Agent Management
To analyze application, host, and user behavior, Lacework uses a lightweight agent, which securely forwards collected metadata to the Lacework platform for analysis. The agent requires minimal system resources and runs on most Linux distributions.
Install an Agent
Use the command lacework agent install <[user@]host[:port]> for single-host installation of the Lacework agent via Secure Shell (SSH). When this command is executed without any additional flags, it launches an interactive prompt that gathers the authentication information needed to access the remote host.
note
For a complete list of supported installation methods, see Agent Install Options.
To authenticate to the remote host with a username and password:
lacework agent install <host> --ssh_username <your-user> --ssh_password <secret>
To authenticate to the remote host with an identity file instead:
lacework agent install <user@host> -i /path/to/your/key
To provide an agent access token of your choice, run the command lacework agent token list, select a token, and pass it to the --token flag.
To authenticate to the remote host on a non-standard SSH port, use the --ssh_port flag or pass the port directly in the argument:
lacework agent install <user@host:port>
To bypass the question to add unknown host keys to the ~/.ssh/known_hosts file, use the --trust_host_key flag.
List Agents
List all hosts that have a running agent in your environment using the command:
lacework agent list
You can use key:value pairs to filter the list of hosts with the --filter flag:
lacework agent list --filter 'os:Amazon Linux' --filter 'tags.VpcId:vpc-72225916'
note
The value can be a regular expression, such as hostname:db-server.*
Agent Access Tokens
To list all agent access tokens:
lacework agent token list
important
Agent tokens should be treated as secret and not published. A token uniquely identifies a Lacework customer. If you suspect your token has been publicly exposed or compromised, generate a new token and update the new token on all machines using the old token. When complete, the old token can safely be disabled without interrupting Lacework services.
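As a check for the guidance above, the following added example (not part of the Lacework documentation or CLI) scans a shell history or CI log for lacework agent install command lines that carry a literal --ssh_password or --token value and reports them with the value redacted. The sample lines, host names, secret values and the LW_AGENT_TOKEN variable name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Lacework docs: report lacework agent install
# command lines that carry a literal secret in --ssh_password or --token.

# Constructed sample history; hosts, values and LW_AGENT_TOKEN are made up.
sample_history() {
cat <<'EOF'
lacework agent list --filter 'os:Amazon Linux'
lacework agent install db01.example.internal --ssh_username ops --ssh_password hunter2example
lacework agent install ops@db02.example.internal -i /path/to/your/key
lacework agent install ops@db03.example.internal -i /path/to/your/key --token=0123abcdEXAMPLEtoken
lacework agent install ops@db04.example.internal -i /path/to/your/key --token "$LW_AGENT_TOKEN"
EOF
}

# Reads the files given as arguments, or stdin when there are none.
# Line numbers count across all input read.
scan_lacework_secrets() {
    awk '
    /lacework[ \t]+agent[ \t]+install/ {
        n = split($0, w, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            flag = ""; val = ""
            if (w[i] == "--ssh_password" || w[i] == "--token") {
                flag = w[i]; val = w[i + 1]      # "--flag value" form
            } else if (w[i] ~ /^--(ssh_password|token)=/) {
                eq = index(w[i], "=")            # "--flag=value" form
                flag = substr(w[i], 1, eq - 1); val = substr(w[i], eq + 1)
            }
            if (flag == "") continue
            # Skip an empty value and an unexpanded variable reference,
            # which does not put the secret itself into the file.
            if (val == "" || val ~ /^"?[$]/) continue
            # Never echo the value back; report only where it was found.
            printf "line %d: %s <redacted>\n", NR, flag
        }
    }' "$@"
}

# Demonstration on the constructed sample.
sample_history | scan_lacework_secrets
```
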
To create a new agent access token:
lacework agent token create <name> [description]
note
The [description] is an optional argument.
You can use the agent token name to logically separate your deployments, for example, by environment types (QA, Dev, etc.) or system types (CentOS, RHEL, etc.).
To show details about an agent access token:
lacework agent token show <token>
important
By design, agent tokens cannot be deleted.
To disable an agent access token:
lacework agent token update <token> --disable
To enable an agent access token:
lacework agent token update <token> --enable
You can also update the name and/or description of any agent access token with the command:
lacework agent token update <token> --name dev --description "k8s deployment for dev env"