Installing Sensors from the Capsule8 Console

Prerequisites

• Capsule8 Console version 4.4.1 or later.
• A Package Cloud token should be set in the Console Configuration with the console.package_token setting.
• If you require specific sensor versions, see the Quick Install Sensor Version section.
• Non-admin users require the "Add New Resources" permission.

Quick Install Supported Distributions:

The Quick Install guide does not support all Linux distributions. Users who need to install the sensor on unsupported distributions should manually install the sensor according to the relevant instructions and use the "Manual Install" dialog described below to obtain an initial sensor configuration. The following is a list of distributions supported by Quick Install:

• Amazon Linux 2
• CentOS 7
• CentOS 8
• Debian 8 (jessie)
• Debian 9 (stretch)
• Debian 10 (buster)
• Ubuntu 16.04 (Xenial)
• Ubuntu 18.04 (Bionic)
• Ubuntu 20.04 (Focal)

Introduction

After installing the Capsule8 Console, users will see this guide:

Select either Manual Install or Quick Install to set up a Sensor. For supported distributions, Capsule8 recommends using Quick Install.

Once a host is connected, this dialog no longer appears on login. In Console 4.5.0 and later, users may re-open this dialog to install additional sensors by navigating to Resources and clicking Add Resource.

Quick Installation of Sensors from Console UI

Follow the Quick Install guide to install the Capsule8 Sensor.

Press Finish to complete the installation. As of Console 4.5.0, you will see a walkthrough of the Console's alert handling functionality.

Quick Install Sensor Version

By default, the Quick Install guide installs a recent sensor version that has been selected by Capsule8. Users who require a specific version may set the Console configuration console.quick_install_sensor_version to e.g. 4.7.3.

Manual Installation of Sensors from Console UI

If Manual Install is selected, users are presented with the below step

The configuration here may be copy/pasted into /etc/capsule8/capsule8-sensor.yaml on the Sensor host machine. As of Console 4.6.0, this configuration always includes a webhook alert_output block. Consoles configured with S3/SQS additionally include a commented-out S3 alert_output block. Users who prefer to transport alerts via S3 may uncomment and edit this block. See Getting Started: Exporting Alerts to learn about additional alert output configurations.

Unsafe Features

To enable these features, first follow the "Enabling 'unsafe' features" steps in our automated response guide. Enhanced detections can then be configured from the installation guide by clicking the link on the first panel:

Notes

• To use "Quick Install" in Console 4.4.1, enable Console control of the Capsule8 Sensor with the console.policy_config_enabled setting. This setting defaults to true in Console version 4.5.0 and later.