IBM Cloud Security and Compliance Center Workload Protection on Power Virtual Server

This tutorial shows how to set up IBM Cloud Security and Compliance Center Workload Protection for Linux on Power Virtual Server and Virtual Servers for VPC.

This tutorial gives detailed instructions for RHEL. Refer to the IBM Cloud Security and Compliance Center Workload Protection documentation for the supported platforms and operating systems.

Objectives

IBM Cloud Security and Compliance Center Workload Protection can be used to find and prioritize software vulnerabilities, detect and respond to threats, manage configurations, permissions, and compliance from source to run. It can be used to secure containers, Kubernetes, Red Hat OpenShift, and hosts with rapidly integrated runtime security, container forensics and incident response, so you can better understand security breaches and your compliance needs.

IBM® Power is a family of high-performance servers that are designed for running large-scale data-driven and mission-critical workloads. They are known for their scalability, reliability, sustainability, and performance. Power Virtual Server is a Power Systems offering in IBM Cloud. Power® Virtual Servers are located in the IBM data centers, distinct from the IBM Cloud servers with separate networks and direct-attached storage. The internal networks are fenced but offer connectivity options to IBM Cloud infrastructure or on-premises environments. This infrastructure design enables Power® Virtual Servers to maintain key enterprise software certification and support as the Power® Virtual Server architecture is identical to certified on-premises infrastructure.

IBM Cloud® Virtual Servers for Virtual Private Cloud is an Infrastructure-as-a-Service (IaaS) offering that gives you access to the benefits of IBM Cloud VPC, including network isolation, security, and flexibility.

This tutorial documents the steps to set up IBM Cloud Security and Compliance Center Workload Protection on Power Virtual Server and Virtual Servers for VPC.

Architecture
Architecture diagram of the tutorial

This tutorial covers the following aspects:

  1. The user provisions a Power Virtual Server environment by using a deployable architecture that's offered in IBM Cloud.
  2. The user creates an IBM Cloud Security and Compliance Center Workload Protection instance.
  3. The user sets up Workload Protection agents on Virtual Servers for VPC.
  4. The user sets up Workload Protection agents on Power Virtual Server.
  5. The user monitors the environment by using IBM Cloud Security and Compliance Center Workload Protection. The user can also monitor the environment with IBM Cloud Monitoring, which integrates with IBM Cloud Security and Compliance Center Workload Protection.

Provision Power Virtual Server environment in IBM Cloud

First, use a deployable architecture that's offered in IBM Cloud to set up the Power Virtual Server environment.

Provision Power Virtual Server with Power Virtual Server Quickstart DA

  1. In the IBM Cloud console, go to the IBM Cloud catalog and search for the Power Virtual Server with VPC landing zone deployable architecture.

  2. Use Power Virtual Server quickstart variation to set up environment and Power Virtual Server instance. For more information, see Deploying a Power Virtual Server with VPC landing zone deployable architecture.

  3. You need to fill in the parameters exposed by the deployable architecture. On the 'Security' tab, you can either use an API key or a trusted profile.

    1. To create an API key, go to Manage > Access, and click API keys.
    2. To create a trusted profile, go to Manage > Access, and click Trusted profiles. After the trusted profile is created, make sure that you add the project by going to the IBM Cloud services tab.
  4. On the 'Required' parameters tab of the deployable architecture, fill in the other parameters based on your needs. The 'tshirt_size' field selects the OS type and size. Because IBM Cloud Security and Compliance Center Workload Protection supports Linux, this tutorial creates a Linux virtual server with the RHEL 9.2 image: pick 'Custom' for the 'tshirt_size' field, and specify the other details of the VM in the fields on the 'Optional' tab. On the 'Optional' tab, choose 'Linux - RHEL9-SP2' for 'custom_profile_instance_boot_image', and use the following JSON snippet for the 'custom_profile' field. You can adjust the input (for example, the number of cores or the size of memory) based on your requirements.

    {
       "sap_profile_id": null,
       "cores": "1",
       "memory": "2",
       "server_type": "s922",
       "proc_type": "shared",
       "storage": {
          "size": "",
          "tier": ""
       }
    }
    
  5. Next, save and validate the configuration.

  6. After the configuration passes validation, you can approve and deploy it. The environment is deployed automatically. As the Power Virtual Server deployable architecture shows, an Edge VPC and a Power Virtual Server workspace are created. In the Edge VPC, it creates a bastion host in the management security group and a proxy server in the network service security group, both running Linux RHEL. It also creates a Power Virtual Server instance with RHEL 9.2 in the Power Virtual Server workspace. The other components that are needed to connect the Power Virtual Server workspace with IBM Cloud resources and to secure the environment are also created, for example, Transit Gateway, VPN, and VPE.

Power Virtual Server Quickstart post setup

Make sure to follow the Quickstart next steps so that the Power Virtual Server instance can access the internet and mount the NFS drive.

  1. Add proxy settings in /etc/bashrc. Locate the <proxy_host_or_ip_port> value in the output section of the deployment, and add the following entries at the end of /etc/bashrc file:

    export http_proxy=http://<proxy_host_or_ip_port>:3128
    export https_proxy=http://<proxy_host_or_ip_port>:3128
    export HTTP_PROXY=http://<proxy_host_or_ip_port>:3128
    export HTTPS_PROXY=http://<proxy_host_or_ip_port>:3128
    export no_proxy=161.0.0.0/0,10.0.0.0/8
    
  2. Next, add the following line to /etc/dnf/dnf.conf, using the same proxy host and port (10.30.40.4 is the proxy address in this example):

    proxy=http://10.30.40.4:3128
    
  3. Mount the file storage from VPC on the Power Virtual Server instance:

    mkdir /nfs
    mount <nfs_host_or_ip_path> /nfs
    
  4. Configure DNS on the Power Virtual Server instance. Add a nameserver entry with the dns_host_or_ip_path value from the deployment outputs at the top of the /etc/resolv.conf file.

  5. Add the port to the Squid proxy configuration and restart the service if needed.

    1. SSH to the jump server VSI, and then SSH to the network service VSI, dns_host_or_ip. You need to make the SSH private key available on the jump server to access the network service VSI.

    2. Make sure that port 6443 is added to the end of the SSL_ports line in the file /etc/squid/squid.conf, if it is not there already.

      acl SSL_ports port 443 8443 6443
      
    3. Restart the Squid proxy service if the Squid configuration file was updated.

      systemctl restart squid
      
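The Squid change in step 5 can be made repeatable, and the decision whether a restart is needed can be taken from its result. The following function is an added example, not part of the IBM tutorial; it assumes POSIX sh with awk and takes the squid.conf path and the port from the caller:

```shell
#!/bin/sh
# Added example, not part of the IBM tutorial: idempotently make sure a port
# (6443 for the Workload Protection collector) is listed on the
# "acl SSL_ports port ..." line of a Squid configuration file, and report
# whether the file changed so the caller knows whether "systemctl restart squid"
# is needed. Assumes POSIX sh plus awk; the file path is supplied by the caller.
#
# ensure_ssl_port CONF PORT -> prints "changed" or "unchanged"; returns 1 on a
# read error (for example, a missing file).
ensure_ssl_port() {
  conf="$1"
  port="$2"
  tmp="${conf}.tmp.$$"
  rc=0
  awk -v p="$port" '
    # The SSL_ports ACL definition, tolerating extra whitespace.
    /^acl[ \t]+SSL_ports[ \t]+port([ \t]|$)/ {
      found = 1
      line = $0
      comment = ""
      # Keep a trailing comment out of the port list.
      h = index(line, "#")
      if (h > 0) { comment = substr(line, h); line = substr(line, 1, h - 1) }
      n = split(line, f, /[ \t]+/)
      present = 0
      for (i = 4; i <= n; i++) if (f[i] == p) present = 1
      if (!present) {
        sub(/[ \t]+$/, "", line)
        $0 = line " " p (comment != "" ? " " comment : "")
        changed = 1
      }
    }
    { print }
    END {
      # No SSL_ports ACL at all: append one.
      if (!found) { print "acl SSL_ports port " p; changed = 1 }
      exit (changed ? 10 : 0)
    }' "$conf" > "$tmp" || rc=$?
  case "$rc" in
    # Copy over the original so its ownership and mode are preserved.
    10) cat "$tmp" > "$conf"; rm -f "$tmp"; echo changed ;;
    0)  rm -f "$tmp"; echo unchanged ;;
    *)  rm -f "$tmp"; echo "ensure_ssl_port: cannot read $conf" >&2; return 1 ;;
  esac
}
```

Run it as `ensure_ssl_port /etc/squid/squid.conf 6443` and restart Squid only when it prints `changed`.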

IBM Cloud Security and Compliance Center Workload Protection setup

As mentioned in the previous section, the Power Virtual Server Quickstart deployable architecture sets up two VSIs in the VPC and a Power Virtual Server instance in the Power Virtual Server workspace. We can set up workload protection for all of these virtual server instances.

The IBM Cloud Security and Compliance Center Workload Protection documentation describes the steps to set up SCC Workload Protection. Follow steps 1 and 2 in that documentation to set up the IBM Cloud Security and Compliance Center Workload Protection instance. The following sections show how to configure an agent on a VSI for VPC and on a Power Virtual Server instance.

After the IBM Cloud Security and Compliance Center Workload Protection instance is created, collect its configuration information by following the instructions in this document.

  1. To get the access key, click the IBM Cloud Security and Compliance Center Workload Protection instance. Next, click Actions > Manage key. Click show key to view the key.
  2. Select the ingestion URL from Collector endpoints. It's recommended to use the private endpoint URL.
  3. Select the API endpoint URL from the Workload Protection API. It's recommended to use the private endpoint.

For this example, the IBM Cloud Security and Compliance Center Workload Protection instance is in Dallas. The following configuration information is used for the following sections:

ACCESS_KEY=your_access_key
COLLECTOR_ENDPOINT=ingest.private.us-south.security-compliance-secure.cloud.ibm.com
API_ENDPOINT=private.us-south.security-compliance-secure.cloud.ibm.com

Protecting VSI for VPC

The Power Virtual Server Quickstart deployable architecture sets up the jump server and network service VSIs for VPC with Linux RHEL in Edge VPC. We can install the agents on both of them.

IBM Cloud Security and Compliance Center Workload Protection provides the following features to protect your stand-alone Linux hosts:

  • Threat detection: Identify threats and suspicious activity based on application, network, and host activity by processing syscall events and investigate with detailed system captures.
  • Posture management: scan host configuration files for compliance and benchmarks such as CIS Linux Benchmark.
  • Host scanning: scan host packages, detect the associated vulnerabilities and identify the resolution priority based on available fixed versions and severity.

For more information, see Protecting Linux hosts.

Install the threat detection agent

Next, let's install the agent on the jump server VSI in the Edge VPC.

  1. In the IBM Cloud console, go to VPC Infrastructure > Virtual server instances. SSH to the jump server with a command like the following. Make sure to replace the private key file name and the server IP in the command.

    ssh -i YOUR_PRIVATE_KEY_FILE root@YOUR_JUMP_SERVER_IP
    
  2. Install the kernel headers:

    yum -y install kernel-devel-$(uname -r)
    
  3. Deploy the Workload Protection agent:

    curl -sL https://ibm.biz/install-sysdig-agent | sudo bash -s -- --access_key $ACCESS_KEY --collector $COLLECTOR_ENDPOINT --collector_port 6443
    
  4. Check that Workload Protection agent is running:

    ps -ef | grep sysdig
    

Identifying vulnerabilities with Host Analyzer

Complete the following steps to install the Host Scanner on RHEL. For more information, see Vulnerability Host Scanner installation.

  1. For RPM-based (Red Hat Package Manager) operating systems such as Red Hat Enterprise Linux or SUSE Linux Enterprise, we need to configure the RPM repository and Sysdig GPG key:

    sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
    sudo curl -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
    
  2. Install the vuln-host-scanner package:

    sudo yum clean expire-cache && sudo yum install vuln-host-scanner -y
    
  3. Create the vuln-host-scanner configuration file. Make sure the access-key and api-url are set.

    cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
    SYSDIG_ACCESS_KEY=$ACCESS_KEY
    SYSDIG_API_URL=https://$API_ENDPOINT/api
    # optional
    SCAN_ON_START=true
    EOF
    
  4. Enable and start the vuln-host-scanner.service service:

    sudo systemctl enable --now vuln-host-scanner.service
    
  5. Check the logs to ensure that everything is working:

    sudo journalctl -fu vuln-host-scanner.service
    

Posture management

To protect a Linux host, you need to run the Kubernetes Security Posture Management (KSPM) analyzer as a container. Rather than running it with Docker, we use Podman. For more information, see Protecting Linux hosts.

  1. Install Podman:

    dnf install podman
    
  2. Install the Kubernetes Security Posture Management (KSPM) analyzer in a non-Kubernetes environment:

    podman run -d -v /:/host:ro -v /tmp:/host/tmp --privileged --network host --pid host --env ACCESS_KEY=$ACCESS_KEY --env API_ENDPOINT=$API_ENDPOINT quay.io/sysdig/kspm-analyzer:latest
    

In this section, the IBM Cloud Security and Compliance Center Workload Protection agents have been set up on the Linux jump server. You can repeat the steps on the network service VSI.

Protecting Linux host on Power Virtual Server

When we run the Power Virtual Server Quickstart deployable architecture, we create a Power Virtual Server instance with Linux RHEL 9.2. We can set up the IBM Cloud Security and Compliance Center Workload Protection on the Power Virtual Server instance. For more information, see Managing the Workload Protection agent in Linux on Power Virtual Server.

Install threat detection agent

Next, let's install the threat detection agent.

  1. Install dkms from EPEL. Use the EPEL release package that matches the major version of RHEL on the instance:

    yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    yum install dkms
    
  2. Enable the extended Berkeley Packet Filter (eBPF) driver. Add the following line to the end of the /etc/sysconfig/dragent file:

    SYSDIG_AGENT_DRIVER=universal_ebpf
    
  3. Trust the GPG key and configure the yum repository

    rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public && curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
    
  4. Install the agent package

    yum -y install draios-agent
    
  5. Update the agent YAML file, where ACCESS_KEY and COLLECTOR_ENDPOINT are the values collected in the IBM Cloud Security and Compliance Center Workload Protection setup section. For this tutorial, the proxy information is added to the agent YAML file as well. The proxy information can be found in the outputs section of the configuration.

    echo customerid: $ACCESS_KEY >> /opt/draios/etc/dragent.yaml
    echo collector: $COLLECTOR_ENDPOINT >> /opt/draios/etc/dragent.yaml
    

    Review the following complete /opt/draios/etc/dragent.yaml file. The proxy_host and proxy_port keys are nested under http_proxy.

    # cat /opt/draios/etc/dragent.yaml
    customerid: $ACCESS_KEY
    collector: $COLLECTOR_ENDPOINT
    http_proxy:
      proxy_host: 10.30.40.4
      proxy_port: 3128
    
  6. Enable the agent

    systemctl enable dragent
    
  7. Start the agent

    systemctl start dragent
    
  8. If the agent does not start correctly, check the log file for errors.

    grep -i error /opt/draios/logs/draios.log
    
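As an added example that is not from the IBM tutorial, the following shell functions write the dragent.yaml of step 5 from the collected values with the proxy keys nested under http_proxy, refuse to write it when the access key or collector is missing, and check an existing file for the flattened form that would leave the proxy unconfigured. The output path, the proxy host and port arguments, and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM tutorial: generate and check the Sysdig
# agent configuration used in this tutorial. Assumed: the caller supplies the
# output path, the access key, the collector hostname and, optionally, the
# proxy host and port (the tutorial's proxy listens on 3128).
#
# write_dragent_yaml OUT ACCESS_KEY COLLECTOR [PROXY_HOST [PROXY_PORT]]
write_dragent_yaml() {
  out="$1"; key="$2"; collector="$3"; proxy_host="$4"; proxy_port="$5"
  # Fail closed: an empty customerid or collector gives an agent that starts
  # but never reports, which is easy to miss.
  if [ -z "$key" ] || [ -z "$collector" ]; then
    echo "write_dragent_yaml: access key and collector are required" >&2
    return 1
  fi
  # The tutorial's collector endpoint is a bare hostname; reject a URL so that
  # "https://..." is not silently written into the collector field.
  case "$collector" in
    *://*|*/*) echo "write_dragent_yaml: collector must be a hostname" >&2; return 1 ;;
  esac
  {
    echo "customerid: $key"
    echo "collector: $collector"
    if [ -n "$proxy_host" ]; then
      # Two-space indent: these keys belong to the http_proxy block.
      echo "http_proxy:"
      echo "  proxy_host: $proxy_host"
      echo "  proxy_port: ${proxy_port:-3128}"
    fi
  } > "$out"
  # The file holds the access key, so keep it readable by its owner only.
  chmod 600 "$out"
}

# check_dragent_yaml FILE: verify that the keys the agent needs are present
# and that the proxy keys are nested under http_proxy.
check_dragent_yaml() {
  f="$1"
  grep -q '^customerid: .' "$f" || return 1
  grep -q '^collector: .' "$f" || return 1
  if grep -q '^http_proxy:' "$f"; then
    grep -q '^  proxy_host: .' "$f" || return 1
    grep -q '^  proxy_port: [0-9][0-9]*$' "$f" || return 1
  fi
  # A proxy key at column 0 is outside the http_proxy block and so does not
  # configure the proxy.
  if grep -Eq '^proxy_(host|port):' "$f"; then return 1; fi
  return 0
}
```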

Identifying vulnerabilities in Linux host on Power Virtual Server

Now, let's set up the vulnerability scanning component, which detects all installed packages and their associated vulnerabilities, sorted by severity and prioritizing those with a fix available.

  1. Download the binary

    curl -LO https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/ppc64le/sysdig-host-scanner
    
  2. Set the executable flag on the file

    chmod +x ./sysdig-host-scanner
    
  3. Start the Host Scanner

    SYSDIG_ACCESS_KEY=$ACCESS_KEY SYSDIG_API_URL=https://$API_ENDPOINT SCAN_ON_START=true ./sysdig-host-scanner
    
  4. Create an environment file to store the configuration and a systemd unit file to run the binary as a service. Make sure that access key and api-url are set.

    mv ./sysdig-host-scanner /usr/local/bin/vuln-host-scanner
    restorecon -Rv /usr/local/bin/vuln-host-scanner
    mkdir -p /opt/draios/etc/vuln-host-scanner/
    
    cat << EOF | tee /opt/draios/etc/vuln-host-scanner/env
    SYSDIG_ACCESS_KEY=$ACCESS_KEY
    SYSDIG_API_URL=https://$API_ENDPOINT/api
    SCAN_ON_START=true
    EOF
    
    cat << EOF | tee /etc/systemd/system/vuln-host-scanner.service
    [Unit]
    Description=Sysdig Vuln Host Scanner component
    
    [Service]
    EnvironmentFile=/opt/draios/etc/vuln-host-scanner/env
    ExecStart=/usr/local/bin/vuln-host-scanner
    
    [Install]
    WantedBy=multi-user.target
    EOF
    
    systemctl daemon-reload
    systemctl enable --now vuln-host-scanner.service
    
  5. Control the Host Scanner by using the vuln-host-scanner service:

    systemctl status vuln-host-scanner
    

Posture management

Run the Kubernetes Security Posture Management (KSPM) analyzer as a container for posture management. For this tutorial, let's use Podman.

  1. Install Podman

    dnf install podman
    
  2. Install the Kubernetes Security Posture Management (KSPM) analyzer in a non-Kubernetes environment:

    podman run -d -v /:/host:ro -v /tmp:/host/tmp --privileged --network host --pid host --env ACCESS_KEY=$ACCESS_KEY --env API_ENDPOINT=$API_ENDPOINT quay.io/sysdig/kspm-analyzer:latest
    

Monitoring with IBM Cloud Security and Compliance Center Workload Protection

IBM Cloud Security and Compliance Center Workload Protection can be used to find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.

  1. From the IBM Cloud console, go to the Resource list. You should be able to see the IBM Cloud Security and Compliance Center Workload Protection instance from the Security section.
  2. Select the instance name and click Open dashboard.

IBM Cloud Security and Compliance Center Workload Protection is configured for host scanning, posture management, and threat detection and response.

Host scanning

Host scanning can be used to find and prioritize software vulnerabilities.

  1. After you open IBM Cloud Security and Compliance Center Workload Protection, click Vulnerabilities, and then click Runtime. You can see the systems that are being scanned.
  2. Click the instance name to review the details. From the Vulnerabilities page, you can filter by various criteria, for example, by 'Has fix'.
  3. You can download a PDF report, or you can click Vulnerabilities > Reporting to build the report.

Posture management

To explore posture management, click Compliance. You can also click Inventory and check the posture for each inventory item.

Threat detection

  • You can look at Threats -> Host or other platforms, depending on where you set up the agents.

  • You can also look at Integrations -> Sysdig Agents.

Monitoring with IBM Cloud Monitoring

IBM Cloud Monitoring is also integrated with IBM Cloud Security and Compliance Center Workload Protection.

  • You can create a Cloud Monitoring instance under Observability -> Monitoring and connect a Workload Protection instance.

  • Find the instance under Logging and monitoring section in the Resource list.

  • You can click the 'Open dashboard' button and explore the IBM Cloud Monitoring dashboard. Click Dashboard -> Host Infrastructure -> Linux Host Overview to see the usage information of the hosts. You can also explore other sections of the dashboard.

Remove resources

If you want to remove the resources that were created in this tutorial, complete the following steps:

  1. In the IBM Cloud console, open the Navigation menu and select Projects.
  2. Clean up any resources that were created outside the deployable architecture in the same environment before proceeding to the next step; otherwise, the undeploy may fail. For example, if you created a Virtual Private Endpoint (VPE) in the same VPC, make sure it is deleted before you proceed. In this tutorial, we did not create any extra resources, so you can proceed to the next step.
  3. Go to the Configurations tab, and click Undeploy from the dropdown list. This action removes the resources that are deployed by the deployable architecture.