Skip to main content

Configure Linux Agent Using the Lacework Console

Overview

You can configure the agent using the following options:

  • From the Lacework Console.
  • Using a config.json file on the host on which the agent is installed. For more information, see Configure Linux Agent Behavior in config.json File.
  • Using the LaceworkAccessToken, LaceworkServerUrl, and LaceworkConfig environment variables on the host on which the agent is installed.
note

The agent access token is the only required setting for the agent. All other settings are optional. You can specify the access token only in the config.json file or the LaceworkAccessToken environment variable. You cannot specify the access token from the Lacework Console.

Lacework recommends configuring the agent from the Lacework Console because of the following reasons:

  • You can quickly view, modify, or reset the configuration for all the agents that use a specific agent access token. You do not have to login to host machines to view or modify the configuration using the config.json file or the LaceworkAccessToken, LaceworkServerUrl, and LaceworkConfig environment variables.
  • Any new agent that you install using a specific agent access token will use the configuration for that token from the Lacework Console. You need not manually configure it using the config.json file or the environment variables.
  • You can navigate to Settings > Usage > Audit logs to view the history of all agent configuration changes made in the Lacework Console. This helps you to know who modified the configuration and what was modified. For more information, see Audit logs.

How Configuring the Agent from the Lacework Console Works

The Lacework agent uses an agent access token to communicate with the Lacework platform. When you create an agent access token, you select the Lacework license subscription associated with the token. The license subscription you select for the token has a default agent configuration that will be applied to all the agents that use that token.

You can use the Lacework Console to view, modify, or reset the configuration for all agents that use a specific agent token. The changes you make in the configuration are automatically applied to all the agents that use that token. Any new agent that you install using that token will also use the same configuration from the Lacework Console.

note

If you have configured an agent using the config.json file or the LaceworkAccessToken, LaceworkServerUrl, and LaceworkConfig environment variables, the agent will apply the settings in the following order:

  1. The settings from the LaceworkAccessToken, LaceworkServerUrl, and LaceworkConfig environment variables first.
  2. The settings from the config.json file next.
  3. The settings for the agent access token from the Lacework Console last.

For example, if you specify the memory limit as 750M using the LaceworkConfig environment variable, 1024M in the config.json file, and 1000M in the Lacework Console, the agent will use the 750M memory limit from the LaceworkConfig environment variable. However, if you specify a proxy server URL in the Lacework Console but do not specify it in the config.json file or the LaceworkConfig environment variable, the agent will use the proxy server URL from the Lacework Console.

View the Agent Configuration

To view the configuration:

  1. Login to the Lacework Console.

  2. Go to Settings > Configuration > Agent Tokens.

  3. Click on the row for the token.

    The Access Token page appears.

  4. Click the Configure tab to view the configuration.

Modify the Agent Configuration

To modify the configuration:

  1. Login to the Lacework Console.

  2. Go to Settings > Configuration > Agent Tokens.

  3. Click on the row for the token.

    The Access Token page appears.

  4. Click the Configure tab, then click the Edit icon Edit Icon.

  5. Modify the configuration as required. For more information, see Agent Configuration Options.

  6. Click Save All.

The updated configuration is applied to all the agents that use the token.

Reset the Agent Configuration

Every Lacework license subscription has a default agent configuration that enables the features supported by the license subscription.

To reset the configuration to the default for a license subscription:

  1. Login to the Lacework Console.
  2. Go to Settings > Configuration > Agent Tokens.
  3. Click on the row for the token. The Access Token page appears.
  4. Click the Configure tab, then click the Edit icon Edit Icon.
  5. In the Reset configuration section, select the license subscription you want to associate with the token.
  6. Click Overwrite Config.

The updated configuration is applied to all the agents that use the token.

note

Resetting the agent configuration will only reset the settings in the Lacework Console. It will not modify the config.json file or the LaceworkAccessToken, LaceworkServerUrl, and LaceworkConfig environment variables on the host on which the agent is installed.

Agent Configuration Options

This section describes all the agent configuration options available on the Access Token page.

Reset Configuration

Reset configuration to default for license subscription

Every Lacework license subscription has a default agent configuration that enables the features supported by the license subscription.

Select the Lacework license subscription you want to associate with the agent token and click Overwrite Config to reset the agent configuration with the default agent configuration for that license subscription.

The default configuration will be applied to all the agents that use that token.

tip

To know the license subscriptions for your Lacework account, go to Settings > License in the Lacework Console.

Agent administration settings

CPU limit

Specify the maximum number of CPU units that the Lacework agent can use on a host. If the agent measures sustained CPU usage over the specified limit during a 4-minute window, the agent restarts. Note that if the CPU usage spikes quickly up and down, the agent does not restart.

note

The number of connections made by the host determines the CPU impact of the Lacework agent on an individual system. However, for an average workload, Lacework has observed 1-3% CPU usage for the agent.

Lacework has guardrails to prevent the agent from consuming all the CPU on a host. A host is where the agent process is running, either as a Docker container or as part of a Kubernetes cluster, virtual machine, or standalone machine.

Specify the unit of CPU size as a suffix, as shown in the following example:

500m

In this example, the suffix m stands for millicpu.

note

The CPU limit also applies to container-based agent deployments. You can also do the following to set CPU limits for containers:

Memory limit

Specify the maximum amount of memory that the Lacework agent can use on a host. If the agent measures sustained memory usage over the specified limit during a 4-minute window, the agent restarts. Note that if the memory usage spikes quickly up and down, the agent does not restart.

note

Lacework has observed an average of 250-300 MB of memory usage by the agent, but the memory usage can vary depending on the host workload, such as the number of network connections, running applications, running containers, and the amount of metadata processing.

Lacework also has guardrails to prevent the agent from consuming an unlimited amount of memory on a host. A host is where the agent process is running, either as Docker container or as part of a Kubernetes cluster, virtual machine, or standalone machine.

Specify the unit of memory size as a suffix, as shown in the following example: 750M

In this example, the suffix M stands for Megabytes.

Specify one of the following size units as a suffix:

  • m or M for Megabytes.
  • g or G for Gigabytes.
note

The memory limit also applies to container-based agent deployments. You can also do the following to set memory limits for containers:

Agent server URL

(Optional for Linux agent v6.2 and later versions) Specify the region-specific agent server URL that the Lacework agent uses to communicate with the Lacework platform. Lacework supports the following regions and URLs:

RegionURL
US (default)https://api.lacework.net
US-02 (US)https://aprodus2.agent.lacework.net
GPRODUS1 (US)https://agent.gprodus1.lacework.net
European Union (EU)https://api.fra.lacework.net
Australia and New Zealand (ANZ)https://auprodn1.agent.lacework.net

By default, agents use the https://api.lacework.net URL in the US region. If you have Linux agent v6.1 or earlier installed outside the default region (US), you must explicitly specify the agent server URL for your region.

Starting with Linux agent v6.2, it is optional for you to specify the agent server URL even if you install agents outside the default region. The agent automatically discovers the agent server URL for your region.

To automatically discover the agent server URL for Linux agent v6.2 or later:

  • If you have not specified the agent server URL, agents will first communicate with https://api.lacework.net that is located in the US region to know the region they belong to, and then use only the region-specific URL.
  • If you have specified the agent server URL, agents will first communicate with the configured server URL to know the region they belong to.

Once the correct region is established, agents remember it and communicate only with the agent server URL for that region until you modify the URL.

In the near future, agents will default to a new URL as given below for automatically discovering the agent server URL.

RegionNew URLOld URL (Deprecated)
US (default)https://agent.lacework.nethttps://api.lacework.net
US-02 (US)https://agent.aprodus2.lacework.nethttps://aprodus2.agent.lacework.net
European Union (EU)https://agent.euprodn.lacework.nethttps://api.fra.lacework.net
Australia and New Zealand (ANZ)https://agent.auprodn1.lacework.nethttps://auprodn1.agent.lacework.net/
note

If you have specified an old URL, it will continue to work. However, Lacework recommends that you specify a new URL because the old URLs will be retired in the future.

info

If you have explicitly allowlisted an old URL or IP address, ensure that the new URLs or IP addresses are included in the allowlist to enable agents to communicate with the Lacework platform. For more information, see Required Connectivity, Proxies & Certificates.

Proxy server URL

Specify the HTTP or SOCKS proxy server for the Lacework agent to use as a network proxy in the following format:

http://Your_Proxy_Server:Your_Port

Where Your_Proxy_Server is the URL for your proxy server and Your_Port is the port number of your proxy server.

If your proxy server requires a password, use the following format:

http://username:password@Your_Proxy_Server:Your_Port

Where username is the username for the proxy server, and password is the password for the proxy server.

When you configure the Lacework agent in environments with http/s proxy, the agent attempts a connection through the configured proxy. In agent v4.3 and later, if there is a failure or timeout for the connection, the agent will not be able to connect to Lacework. In releases prior to agent v4.3, if there is a failure or timeout for the connection, the agent bypasses the proxy and uses a direct outbound connection.

Enable auto upgrade

Every few months, Lacework qualifies a Linux agent release as a fleet upgrade release version. The latest fleet upgrade versions are available at https://packages.lacework.net/?prefix=established/RPMS/x86_64/.

By default, the agent is automatically upgraded when a new fleet upgrade version is available.

note

For improved security and to benefit from new and improved features, Lacework recommends that you do not disable automatic upgrade of the agent.

Performance mode

Select the mode in which you want the agent to run.

Default

The default mode in which the agent runs.

Lite

Select this mode if your workload has a large number of connections or handles a large volume of data. In Lite mode, for the same load (number of connections) the agent CPU and memory usage is 10% less than normal.

Lite mode does not change the effectiveness of Lacework intrusion detection. However, it disables features such as File Integrity Monitoring (FIM) scan, package scan, and process scan by default.

If you want to re-enable FIM scan, package scan, or process scan, enable then explicitly.

note

On hosts running Linux kernel v4.16 and later, Lite mode uses eBPF to capture packets on interfaces. On hosts running Linux kernel versions older than v4.16, Lite mode uses libpcap to capture packets on interfaces.

The following are the limitations of running the agent in Lite mode:

  • The Agent mode column in the Agent monitor table on the Agents dossier in the Lacework Console displays the performance mode as normal instead of lite.

  • The agent does not report UDP traffic.

  • The agent might not detect process attribution for certain local traffic (which originates and is consumed on the same machine). For example, in Default mode, if connections are terminated on an nginx server running on the host, the agent reports all connections that are terminated by nginx with connection details showing dst_pid_hash as pid_hash of nginx.

  • The agent does not collect the following connection metrics:

    • SESS_COUNT_IN

    • SESS_COUNT_OUT

    • PKT_PER_SESS_COUNT_IN

    • PKT_PER_SESS_COUNT_OUT

    • BYTES_PER_PKT_COUNT_IN

    • BYTES_PER_PKT_COUNT_OUT

    • SESSTIME_PER_SESS_IN

    • SESSTIME_PER_SESS_OUT

    • RESPTIME_PER_SESS_IN

    • RESPTIME_PER_SESS_OUT

    • OUTGOING histogram

    • INCOMING histogram

eBPF Lite

The eBPF Lite mode uses less CPU and memory than the Lite mode on hosts that have a large number of connections. However, it does not disable features such as File Integrity Monitoring (FIM) scan, package scan, and process scan like the Lite mode.

note

The Lacework agent supports the eBPF Lite mode only on hosts running Linux kernel v4.16 and later. If you enable it on a host that has Linux kernel version older than v4.16, the agent will run in Default mode. In the Default mode, the agent uses libpcap to capture packets on interfaces.

The following are the limitations of running the agent in eBPF Lite mode:

  • The Agent mode column in the Agent monitor table on the Agents dossier in the Lacework Console displays the performance mode as normal instead of ebpf lite.
  • The agent does not report outgoing UDP traffic.
  • The agent might not detect process attribution for certain local traffic (which originates and is consumed on the same machine). For example, in normal mode, if connections are terminated on an nginx server running on the host, the agent reports all connections that are terminated by nginx with connection details showing dst_pid_hash as pid_hash of nginx.
  • The agent does not collect the following connection metrics:
    • SESS_COUNT_IN
    • SESS_COUNT_OUT
    • PKT_PER_SESS_COUNT_IN
    • PKT_PER_SESS_COUNT_OUT
    • BYTES_PER_PKT_COUNT_IN
    • BYTES_PER_PKT_COUNT_OUT
    • SESSTIME_PER_SESS_IN
    • SESSTIME_PER_SESS_OUT
    • RESPTIME_PER_SESS_IN
    • RESPTIME_PER_SESS_OUT
    • OUTGOING histogram
    • INCOMING histogram
Scan

Select this mode if you want the agent to perform host vulnerability and FIM scans only. In Scan mode, the agent uses less CPU because it does not perform other activities such as network monitoring or process attribution.

Enable package scan

Allows you to enable or disable package scan. Package scan scans OS packages for vulnerabilities.

By default, package scanning is enabled.

Package scan interval

Specifies the package scan interval in minutes. The default package scan interval is 60 minutes.

Enable process scan

Allows you to enable or disable process scan. Process scan scans processes to check if they reference any JAR files and detects potential log4j vulnerability.

By default, process scanning is enabled.

Process scan interval

Specifies the process scan interval in minutes. The default process scan interval is 720 minutes (12 hours).

Agent runtime settings

Enable active package detection

info

This feature is in Preview as of Linux Agent v6.4 for hosts, and Linux Agent v6.9 for hosts and containers.

Active package detection enables you to know whether a vulnerable package is being used by an application on your host/container and prioritize fixing active vulnerable packages first.

For the list of supported package managers and types, see Which package managers and types are supported?. For some package types (as shown in the table), you also need to enable Agentless Workload Scanning in your environment.

By default, active package detection is disabled.

  • To enable active package detection on hosts only, set the option to Hosts only (all).

  • To enable active package detection on hosts and containers, set the option to Hosts and containers (experimental).

  • To disable active package detection on hosts and containers, set the option to Disabled (false).

Use the Package Status filter on the Host Vulnerability and Container Vulnerability pages to view active or inactive vulnerable packages.

Agent Resource Utilization

Active package detection uses very low CPU, memory, and network resources. If the agent has sustained CPU or memory usage over the CPU or memory limits (specified using the CPU limit and Memory limit fields) during a 4-minute window, the agent restarts. Note that if the CPU or memory usage spikes quickly up and down, the agent does not restart.

Discover DNS over TCP

By default, the agent discovers DNS requests over TCP and sends them to the Lacework platform to enable it to identify DNS-over-TCP connections.

note

The agent does not discover the following over TCP:

  • Fragmented DNS packets
  • DNS packets greater than 512 bytes
  • Encrypted DNS packets
  • DNSSEC records

Netmask for anonymizing IPv4 addresses

IP addresses are considered as personally identifiable information (PII) by privacy laws such as GDPR (General Data Protection Regulation). If applicable in your region or country, you can enable the Lacework agent to anonymize inbound IP addresses to comply with privacy laws that may be relevant to your business. This feature is customer-controlled, and it is the customer's responsibility to determine what is applicable to their region or country.

Note the following:

  • Only source public IPv4 addresses for incoming network connections (IPv4 addresses of external hosts connecting to a server) will be anonymized. Public IPv4 addresses for outgoing networking connections (IPv4 address of a server connecting to external hosts) will not be anonymized.
  • The anonymized IPv4 addresses will be displayed in the Lacework Console. You cannot identify the real IP address from an anonymized IP address.
  • IPv6 addresses will not be anonymized.
  • Private and internal IPv4 addresses will not be anonymized. This includes the following subnets:
    • 127.0.0.0/8: Loopback IP range
    • 10.0.0.0/8: Private IP range (see RFC1918)
    • 172.16.0.0/12: Private IP range (see RFC1918)
    • 192.168.0.0/16: Private IP range (see RFC1918)
    • 169.254.0.0/16: Link-Local IP range (see RFC3927)

To anonymize public IPv4 addresses, enter any valid IPv4 netmask, except for the following that should not be used for the reasons given below.

Invalid NetmaskReason
0.0.0.0This netmask will result in IPv4 addresses anonymized as 0.0.0.0.
127.0.0.0This netmask will result in IPv4 addresses anonymized as 127.0.0.0 (loopback IP range) or 0.0.0.0.
224.0.0.0This netmask will result in IPv4 addresses anonymized as multicast addresses.
255.255.255.255With this netmask, the anonymized IPv4 addresses will be the same as the original IPv4 addresses.
Example

The following examples show how the netmask you specify anonymizes IPv4 addresses. Note how multiple IP addresses are anonymized to the same IP address 54.213.202.0 and 54.213.0.0.

Public IP AddressNetmaskAnonymized IP Address
54.213.202.1255.255.255.054.213.202.0
54.213.202.65255.255.255.054.213.202.0
54.213.202.78255.255.255.054.213.202.0
54.213.202.1255.255.0.054.213.0.0
54.213.202.65255.255.0.054.213.0.0
54.213.202.78255.255.0.054.213.0.0
Limitations of Anonymizing Public IPv4 Addresses
  • You cannot identify the real IP address from an anonymized IP addresses. This can impact your ability to identify the source of a threat or unusual activity that is reported in an alert.
  • Only the source IP addresses in incoming network connections are anonymized, and multiple IP addresses may be anonymized to the same IP address. This will result in inaccurate polygraphs in the Lacework Console because the source and target IP address of an incoming connection cannot be matched.
  • Depending on the netmask, the geographical location of an anonymized IP address may not be correct.

Capture commands and Ignore commands

By default, the agent collects command-line arguments for all executables when collecting process metadata.

  • To configure the agent to collect data for all executables, enter only the * wildcard in the Capture commands field and do not enter anything in the Ignore commands field. This is the default and recommended setting.

  • If you do not want the agent to collect data for specific executables, add the executable names or paths as a list of comma-separated strings in the Ignore commands field. If an executable name or path matches one of the specified strings, the agent does not collect data for that executable. For example:

    • If you specify java, any java executable found in the operating system is excluded from collection.
    • If you specify /bin/java, both /usr/bin/java and /usr/mypath/bin/java match. Therefore, both would be excluded from collection.
  • To configure the agent to collect data only for specific executables, add the executable names or paths as a list of comma-separated strings in the Capture commands field and do not enter anything in the Ignore commands field. If an executable name or path matches one of the specified strings, the agent collects data for that executable. For example:

    • If you specify perl,bash, the agent collects data only for the perl and bash executables found in the operating system.
    • If you specify bin/bash, the agent collects data for /bin/bash and /usr/bin/bash but not for /bin/bash_2, /bin/mybash, or /mybin/bash.
  • To disable the agent from collecting data for all executables, enter only the * wildcard in the Ignore commands field and do not enter anything in the Capture commands field. This stops data collection for all executables and is not recommended.

danger

Limiting the data collected by the agent reduces Lacework’s process-aware threat and intrusion detection in your cloud environment and limits the alerts that Lacework generates. If you must disable sensitive data collection in your environment, Lacework recommends disabling the smallest set of executables possible.

AWS metadata request interval

The agent retrieves metadata tags from AWS to enable you to quickly identify where you need to take actions to fix alerts displayed in the Lacework Console. To ensure that the latest metadata is displayed in the Lacework Console, the agent periodically makes describe-tags API calls to retrieve tags from AWS.

  • To limit the number of API calls, you can specify the interval after which the agent retrieves the tags.

    The default interval is 1m (one minute). The interval can be specified in ns (nanoseconds), us (microseconds), ms (milliseconds), s (seconds), m (minutes), or h (hours). For example, to retrieve the tags once every 15 minutes, specify the following:

    15m

  • To disable the agent from retrieving tags from AWS, specify the following:

    0

Enable eBPF connection tracking

Enables the agent to use eBPF (Extended Berkeley Packet Filter) to monitor short-lived connections and processes, resulting in better visibility of your workloads.

This feature is supported in Lacework agent v4.3 and later versions.

File Integrity Monitoring settings

File Integrity Monitoring (FIM) monitors a predefined set of files and directories at a periodic interval. FIM identifies new, changed, malicious, and non-package installed files and generates alerts for malicious files. You can configure custom FIM policies to generate alerts for your specific requirements. For more information, see Create Custom Policies.

Enabled

Allows you to enable or disable FIM. FIM requires an Enterprise license subscription.

Run at

By default, the agent runs the FIM scan at an undetermined time once per day. To change the start time of the daily FIM scan, enter the start time in the HH:MM format. For example, to start the FIM scan at 11:50 PM daily, enter:

23:50

Minimum delay between scans

By default, when you restart the agent, it runs FIM after 60 minutes. This is done to prevent FIM from being run immediately after you restart the agent.

If you want to run FIM immediately after you restart the agent, set the delay period to 0.

Ignore file access time

Specify whether you want to prevent the file access timestamp (atime) from being used for the metadata hash computation that the agent uses to determine if a file was changed. The atime is the last time a file was read but not modified.

Scan paths

Specify the paths or files that you want the agent to monitor. By default, Lacework monitors a set of default paths and files.

If you want to monitor an entire directory but exclude specific files in that directory, specify the directory to monitor in the Scan paths list and the files to exclude in the Ignore paths list.

You can use the * and ? wildcards in a path.

Ignore paths

Specify the paths or files that you do not want the agent to monitor. By default, Lacework excludes monitoring a set of default paths and files.

You can use the * and ? wildcards in a path.

File modification monitoring settings

File modification monitoring tracks create, modify, move, delete, and attribute change events on specified files and directories.

Lacework provides default policies to display alerts for malicious file modification events. See Process Execution and File Modification Monitoring Policies for more information. In addition, you can use the LW_HA_SYSCALLS_FILE LQL datasource to create custom policies to display alerts for file modification events in the Lacework Console.

note

The Lacework agent does not currently track file read events.

Important

This feature requires the following:

  • A supported Linux operating system that has kernel version 5.1 or later. For more information, see Supported Linux Operating Systems.

    If you are using Linux kernel version 5.1 through 5.8, the following limitations apply. Linux kernel version 5.9 or later do not have these limitations.

    • If a file is deleted within 3 seconds after it is created, the create and delete events may not be tracked for the file.
    • Recursive directory monitoring is not supported.
  • Linux agent v6.7 or later version for file modification monitoring on host machines.

  • Linux agent v6.9 or later version for file modification monitoring on Kubernetes clusters.

Exclude events for specific files

Specifies the paths to the files or directories for which you do not want to monitor file modification events.

To add the path to a file or directory, do the following:

  1. Enter a description for the file or directory in the Description field.

  2. Enter the path to the file or directory in the File or directory path field.

    You can use a single * wildcard character in the path.

    • The following example uses the * wildcard character to monitor events for files and directories whose name starts with lacework in the /tmp directory.

      /tmp/lacework*
    • The following example uses the * wildcard character to monitor events for files in any directory under /home that has the /.ssh subdirectory such as /home/user-a/.ssh/ and /home/user-b/.ssh.

      /home/*/.ssh/
  3. Click +Add a path.

  4. Click Save All.

note
  • If you add the same file or directory path in the Monitor events for specific files only section and the Exclude events for specific files section, the agent will not monitor events for the file or directory.

    For example, if you do the following, the agent will not monitor events for the /tmp/mylog.log file.

    • Add the /tmp/mylog.log path in the Monitor events for specific files only section.
    • Add the /tmp/mylog.log path in the Exclude events for specific files section.
  • If you add a directory path in the Monitor events for specific files only section and add the path to a folder inside that directory in the Exclude events for specific files section, the agent will not monitor events in that folder.

    For example, if your host has a path like /tmp/log/user-a/ and you do the following, the agent will monitor files in the /tmp directory and the /tmp/log/user-a/ directory but will not monitor files in the /tmp/log/ directory.

    • Add the /tmp path with the directory depth to recurse value of 3 in the Monitor events for specific files only section.
    • Add the /tmp/log/ path in the Exclude events for specific files section.

Monitor events for specific files only

Specifies the paths to the files or directories for which you want to monitor file modification events. The agent monitors file modification events for a default set of files and directories.

To add the path to a file or directory, do the following:

  1. Enter a description for the file or directory in the Description field.

  2. Enter the path to the file or directory in the File or directory path field.

  3. In the Events to watch for field, enter the file events you want to monitor as a comma separated list. The following file events can be monitored. Hence, if you want to monitor only file create and modify events, enter create,modify in the Events to watch for field.

    • create
    • delete
    • modify
    • move
  4. If you have entered the path to a directory in the File or directory path field, enter the maximum directory depth to recurse while tracking file events in the Directory depth to recurse field.

    The default depth is 1. You can specify a maximum depth of 10.

    For example, if you enter /etc/init.d in the File or directory path field, only file events in the /etc/init.d directory are monitored if the depth is 1.

    To recurse up to two levels of subdirectories inside the /etc/init.d directory, enter 2 in the Directory depth to recurse field. For example, if you have a directory structure like /etc/init.d/folder1/folder2, the agent monitors only the file events in the following directories because you have specified the depth as 2:

    /etc/init.d/ (depth = 1)
    /etc/init.d/folder1/ (depth = 2)

    If you also want the file events in the /etc/init.d/folder1/folder2 directory to be monitored, enter 3 in the Directory depth to recurse field.

  5. Click +Add a path.

  6. Click Save All.

Process execution monitoring settings

To improve threat and MITRE ATT&CK detection, the agent supports process execution monitoring for all processes, even those that do not make external connections.

Lacework provides default policies to display alerts for malicious process execution events. See Process Execution and File Modification Monitoring Policies for more information. In addition, you can use the LW_HA_SYSCALLS_EXEC LQL datasource to create custom policies to display alerts for process execution events in the Lacework Console.

Important

This feature requires the following:

  • A supported Linux operating system that has kernel version 4.16 or later. For more information, see Supported Linux Operating Systems.
  • Linux agent v6.7 or later version for process execution monitoring on host machines.
  • Linux agent v6.9 or later version for process execution monitoring on Kubernetes clusters.

Monitor all process execution events

By default, the agent monitors process execution events for all executables.

Toggle Monitor all process execution events to off (toggle to the left) if you want to do any of the following:

  • Disable monitoring process execution events for specific executables. Enter the paths to the executables in the Exclude events for specific executables section.
  • Monitor process execution events for specific executables only. Enter the paths to the executables in the Monitor events for specific executables only section.

Exclude events for specific executables

Specifies the paths to the executables for which you do not want to monitor process execution events.

To add the path to an executable, do the following:

  1. Toggle Monitor all process execution events to off (toggle to the left).
  2. Enter a description for the executable in the Description field.
  3. Enter the path to the executable in the Executable path field.
  4. Click +Add a path.
  5. Click Save All.

Monitor events for specific executables only

Specifies the paths to the executables for which you want to monitor process execution events.

To add the path to an executable, do the following:

  1. Toggle Monitor all process execution events to off (toggle to the left).
  2. Enter a description for the executable in the Description field.
  3. Enter the path to the executable in the Executable path field.
  4. Click +Add a path.
  5. Click Save All.