Managing the Workload Protection agent in AIX on PowerVS
After you provision an instance of the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud, you can deploy the Workload Protection agent on your AIX hosts on IBM® Power® Virtual Server to validate your AIX operating system security.
Workload Protection provides the following features to protect your standalone AIX hosts on Power Virtual Server:
- Posture management: scan host configuration files for compliance and benchmarks such as CIS AIX Benchmark.
Deploying the agent by running the binary
Complete the following steps to configure a Workload Protection agent on AIX for validating your operating system posture. This agent will forward the security findings to an instance of the Workload Protection service:
- Obtain the public or private ingestion URL. For more information, see Collector endpoints.
- Download the binary:
curl https://s3.us-east-1.amazonaws.com/download.draios.com/dependencies/kspm-analyzer/1.44.17/kspm-analyzer-aix-ppc64 -o /tmp/kspm-analyzer-aix-ppc64
Note: This command stores the binary under /tmp. You can use any directory you prefer.
- Configure the service:
mkssys -p /tmp/kspm-analyzer-aix-ppc64 -s kspm_analyzer -u 0 -e /tmp/kspm-analyzer.log -i /tmp/kspm-analyzer.log -o /tmp/kspm-analyzer.log
Where:
  -p is the full path of the kspm-analyzer binary that you downloaded in step 3.
  -s is the service name.
  -i, -o and -e write the logs to /tmp/kspm-analyzer.log. You can use any other file for writing the service logs.
- Add execution permissions to the binary:
chmod +x /tmp/kspm-analyzer-aix-ppc64
- Start the service. Make sure to replace <HOSTNAME>, <REGION> and <ACCESS KEY>:
startsrc -s kspm_analyzer -e 'NODE_NAME=<HOSTNAME> API_ENDPOINT=<REGION>.security-compliance-secure.cloud.ibm.com ACCESS_KEY=<ACCESS KEY>'
Where:
  HOSTNAME: used to show results and your server in Inventory.
  REGION: depends on the region where you have deployed Workload Protection. Check step 2.
  ACCESS KEY: from step 1.
An example would be:
startsrc -s kspm_analyzer -e 'NODE_NAME=myhostname API_ENDPOINT=us-east.security-compliance-secure.cloud.ibm.com ACCESS_KEY=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
- Configure the service to run during startup (inittab):
mkitab "fkcmd:2:respawn:startsrc -s kspm_analyzer -e 'NODE_NAME=<HOSTNAME> API_ENDPOINT=<REGION>.security-compliance-secure.cloud.ibm.com ACCESS_KEY=<ACCESSKEY>'"
- Verify the service is running by checking the logs under /tmp/kspm-analyzer.log.
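A preflight check for the path given to mkssys -p, as an added example that is not part of the IBM documentation: because the subsystem is registered with -u 0, the binary runs as root, so the check rejects a path that is a symlink, has an unexpected owner, or is writable by group or others (the file or its parent directory). The function names, the parsing of POSIX ls -ldn output, and the policy itself, which is stricter than the page's /tmp location, are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide whether a binary is safe to register with `mkssys -u 0`.
# Uses only POSIX sh, ls and awk so it runs under ksh on AIX as well as bash.
# Assumes an absolute path; only the immediate parent directory is inspected.

# perms_of PATH -> prints "<mode-string> <numeric-uid>", e.g. "-rwxr-xr-x 0"
perms_of() {
    ls -ldn "$1" 2>/dev/null | awk '{ print $1, $3 }'
}

# writable_by_others MODE -> returns 0 if group or world write bit is set
writable_by_others() {
    case $1 in
        ?????w*|????????w*) return 0 ;;   # char 6 = group w, char 9 = world w
    esac
    return 1
}

# check_exec_path PATH EXPECTED_UID
# Returns 0 when PATH is acceptable; prints the reason and returns 1 otherwise.
check_exec_path() {
    target=$1; want_uid=$2

    if [ -L "$target" ]; then echo "symlink: $target"; return 1; fi
    if [ ! -f "$target" ]; then echo "not a regular file: $target"; return 1; fi

    set -- $(perms_of "$target")
    mode=$1; uid=$2
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid is $uid, expected $want_uid"; return 1
    fi
    if writable_by_others "$mode"; then
        echo "file is group/world-writable: $mode"; return 1
    fi

    dir=$(dirname "$target")
    set -- $(perms_of "$dir")
    if writable_by_others "$1"; then
        echo "directory is group/world-writable: $dir ($1)"; return 1
    fi
    return 0
}

# Usage (the /opt/kspm directory is a hypothetical, root-only location):
#   check_exec_path /opt/kspm/kspm-analyzer-aix-ppc64 0 && \
#       mkssys -p /opt/kspm/kspm-analyzer-aix-ppc64 -s kspm_analyzer -u 0 ...
```

With this policy the page's default location is reported as a group/world-writable directory, since /tmp is writable by every local user even though the sticky bit is set.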