Install on a GCE Host
You can install the Lacework agent on a Google Compute Engine (GCE) host instance to monitor workloads. The workload portion provides process-aware threat and intrusion detection for your GCE environment and notifies you of any events through your chosen method.
Additionally, installing a Lacework agent requires obtaining or creating the installer script and access tokens. For more information, see Download Agent Installers and Get the Agent Access Token.
Unless you are installing the agent on a Container-Optimized OS (COS) instance, use your preferred deployment method detailed in Linux Agent Installation Options. For Container-Optimized OS instances, perform the following steps.
Install the Agent on the GCE Container-Optimized OS (COS) Instance
Install the datacollector on the host by running the install.sh script.
Open a terminal on your host as a user with sudo privileges.
Download the install.sh script onto your host by using the following command. You may specify a different location for your install.sh script to download. If you choose to do so, ensure that you update the path in Step 3.
curl https://your-instance.lacework.net/path/to/your/install.sh -o /tmp/install.sh
Run the following command to install the Lacework agent:
sudo sh /tmp/install.sh
If you need to use a different endpoint than the default endpoint (api.lacework.com), specify the URL of the endpoint, as shown:
sh /tmp/install.sh -U API_SERVER_URL
Verify the output of the command:
Check connectivity to Lacework server
Check Go Daddy root certificate
Installing on cos (85)
Using access token : 185e01a1f2c3df9f370568c5f137de ...
Using server url : https://api.lacework.net
Writing configuration file
+ sh -c 'mkdir -p /var/lib/lacework/config'
+ sh -c Writing config.json in /var/lib/lacework/config
+ curl -fsSL https://updates.lacework.net/5.4.1.7323_2022-03-02_release-v5.4_40c388324f25e853c5847c1c323dcbcbd42c217f/datacollector.service
Remounting /var/lib/lacework/ with exec permissions to start lacework agent.
+ mount -B /var/lib/lacework/ /var/lib/lacework/
+ mount -o remount,exec /var/lib/lacework/
+ systemctl stop datacollector.service
+ systemctl daemon-reload
+ systemctl enable datacollector.service
Created symlink /etc/systemd/system/multi-user.target.wants/datacollector.service → /etc/systemd/system/datacollector.service.
+ systemctl start datacollector.service
Lacework successfully installed
Once the agent is installed, verify that the Docker container is created successfully and has a Status of "Up" with the following command:
docker ps
A successful installation displays an output similar to the following:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c7e22aeacfa lacework/datacollector:latest "/var/lib/backup/dat..." About a minute ago Up About a minute datacollector
Configure the instance to remount the /var/lib/lacework directory as an executable path. By default, COS mounts /var as noexec on boot. COS uses cloud-init for configuration operations and reads the user-data value out of the instance metadata as a cloud-config. Add the following metadata to the user-data key for the instance if no value is present or add the two mount statements to an existing cloud-config if present:
#cloud-config
mounts:
- [/var/lib/lacework, /var/lib/lacework, "none", "bind", "0", "0"]
- [/var/lib/lacework, /var/lib/lacework, "auto", "remount,exec,nosuid,nodev", "0", "1"]
To validate, run the mount | grep lacework command on the host to ensure that the filesystem is mounted correctly after a reboot. You should see output similar to:
/dev/sda1 on /var/lib/lacework type ext4 (rw,nosuid,nodev,relatime,commit=30)
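A scripted form of the validation above, as an added example that is not part of the Lacework documentation: it reads mount output and confirms that /var/lib/lacework is its own mount, is not noexec, and still carries nosuid and nodev. The function name check_lacework_mount and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Reads `mount` output on stdin ("DEV on MOUNTPOINT type FS (OPTIONS)") and
# checks the options in force for the target mount point.
# On the host, run:  mount | check_lacework_mount
check_lacework_mount() {
    target=${1:-/var/lib/lacework}
    opts=""
    while read -r _dev _on mnt _type _fs mopts _rest; do
        if [ "$mnt" = "$target" ]; then
            mopts=${mopts#"("}      # strip the surrounding parentheses
            opts=${mopts%")"}       # the last matching line wins
        fi
    done
    if [ -z "$opts" ]; then
        # No bind mount: the directory inherits the options of /var.
        echo "FAIL: $target is not a separate mount"
        return 1
    fi
    rc=0
    case ",$opts," in
        *,noexec,*) echo "FAIL: $target is mounted noexec"; rc=1 ;;
    esac
    # The exec exception should not also drop nosuid or nodev.
    for want in nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "FAIL: $target is missing $want"; rc=1 ;;
        esac
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $target ($opts)"
    fi
    return "$rc"
}

# Constructed sample: /var stays noexec, only the agent directory is exec.
sample='/dev/sda1 on /var type ext4 (rw,nosuid,nodev,noexec,relatime,commit=30)
/dev/sda1 on /var/lib/lacework type ext4 (rw,nosuid,nodev,relatime,commit=30)'
printf '%s\n' "$sample" | check_lacework_mount
```

A non-zero exit status after a reboot means the cloud-config mounts entries did not take effect or were applied with different options.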