Threat Stack Containerized Agent



Containers are a standardized unit of software. A container packages an application’s code, configurations, and dependencies into a single unit that can be quickly and reliably deployed to any environment that supports containers, regardless of the underlying operating system (OS).

The Threat Stack Agent can be deployed as a container. You can deploy the containerized Agent on any supported Linux distribution in Docker-based container environments.

The containerized Agent is a privileged container. By operating as a privileged container, the containerized Agent can talk to the kernel and other containers to ensure host security is adequately monitored.

The containerized Agent has feature parity with the host-based Agent, with two exceptions:

  • The customer must create a configuration file for the containerized Agent, as the deploy script does not automatically create one.
  • Since customers deploy the containerized Agent in containerized environments, Threat Stack removed support for direct commands to the Agent. The following commands no longer function:
    • sudo cloudsight-start
    • sudo clousight-stop
    • sudo cloudsight-restart
    • sudo cloudsight-config


    After deployment, customers only access the containerized Agent directly to gather logs for support requests. Container restarts, starts, and stops can be performed outside of the container, through the orchestration layer. For more information on the orchestration level, see Threat Stack Kubernetes DaemonSet.


  • The containerized Agent is a standalone Agent and cannot be run side-by-side on the host with another Threat Stack Agent.
  • Securing AWS Elastic Container Search (ECS) workloads requires the Threat Stack host-based Agent. For more information, see FAQ: How do I secure my AWS ECS workload with Threat Stack?.

What information does the containerized Agent collect?

The containerized Agent collects the same information collected by the non-containerized Agent.

Additionally, the Docker rule set is recommended to be added for the containerized Agent.

How do I deploy containerized Agent?


  • Access to DockerHub
  • Access to the Threat Stack containerized Agent
  • Access to the Threat Stack console
  • Ensure no other applications use the auditd process. For more information, see the Known Conflicts section of System Requirements.


Threat Stack recommends using side-by-side windows – one browser window for DockerHub and one window for the Command Line – to deploy the Agent.

Deploy containerized Agent

  1. Log into DockerHub.
  2. Go to threatstack/ts-docker.
  3. Copy the deploy command.
  4. Open the Command Line.
  5. Type the following command and press ENTER:

    sudo docker login

  6. In the Username field, type your DockerHub username.
  7. In the Password field, type your DockerHub password.
  8. Paste the command copied from threatstack/ts-docker, append the following, and press ENTER:


    Example: docker pull threatstack/ts-docker:latest

  9. Create a configuration file. Threat Stack suggests creating it in /etc/ts-agent and name it "ts-config". Ensure the “configuration”: variable is present. Ensure your deploy key (available here) is present. Example below. Or Download a sample ts-config.json file.


    "deploy-key": "<your deploy key>",

    "agent_type": "i",

    "ruleset": "Base Rule Set, Docker Rule Set",

    "configuration": {


    "log_level": "info"





    If you do not provide a configuration file, or if you provide a misconfigured configuration file, then the deployment of the containerized Agent will not work.

  10. To find your image hash type the following command and press ENTER:

    sudo docker images

  11. Copy the image hash.
  12. The following command is the deploy command for the container. It should be entered as one block.  Type or copy and paste the following command and press ENTER:

    sudo docker run -it -d \

    -e THREATSTACK_CONFIG_PATH="/etc/ts-agent/ts-config" \

    --name=ts-docker \

    --privileged \

    --network=host \

    --pid=host \

    --cap-add=AUDIT_CONTROL \

    --cap-add=AUDIT_READ \

    --cap-add=NET_ADMIN \

    --cap-add=SYS_ADMIN \

    -v /:/threatstackfs/ \

    -v /var/run/docker.sock:/var/run/docker.sock <paste IMAGE_HASH here>

    The containerized Agent successfully deploys to the Docker environment.

  13. Confirm the containerized Agent deployed correctly. 
    1. Log into Threat Stack and view the new server.
    2. Log into the container and run the command "sudo cloudsight status"
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Article is closed for comments.