The Capsule8 sensor can be installed on RHEL, CentOS, or Fedora distributions via a binary or Capsule8’s package repository. After you install the Capsule8 sensor, you can deploy a sensor configuration, which sets the sensor’s functionality.
If you haven’t already, enable the Linux debug subsystem, which we use to instrument kernel and userspace events. Newer kernels (what # & up??) have it enabled by default. To enable the debug subsystem, use the following command:
sudo mount -t debugfs nodev /sys/kernel/debug
The Capsule8 sensor can be installed as a binary on Red Hat Enterprise Linux (RHEL), CentOS, or Fedora using the following command:
sudo rpm -i capsule8-sensor-*.rpm
Note: For RHEL 6 or CentOS 6 distributions, the
redhat-lsb-core dependency is required and can be installed suing the following command:
sudo yum install -y redhat-lsb-core
The sensor does not ship with any detections enabled by default, but a recommended set of detections is available by installing the content package:
sudo rpm -i capsule8-content-*.rpm
Capsule8 maintains an external package repository where deb and rpm packages are managed so that any user with an access token can install the correct packages for their system.
To start, ask your Capsule8 rep for an access token to Capsule8’s package repository. This will be a read-only token that is used to authenticate with PackageCloud. Access tokens are alpha numeric strings with no punctuation.
Once you receive your access token, the local system must be updated to enable package installation. This is performed through the following script, in which you should substitute your access token at the beginning of the url (after
https:// and before
curl -s https://10987654321fedcba893fab2838bce8923984abcdef0123456789:@packagecloud.io/install/repositories/capsule8/capsule8/script.rpm.sh | sudo bash
Once the local system is updated to pull Capsule8’s packages, installation can be done through the system’s native package installer. Before proceeding, make note of which package manager is being used to start and manage running packages on your system, as well as which version of Capsule8 you desire.
The service and package manager of the system is required when installing a Capsule8 package. The most recent version available will be installed by default, although you may optionally provide your desired version. As an example, the following is a command that would install the Capsule8 sensor version
4.3.0 for a system using
systemd as its service manager on a machine using
yum as its package manager:
sudo yum install capsule8-sensor-systemd-4.3.0 `` The sensor does not ship with any detections enabled by default, but a recommended set of detections is available by installing the content package: ```bash sudo yum install capsule8-content-4.3.0
The sensor can be upgraded by installing the desired Capsule8 Sensor package with your package manager. The package is installed with the name Capsule8 Sensor with the service manager (eg. sysV, systemd, upstart or runit) as a hyphenated suffix, such as:
sudo yum install capsule8-sensor-systemd