You can install the Lacework agent on a Google Compute Engine (GCE) host instance to monitor workloads. The workload portion provides process-aware threat and intrusion detection for your GCE environment and notifies you of any events through your chosen method.
Additionally, installing a Lacework agent requires obtaining or creating the installer script and access tokens. For more information, see Create Agent Access Token and Download Linux Agent Installer.
Unless you are installing the agent on a Container-Optimized OS (COS) instance, use your preferred deployment method detailed in Install the Linux Agent. For Container-Optimized OS instances, perform the following steps.
Install the Agent on the GCE Container-Optimized OS (COS) Instance
Install the datacollector on the host by running the
Open a terminal on your host as a user with
install.sh script onto your host by using the following command. You may specify a different location for your install.sh script to download. If you choose to do so, ensure that you update the path in Step 3.
curl https://your-instance.lacework.net/path/to/your/install.sh -o /tmp/install.sh
Run the following command to install the Lacework agent:
sudo sh /tmp/install.sh
If you need to use a different endpoint than the default endpoint (api.lacework.com), specify the URL of the endpoint, as shown:
sh /tmp/install.sh -U API_SERVER_URL
Verify the output of the command:
Check connectivity to Lacework server
Check Go Daddy root certificate
Installing on cos (85)
Using access token : 185e01a1f2c3df9f370568c5f137de ...
Using server url : https://api.lacework.net
Writing configuration file
+ sh -c 'mkdir -p /var/lib/lacework/config'
+ sh -c Writing config.json in /var/lib/lacework/config
+ curl -fsSL https://updates.lacework.net/18.104.22.16823_2022-03-02_release-v5.4_40c388324f25e853c5847c1c323dcbcbd42c217f/datacollector.service
Remounting /var/lib/lacework/ with exec permissions to start lacework agent.
+ mount -B /var/lib/lacework/ /var/lib/lacework/
+ mount -o remount,exec /var/lib/lacework/
+ systemctl stop datacollector.service
+ systemctl daemon-reload
+ systemctl enable datacollector.service
Created symlink /etc/systemd/system/multi-user.target.wants/datacollector.service → /etc/systemd/system/datacollector.service.
+ systemctl start datacollector.service
Lacework successfully installed
Once the agent is installed, verify that the Docker container is created successfully and has a Status of "Up" with the following command:
A successful installation displays an output similar to the following:
CONTAINER ID   IMAGE                           COMMAND                    CREATED              STATUS              PORTS   NAMES
4c7e22aeacfa   lacework/datacollector:latest   "/var/lib/backup/dat..."   About a minute ago   Up About a minute           datacollector
Configure the instance to remount the /var/lib/lacework directory as an executable path. By default, COS mounts noexec on boot. COS uses cloud-init for configuration operations and reads the user-data value out of the instance metadata as a cloud-config. Add the following metadata to the user-data key for the instance if no value is present or add the two mount statements to an existing
#cloud-config
mounts:
- [/var/lib/lacework, /var/lib/lacework, "none", "bind", "0", "0"]
- [/var/lib/lacework, /var/lib/lacework, "auto", "remount,exec,nosuid,nodev", "0", "1"]
To validate, run the mount | grep lacework command on the host to ensure that the filesystem is mounted correctly after a reboot. You should see output similar to:
/dev/sda1 on /var/lib/lacework type ext4 (rw,nosuid,nodev,relatime,commit=30)
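A scripted form of the validation step above, added here as an example and not part of the Lacework documentation: it reads mount output and confirms that /var/lib/lacework is executable while still carrying the nosuid and nodev options from the cloud-config. The function name check_lacework_mount and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the options on the /var/lib/lacework mount.
# Reads `mount`-style lines on stdin: "<dev> on <dir> type <fs> (<opts>)".
# Prints a verdict and returns 0 only if the path is executable (no noexec)
# and still carries nosuid and nodev, as in the cloud-config above.
check_lacework_mount() {
    target="${1:-/var/lib/lacework}"
    # A bind mount can stack several entries on one path; the last is in effect.
    opts=$(awk -v t="$target" '$2 == "on" && $3 == t { o = $NF } END { print o }')
    opts=${opts#\(}; opts=${opts%\)}
    if [ -z "$opts" ]; then
        echo "MISSING: no mount entry for $target"
        return 2
    fi
    case ",$opts," in
        *,noexec,*) echo "FAIL: $target is noexec; agent cannot start"; return 1 ;;
    esac
    for want in nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "FAIL: $target lacks $want"; return 1 ;;
        esac
    done
    echo "OK: $target ($opts)"
}

# Constructed sample lines, modeled on the output shown above.
SAMPLE_OK='/dev/sda1 on /var/lib/lacework type ext4 (rw,nosuid,nodev,relatime,commit=30)'
SAMPLE_NOEXEC='/dev/sda1 on /var/lib/lacework type ext4 (rw,nosuid,nodev,noexec,relatime,commit=30)'

# On a live host: mount | check_lacework_mount
```

A non-zero exit after a reboot means the user-data mounts were not applied, so the check can gate a startup or monitoring script.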