsule8 Sensor logs. If you run wget now, a JSON Alert should be logged out. You’re deployed!
Installing Standard Detections
Next update to a recommended set of detections by installing the content package:
$ sudo apt-get install capsule8-content=4.4.1
$ sudo systemctl restart capsule8-sensor
Comments
0 comments
Please sign in to leave a comment.