Threat Stack Containerized Agent


Overview

Containers are a standardized unit of software. A container packages an application’s code, configurations, and dependencies into a single unit that can be quickly and reliably deployed to any environment that supports containers, regardless of the underlying operating system (OS).

The Threat Stack Agent can be deployed as a container. You can deploy the containerized Agent on any supported Linux distribution in Docker-based container environments.

In the Agent 1.x series, the containerized Agent runs as a privileged container. By operating as a privileged container, the containerized Agent can talk to the kernel and other containers to ensure host security is adequately monitored. In the Agent 2.x series, the Agent does not need to run as a privileged container, but rather includes capabilities that can talk to the kernel and other containers.

In the Agent 1.x series, the containerized Agent has feature parity with the host-based Agent, with one exception: the customer must create a configuration file for the containerized Agent, as the deploy script does not automatically create one. In the Agent 2.x series, the configuration file is included with the deploy script.

Since customers deploy the containerized Agent in containerized environments, Threat Stack does not support direct commands to the Agent. Do not use the following commands:

  • Agent 1.x series:
    • sudo cloudsight-start
    • sudo cloudsight-stop
    • sudo cloudsight-restart
    • sudo cloudsight-config
  • Agent 2.x series:
    • sudo tsagent-start
    • sudo tsagent-stop
    • sudo tsagent-restart
    • sudo tsagent-config

Note

After deployment, customers only access the containerized Agent directly to gather logs for support requests. Container restarts, starts, and stops can be performed outside of the container, through the orchestration layer. For more information on the orchestration level, see Threat Stack Kubernetes DaemonSet.

Notes

  • The containerized Agent is a standalone Agent and cannot be run side-by-side on the host with another Threat Stack Agent.
  • Securing AWS Elastic Container Service (ECS) workloads requires the Threat Stack host-based Agent. For more information, see FAQ: How do I secure my AWS ECS workload with Threat Stack?.

What information does the containerized Agent collect?

The containerized Agent collects the same information collected by the non-containerized Agent.

Additionally, Threat Stack recommends adding the Docker rule set for the containerized Agent.

How do I deploy the containerized Agent?

Prerequisites

  • Access to DockerHub
  • Docker installed and running

    Note

    If Docker is not installed or is not running, then any attempt to start the Agent will result in the Agent exiting and an error message that states: “If problems persist, please disable tscontainers.”.

  • Access to the Threat Stack containerized Agent
  • Access to the Threat Stack console
  • Ensure no other applications use the auditd process. For more information, see the Known Conflicts section of System Requirements.

Tip

Threat Stack recommends using side-by-side windows – one browser window for DockerHub and one window for the Command Line – to deploy the Agent.

Deploy containerized Agent for 1.x series

  1. Log into DockerHub.
  2. Go to threatstack/ts-docker2.
  3. Copy the deploy command.
  4. Open the Command Line.
  5. Type the following command and press ENTER:
    sudo docker login
  6. In the Username field, type your DockerHub username.
  7. In the Password field, type your DockerHub password.
  8. Paste the command copied from threatstack/ts-docker2, append the following, and press ENTER:
    :latest

    Example: docker pull threatstack/ts-docker2:latest

  9. Create a configuration file. Threat Stack suggests creating it in /etc/ts-agent and naming it "ts-config". Ensure the "configuration": variable is present and that your deploy key (available here) is present, as in the example below, or download a sample ts-config.json file.
    {
      "deploy-key": "<your deploy key>",
      "agent_type": "i",
      "ruleset": "Base Rule Set, Docker Rule Set",
      "configuration": {
        "enable_containers": 1,
        "log_level": "info"
      }
    }

    Warning

    If you do not provide a configuration file, or if you provide a misconfigured configuration file, then the deployment of the containerized Agent will not work.

  10. To find your image hash type the following command and press ENTER:
    sudo docker images
  11. Copy the image hash.
  12. The following command is the deploy command for the container. Enter it as a single block: type or paste the following command and press ENTER:
    sudo docker run -it -d \
    -e THREATSTACK_CONFIG_PATH="/etc/ts-agent/ts-config" \
    --name=ts-docker \
    --privileged \
    --network=host \
    --pid=host \
    --cap-add=AUDIT_CONTROL \
    --cap-add=AUDIT_READ \
    --cap-add=NET_ADMIN \
    --cap-add=SYS_ADMIN \
    -v /:/threatstackfs/ \
    -v /var/run/docker.sock:/var/run/docker.sock <paste IMAGE_HASH here>

    Replace <paste IMAGE_HASH here> with the image hash copied in step 11.

    The containerized Agent successfully deploys to the Docker environment.

  13. Confirm the containerized Agent deployed correctly. 
    1. Log into Threat Stack and view the new server.
    2. Log into the container and run the command "sudo cloudsight status"

Deploy containerized Agent for 2.x series

  1. Log into DockerHub.
  2. Go to threatstack/ts-docker2.
  3. Copy the deploy command.
  4. Open the Command Line.
  5. Type the following command and press ENTER:
    sudo docker login
  6. In the Username field, type your DockerHub username.
  7. In the Password field, type your DockerHub password.
  8. Paste the command copied from threatstack/ts-docker2, append the following, and press ENTER:
    :latest

    Example: docker pull threatstack/ts-docker2:latest

  9. To find your image hash type the following command and press ENTER:
    sudo docker images
  10. Copy the image hash.
  11. The following command is the deploy command for the container. Enter it as a single block: type or paste the following command and press ENTER:
    sudo docker run -it -d \
    -e THREATSTACK_SETUP_ARGS="-deploy-key <your deploy key> -ruleset 'Base Rule Set, Docker Rule Set'" \
    -e THREATSTACK_CONFIG_ARGS="enable_containers 1" \
    --name=ts-docker \
    --network=host \
    --pid=host \
    --cap-add=AUDIT_CONTROL \
    --cap-add=CHOWN \
    --cap-add=DAC_OVERRIDE \
    --cap-add=DAC_READ_SEARCH \
    --cap-add=FOWNER \
    --cap-add=FSETID \
    --cap-add=SETGID \
    --cap-add=SETUID \
    --cap-add=SYS_ADMIN \
    --cap-add=SYS_PTRACE \
    -v /:/threatstackfs/ \
    -v /var/run/docker.sock:/var/run/docker.sock <paste IMAGE_HASH here>

    Replace <paste IMAGE_HASH here> with the image hash copied in step 10.

    The containerized Agent successfully deploys to the Docker environment.

  12. Confirm the containerized Agent deployed correctly. 
    1. Log into Threat Stack and view the new server.
    2. Log into the container and run the command sudo tsagent status
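
The two procedures above share every step except the configuration file and the privilege flags, so the following script, an added example rather than Threat Stack's own tooling, scripts the post-login part (pull, locate the image hash, run, confirm) for either Agent series. The image tag, container name, environment variables, mounts and capability lists are copied from the deploy commands in this article. Two things are assumptions, not stated on the page: that the 2.x setup string takes the key immediately after -deploy-key, and that the 1.x configuration file lives at the suggested /etc/ts-agent/ts-config path. The config check guards against the failure mode in the warning of step 9 (a missing or misconfigured file), and ts_confirm prints the container's Privileged flag and CapAdd list so the deployed privileges can be compared with the intended command.

```shell
#!/bin/sh
# Added example (not Threat Stack's own tooling): scripts the post-login part
# of the deploy procedure for either Agent series. Run `sudo docker login`
# first (step 5). Image tag, container name, environment variables, mounts and
# capability lists are taken from the article's deploy commands.
# Assumptions (not stated on the page): the 2.x setup string takes the key
# right after -deploy-key, and the 1.x config file lives at CONFIG_PATH.
set -eu

IMAGE_REF="threatstack/ts-docker2:latest"
CONTAINER_NAME="ts-docker"
CONFIG_PATH="${CONFIG_PATH:-/etc/ts-agent/ts-config}"   # 1.x config file (step 9)
DOCKER="${DOCKER:-sudo docker}"                         # set DOCKER=echo for a dry run

# Sanity-check a 1.x configuration file before deploying: the article warns
# that a missing or misconfigured file makes the deployment fail.
ts_config_check() {
    f="$1"
    [ -f "$f" ] || { echo "config: $f not found" >&2; return 1; }
    grep -q '"deploy-key"' "$f" || { echo "config: no deploy-key" >&2; return 1; }
    if grep -q '<your deploy key>' "$f"; then
        echo "config: deploy-key is still the sample placeholder" >&2
        return 1
    fi
    grep -q '"configuration"' "$f" || { echo "config: no configuration block" >&2; return 1; }
    opens=$(( $(tr -cd '{' < "$f" | wc -c) ))
    closes=$(( $(tr -cd '}' < "$f" | wc -c) ))
    [ "$opens" -eq "$closes" ] || { echo "config: unbalanced braces" >&2; return 1; }
}

# Step 8: pull the image.
ts_pull() { $DOCKER pull "$IMAGE_REF"; }

# Steps 10-11: resolve the image hash by tag instead of copying it by hand.
ts_image_id() { $DOCKER images -q "$IMAGE_REF" | head -n 1; }

# Step 12 (1.x) / step 11 (2.x): run the container. Series 1 reads the config
# file and needs --privileged; series 2 gets its setup through environment
# variables and an explicit capability list instead.
ts_deploy() {
    series="$1"; image="$2"; deploy_key="${3:-}"
    set -- run -it -d --name="$CONTAINER_NAME" --network=host --pid=host \
        -v /:/threatstackfs/ -v /var/run/docker.sock:/var/run/docker.sock
    case "$series" in
    1)
        ts_config_check "$CONFIG_PATH" || return 1
        set -- "$@" -e THREATSTACK_CONFIG_PATH="$CONFIG_PATH" --privileged \
            --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ \
            --cap-add=NET_ADMIN --cap-add=SYS_ADMIN
        ;;
    2)
        [ -n "$deploy_key" ] || { echo "series 2 needs a deploy key" >&2; return 1; }
        set -- "$@" \
            -e THREATSTACK_SETUP_ARGS="-deploy-key $deploy_key -ruleset 'Base Rule Set, Docker Rule Set'" \
            -e THREATSTACK_CONFIG_ARGS="enable_containers 1" \
            --cap-add=AUDIT_CONTROL --cap-add=CHOWN --cap-add=DAC_OVERRIDE \
            --cap-add=DAC_READ_SEARCH --cap-add=FOWNER --cap-add=FSETID \
            --cap-add=SETGID --cap-add=SETUID --cap-add=SYS_ADMIN --cap-add=SYS_PTRACE
        ;;
    *)
        echo "unknown Agent series: $series" >&2; return 1
        ;;
    esac
    $DOCKER "$@" "$image"
}

# Step 13 (1.x) / step 12 (2.x): confirm the container is running, and show
# its privilege settings so they can be compared against the intended command.
ts_confirm() {
    $DOCKER inspect \
        -f 'running={{.State.Running}} privileged={{.HostConfig.Privileged}} caps={{.HostConfig.CapAdd}}' \
        "$CONTAINER_NAME"
}

# Usage:  sh deploy-ts-agent.sh 1                (1.x, config file at CONFIG_PATH)
#         sh deploy-ts-agent.sh 2 <deploy key>   (2.x)
case "${1:-}" in
1|2)
    ts_pull
    ts_deploy "$1" "$(ts_image_id)" "${2:-}"
    ts_confirm
    ;;
esac
```

Running with DOCKER=echo prints the assembled docker command instead of executing it, which is a convenient way to review the exact flags (and to notice that only the 1.x command carries --privileged) before deploying on a host.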