Managing the Workload Protection agent in Linux on PowerVS
After you provision an instance of the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud, you can deploy the Workload Protection agent on your Linux hosts on IBM® Power® Virtual Server to collect events and protect your workloads.
Workload Protection provides the following features to protect your standalone Linux hosts on Power Virtual Server:
- Threat detection and response: identify threats and suspicious activity based on application, network, and host activity by processing syscall events and investigate with detailed system captures.
- Posture management: scan host configuration files for compliance and benchmarks such as CIS Linux Benchmark.
- Host scanning: scan host packages, detect the associated vulnerabilities and identify the resolution priority based on available fixed versions and severity.
Deploying the agent for threat detection and response
- Obtain the public or private ingestion URL. For more information, see Collector endpoints.
- Make sure dkms is installed. For RHEL or CentOS, run the following commands:
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo yum install dkms
- Install the kernel headers. When you install the Workload Protection agent, it uses the kernel header files of the running kernel. For RHEL or CentOS, run the following command:
sudo yum -y install kernel-devel-$(uname -r)
- Trust the GPG key and configure the yum repository. For RHEL or CentOS, run the following command:
sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public && sudo curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
- Install, configure, and start the Workload Protection agent. For RHEL or CentOS, run the following commands.
Install the agent package:
sudo yum -y install draios-agent
Add the Collector endpoint and the Access Key to the agent configuration, replacing ACCESS_KEY and COLLECTOR_URL with your values. The file is owned by root, so append to it through sudo rather than with a plain shell redirection:
echo "customerid: ACCESS_KEY" | sudo tee -a /opt/draios/etc/dragent.yaml
echo "collector: COLLECTOR_URL" | sudo tee -a /opt/draios/etc/dragent.yaml
Enable and start the service:
sudo systemctl enable dragent
sudo systemctl start dragent
Wait a few seconds to make sure the agent is started, then open Workload Protection Data Sources (Integrations > Data Sources > Sysdig Agents) to verify that the agent is correctly connected.
Updating the agent
Complete the following steps to update a Workload Protection agent on Linux on Power Virtual Server.
sudo yum clean expire-cache
sudo yum -y install draios-agent
Troubleshooting the agent
To see the latest Workload Protection agent logs, go to the directory /opt/draios/logs and check the log file draios.log.
To look for errors, you can run the following command:
grep -i error /opt/draios/logs/draios.log
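The following script is an added example, not part of this IBM Cloud documentation or of the Sysdig agent. It turns two checks from this page into reusable shell functions: that /opt/draios/etc/dragent.yaml carries a customerid and a collector entry with the placeholders actually replaced, and the `grep -i error` pass over /opt/draios/logs/draios.log. Both functions take the file path as a parameter so they can be run against the real files or, as at the bottom of the script, against constructed sample files; the function names, the sample access key and the sample log lines are all made up for the demonstration.

```shell
#!/bin/sh
# Added example: post-install checks for the Workload Protection agent.
# File paths are parameters; on a real host pass
#   /opt/draios/etc/dragent.yaml  and  /opt/draios/logs/draios.log

# check_dragent_config FILE
# Returns 0 when FILE has a non-empty customerid and collector entry and
# neither still holds the documentation placeholder (ACCESS_KEY / COLLECTOR_URL).
check_dragent_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "config not readable: $cfg" >&2; return 1; }
    grep -q '^customerid:[[:space:]]*[^[:space:]]' "$cfg" \
        || { echo "missing customerid in $cfg" >&2; return 1; }
    grep -q '^collector:[[:space:]]*[^[:space:]]' "$cfg" \
        || { echo "missing collector in $cfg" >&2; return 1; }
    if grep -Eq '^(customerid:[[:space:]]*ACCESS_KEY|collector:[[:space:]]*COLLECTOR_URL)[[:space:]]*$' "$cfg"; then
        echo "placeholder value left in $cfg" >&2
        return 1
    fi
    return 0
}

# count_agent_errors LOGFILE
# Prints the number of lines mentioning "error" (case-insensitive), the same
# filter as `grep -i error`, and returns non-zero when there is at least one.
count_agent_errors() {
    [ -r "$1" ] || { echo "log not readable: $1" >&2; return 2; }
    n=$(grep -ic 'error' "$1" || true)   # grep -c exits 1 when the count is 0
    echo "$n"
    [ "$n" -eq 0 ]
}

# Stand-alone demo on constructed files (not real agent output; the key is made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/dragent.yaml" <<'EOF'
customerid: 0123456789abcdef0123456789abcdef
collector: ingest.private.us-east.security-compliance-secure.cloud.ibm.com
EOF
cat > "$demo_dir/draios.log" <<'EOF'
2024-01-01 10:00:00.000, 1234, Information, Agent starting
2024-01-01 10:00:01.000, 1234, Error, Connection refused to collector
2024-01-01 10:00:05.000, 1234, Information, Connected to collector
EOF
if check_dragent_config "$demo_dir/dragent.yaml"; then
    echo "dragent.yaml: configuration entries present"
fi
errors=$(count_agent_errors "$demo_dir/draios.log" || true)
echo "draios.log: $errors error line(s)"
rm -rf "$demo_dir"
```

Because dragent.yaml holds the access key, a non-zero result from check_dragent_config is the thing to fix before restarting dragent; a non-zero error count is the cue to read the surrounding lines in draios.log rather than the count itself.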
Scanning vulnerabilities in Linux hosts on PowerVS
Workload Protection provides a scanning component, the Host Scanner, to identify vulnerabilities in your Linux hosts on Power Virtual Server. It detects all installed packages and their associated vulnerabilities, sorted by severity and prioritizing those with a fix available.
After installing the Host Scanner, review the detected vulnerabilities for your host in Workload Protection under Vulnerabilities / Runtime, filtering by asset.type = host. The first scan starts shortly after installation.
You install the Host Scanner from the binary.
- Obtain the public or private API Endpoint. For more information, see REST API endpoints. Note: remove the trailing /api from the endpoint when you configure it in step 5, for example https://us-east.security-compliance-secure.cloud.ibm.com
- Download the binary:
curl -LO https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/ppc64le/sysdig-host-scanner
- Set the executable flag on the file:
chmod +x ./sysdig-host-scanner
- You can run the Host Scanner once by running the sysdig-host-scanner command:
SYSDIG_ACCESS_KEY=<access-key> SYSDIG_API_URL=<api-url> SCAN_ON_START=true ./sysdig-host-scanner
- Create an environment file to store the configuration and a systemd unit file to run the binary as a service. Make sure to replace <access-key> and <api-url>:
sudo mv ./sysdig-host-scanner /usr/local/bin/vuln-host-scanner
sudo restorecon -Rv /usr/local/bin/vuln-host-scanner
sudo mkdir -p /opt/draios/etc/vuln-host-scanner/
cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
SYSDIG_ACCESS_KEY=<access-key>
SYSDIG_API_URL=<api-url>
SCAN_ON_START=true
EOF
cat << EOF | sudo tee /etc/systemd/system/vuln-host-scanner.service
[Unit]
Description=Sysdig Vuln Host Scanner component

[Service]
EnvironmentFile=/opt/draios/etc/vuln-host-scanner/env
ExecStart=/usr/local/bin/vuln-host-scanner

[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now vuln-host-scanner.service
- Now you can control the Host Scanner through the vuln-host-scanner service:
systemctl status vuln-host-scanner
After a few minutes, open Workload Protection Vulnerabilities / Runtime and filter by asset.type = host to review the vulnerabilities associated with your host.
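The script below is an added example, not part of this IBM Cloud documentation or of the Sysdig Host Scanner. It scripts the manual parts of the Host Scanner setup above: the "remove /api from the REST API endpoint" note becomes a function that is applied before the value is written, and the environment file and systemd unit are generated from parameters instead of being typed by hand. It goes one step beyond the page by also deriving the endpoint form the KSPM analyzer's API_ENDPOINT variable expects (no /api and no protocol, as described in the posture validation section). The variable names and unit contents are the ones on this page; the function names, the directory parameters and the demo values (the access key and endpoint) are constructed for the example. The target directories are parameters so the script can be tried in a scratch directory before being pointed at /opt/draios/etc/vuln-host-scanner and /etc/systemd/system.

```shell
#!/bin/sh
# Added example: generate the Host Scanner env file and systemd unit from
# parameters, normalizing the API endpoint as the docs require.

# scanner_api_url ENDPOINT
# Drops a trailing "/api" (and any trailing slash) but keeps the scheme:
#   https://HOST/api -> https://HOST   (the SYSDIG_API_URL form)
scanner_api_url() {
    printf '%s\n' "$1" | sed -e 's#/*$##' -e 's#/api$##' -e 's#/*$##'
}

# kspm_api_endpoint ENDPOINT
# Same, but also strips the scheme, which is the KSPM analyzer's API_ENDPOINT form:
#   https://HOST/api -> HOST
kspm_api_endpoint() {
    scanner_api_url "$1" | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##'
}

# write_scanner_env DIR ACCESS_KEY ENDPOINT
# Writes DIR/env with the three variables the service reads. Fails on an empty
# access key or on an endpoint that is not https. Prints the path of the file.
write_scanner_env() {
    dir="$1"; key="$2"; url=$(scanner_api_url "$3")
    [ -n "$key" ] || { echo "access key is empty" >&2; return 1; }
    case "$url" in
        https://*) ;;
        *) echo "API URL must start with https://, got: $url" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    # The env file carries the access key, so create it owner-readable only.
    ( umask 077
      printf 'SYSDIG_ACCESS_KEY=%s\nSYSDIG_API_URL=%s\nSCAN_ON_START=true\n' \
          "$key" "$url" > "$dir/env" ) || return 1
    printf '%s\n' "$dir/env"
}

# write_scanner_unit UNIT_DIR ENV_FILE BINARY
# Writes UNIT_DIR/vuln-host-scanner.service, mirroring the unit on this page,
# and prints its path. Run `systemctl daemon-reload` afterwards on a real host.
write_scanner_unit() {
    unit="$1/vuln-host-scanner.service"
    mkdir -p "$1" || return 1
    cat > "$unit" <<EOF
[Unit]
Description=Sysdig Vuln Host Scanner component

[Service]
EnvironmentFile=$2
ExecStart=$3

[Install]
WantedBy=multi-user.target
EOF
    printf '%s\n' "$unit"
}

# Stand-alone demo in a scratch directory; the key and endpoint are constructed.
demo=$(mktemp -d)
env_file=$(write_scanner_env "$demo/etc/vuln-host-scanner" 'EXAMPLE-ACCESS-KEY' \
    'https://us-east.security-compliance-secure.cloud.ibm.com/api')
unit_file=$(write_scanner_unit "$demo/systemd" "$env_file" /usr/local/bin/vuln-host-scanner)
echo "--- $env_file"; cat "$env_file"
echo "--- $unit_file"; cat "$unit_file"
echo "KSPM API_ENDPOINT form: $(kspm_api_endpoint 'https://us-east.security-compliance-secure.cloud.ibm.com/api')"
rm -rf "$demo"
```

On a real host the two write functions are run through sudo with /opt/draios/etc/vuln-host-scanner and /etc/systemd/system as the directory arguments, followed by the daemon-reload and enable --now commands from the step above; the umask in write_scanner_env keeps the access key out of reach of other local users, which the `tee` in the manual step does not do by itself.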
Running posture validation in Linux hosts on PowerVS
Workload Protection allows you to evaluate your Linux hosts on Power Virtual Server against several CIS benchmarks such as CIS Distribution Independent Linux Benchmark and compliance policies.
You must run the Kubernetes Security Posture Management (KSPM) analyzer as a container. Podman is an option.
To install the KSPM analyzer in a non-Kubernetes environment:
-
- Obtain the public or private API Endpoint. For more information, see REST API endpoints. Note: remove the trailing /api and the protocol prefix from the endpoint when you configure it in step 3, for example us-east.security-compliance-secure.cloud.ibm.com
- Run the KSPM analyzer:
podman run -d -v /:/host:ro -v /tmp:/host/tmp --privileged \
  --network host --pid host --env ACCESS_KEY=<Sysdig agent access key> \
  --env API_ENDPOINT=<workload_protection_api_endpoint> \
  quay.io/sysdig/kspm-analyzer:latest
As soon as it is running, the KSPM Analyzer will evaluate Linux configuration files to identify failing controls from the enabled policies. You can see all results in Posture/Compliance in the Entire Infrastructure zone or define specific zones for your Linux hosts on Power Virtual Server under Policies/Zones.