Capsule8 Docs

Installation on RHEL, CentOS, or Fedora

The Capsule8 sensor can be installed on RHEL, CentOS, or Fedora distributions via a binary or Capsule8’s package repository. After you install the Capsule8 sensor, you can deploy a sensor configuration, which sets the sensor’s functionality.

Before you begin

If you haven’t already, enable the Linux debug subsystem (debugfs), which we use to instrument kernel and userspace events. Newer kernels have it enabled by default. To enable the debug subsystem, use the following command:

sudo mount -t debugfs nodev /sys/kernel/debug

Installation via a Binary

The Capsule8 sensor can be installed as a binary on Red Hat Enterprise Linux (RHEL), CentOS, or Fedora using the following command:

sudo rpm -i capsule8-sensor-*.rpm

Note: For RHEL 6 or CentOS 6 distributions, the redhat-lsb-core dependency is required and can be installed using the following command:

sudo yum install -y redhat-lsb-core
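
A preflight check for the two prerequisites above (debugfs mounted at /sys/kernel/debug, and redhat-lsb-core on RHEL 6 or CentOS 6), as an added example that is not part of the Capsule8 documentation or tooling. The function names are hypothetical, and the version check assumes the usual "... release N ..." wording of /etc/redhat-release.

```shell
#!/bin/sh
# Added example: preflight for the two prerequisites on this page.
# Function names are hypothetical, not part of any Capsule8 tooling.

# Succeeds if a debugfs filesystem is mounted at /sys/kernel/debug.
# $1: mounts table to read (default /proc/mounts); its fields are
#     device, mount point, fstype, options, dump, pass.
debugfs_mounted() {
    awk '$2 == "/sys/kernel/debug" && $3 == "debugfs" { found = 1 }
         END { exit !found }' "${1:-/proc/mounts}"
}

# Succeeds if the release string names RHEL 6 or CentOS 6, the
# releases that need redhat-lsb-core. $1: text of /etc/redhat-release.
needs_lsb_core() {
    case "$1" in
        "Red Hat Enterprise Linux"*|"CentOS"*) ;;
        *) return 1 ;;
    esac
    # The major version is the number right after the word "release".
    major=$(printf '%s\n' "$1" |
        sed -n 's/.* release \([0-9][0-9]*\).*/\1/p')
    [ "$major" = "6" ]
}

# Prints one line per unmet prerequisite and returns how many there are.
# $1: mounts table, $2: release string.
preflight() {
    missing=0
    if ! debugfs_mounted "$1"; then
        echo "debugfs missing: sudo mount -t debugfs nodev /sys/kernel/debug"
        missing=$((missing + 1))
    fi
    if needs_lsb_core "$2" && ! rpm -q redhat-lsb-core >/dev/null 2>&1; then
        echo "redhat-lsb-core missing: sudo yum install -y redhat-lsb-core"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Usage on a real host:
#   preflight /proc/mounts "$(cat /etc/redhat-release)" || exit 1
```

The mount check matches on mount point and filesystem type rather than the device column, so it passes whether debugfs was mounted with the device name nodev, as in the command above, or by the distribution at boot.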

The sensor does not ship with any detections enabled by default, but a recommended set of detections is available by installing the content package:

sudo rpm -i capsule8-content-*.rpm

Installation via the Capsule8 Package Repository

Capsule8 maintains an external package repository where deb and rpm packages are managed so that any user with an access token can install the correct packages for their system.

Access Token

To start, ask your Capsule8 rep for an access token to Capsule8’s package repository. This will be a read-only token that is used to authenticate with PackageCloud. Access tokens are alphanumeric strings with no punctuation.

Once you receive your access token, the local system must be updated to enable package installation. This is performed through the following script, in which you should substitute your access token at the beginning of the url (after https:// and before curl -s | sudo bash

Install Packages

Once the local system is updated to pull Capsule8’s packages, installation can be done through the system’s native package installer. Before proceeding, make note of which package manager is being used to start and manage running packages on your system, as well as which version of Capsule8 you desire.

The service and package manager of the system is required when installing a Capsule8 package. The most recent version available will be installed by default, although you may optionally provide your desired version. As an example, the following is a command that would install the Capsule8 sensor version 4.1.0 for a system using systemd as its service manager on a machine using yum as its package manager:

sudo yum install capsule8-sensor-systemd-4.1.0

The sensor does not ship with any detections enabled by default, but a recommended set of detections is available by installing the content package:

sudo yum install capsule8-content-4.1.0

Upgrading the Sensor

The sensor can be upgraded by installing the desired Capsule8 Sensor package with your package manager. The package is installed with the name Capsule8 Sensor with the service manager (e.g. sysV, systemd, upstart or runit) as a hyphenated suffix, such as:

sudo yum install capsule8-sensor-systemd