IBM Cloud Security and Compliance Center Workload Protection on Power Virtual Server
This tutorial shows how to set up IBM Cloud Security and Compliance Center Workload Protection for Linux hosts on Power Virtual Server and on Virtual Servers for VPC.
The detailed instructions are for RHEL. Refer to the IBM Cloud Security and Compliance Center Workload Protection documentation for the supported platforms and operating systems.
Objectives
IBM Cloud Security and Compliance Center Workload Protection can be used to find and prioritize software vulnerabilities, detect and respond to threats, manage configurations, permissions, and compliance from source to run. It can be used to secure containers, Kubernetes, Red Hat OpenShift, and hosts with rapidly integrated runtime security, container forensics and incident response, so you can better understand security breaches and your compliance needs.
IBM® Power is a family of high-performance servers that are designed for running large-scale data-driven and mission-critical workloads. They are known for their scalability, reliability, sustainability, and performance. Power Virtual Server is a Power Systems offering in IBM Cloud. Power® Virtual Servers are located in the IBM data centers, distinct from the IBM Cloud servers with separate networks and direct-attached storage. The internal networks are fenced but offer connectivity options to IBM Cloud infrastructure or on-premises environments. This infrastructure design enables Power® Virtual Servers to maintain key enterprise software certification and support as the Power® Virtual Server architecture is identical to certified on-premises infrastructure.
IBM Cloud® Virtual Servers for Virtual Private Cloud is an Infrastructure-as-a-Service (IaaS) offering that gives you access to the benefits of IBM Cloud VPC, including network isolation, security, and flexibility.
This tutorial documents the steps to set up IBM Cloud Security and Compliance Center Workload Protection on Power Virtual Server and Virtual Servers for VPC.
This tutorial covers the following aspects:
- The user provisions a Power Virtual Server environment by using a deployable architecture that's offered in IBM Cloud.
- The user creates an IBM Cloud Security and Compliance Center Workload Protection instance.
- The user sets up Workload Protection agents on Virtual Servers for VPC.
- The user sets up Workload Protection agents on Power Virtual Server.
- The user monitors the environment by using IBM Cloud Security and Compliance Center Workload Protection. The user can also monitor the environment with IBM Cloud Monitoring, which integrates with IBM Cloud Security and Compliance Center Workload Protection.
Make sure that you have the following access roles to create a project and permission to create the project tool resources within the account:
- The Editor role on the IBM Cloud Projects service.
- The Editor and Manager roles on the IBM Cloud Schematics service.
- The Viewer role on the resource group for the project.
- For more information about access and permissions, see Assigning users access to projects.
Set up an authentication method. You can either use Secrets Manager to manage API keys, or use trusted profiles to manage permissions.
- For more information, see Using an API key with Secrets Manager to authorize a project to deploy an architecture.
- For more information, see Using trusted profiles to authorize a project to deploy an architecture.
Provision Power Virtual Server environment in IBM Cloud
First, use a deployable architecture that's offered in IBM Cloud to set up the Power Virtual Server environment.
Provision Power Virtual Server with Power Virtual Server Quickstart DA
- In the IBM Cloud console, go to the IBM Cloud catalog and search for the Power Virtual Server with VPC landing zone deployable architecture.
- Use the Power Virtual Server quickstart variation to set up the environment and the Power Virtual Server instance. For more information, see Deploying a Power Virtual Server with VPC landing zone deployable architecture.
- Fill in the parameters exposed by the deployable architecture. On the 'Security' tab, you can either use an API key or a trusted profile.
  - To create an API key: go to Manage > Access, and click API keys.
  - To create a trusted profile: go to Manage > Access, and click Trusted profiles. After the trusted profile is created, add the project to it on the IBM Cloud services tab.
- On the 'Required' tab, fill in the other parameters based on your needs. The 'tshirt_size' field determines the OS type and size. Because IBM Cloud Security and Compliance Center Workload Protection supports Linux, this tutorial creates a Linux virtual server with the RHEL 9.2 image: pick 'Custom' for 'tshirt_size' and specify the remaining VM details in the fields on the 'Optional' tab. There, choose 'Linux - RHEL9-SP2' for 'custom_profile_instance_boot_image', and use the following JSON for the 'custom_profile' field. Adjust the input (for example, the number of cores or the amount of memory) to your requirements.
{
  "sap_profile_id": null,
  "cores": "1",
  "memory": "2",
  "server_type": "s922",
  "proc_type": "shared",
  "storage": { "size": "", "tier": "" }
}
- Save and validate the configuration.
- After the configuration passes validation, approve and deploy it. The environment is deployed automatically. As you can see from the Power Virtual Server deployable architecture, an Edge VPC and a Power Virtual Server workspace are created. In the Edge VPC, it creates a bastion host in the management security group and a proxy server in the network service security group, both running RHEL. It also creates a Power Virtual Server instance with RHEL 9.2 in the Power Virtual Server workspace. The other components that connect the Power Virtual Server workspace with IBM Cloud resources and secure the environment are also created, for example, a Transit Gateway, a VPN, and VPEs.
Power Virtual Server Quickstart post setup
Make sure to follow the Quickstart next steps to allow the Power Virtual Server instance to access the internet and to mount the NFS share.
- Add proxy settings to /etc/bashrc. Locate the <proxy_host_or_ip_port> value in the output section of the deployment, and add the following entries at the end of the /etc/bashrc file:
export http_proxy=http://<proxy_host_or_ip_port>:3128
export https_proxy=http://<proxy_host_or_ip_port>:3128
export HTTP_PROXY=http://<proxy_host_or_ip_port>:3128
export HTTPS_PROXY=http://<proxy_host_or_ip_port>:3128
export no_proxy=161.0.0.0/0,10.0.0.0/8
A /0 prefix length matches every address, so check the no_proxy value against the ranges that must really bypass the proxy (the private 10.0.0.0/8 network, for example) before you rely on it. CIDR notation in no_proxy is honoured by only some tools; others match on suffixes of the hostname.
- Add the following line to /etc/dnf/dnf.conf, replacing 10.30.40.4 with the proxy address from your deployment outputs:
proxy=http://10.30.40.4:3128
- Mount the file storage from VPC on the Power Virtual Server instance:
mkdir /nfs
mount <nfs_host_or_ip_path> /nfs
- Configure DNS on the Power Virtual Server instance. Add a nameserver line with the dns_host_or_ip_path value at the top of the /etc/resolv.conf file.
- Add the port to the Squid proxy configuration and restart the service if needed.
- SSH to the jump server VSI, and then SSH to the network service VSI (dns_host_or_ip). You need to make the SSH private key available on the jump server to access the network service VSI.
- Make sure that port 6443 is included in the SSL_ports line in /etc/squid/squid.conf, if it is not there already. The stock Squid configuration denies CONNECT tunnels to any port that is not listed in SSL_ports, and the Workload Protection agent reaches the collector through a CONNECT tunnel on port 6443.
acl SSL_ports port 443 8443 6443
- Restart the Squid proxy service if the Squid configuration file was updated.
systemctl restart squid
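A scripted version of the Squid check above, as an added example that is not part of the IBM tutorial: the bash below adds a port to the acl SSL_ports line of a squid.conf only when it is missing, and reports whether a CONNECT to that port would pass the SSL_ports ACL. It runs against a constructed sample config in a temp file (the file path and port are the only inputs, and no Squid binary is needed), so it can be tried before the network service VSI is touched.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM tutorial): idempotently add a port to the
# "acl SSL_ports port ..." line of a squid.conf and check the result.
set -u

# Return 0 if the port appears on an "acl SSL_ports port ..." line of the
# given config, which is what the stock rule
# "http_access deny CONNECT !SSL_ports" tests a CONNECT request against.
squid_allows_connect_port() {
  local conf="$1" port="$2"
  awk -v p="$port" '
    $1 == "acl" && $2 == "SSL_ports" && $3 == "port" {
      for (i = 4; i <= NF; i++) if ($i == p) found = 1
    }
    END { exit found ? 0 : 1 }' "$conf"
}

# Append the port to the first "acl SSL_ports port" line unless it is
# already present. Returns 0 when the file changed, 2 when nothing was
# needed, 1 on a bad port or when no SSL_ports line exists at all.
ensure_ssl_port() {
  local conf="$1" port="$2"
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  if squid_allows_connect_port "$conf" "$port"; then
    return 2
  fi
  grep -Eq '^acl[[:space:]]+SSL_ports[[:space:]]+port[[:space:]]' "$conf" || return 1
  # Write to a temp file first, then copy the bytes back over the original:
  # a crash mid-write cannot truncate the config, and the file keeps its
  # inode, owner, mode and SELinux context.
  local tmp
  tmp="$(mktemp)"
  awk -v p="$port" '
    !done && $1 == "acl" && $2 == "SSL_ports" && $3 == "port" { $0 = $0 " " p; done = 1 }
    { print }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
  rm -f "$tmp"
  return 0
}

# Constructed sample squid.conf, trimmed to the lines that matter here.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
acl SSL_ports port 443 8443
acl Safe_ports port 80 443 1025-65535
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
EOF

# The tutorial's step: allow the agent's collector port 6443.
ensure_ssl_port "$SAMPLE_CONF" 6443
rc=$?
case "$rc" in
  0) echo "SSL_ports updated; now run: systemctl restart squid" ;;
  2) echo "port already allowed; no restart needed" ;;
  *) echo "no SSL_ports line found; add one by hand" ;;
esac
grep '^acl SSL_ports' "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

On the network service VSI, call ensure_ssl_port /etc/squid/squid.conf 6443 and restart Squid only when it returns 0; a return of 2 means the line already allows the port and the restart can be skipped.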
IBM Cloud Security and Compliance Center Workload Protection setup
As mentioned in the previous section, the Power Virtual Server Quickstart deployable architecture sets up two VSIs in the VPC and one Power Virtual Server instance in the Power Virtual Server workspace. We can set up Workload Protection on all three.
The IBM Cloud Security and Compliance Center Workload Protection documentation describes the steps to set up SCC Workload Protection. Follow steps 1 and 2 in that documentation to create the IBM Cloud Security and Compliance Center Workload Protection instance. The following sections demonstrate how to configure an agent on a VSI for VPC and on a Power Virtual Server instance.
Once the IBM Cloud Security and Compliance Center Workload Protection instance is created, collect its configuration information by following the instructions in that document.
- To get the access key, click the IBM Cloud Security and Compliance Center Workload Protection instance. Next, click Actions > Manage key. Click Show key to view the key.
- Select the ingestion URL from Collector endpoints. It's recommended to use the private endpoint URL.
- Select the API endpoint URL from the Workload Protection API. It's recommended to use the private endpoint.
For this example, the IBM Cloud Security and Compliance Center Workload Protection instance is in Dallas (us-south). The following values are used in the following sections; set them as shell variables on each host before you run the commands that reference them, and treat the access key as a credential, because it is what authenticates an agent to your instance:
ACCESS_KEY=your_access_key
COLLECTOR_ENDPOINT=ingest.private.us-south.security-compliance-secure.cloud.ibm.com
API_ENDPOINT=private.us-south.security-compliance-secure.cloud.ibm.com
Protecting VSI for VPC
The Power Virtual Server Quickstart deployable architecture sets up the jump server and network service VSIs for VPC, both running RHEL, in the Edge VPC. We can install the agents on both of them.
IBM Cloud Security and Compliance Center Workload Protection provides the following features to protect your stand-alone Linux hosts:
- Threat detection: identify threats and suspicious activity based on application, network, and host activity by processing syscall events, and investigate with detailed system captures.
- Posture management: scan host configuration files for compliance with benchmarks such as the CIS Linux Benchmark.
- Host scanning: scan host packages, detect the associated vulnerabilities, and identify the resolution priority based on available fixed versions and severity.
For more information, see Protecting Linux hosts.
Install the threat detection agent
Install the agent on the VSIs in the Edge VPC, starting with the jump server.
- In the IBM Cloud console, go to VPC Infrastructure > Virtual server instances and SSH to the jump server. Here is a sample command; replace the private key file name and the server IP.
ssh -i YOUR_PRIVATE_KEY_FILE root@YOUR_JUMP_SERVER_IP
- Install the kernel headers that match the running kernel:
yum -y install kernel-devel-$(uname -r)
- Deploy the Workload Protection agent. This pipes a remotely fetched installer into a root shell; if your change-control policy requires it, download the script, review it, and then run it with the same arguments.
curl -sL https://ibm.biz/install-sysdig-agent | sudo bash -s -- --access_key $ACCESS_KEY --collector $COLLECTOR_ENDPOINT --collector_port 6443
- Check that the Workload Protection agent is running:
ps -ef | grep sysdig
Identifying vulnerabilities with Host Analyzer
Complete the following steps to install the host scanner on RHEL. For more information, see Vulnerability Host Scanner installation.
- For RPM-based (Red Hat Package Manager) operating systems such as Red Hat Enterprise Linux or SUSE Linux Enterprise, import the Sysdig GPG key and configure the RPM repository:
sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
sudo curl -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
- Install the vuln-host-scanner package:
sudo yum clean expire-cache && sudo yum install vuln-host-scanner -y
- Create the vuln-host-scanner configuration file. Make sure that the access key and API URL are set. The file contains the access key, so set it to mode 0600 so that only root can read it.
cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
SYSDIG_ACCESS_KEY=$ACCESS_KEY
SYSDIG_API_URL=https://$API_ENDPOINT/api
# optional
SCAN_ON_START=true
EOF
- Enable and start the vuln-host-scanner.service service:
sudo systemctl enable --now vuln-host-scanner.service
- Check the logs to make sure that everything is working:
sudo journalctl -fu vuln-host-scanner.service
Posture management
To protect a Linux host, run the Kubernetes Security Posture Management (KSPM) analyzer as a container. Rather than running it with Docker, this tutorial uses Podman. For more information, see Protecting Linux hosts.
- Install Podman:
dnf install podman
- Run the Kubernetes Security Posture Management (KSPM) analyzer in a non-Kubernetes environment:
podman run -d -v /:/host:ro -v /tmp:/host/tmp --privileged --network host --pid host --env ACCESS_KEY=$ACCESS_KEY --env API_ENDPOINT=$API_ENDPOINT quay.io/sysdig/kspm-analyzer:latest
The analyzer runs privileged, in the host network and PID namespaces, with the host root filesystem mounted at /host (read-only, apart from /tmp). That access is what lets it read host configuration for the benchmark checks, so treat the image as fully trusted and, where your policy requires reproducible deployments, pin a specific tag or digest instead of latest.
In this section, the IBM Cloud Security and Compliance Center Workload Protection agents have been set up on the Linux jump server. Repeat the steps on the network service VSI.
Protecting Linux host on Power Virtual Server
When you run the Power Virtual Server Quickstart deployable architecture, it creates a Power Virtual Server instance with RHEL 9.2. We can set up IBM Cloud Security and Compliance Center Workload Protection on that instance too. For more information, see Managing the Workload Protection agent in Linux on Power Virtual Server.
Install the threat detection agent
Next, install the threat detection agent.
- Install dkms. The EPEL release package must match the major version of the host: the command below references the EPEL 8 package, so on a RHEL 9.2 host use the EPEL 9 package (epel-release-latest-9.noarch.rpm) instead.
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum install dkms
- Enable the extended Berkeley Packet Filter (eBPF) driver. Add the following line to the end of /etc/sysconfig/dragent:
SYSDIG_AGENT_DRIVER=universal_ebpf
- Trust the GPG key and configure the yum repository:
rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public && curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
- Install the agent package:
yum -y install draios-agent
- Update the agent configuration file, where ACCESS_KEY and COLLECTOR_ENDPOINT are the values collected in the IBM Cloud Security and Compliance Center Workload Protection setup section. For this tutorial, the proxy information is also added to the file; the proxy host and port are in the outputs section of the deployment configuration.
echo customerid: $ACCESS_KEY >> /opt/draios/etc/dragent.yaml
echo collector: $COLLECTOR_ENDPOINT >> /opt/draios/etc/dragent.yaml
Review the complete /opt/draios/etc/dragent.yaml file. The variables appear as their actual values, and the proxy settings are a mapping nested under http_proxy (10.30.40.4:3128 is the proxy from this tutorial's deployment; use the values from your own outputs):
# cat /opt/draios/etc/dragent.yaml
customerid: $ACCESS_KEY
collector: $COLLECTOR_ENDPOINT
http_proxy:
  proxy_host: 10.30.40.4
  proxy_port: 3128
Because the file contains the access key, keep it readable by root only.
- Enable the agent:
systemctl enable dragent
- Start the agent:
systemctl start dragent
- If the agent does not start correctly, check the log file for errors:
grep -i error /opt/draios/logs/draios.log
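The files the agent steps above touch, as an added example that is not part of the IBM tutorial or of the Sysdig agent itself: the bash below validates the access key, collector, and proxy inputs, renders dragent.yaml with the proxy settings nested under http_proxy, writes the eBPF driver line, and counts Error-level lines in a draios.log. Everything goes into a scratch directory rather than /opt/draios and /etc/sysconfig, the access key is a placeholder, and the log lines are constructed in an assumed 'timestamp, pid.tid, Level, message' layout; confirm that layout against your own /opt/draios/logs/draios.log before relying on count_agent_errors.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM tutorial or the Sysdig agent): validate,
# render and check the Workload Protection agent files for a proxied host.
set -u

# Validate the inputs before they land in a config file:
#  - customerid must be non-empty (it is the instance access key);
#  - collector is a bare hostname, not a URL (the agent dials it on 6443);
#  - proxy port, when given, must be numeric.
validate_agent_inputs() {
  local key="$1" collector="$2" proxy_port="${3:-}"
  [ -n "$key" ] || { echo "empty access key" >&2; return 1; }
  case "$collector" in
    ''|http://*|https://*|*/*) echo "collector must be a hostname: '$collector'" >&2; return 1 ;;
  esac
  if [ -n "$proxy_port" ]; then
    case "$proxy_port" in *[!0-9]*) echo "bad proxy port: $proxy_port" >&2; return 1 ;; esac
  fi
  return 0
}

# Render dragent.yaml. The proxy settings are a mapping nested under
# http_proxy (proxy_host / proxy_port), not three keys on one line.
render_dragent_yaml() {
  local key="$1" collector="$2" proxy_host="${3:-}" proxy_port="${4:-}"
  validate_agent_inputs "$key" "$collector" "$proxy_port" || return 1
  printf 'customerid: %s\ncollector: %s\n' "$key" "$collector"
  if [ -n "$proxy_host" ]; then
    printf 'http_proxy:\n  proxy_host: %s\n  proxy_port: %s\n' "$proxy_host" "$proxy_port"
  fi
}

# Count Error-level lines in an agent log. Assumed line layout (check it
# against your own draios.log): "timestamp, pid.tid, Level, message".
# Unlike "grep -i error", this ignores the word "error" inside Info messages.
count_agent_errors() {
  awk -F', ' '$3 == "Error" { n++ } END { print n + 0 }' "$1"
}

# Constructed demo: scratch directory instead of /opt/draios and
# /etc/sysconfig, so this runs without root. The key is a placeholder.
DEMO="$(mktemp -d)"
ACCESS_KEY="${ACCESS_KEY:-example-access-key}"
COLLECTOR_ENDPOINT="${COLLECTOR_ENDPOINT:-ingest.private.us-south.security-compliance-secure.cloud.ibm.com}"
render_dragent_yaml "$ACCESS_KEY" "$COLLECTOR_ENDPOINT" 10.30.40.4 3128 > "$DEMO/dragent.yaml"
chmod 600 "$DEMO/dragent.yaml"                       # the file holds the access key
echo 'SYSDIG_AGENT_DRIVER=universal_ebpf' > "$DEMO/sysconfig-dragent"

# Constructed sample log: one real Error among Information lines.
cat > "$DEMO/draios.log" <<'EOF'
2024-01-01 10:00:00.000, 1000.1000, Information, Agent starting
2024-01-01 10:00:01.000, 1000.1001, Error, Connection to collector failed: proxy refused CONNECT on port 6443
2024-01-01 10:00:02.000, 1000.1001, Information, Retrying after error in 5s
EOF

echo "--- $DEMO/dragent.yaml"; cat "$DEMO/dragent.yaml"
echo "--- $DEMO/sysconfig-dragent"; cat "$DEMO/sysconfig-dragent"
echo "Error-level log lines: $(count_agent_errors "$DEMO/draios.log")"
```

The validation rejects the two mistakes that are easy to make with the echo commands above: a URL (https://...) in the collector field, which must be a bare hostname because the agent dials it on the collector port, and an empty ACCESS_KEY, which produces a syntactically valid file that the collector will reject. The sample log also shows why the level field matters: the third line mentions "error" at Information level and is not counted.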
Identifying vulnerabilities in a Linux host on Power Virtual Server
Now, set up the vulnerability scanning component, which detects all installed packages and their associated vulnerabilities, sorted by severity and prioritizing those with a fix available.
- Download the binary:
curl -LO https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/ppc64le/sysdig-host-scanner
- Set the executable flag on the file:
chmod +x ./sysdig-host-scanner
- Start the Host Scanner in the foreground to verify that it runs:
SYSDIG_ACCESS_KEY=$ACCESS_KEY SYSDIG_API_URL=https://$API_ENDPOINT SCAN_ON_START=true ./sysdig-host-scanner
- Create an environment file to store the configuration and a systemd unit file to run the binary as a service. Make sure that the access key and API URL are set, and restrict the environment file to mode 0600 because it contains the access key.
mv ./sysdig-host-scanner /usr/local/bin/vuln-host-scanner
restorecon -Rv /usr/local/bin/vuln-host-scanner
mkdir -p /opt/draios/etc/vuln-host-scanner/
cat << EOF | tee /opt/draios/etc/vuln-host-scanner/env
SYSDIG_ACCESS_KEY=$ACCESS_KEY
SYSDIG_API_URL=https://$API_ENDPOINT/api
SCAN_ON_START=true
EOF
cat << EOF | tee /etc/systemd/system/vuln-host-scanner.service
[Unit]
Description=Sysdig Vuln Host Scanner component
[Service]
EnvironmentFile=/opt/draios/etc/vuln-host-scanner/env
ExecStart=/usr/local/bin/vuln-host-scanner
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now vuln-host-scanner.service
- Control the Host Scanner through the vuln-host-scanner service:
systemctl status vuln-host-scanner
Posture management
Run the Kubernetes Security Posture Management (KSPM) analyzer as a container for posture management. For this tutorial, use Podman.
- Install Podman:
dnf install podman
- Run the Kubernetes Security Posture Management (KSPM) analyzer in a non-Kubernetes environment:
podman run -d -v /:/host:ro -v /tmp:/host/tmp --privileged --network host --pid host --env ACCESS_KEY=$ACCESS_KEY --env API_ENDPOINT=$API_ENDPOINT quay.io/sysdig/kspm-analyzer:latest
Monitoring with IBM Cloud Security and Compliance Center Workload Protection
IBM Cloud Security and Compliance Center Workload Protection can be used to find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
- From the IBM Cloud console, go to the Resource list. The IBM Cloud Security and Compliance Center Workload Protection instance is listed in the Security section.
- Select the instance name and click Open dashboard.
IBM Cloud Security and Compliance Center Workload Protection is now configured for host scanning, posture management, and threat detection and response.
Host scanning
Host scanning can be used to find and prioritize software vulnerabilities.
- After you open IBM Cloud Security and Compliance Center Workload Protection, click Vulnerabilities > Runtime. You can see the systems that are being scanned.
- Click the instance name to review the details. From the Vulnerabilities page, you can filter by various criteria, for example, 'Has fix'.
- You can download a PDF report, or click Vulnerabilities > Reporting to build a report.
Posture management
To explore posture management, click Compliance. You can also click Inventory and check the posture for each inventory item.
Threat detection
- Look at Threats > Host, or at the other platforms, depending on where you set up the agents.
- You can also look at Integrations > Sysdig Agents to see the agents that have connected.
Monitoring with IBM Cloud Monitoring
IBM Cloud Monitoring is also integrated with IBM Cloud Security and Compliance Center Workload Protection.
- Create a Cloud Monitoring instance under Observability > Monitoring and connect the Workload Protection instance to it.
- Find the instance under the Logging and monitoring section in the Resource list.
- Click the 'Open dashboard' button and explore the IBM Cloud Monitoring dashboard. Under Dashboards > Host Infrastructure > Linux Host Overview, you can see the usage information of the hosts. You can also explore the other sections of the dashboard.
Remove resources
If you want to remove the resources that were created in this tutorial, complete the following steps:
- In the IBM Cloud console, go to the Navigation menu icon and select Projects.
- Clean up any resources that were created outside the deployable architecture in the same environment before you proceed, otherwise the undeploy may fail. For example, if you created a Virtual Private Endpoint (VPE) in the same VPC, make sure that it is deleted first. In this tutorial, we did not create any extra resource, so you can proceed to the next step.
- Go to the Configurations tab, and click Undeploy from the dropdown list. This action removes the resources that are deployed by the deployable architecture.