The Sensor is a lightweight agent installed on Linux hosts that collects events from those hosts to trigger alert generation or automated response. The Capsule8 Sensor integrates with your existing logging and alerting infrastructure. The Sensor can be deployed wherever you have Linux: in public or private cloud, containers or VMs, on-prem bare metal, and across different kernel versions and Linux distributions.
The Capsule8 Sensor releases are distributed as Debian and RPM packages that are hosted in a private package repository by a third-party service called Packagecloud.
- PackageCloud Access Token (to be provided by Capsule8)
  - This is a read-only token used to authenticate with PackageCloud.
  - Access tokens are alphanumeric strings with no punctuation.
  - Capsule8 maintains an external package repository where deb and rpm packages are managed so that any user with an access token can install the correct packages for their system.
- Enable the Linux debug subsystem (a guide to enabling it is provided in the installation steps below)
- System Requirements
  - At least 1 vCPU
  - At least 2 GB RAM
  - At least 2 GB disk
The Capsule8 sensor can be installed on Debian or Ubuntu distributions via the Capsule8 Package Repository.
If you haven't already enabled the Linux debug subsystem, which the Sensor uses to instrument kernel and userspace events, do so with the command below:
$ sudo mount -t debugfs nodev /sys/kernel/debug
Note: Newer kernels have it enabled by default.
To start, ensure that your Capsule8 representative has provided you with the access token for the Capsule8 Package Repository. Using the access token, the local system must be configured to enable package installation.
This is performed by substituting your access token into the command below and running it:
$ curl -s https://<package-cloud-token>:@packagecloud.io/install/repositories/capsule8/capsule8/script.deb.sh | sudo bash
Once the local system is updated to pull Capsule8 packages, installation can be done through the system’s native package installer by running the command:
$ sudo apt-get install capsule8-sensor-systemd #Most recent version will be installed by default
$ sudo apt-get install capsule8-sensor-systemd=4.6.0 #You can specify Capsule8-Sensor version of choice
Please note that the Capsule8 Sensor does not ship all detections by default; however, a recommended set of detections is available simply by installing the content package as shown below:
$ sudo apt-get install capsule8-content #Most recent version will be installed by default
$ sudo apt-get install capsule8-content=4.6.0 #You can specify the Capsule8-Content version of your choice
The most recent version (sensor and content) available will be installed by default, although you may optionally provide your desired version.
Important: Do not forget to match the package to the service manager that starts and manages services on your system (e.g. sysV, systemd, upstart or runit). For example, the above shows the Capsule8 Sensor installation for a system using systemd as its service manager on a machine using apt-get as its package manager. Specifying the Capsule8 version is optional.
1. Check for Successful Installation
$ apt list --installed | grep capsule8 # This shows the sensor and content info for Debian-based distros
2. Confirm Sensor is running
To enable the newly installed Sensor:
$ sudo systemctl enable capsule8-sensor
To start the Sensor and confirm it is running, run the commands below:
$ sudo systemctl start capsule8-sensor
$ sudo systemctl status capsule8-sensor
To check the logs:
$ sudo journalctl -efu capsule8-sensor #Useful to view the logs of the running sensor
Checking for Capability Errors:
As part of your installation, the sensor binary should have the CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE and CAP_KILL capabilities. These are necessary because the supervisor process executes the sensor as an unprivileged user.
If you are getting "permission denied" errors, verify these capabilities are set with getcap <sensor_binary>. If any are missing, set them with:
$ sudo setcap cap_sys_admin,cap_dac_override,cap_sys_ptrace,cap_kill=+epi <sensor_binary>
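The capability and debugfs checks above, as a post-install verification script. This is an added example, not part of the Capsule8 documentation; the sensor path is a placeholder and the sample getcap lines are constructed, covering both the older "PATH = caps+eip" and newer "PATH caps=eip" output forms.

```shell
# Post-install verification for the Capsule8 Sensor (added example, not part
# of the Capsule8 documentation). Paths below are placeholders.

# The four capabilities the guide says the sensor binary must carry.
REQUIRED_CAPS="cap_sys_admin cap_dac_override cap_sys_ptrace cap_kill"

# effective_caps LINE: parse one line of getcap output ("PATH = caps+eip" or
# "PATH caps=eip") and print, comma-terminated, the capabilities granted in
# both the effective and permitted sets. Inheritable-only clauses are ignored.
effective_caps() {
    line=$(printf '%s\n' "$1" | sed 's/^[^ ]* *=* *//')  # drop "PATH =" prefix
    for clause in $line; do
        caps=${clause%%[=+]*}      # capability list before the action char
        flags=${clause#"$caps"}    # the action and flag letters, e.g. "=eip"
        case $flags in
            *e*p*|*p*e*) printf '%s,' "$caps" ;;
        esac
    done
}

# missing_caps LINE: print each required capability absent from LINE,
# one per line; prints nothing when the binary is correctly provisioned.
missing_caps() {
    have=$(effective_caps "$1")
    for need in $REQUIRED_CAPS; do
        case ",$have" in
            *",$need,"*) ;;
            *) printf '%s\n' "$need" ;;
        esac
    done
}

# debugfs_mounted: the instrumentation step needs /sys/kernel/debug mounted.
debugfs_mounted() {
    grep -qs ' /sys/kernel/debug debugfs ' /proc/mounts
}

# check_sensor_caps BINARY: run getcap on the installed sensor binary;
# returns 0 when all four capabilities are present, 1 otherwise.
check_sensor_caps() {
    out=$(getcap "$1" 2>/dev/null) || return 2
    missing=$(missing_caps "$out")
    [ -z "$missing" ] && return 0
    printf 'missing capabilities: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
    return 1
}

# Constructed sample lines (not captured from a real host):
SAMPLE_OK='/path/to/sensor_binary = cap_dac_override,cap_kill,cap_sys_ptrace,cap_sys_admin+eip'
SAMPLE_BAD='/path/to/sensor_binary = cap_dac_override,cap_kill+eip'
```

On a real host, run `debugfs_mounted && check_sensor_caps /path/to/sensor_binary` after installation; a non-zero exit names the capabilities that still need to be set.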
To restart the Sensor:
$ sudo systemctl restart capsule8-sensor # Recommended whenever you make any changes to the sensor
Congratulations, you have successfully installed the Capsule8 Sensor. To optionally upgrade the Capsule8 Sensor you can follow the step below; you can also set up detections by visiting our page.
If you want to upgrade the sensor, install the desired Capsule8 Sensor package with your package manager. The package name is capsule8-sensor with the service manager (e.g. sysV, systemd, upstart or runit) appended as a hyphenated suffix, such as:
$ sudo apt-get install capsule8-sensor-systemd