Managing the Workload Protection agent in Linux on Power Virtual Server
After you provision an instance of the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud, you can deploy the Workload Protection agent on your Linux hosts on IBM® Power® Virtual Server to collect events and protect your workloads.
Adding an agent to a Linux host on Power Virtual Server
Complete the following steps to add an agent to a Linux host on Power Virtual Server:
-
Obtain the public or private ingestion URL. For more information, see Collector endpoints.
-
Install the kernel headers. When you install a Workload Protection agent, the agent uses kernel header files. Choose a distribution and run the corresponding command.
For Debian and Ubuntu Linux distributions, run the following command:
apt-get -y install linux-headers-$(uname -r)For RHEL, CentOS, and Fedora Linux distributions, run the following command:
yum -y install kernel-devel-$(uname -r) -
Deploy the Workload Protection agent by running the following command:
curl -sL https://ibm.biz/install-sysdig-agent | sudo bash -s -- -a ACCESS_KEY -c COLLECTOR_ENDPOINT --collector_port 6443 --tags TAG_DATA --secure true --additional_conf 'sysdig_api_endpoint: API_ENDPOINT\nhost_scanner:\n enabled: true\n scan_on_start: true\nkspm_analyzer:\n enabled: true'Where:
ACCESS_KEY- The ingestion key for the instance.
COLLECTOR_ENDPOINT- The public or private ingestion URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints.
For example,
ingest.private.us-east.security-compliance-secure.cloud.ibm.com. API_ENDPOINT- The public or private API endpoint URL for the region where the Workload Protection instance is available. To get an endpoint, see API endpoints.
Specify the endpoint without
https://or/api. For example,private.us-east.security-compliance-secure.cloud.ibm.com. TAG_DATA- Comma-separated tags that are formatted as
TAG_NAME:TAG_VALUE. You can associate one or more tags with your Workload Protection agent. For example,role:serviceX,location:us-south.
To install cURL, run
yum -q -y install curlfor RHEL, CentOS, and Fedora Linux distributions. -
Verify that the Workload Protection agent is running by running the following command:
ps -ef | grep sysdig -
Check the agent logs. The latest Workload Protection agent logs are located in the
/opt/draios/logsdirectory in thedraios.logfile.To look for errors, run the following command:
grep error /opt/draios/logs/draios.log
Updating the agent
To update the Workload Protection agent, complete the following steps:
-
Clear the yum cache by running the following command:
sudo yum clean expire-cache -
Update the agent by running the following command:
sudo yum -y install draios-agent
Removing the agent
To remove the Workload Protection agent, run the following command:
sudo yum erase draios-agent
Checking the agent status
To check the status of the agent, run one of the following commands:
service dragent status
systemctl status dragent
Viewing agent logs
The latest Workload Protection agent logs are located in the /opt/draios/logs directory in the draios.log file.
To view logs for vulnerability scanning, run the following command:
grep host-scanner /opt/draios/logs/draios.log
To view logs for posture management, run the following command:
grep kspm-analyzer /opt/draios/logs/draios.log
To look for errors, run the following command:
grep -i error /opt/draios/logs/draios.log