IBM Cloud Docs
Managing the Workload Protection agent in Linux on PowerVS

After you provision an instance of the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud, you can deploy the Workload Protection agent on your Linux hosts on IBM® Power® Virtual Server to collect events and protect your workloads.

Workload Protection provides the following features to protect your standalone Linux hosts on Power Virtual Server:

  • Threat detection and response: identify threats and suspicious activity based on application, network, and host activity by processing syscall events and investigate with detailed system captures.
  • Posture management: scan host configuration files for compliance and benchmarks such as CIS Linux Benchmark.
  • Host scanning: scan host packages, detect the associated vulnerabilities and identify the resolution priority based on available fixed versions and severity.

Deploying the agent by using a script

Complete the following steps to configure a Workload Protection agent on Linux for detecting threats, validating your operating system posture and scanning your server to identify vulnerabilities. This agent will forward all security findings to an instance of the Workload Protection service:

  1. Obtain the access key.

  2. Obtain the public or private ingestion URL. For more information, see Collector endpoints.

  3. Install the kernel headers. When you install a Workload Protection agent, the agent uses kernel header files. Choose a distribution and run the following command for that distribution.

    • For Debian and Ubuntu Linux distributions, run the following command:

      apt-get -y install linux-headers-$(uname -r)
      
    • For RHEL, CentOS, and Fedora Linux distributions, run the following command:

      yum -y install kernel-devel-$(uname -r)
      
  4. Deploy the Workload Protection agent. Run the following command:

    curl -sL https://ibm.biz/install-sysdig-agent | sudo bash -s -- -a ACCESS_KEY -c COLLECTOR_ENDPOINT --collector_port 6443 --tags TAG_DATA --secure true --additional_conf 'sysdig_api_endpoint: API_ENDPOINT\nhost_scanner:\n  enabled: true\n  scan_on_start: true\nkspm_analyzer:\n  enabled: true'
    

    Where:

    • ACCESS_KEY is the ingestion key for the instance.
    • COLLECTOR_ENDPOINT is the public or private ingestion URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints. For example, ingest.private.us-east.security-compliance-secure.cloud.ibm.com.
    • API_ENDPOINT is the public or private API endpoint URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints. Add it as a bare hostname, without the https:// scheme or the /api path, for example private.us-east.security-compliance-secure.cloud.ibm.com.
    • TAG_DATA is a comma-separated list of tags, each formatted as TAG_NAME:TAG_VALUE. You can associate one or more tags with your Workload Protection agent. For example, role:serviceX,location:us-south.

    To install cURL, run yum -q -y install curl for RHEL, CentOS, and Fedora Linux distributions.

  5. Check that the Workload Protection agent is running. Run the following command:

    ps -ef | grep sysdig
    

To see the latest Workload Protection agent logs, go to the directory /opt/draios/logs and check the log file draios.log.

To look for errors, issue:

grep error /opt/draios/logs/draios.log

Deploying the agent by using a package

You can also install the Workload Protection agent manually by installing the package and writing the configuration yourself.

  1. Obtain the access key.

  2. Obtain the public or private ingestion URL. For more information, see Collector endpoints.

  3. Make sure that dkms is installed:

    • For RHEL or CentOS 8, run the following commands (for another major version, use the matching epel-release package):
    sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    sudo yum install dkms
    
  4. Install the kernel headers. When you install a Workload Protection agent, the agent uses kernel header files.

    • For RHEL or CentOS, run the following command:
    sudo yum -y install kernel-devel-$(uname -r)
    
  5. Trust the GPG key and configure the yum repository:

    • For RHEL or CentOS, run the following command:
    sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public && sudo curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
    
  6. Install, configure, and start the Workload Protection agent by running the following commands:

    • For RHEL or CentOS, run the following commands:

    Install the agent package:

    sudo yum -y install draios-agent
    

    Add the collector endpoint, the access key, and the scanner settings. The configuration file is owned by root, so run these commands from a root shell (for example, after sudo -i); otherwise the redirection into /opt/draios/etc/dragent.yaml fails:

    echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
    echo collector: COLLECTOR_URL >> /opt/draios/etc/dragent.yaml
    echo collector_port: 6443 >> /opt/draios/etc/dragent.yaml
    echo ssl: true >> /opt/draios/etc/dragent.yaml
    echo sysdig_api_endpoint: API_ENDPOINT >> /opt/draios/etc/dragent.yaml
    echo host_scanner: >> /opt/draios/etc/dragent.yaml
    echo "  enabled: true" >> /opt/draios/etc/dragent.yaml
    echo "  scan_on_start: true" >> /opt/draios/etc/dragent.yaml
    echo kspm_analyzer: >> /opt/draios/etc/dragent.yaml
    echo "  enabled: true" >> /opt/draios/etc/dragent.yaml

    Optionally, add tags in the same TAG_NAME:TAG_VALUE format that the script install uses:

    echo "tags: [TAG_DATA]" >> /opt/draios/etc/dragent.yaml

    Enable and start the agent:

    sudo systemctl enable dragent
    sudo systemctl start dragent

    

Your configuration file (/opt/draios/etc/dragent.yaml) should look like the following:

customerid: ACCESS_KEY
tags: [TAGS]
collector: COLLECTOR_URL
sysdig_api_endpoint: API_ENDPOINT
host_scanner:
  enabled: true
  scan_on_start: true
kspm_analyzer:
  enabled: true
collector_port: 6443
ssl: true
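
As an added example (not from the IBM Cloud documentation or the agent package), the following POSIX sh script checks an existing dragent.yaml against the template above: the required keys are present, collector_port is 6443, ssl is true, both scanners are enabled, and sysdig_api_endpoint is a bare hostname without the https:// scheme or the /api path. The sample configuration and its placeholder values are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the IBM Cloud docs or the agent package: check an
# existing /opt/draios/etc/dragent.yaml against the settings this page requires.
# Usage: check_dragent_conf FILE   (exit status 0 = every check passed)

# Value of a top-level "key: value" line (first match).
yaml_top() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1; }

# Value of an indented "key: value" line inside the top-level section $2.
yaml_nested() {
  sed -n "/^$2:/,/^[^[:space:]]/s/^[[:space:]][[:space:]]*$3:[[:space:]]*//p" "$1" | head -n 1
}

check_dragent_conf() {
  f=$1; rc=0
  fail() { echo "FAIL: $1"; rc=1; }
  [ -n "$(yaml_top "$f" customerid)" ] || fail "customerid (access key) is missing"
  [ -n "$(yaml_top "$f" collector)" ]  || fail "collector (ingestion URL) is missing"
  api=$(yaml_top "$f" sysdig_api_endpoint)
  [ -n "$api" ] || fail "sysdig_api_endpoint is missing"
  # The page requires a bare hostname here: no URL scheme and no /api path.
  case "$api" in http://*|https://*) fail "sysdig_api_endpoint must not include https://" ;; esac
  case "$api" in */api|*/api/*)      fail "sysdig_api_endpoint must not include /api" ;; esac
  [ "$(yaml_top "$f" collector_port)" = 6443 ] || fail "collector_port must be 6443"
  [ "$(yaml_top "$f" ssl)" = true ] || fail "ssl must be true"
  [ "$(yaml_nested "$f" host_scanner enabled)" = true ] || fail "host_scanner.enabled must be true"
  [ "$(yaml_nested "$f" host_scanner scan_on_start)" = true ] || fail "host_scanner.scan_on_start must be true"
  [ "$(yaml_nested "$f" kspm_analyzer enabled)" = true ] || fail "kspm_analyzer.enabled must be true"
  return $rc
}

# Constructed sample (placeholder values, not real credentials) with several
# deviations from the template: scheme and /api in the API endpoint, ssl off,
# scan_on_start and collector_port missing, kspm_analyzer disabled.
sample_bad=$(mktemp)
trap 'rm -f "$sample_bad"' EXIT
cat > "$sample_bad" <<'EOF'
customerid: ACCESS_KEY_PLACEHOLDER
collector: ingest.private.us-east.security-compliance-secure.cloud.ibm.com
sysdig_api_endpoint: https://private.us-east.security-compliance-secure.cloud.ibm.com/api
host_scanner:
  enabled: true
kspm_analyzer:
  enabled: false
ssl: false
EOF
check_dragent_conf "$sample_bad" || echo "-> fix the items above before starting dragent"
```

Run it against the real file with check_dragent_conf /opt/draios/etc/dragent.yaml after the echo steps and before starting dragent; the sample above reports six deviations.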

Wait a few seconds to make sure that the agent has started, then go to the Workload Protection data sources (Integrations > Data Sources > Sysdig Agents) to verify that the agent is connected correctly.

Updating the agent

To update a Workload Protection agent on Linux on Power Virtual Server, run the following commands:

sudo yum clean expire-cache
sudo yum -y install draios-agent

Troubleshooting the agent

To see the latest Workload Protection agent logs, go to the directory /opt/draios/logs and check the log file draios.log.

To see the logs for vulnerability scanning, filter the log for host-scanner. To see posture information, filter the log for kspm-analyzer.

To look for errors, you can run the following command:

grep -i error /opt/draios/logs/draios.log

Verifying results in the UI

After a few minutes, you can check the results in the UI: the vulnerabilities that were found, the posture validation, and any threats that were detected on your host.

Open your Workload Protection instance:

  • Verify that your agent is connected correctly under Integrations / Data Sources / Sysdig Agents.
  • Verify that your host appears under Inventory. You can filter by the hostname (Resource Name) or by the type of operating system (Platform).
  • The Workload Protection agent evaluates Linux configuration files to identify failing controls from the enabled policies. You can see all results in Posture / Compliance in the Entire Infrastructure zone, or define specific zones for your Linux hosts under Policies / Zones.
  • The Workload Protection agent provides host and image scanning on Linux hosts, detecting all installed packages and their associated vulnerabilities, sorted by severity and prioritizing those with a fix available. Go to Vulnerabilities / Runtime and search for your host by hostname or by type of system (asset.type is host).
  • As soon as the agent is connected, Workload Protection starts detecting threats based on the runtime policies that are configured. Go to Threats to see whether any event was detected. The Workload Protection documentation describes how to manage the threat detection policies and rules.