On other Linux hosts
After you provision an instance of the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud, you can deploy the Workload Protection agent on your Linux hosts to collect events and protect your workloads. You can configure which threats you want to detect in each environment and conduct forensic processes to understand security breaches.
You can protect your hosts running on IBM Cloud, other cloud providers such as Amazon Web Services, Azure, Google Cloud Platform, or on-premises by using Workload Protection. Support exists for installing the Workload Protection agent using a package on Debian, Ubuntu, CentOS, RHEL, Fedora, Amazon AMI, and Amazon Linux 2. For information about deploying the agent on Linux hosts running on IBM® Power® Virtual Server, see Managing the Workload Protection agent on Linux on Power Virtual Server.
Adding an agent to a Linux host by using a script
Complete the following steps to add an agent to a Linux host by using a script:
- Obtain the public or private ingestion URL. For more information, see Collector endpoints.
- Install the kernel headers. When you install a Workload Protection agent, the agent uses kernel header files. Choose a distribution and run the corresponding command.
  For Debian and Ubuntu Linux distributions, run the following command:
  apt-get -y install linux-headers-$(uname -r)
  For RHEL, CentOS, and Fedora Linux distributions, run the following command:
  yum -y install kernel-devel-$(uname -r)
- Deploy the Workload Protection agent by running the following command:
  curl -sL https://ibm.biz/install-sysdig-agent | sudo bash -s -- -a ACCESS_KEY -c COLLECTOR_ENDPOINT --collector_port 6443 --tags TAG_DATA --secure true --additional_conf 'sysdig_api_endpoint: API_ENDPOINT\nhost_scanner:\n enabled: true\n scan_on_start: true\nkspm_analyzer:\n enabled: true'
  Where:
  ACCESS_KEY - The ingestion key for the instance.
  COLLECTOR_ENDPOINT - The public or private ingestion URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints. For example, ingest.private.us-east.security-compliance-secure.cloud.ibm.com.
  API_ENDPOINT - The public or private API endpoint URL for the region where the Workload Protection instance is available. To get an endpoint, see API endpoints. Specify the endpoint without https:// or /api. For example, private.us-east.security-compliance-secure.cloud.ibm.com.
  TAG_DATA - Comma-separated tags that are formatted as TAG_NAME:TAG_VALUE. You can associate one or more tags with your Workload Protection agent. For example, role:serviceX,location:us-south.
  To install cURL, run yum -q -y install curl for RHEL, CentOS, and Fedora Linux distributions.
- Verify that the Workload Protection agent is running by running the following command:
  ps -ef | grep sysdig
- Check the agent logs. The latest Workload Protection agent logs are located in the /opt/draios/logs directory in the draios.log file. To look for errors, run the following command:
  grep error /opt/draios/logs/draios.log
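The following pre-flight check is an added example; it is not part of the IBM documentation or of the installer script. It validates the placeholder values described above before they reach the installer: the API endpoint must carry no https:// prefix or /api suffix, and the tags must be comma-separated TAG_NAME:TAG_VALUE pairs. It only prints the argument string the installer would receive, so the values can be reviewed first; nothing is downloaded or executed. The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added pre-flight check for the script-based install (not from the IBM docs).
# normalize_endpoint: strip a leading scheme and a trailing /api, as the docs require.
normalize_endpoint() {
    ep="$1"
    ep="${ep#https://}"
    ep="${ep#http://}"
    ep="${ep%/}"
    ep="${ep%/api}"
    ep="${ep%/}"
    printf '%s\n' "$ep"
}

# validate_tags: succeed only when every comma-separated element is NAME:VALUE
# with a non-empty name and value and no stray commas.
validate_tags() {
    tags="$1"
    [ -n "$tags" ] || return 1
    case "$tags" in ,*|*,|*,,*) return 1 ;; esac
    old_ifs="$IFS"
    IFS=','
    for pair in $tags; do
        case "$pair" in
            *:*:*|:*|*:|'') IFS="$old_ifs"; return 1 ;;
            *:*) ;;
            *) IFS="$old_ifs"; return 1 ;;
        esac
    done
    IFS="$old_ifs"
    return 0
}

# build_agent_args: assemble the installer arguments from validated inputs.
# The installer is deliberately not invoked here.
build_agent_args() {
    access_key="$1"; collector="$2"; api="$3"; tags="$4"
    [ -n "$access_key" ] || { echo "missing ACCESS_KEY" >&2; return 1; }
    validate_tags "$tags" || { echo "bad TAG_DATA: $tags" >&2; return 1; }
    collector=$(normalize_endpoint "$collector")
    api=$(normalize_endpoint "$api")
    # The \n sequences stay literal (single quotes); the installer expands them.
    conf="sysdig_api_endpoint: ${api}"'\nhost_scanner:\n enabled: true\n scan_on_start: true\nkspm_analyzer:\n enabled: true'
    printf '%s\n' "-a $access_key -c $collector --collector_port 6443 --tags $tags --secure true --additional_conf '$conf'"
}

# Example run with constructed values (the region endpoints are the ones the docs quote).
build_agent_args 'ACCESS_KEY' \
    'ingest.private.us-east.security-compliance-secure.cloud.ibm.com' \
    'https://private.us-east.security-compliance-secure.cloud.ibm.com/api' \
    'role:serviceX,location:us-south'
```

Pipe the printed string into the installer only after checking it; the pasted https://…/api form of the API endpoint is the mistake this catches most often.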
Adding an agent to a Linux host by using a package
You can also install the Workload Protection agent manually by installing the package and defining the configuration.
Adding an agent to Debian or Ubuntu
Complete the following steps to add an agent to a Debian or Ubuntu Linux host:
- Obtain the public or private ingestion URL. For more information, see Collector endpoints.
- Trust the GPG key, configure the apt repository, and update the package list by running the following commands:
  curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | apt-key add -
  curl -s -o /etc/apt/sources.list.d/draios.list http://download.sysdig.com/stable/deb/draios.list
  apt-get update
- Install the kernel headers by running the following command:
  apt-get -y install linux-headers-$(uname -r)
- Install the agent package by running the following command:
  apt-get -y install draios-agent
- Configure the agent by adding the access key and collector endpoint:
  echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
  echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
  echo collector: COLLECTOR_URL >> /opt/draios/etc/dragent.yaml
  echo ssl: true >> /opt/draios/etc/dragent.yaml
  echo secure: true >> /opt/draios/etc/dragent.yaml
- Restart the agent by running the following command:
  service dragent restart
Adding an agent to RHEL, CentOS, or Fedora
Complete the following steps to add an agent to a RHEL, CentOS, or Fedora Linux host:
- Obtain the public or private ingestion URL. For more information, see Collector endpoints.
- Trust the GPG key and configure the yum repository by running the following command:
  sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public && sudo curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
- Install the kernel headers by running the following command:
  yum -y install kernel-devel-$(uname -r)
- Install the agent package by running the following command:
  yum -y install draios-agent
- Configure the agent by adding the access key and collector endpoint:
  echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
  echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
  echo collector: COLLECTOR_URL >> /opt/draios/etc/dragent.yaml
  echo ssl: true >> /opt/draios/etc/dragent.yaml
  echo secure: true >> /opt/draios/etc/dragent.yaml
  echo sysdig_api_endpoint: API_ENDPOINT >> /opt/draios/etc/dragent.yaml
  echo host_scanner: >> /opt/draios/etc/dragent.yaml
  echo " enabled: true" >> /opt/draios/etc/dragent.yaml
  echo " scan_on_start: true" >> /opt/draios/etc/dragent.yaml
  echo kspm_analyzer: >> /opt/draios/etc/dragent.yaml
  echo " enabled: true" >> /opt/draios/etc/dragent.yaml
- Enable and start the agent by running the following commands:
  sudo systemctl enable dragent
  sudo systemctl start dragent
Verifying the configuration file
Your configuration file (/opt/draios/etc/dragent.yaml) should contain the following settings:
customerid: ACCESS_KEY
tags: [TAGS]
collector: COLLECTOR_URL
sysdig_api_endpoint: API_ENDPOINT
host_scanner:
  enabled: true
  scan_on_start: true
kspm_analyzer:
  enabled: true
collector_port: 6443
ssl: true
secure: true
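The helper below is an added example, not part of the IBM documentation or the agent package, and it serves both the package-based configuration steps and the verification section above. Appending lines with echo >> writes a duplicate key every time a step is re-run, so this writes /opt/draios/etc/dragent.yaml in one go, keeps a backup of any previous copy, restricts the file to its owner because it holds the access key, and then checks that every setting listed under "Verifying the configuration file" is present exactly once. The target path is a parameter so the functions can be exercised on a scratch file; the function names are constructed for illustration.

```shell
#!/bin/sh
# Added helper for dragent.yaml (not from the IBM docs).
# write_dragent_conf PATH ACCESS_KEY TAGS COLLECTOR_URL API_ENDPOINT
write_dragent_conf() {
    path="$1"; access_key="$2"; tags="$3"; collector="$4"; api="$5"
    [ -n "$access_key" ] && [ -n "$collector" ] && [ -n "$api" ] || return 1
    if [ -f "$path" ]; then
        cp -p "$path" "$path.bak"   # keep the previous configuration
    fi
    (
        umask 077                   # the file carries the access key
        cat > "$path" <<EOF
customerid: $access_key
tags: [$tags]
collector: $collector
sysdig_api_endpoint: $api
host_scanner:
  enabled: true
  scan_on_start: true
kspm_analyzer:
  enabled: true
collector_port: 6443
ssl: true
secure: true
EOF
    )
    chmod 600 "$path"
}

# verify_dragent_conf PATH: report missing or duplicated top-level keys and
# confirm TLS is on; the return value is the number of problems found.
verify_dragent_conf() {
    path="$1"
    problems=0
    for key in customerid tags collector sysdig_api_endpoint host_scanner \
               kspm_analyzer collector_port ssl secure; do
        n=$(grep -c "^${key}:" "$path" || true)
        if [ "$n" -eq 0 ]; then
            echo "missing: $key"; problems=$((problems + 1))
        elif [ "$n" -gt 1 ]; then
            echo "duplicated ($n times): $key"; problems=$((problems + 1))
        fi
    done
    grep -q '^ssl: true$' "$path" || { echo "ssl is not true"; problems=$((problems + 1)); }
    grep -q '^secure: true$' "$path" || { echo "secure is not true"; problems=$((problems + 1)); }
    return "$problems"
}

# Example on a scratch file with constructed values; on a real host use
# /opt/draios/etc/dragent.yaml and restart dragent afterwards.
demo=$(mktemp)
write_dragent_conf "$demo" 'ACCESS_KEY' 'role:serviceX,location:us-south' \
    'ingest.private.us-east.security-compliance-secure.cloud.ibm.com' \
    'private.us-east.security-compliance-secure.cloud.ibm.com'
verify_dragent_conf "$demo" && echo "configuration OK"
rm -f "$demo" "$demo.bak"
```

Run the verify function again after any manual edit; a second customerid or collector line is exactly what the echo >> steps leave behind when repeated, and the agent will not necessarily tell you which copy it honoured.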
Updating the agent
To update the Workload Protection agent, complete the following steps based on your Linux distribution.
For Debian and Ubuntu Linux distributions, run the following commands:
sudo apt-get update
sudo apt-get -y install draios-agent
For RHEL, CentOS, and Fedora Linux distributions, run the following commands:
sudo yum clean expire-cache
sudo yum -y install draios-agent
Removing the agent
To remove the Workload Protection agent, complete the following steps based on your Linux distribution.
For Debian and Ubuntu Linux distributions, run the following command:
sudo apt-get remove draios-agent
For RHEL, CentOS, and Fedora Linux distributions, run the following command:
sudo yum erase draios-agent
Checking the agent status
To check the status of the agent, run one of the following commands:
service dragent status
systemctl status dragent
Viewing agent logs
The latest Workload Protection agent logs are located in the /opt/draios/logs directory in the draios.log file.
To view logs for vulnerability scanning, run the following command:
grep host-scanner /opt/draios/logs/draios.log
To view logs for posture management, run the following command:
grep kspm-analyzer /opt/draios/logs/draios.log
To look for errors, run the following command:
grep -i error /opt/draios/logs/draios.log
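As an added example that is not part of the IBM documentation, the function below turns the three grep commands above into a single triage step: it counts error lines in a draios.log-style file and attributes them to the vulnerability scanner (host-scanner), posture management (kspm-analyzer), or anything else, returning success only when the log is error-free. The line format of the sample log is constructed for illustration and is not the agent's real output; only the component names come from the page.

```shell
#!/bin/sh
# Added log-triage helper (not from the IBM docs).
# summarize_agent_errors LOG: print one summary line and return 0 only if no errors.
summarize_agent_errors() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    total=$(grep -ci 'error' "$log" || true)
    hs=$(grep -i 'error' "$log" | grep -c 'host-scanner' || true)
    ks=$(grep -i 'error' "$log" | grep -c 'kspm-analyzer' || true)
    other=$((total - hs - ks))
    printf 'errors total=%s host-scanner=%s kspm-analyzer=%s other=%s\n' \
        "$total" "$hs" "$ks" "$other"
    [ "$total" -eq 0 ]
}

# make_sample_log PATH: write constructed sample lines (format is illustrative).
make_sample_log() {
    cat > "$1" <<'EOF'
2024-01-01 10:00:00, Information, Agent starting
2024-01-01 10:00:01, Information, host-scanner: scan_on_start enabled
2024-01-01 10:00:02, Error, host-scanner: failed to read package database
2024-01-01 10:00:03, Error, kspm-analyzer: posture collection timed out
2024-01-01 10:00:04, Error, collector: connection refused
EOF
}

# Example run on the constructed sample; on a host point it at
# /opt/draios/logs/draios.log instead.
sample=$(mktemp)
make_sample_log "$sample"
summarize_agent_errors "$sample" || echo "agent log needs attention"
rm -f "$sample"
```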