Managing the Workload Protection agent in Linux on Power Virtual Server

After you provision an instance of the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud, you can deploy the Workload Protection agent on your Linux hosts on IBM® Power® Virtual Server to collect events and protect your workloads.

Adding an agent to a Linux host on Power Virtual Server

Complete the following steps to add an agent to a Linux host on Power Virtual Server:

  1. Obtain the access key.

  2. Obtain the public or private ingestion URL. For more information, see Collector endpoints.

  3. Install the kernel headers. When you install a Workload Protection agent, the agent uses kernel header files. Choose a distribution and run the corresponding command.

    For Debian and Ubuntu Linux distributions, run the following command:

    apt-get -y install linux-headers-$(uname -r)
    

    For RHEL, CentOS, and Fedora Linux distributions, run the following command:

    yum -y install kernel-devel-$(uname -r)
    
  4. Deploy the Workload Protection agent by running the following command:

    curl -sL https://ibm.biz/install-sysdig-agent | sudo bash -s -- -a ACCESS_KEY -c COLLECTOR_ENDPOINT --collector_port 6443 --tags TAG_DATA --secure true --additional_conf 'sysdig_api_endpoint: API_ENDPOINT\nhost_scanner:\n  enabled: true\n  scan_on_start: true\nkspm_analyzer:\n  enabled: true'
    

    Where:

    ACCESS_KEY
    The ingestion key for the instance.
    COLLECTOR_ENDPOINT
    The public or private ingestion URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints. For example, ingest.private.us-east.security-compliance-secure.cloud.ibm.com.
    API_ENDPOINT
    The public or private API endpoint URL for the region where the Workload Protection instance is available. To get an endpoint, see API endpoints. Specify the endpoint without https:// or /api. For example, private.us-east.security-compliance-secure.cloud.ibm.com.
    TAG_DATA
    Comma-separated tags that are formatted as TAG_NAME:TAG_VALUE. You can associate one or more tags with your Workload Protection agent. For example, role:serviceX,location:us-south.

    To install cURL, run yum -q -y install curl for RHEL, CentOS, and Fedora Linux distributions.

  5. Verify that the Workload Protection agent is running by running the following command:

    ps -ef | grep sysdig
    
  6. Check the agent logs. The latest Workload Protection agent logs are located in the /opt/draios/logs directory in the draios.log file.

    To look for errors, run the following command:

    grep error /opt/draios/logs/draios.log
    

Updating the agent

To update the Workload Protection agent, complete the following steps:

  1. Clear the yum cache by running the following command:

    sudo yum clean expire-cache
    
  2. Update the agent by running the following command:

    sudo yum -y install draios-agent
    

Removing the agent

To remove the Workload Protection agent, run the following command:

sudo yum erase draios-agent

Checking the agent status

To check the status of the agent, run one of the following commands:

service dragent status
systemctl status dragent

Viewing agent logs

The latest Workload Protection agent logs are located in the /opt/draios/logs directory in the draios.log file.

To view logs for vulnerability scanning, run the following command:

grep host-scanner /opt/draios/logs/draios.log

To view logs for posture management, run the following command:

grep kspm-analyzer /opt/draios/logs/draios.log

To look for errors, run the following command:

grep -i error /opt/draios/logs/draios.log