Protecting Linux hosts

After you provision an instance of the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud, you can deploy the Workload Protection agent on your Linux hosts to collect events and protect your workloads. You can configure which threats you want to detect in each environment and conduct forensic processes to understand security breaches.

Workload Protection provides the following features to protect your standalone Linux hosts:

Threat detection: identify threats and suspicious activity based on application, network and host activity by processing syscall events and investigate with detailed system captures.
Posture management: scan host configuration files for compliance and benchmarks such as CIS Linux Benchmark.
Host scanning: scan host packages, detect the associated vulnerabilities and identify the resolution priority based on available fixed versions and severity.

Protect your hosts running on IBM Cloud, other cloud providers such as Amazon Web Services, Azure, Google Cloud Platform, or on-premise by using Workload Protection. Support exists for installing the Workload Protection agent using a package on Debian, Ubuntu, CentOS, RHEL, Fedora, Amazon AMI, and Amazon Linux 2.

Deploying the Linux agent by using a script

Complete the following steps to configure a Workload Protection agent on Linux for detecting threats, validating your operating system posture and scanning your server to identify vulnerabilities. This agent will forward all security findings to an instance of the Workload Protection service:

Obtain the access key.
Obtain the public or private ingestion URL. For more information, see Collector endpoints.
Install the kernel headers. When you install a Workload Protection agent, the agent uses kernel header files. Choose a distribution and run the following command for that distribution.
- For Debian and Ubuntu Linux distributions, run the following command:
```
apt-get -y install linux-headers-$(uname -r)
```
- For RHEL, CentOS, and Fedora Linux distributions, run the following command:
```
yum -y install kernel-devel-$(uname -r)
```
Deploy the Workload Protection agent. Run the following command:
```
curl -sL https://ibm.biz/install-sysdig-agent | sudo bash -s -- -a ACCESS_KEY -c COLLECTOR_ENDPOINT --collector_port 6443 --tags TAG_DATA --secure true --additional_conf 'sysdig_api_endpoint: API_ENDPOINT\nhost_scanner:\n  enabled: true\n  scan_on_start: true\nkspm_analyzer:\n  enabled: true'
```
Where:
- ACCESS_KEY is the ingestion key for the instance.
- COLLECTOR_ENDPOINT is the public or private ingestion URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints. For example, ingest.private.us-east.security-compliance-secure.cloud.ibm.com.
- API_ENDPOINT is the public or private API Endpoint URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints. Make sure to add it without https or /api, for example private.us-east.security-compliance-secure.cloud.ibm.com.
- TAG_DATA are comma-separated tags that are formatted as TAG_NAME:TAG_VALUE. You can associate one or more tags to your Workload Protection agent. For example, role:serviceX,location:us-south.
To install cURL, run yum -q -y install curl for RHEL, CentOS, and Fedora Linux distributions.
Check that the Workload Protection agent is running. Run the following command:
```
ps -ef | grep sysdig
```

To see the latest Workload Protection agent logs, go to the directory /opt/draios/logs and check the log file draios.log.

To look for errors, issue:

grep error /opt/draios/logs/draios.log

Deploying the Linux agent using a package

You can also install the Workload Protection agent manually by installing the package and defining all the configuration.

Obtain the access key.
Obtain the public or private ingestion URL. For more information, see Collector endpoints.

Trust the Sysdig Monitor GPG key, configure the apt repository, and update the package list by running the following commands:

curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | apt-key add -

curl -s -o /etc/apt/sources.list.d/draios.list http://download.sysdig.com/stable/deb/draios.list

apt-get update

Install the kernel headers. When you install a Workload Protection agent, the agent uses kernel header files. Choose a distribution and run the following command for that distribution.
- For Debian and Ubuntu Linux distributions, run the following commands:
```
apt-get -y install linux-headers-$(uname -r)
```
- For RHEL, CentOS, and Fedora Linux distributions, run the following command:
```
yum -y install kernel-devel-$(uname -r)
```

Install, configure, and restart the Sysdig agent by running the following commands.

For Debian and Ubuntu Linux distributions, run the following commands:

apt-get -y install draios-agent

echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml 
echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml

echo collector: COLLECTOR_URL >> /opt/draios/etc/dragent.yaml 
echo ssl: true >> /opt/draios/etc/dragent.yaml

service dragent restart

For RHEL, CentOS, and Fedora Linux distributions, run the following commands:

yum -y install draios-agent

echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml 
echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml

echo collector: COLLECTOR_URL >> /opt/draios/etc/dragent.yaml 
echo ssl: true >> /opt/draios/etc/dragent.yaml

echo secure: true >> /opt/draios/etc/dragent.yaml

echo sysdig_api_endpoint: API_ENDPOINT >> /opt/draios/etc/dragent.yaml
echo host_scanner: >> /opt/draios/etc/dragent.yaml
echo "  enabled: true" >> /opt/draios/etc/dragent.yaml
echo "  scan_on_start: true" >> /opt/draios/etc/dragent.yaml
echo kspm_analyzer: >> /opt/draios/etc/dragent.yaml
echo "  enabled: true" >> /opt/draios/etc/dragent.yaml

sudo systemctl enable dragent

sudo systemctl start dragent

Your configuration file (/opt/draios/etc/dragent.yaml) needs to look like:

customerid: ACCESS_KEY
tags: [TAGS]
collector: COLLECTOR_URL
sysdig_api_endpoint: API_ENDPOINT
host_scanner:
  enabled: true
  scan_on_start: true
kspm_analyzer:
  enabled: true
collector_port: 6443
ssl: true

Updating a Linux agent

Complete the following steps to update a Workload Protection agent on Linux.

To update the agent from Debian and Ubuntu Linux distributions, run the following commands as the sudo user:

sudo apt-get update

sudo apt-get -y install draios-agent

To update the agent from RHEL, CentOS, and Fedora Linux distributions, run the following commands as the sudo user:

yum clean expire-cache

sudo yum -y install draios-agent

Removing a Workload Protection agent that has been deployed as a service in a Linux system

Complete the following steps to remove a Workload Protection agent on Linux.

To uninstall the agent from Debian and Ubuntu Linux distributions, run the following command as the sudo user:

sudo apt-get remove draios-agent

To uninstall the agent from RHEL, CentOS, and Fedora Linux distributions, run the following command as the sudo user:

sudo yum erase draios-agent

Troubleshooting the agent

Checking the status of an agent by using the CLI

To check the status of an agent, run the following command:

service dragent status

systemctl status dragent

Viewing the logs of an agent

To see the latest Workload Protection agent logs, go to the directory /opt/draios/logs and check the log file draios.log.

If you want to see logs for the vulnerability scanning, grep by host-scanner. To look for Posture information, grep by kspm-analyzer.

To look for errors, you can run the following command:

grep error /opt/draios/logs/draios.log

Verifying the state of the agent

To check that the Workload Protection agent is running, run the following command:

ps -ef | grep sysdig

Verifying results in the UI

After a few minutes, you can check the results in the UI for your Vulnerabilities, the Posture validation and, if any, Threats detected in your host.

Access to your Workload Protection instance:

Verify your agent is connected correctly under Integrations / Data Sources / Sysdig Agents.
Review your host appears under Inventory. You can filter by the hostname (Resource Name) or type of operating system (Platform)
The Workload Protection agent will evaluate Linux configuration files to identify failing controls from the enabled Policies. You can see all results in Posture/Compliance in the Entire Infrastructure zone or define specific zones for your Linux hosts under Policies/Zones.
The Workload Protection agent provides host and image scanning in Linux hosts, detecting all installed packages and associated vulnerabilities sorted by severity and prioritizing those with a fix available. Access to Vulnerabilities / Runtime and search for your host by the hostname or type of system (asset.type is host).
As soon as the Workload Protection will start detecting threats based on the Runtime Policies that are configured. Access to Threats to see if any event was detected. In this document, you can find how to manage the threat detection policies and rules.