Install Linux Agent on Alpine Linux

beta feature

This topic describes functionality that is currently in beta.

You can install the Lacework agent on Alpine Linux using the methods described in the following sections.

For supported Alpine Linux versions, see Supported Operating Systems.

Use the Lacework Installation Script

Follow the steps described in Use the Lacework Installation Script [install.sh].

Install using an .apk Package

For single host installations, you can install the Lacework agent using an .apk package. Download a release package (YourRelease.tgz file) from the Lacework Agent Release GitHub repository. Lacework agent versions 2.12.1 and later support Alpine Linux.

After downloading the appropriate package locally, copy it to /tmp or another directory on the target Linux server using your preferred method. Alternatively, the package can be downloaded directly from the Linux instance.

When installing using a package, you must manually create a config.json file on your target Linux server and add your access token. In the steps below, replace Your_Agent_Access_Token with your agent access token. For more information, see Create Agent Access Token. Replace Your_API_Endpoint with your agent server URL. For more information, see Agent Server URL.

  1. Create the directory where the agent will look for the config.json file.
    sudo mkdir -p /var/lib/lacework/config
  2. Using your preferred text editor, create a file called config.json in the /var/lib/lacework/config directory with your agent access token and optionally your agent server URL.
    {
    "tokens": { "AccessToken":"Your_Agent_Access_Token" },
    "serverurl" : "Your_API_Endpoint"
    }
    Replace Your_API_Endpoint with your agent server URL.
  3. Verify that the file contains your access token.
    cat /var/lib/lacework/config/config.json
  4. Install the Alpine signing key as described in Alpine RSA key.
  5. Install the .apk package.
    sudo apk add lacework-latest-r1.apk
  6. Verify that the Lacework Console Resources > Agents page displays the new host. Agents send the data they collect to the Lacework backend, and a newly added agent on the VM (installed as a package or a container) should be visible in 10 to 15 minutes.
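
Because config.json holds the agent access token, steps 1 to 3 can be scripted so the file is owner-only from the moment it is created and is verified without printing the token. This is an added example, not Lacework's own code; the function names, the CONFIG_DIR override, the owner-only file mode and the https-only URL check are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Lacework code): create config.json as an owner-only file.
# CONFIG_DIR defaults to the directory from step 1; override it to test unprivileged.
CONFIG_DIR="${CONFIG_DIR:-/var/lib/lacework/config}"

# write_agent_config TOKEN [SERVER_URL]
write_agent_config() {
    token="$1"; url="${2:-}"
    # Refuse an empty token, the page's placeholder, or characters that would break the JSON.
    case "$token" in
        ''|Your_Agent_Access_Token|*'"'*|*'\'*) echo "invalid token" >&2; return 1 ;;
    esac
    # Assumption: the agent server URL is always an https URL.
    case "$url" in
        *'"'*|*'\'*) echo "invalid serverurl" >&2; return 1 ;;
        ''|https://*) ;;
        *) echo "serverurl must start with https://" >&2; return 1 ;;
    esac
    (
        umask 077    # file is never group- or world-readable, even briefly
        mkdir -p "$CONFIG_DIR" || exit 1
        tmp="$CONFIG_DIR/.config.json.$$"
        {
            printf '{\n  "tokens": { "AccessToken": "%s" }' "$token"
            if [ -n "$url" ]; then printf ',\n  "serverurl": "%s"' "$url"; fi
            printf '\n}\n'
        } > "$tmp" || exit 1
        mv -f "$tmp" "$CONFIG_DIR/config.json"   # atomic replace within one directory
    )
}

# check_agent_config: the step 3 verification, without echoing the token.
check_agent_config() {
    f="$CONFIG_DIR/config.json"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    perm=$(ls -ld "$f" | cut -c5-10)
    [ "$perm" = "------" ] || { echo "$f is accessible to group/other" >&2; return 1; }
    grep -q '"AccessToken"' "$f" || { echo "no AccessToken key" >&2; return 1; }
    if grep -q 'Your_Agent_Access_Token' "$f"; then
        echo "placeholder token was not replaced" >&2; return 1
    fi
    return 0
}
```

Run both functions as root so the default directory is writable; check_agent_config exits non-zero if the placeholder is still present or the file is readable by group or other.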

Install on a Dockerized Host

If using Docker, you can install the Lacework agent in a privileged container to provide security for all containers provisioned on the host. For the agent to work with Docker containers, Linux host machines must use systemd. You can pull the agent container from DockerHub, or you can build and install your own container using a customizable Lacework Dockerfile.

Pulling the agent container requires you to provide your access token. Building your own requires you to build an image using two files and to provide your access token, all of which you can find in the Lacework Console. For more information, see Create Agent Access Token and Download Linux Agent Installer.

Docker Hub

  1. Using the Docker client [cli], pull the Lacework image using this format: docker pull lacework/datacollector:VERSION-alpine, where VERSION is the string latest or the actual agent version number, for example:

    docker pull lacework/datacollector:5.4.1-alpine
  2. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token and optionally YOUR_API_ENDPOINT with your agent server URL.

    For more information about the agent access token, see Create Agent Access Token.

    For more information about the agent server URL, see Agent Server URL.

    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env serverurl=$YOUR_API_ENDPOINT \
    lacework/datacollector:5.4.1-alpine

Build an Alpine Linux Image

You can also create your own container using DockerfileAlpine from Lacework. The datacollector_wrap.sh script must be in the same directory as DockerfileAlpine.

  1. Download docker.tar.gz (the Docker Container) from the Lacework Console, unzip it, and save the contents locally (DockerfileAlpine and datacollector_wrap.sh are included).

  2. Build the Lacework image using a supported Alpine Linux distribution.

    docker build -t "datacollector:5.4.1-alpine" -f YourDirectoryPathToDownloadedFiles/DockerfileAlpine YourDirectoryPathToDownloadedFiles
  3. Move the image to your private repository or run it locally.

  4. Create a writeable container layer and start the image. Replace YOUR_AGENT_ACCESS_TOKEN with your agent access token and optionally YOUR_API_ENDPOINT with your agent server URL.

    For more information about the agent access token, see Create Agent Access Token.

    For more information about the agent server URL, see Agent Server URL.

    /usr/bin/docker run --name datacollector \
    --net=host \
    --pid=host \
    --privileged \
    --volume /:/laceworkfim:ro \
    --volume /var/lib/lacework:/var/lib/lacework \
    --volume /var/log:/var/log \
    --volume /var/run:/var/run \
    --volume /etc/passwd:/etc/passwd:ro \
    --volume /etc/group:/etc/group:ro \
    --env ACCESS_TOKEN=$YOUR_AGENT_ACCESS_TOKEN \
    --env serverurl=$YOUR_API_ENDPOINT \
    datacollector:5.4.1-alpine

    After you install the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Resources > Agents.

note

Due to Alpine Linux behavior and libmusl library requirements, the files used for login accounting (utmp, wtmp, lastlog) are stubbed out and are never created or updated. As a result, Lacework agents cannot report user logins, and the Insider Behavior Polygraph is unavailable for Alpine Linux-based deployments.