The purpose of this document is to provide Sophos Customers with information regarding the usage of the Sophos Linux Protection ThinInstaller. It is assumed the ThinInstaller has been downloaded from Sophos Central so that you have the file “SophosSetup.sh” available on your system and have made the file executable.
To run the installer in debug mode for troubleshooting, the following option is set as an environment variable on startup, where 1 is enabled and 0 is disabled, e.g.
If the /tmp directory on a machine is not mounted as executable, the TMPDIR environment variable can be set while running the ThinInstaller so that the installer uses a different temporary directory during the installation process, e.g.
# export TMPDIR=/some/other/dir
# TMPDIR=/some/other/dir ./SophosSetup.sh
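A pre-flight check for the noexec /tmp case above, as an added example that is not part of the Sophos documentation: it reads a /proc/mounts-format table, finds the filesystem that holds a directory and reports whether it is mounted noexec. The function names, the constructed sample table and the candidate directories are assumptions.

```shell
#!/bin/sh
# Added example, not Sophos code. Function names are hypothetical.

# mount_options DIR [TABLE]: print the mount options of the filesystem that
# holds DIR, read from a /proc/mounts-format TABLE (default: /proc/mounts).
mount_options() {
    awk -v dir="$1" '
        {
            mp = $2
            # A mount applies if it is "/", DIR itself, or a parent of DIR.
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
                # Longest mount point wins; on a tie the later line wins,
                # because it is mounted over the earlier one.
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec DIR [TABLE]: succeed if DIR sits on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_options "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_tmpdir TABLE DIR...: print the first candidate that is not noexec.
pick_tmpdir() {
    table=$1; shift
    for d in "$@"; do
        if ! is_noexec "$d" "$table"; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# Constructed sample table (not from a real host): /tmp is mounted noexec.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
EOF

if is_noexec /tmp "$sample"; then
    # Candidate directories are assumptions; use one that exists on your host.
    echo "Run: TMPDIR=$(pick_tmpdir "$sample" /tmp /var/tmp) ./SophosSetup.sh"
fi
```

On a real host, call is_noexec /tmp with no table argument to read /proc/mounts, and prefer a root-owned directory over another world-writable one for TMPDIR.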
Sophos Linux Protection and auditd
By default, Sophos EDR will disable auditd so that historic event data can be queried by the product for the purposes of Live Query. If required, auditd can be left enabled using the command line option --do-not-disable-auditd as shown in the table.
Whether the systemd journal continues to receive audit events is also determined by whether Sophos Linux Protection disables auditd. If the product disables auditd, customers will also stop receiving audit events in their systemd journal logs, which are normally accessed with the journalctl command.
If Sophos Linux Protection is uninstalled, it will not change or restore whether auditd is enabled, i.e. if the product disabled auditd, as it does by default, auditd will still be left disabled after uninstallation.
Re-registering the product will not change the auditd settings either.