Protecting Linux hosts
After you provision an instance of the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud, you can deploy the Workload Protection agent on your Linux hosts to collect events and protect your workloads. You can configure which threats you want to detect in each environment and conduct forensic processes to understand security breaches.
Workload Protection provides the following features to protect your standalone Linux hosts:
-
Threat detection: identify threats and suspicious activity based on application, network and host activity by processing syscall events and investigate with detailed system captures.
-
Posture management: scan host configuration files for compliance and benchmarks such as CIS Linux Benchmark.
-
Host scanning: scan host packages, detect the associated vulnerabilities and identify the resolution priority based on available fixed versions and severity.
Protect your hosts running on IBM Cloud, other cloud providers such as Amazon Web Services, Azure, Google Cloud Platform, or on-premise by using Workload Protection. Support exists for installing the Workload Protection agent using a package on Debian, Ubuntu, CentOS, RHEL, Fedora, Amazon AMI, and Amazon Linux 2.
Deploying the Linux agent by using a script
Complete the following steps to configure a Workload Protection agent on Linux to collect and forward metrics to an instance of the Workload Protection service:
-
Obtain the access key.
-
Obtain the public or private ingestion URL. For more information, see Collector endpoints.
-
Install the kernel headers. When you install a Workload Protection agent, the agent uses kernel header files. Choose a distribution and run the following command for that distribution.
-
For Debian and Ubuntu Linux distributions, run the following command:
apt-get -y install linux-headers-$(uname -r)
-
For RHEL, CentOS, and Fedora Linux distributions, run the following command:
yum -y install kernel-devel-$(uname -r)
-
-
Deploy the Workload Protection agent. Run the following command:
curl -sL https://ibm.biz/install-sysdig-agent | sudo bash -s -- --access_key ACCESS_KEY --collector COLLECTOR_ENDPOINT --collector_port 6443 --tags TAG_DATA'
Where:
ACCESS_KEY
is the ingestion key for the instance.COLLECTOR_ENDPOINT
is the public or private ingestion URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints.TAG_DATA
are comma-separated tags that are formatted asTAG_NAME:TAG_VALUE
. You can associate one or more tags to your Workload Protection agent. For example,role:serviceX,location:us-south
.
To install cURL, run
yum -q -y
install curl for RHEL, CentOS, and Fedora Linux distributions. -
Check that the Workload Protection agent is running. Run the following command:
ps -ef | grep sysdig
To see the latest Workload Protection agent logs, go to the directory /opt/draios/logs
and check the log file draios.log
.
To look for errors, issue:
grep error /opt/draios/logs/draios.log
Deploying the Linux agent using a package
-
Obtain the access key.
-
Obtain the public or private ingestion URL. For more information, see Collector endpoints.
-
Trust the Sysdig Monitor GPG key, configure the
apt
repository, and update the package list by running the following commands:curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | apt-key add -
curl -s -o /etc/apt/sources.list.d/draios.list http://download.sysdig.com/stable/deb/draios.list
apt-get update
-
Install the kernel headers. When you install a Workload Protection agent, the agent uses kernel header files. Choose a distribution and run the following command for that distribution.
- For Debian and Ubuntu Linux distributions, run the following commands:
apt-get -y install linux-headers-$(uname -r)
- For RHEL, CentOS, and Fedora Linux distributions, run the following command:
yum -y install kernel-devel-$(uname -r)
-
Install, configure, and restart the Sysdig agent by running the following commands.
- For Debian and Ubuntu Linux distributions, run the following commands:
apt-get -y install draios-agent
echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
echo collector: COLLECTOR_URL >> /opt/draios/etc/dragent.yaml echo ssl: true >> /opt/draios/etc/dragent.yaml
service dragent restart
- For RHEL, CentOS, and Fedora Linux distributions, run the following commands:
yum -y install draios-agent
echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
echo collector: COLLECTOR_URL >> /opt/draios/etc/dragent.yaml echo ssl: true >> /opt/draios/etc/dragent.yaml
echo secure: true >> /opt/draios/etc/dragent.yaml
sudo systemctl enable dragent
sudo systemctl start dragent
Updating a Linux agent
Complete the following steps to update a Workload Protection agent on Linux.
To update the agent from Debian and Ubuntu Linux distributions, run the following commands as the sudo
user:
sudo apt-get update
sudo apt-get -y install draios-agent
To update the agent from RHEL, CentOS, and Fedora Linux distributions, run the following commands as the sudo
user:
yum clean expire-cache
sudo yum -y install draios-agent
Removing a Workload Protection agent that has been deployed as a service in a Linux system
Complete the following steps to remove a Workload Protection agent on Linux.
To uninstall the agent from Debian and Ubuntu Linux distributions, run the following command as the sudo
user:
sudo apt-get remove draios-agent
To uninstall the agent from RHEL, CentOS, and Fedora Linux distributions, run the following command as the sudo
user:
sudo yum erase draios-agent
Troubleshooting the agent
Checking the status of an agent by using the CLI
To check the status of an agent, run the following command:
service dragent status
systemctl status dragent
Viewing the logs of an agent
To see the latest Workload Protection agent logs, go to the directory /opt/draios/logs
and check the log file draios.log
.
To look for errors, you can run the following command:
grep error /opt/draios/logs/draios.log
Verifying the state of the agent
To check that the Workload Protection agent is running, run the following command:
ps -ef | grep sysdig
Identifying vulnerabilities in Linux hosts with Host Analyzer
Workload Protection provides host and image scanning in Linux hosts, detecting all installed packages and associated vulnerabilities sorted by severity and prioritizing those with a fix available.
After installing the Host Analyzer, review the detected vulnerabilities in your host accessing Scanning/Hosts in the Workload Protection. The first scan starts shortly after installation.
It is possible to run the Host Analyzer by using either Docker or as a package.
Install using Docker
To install the Host Analyzer, issue:
docker run --detach
-e HOST_FS_MOUNT_PATH=/host
-e SYSDIG_ACCESS_KEY=<ACCESS_KEY>
-e SYSDIG_API_URL=<COLLECTOR_ENDPOINT>
-e SCAN_ON_START=true
-v /:/host:ro --uts=host --net=host
quay.io/sysdig/vuln-host-scanner:$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)
Where:
Where:
- ACCESS_KEY is the ingestion key for the instance.
- COLLECTOR_ENDPOINT is the public or private ingestion URL for the region where the Workload Protection instance is available. To get the endpoint you need to use, check out API endpoints.
- For example, if you have Workload Protection service in EU-GB, the COLLECTOR_ENDPOINT would be
https://eu-gb.security-compliance-secure.cloud.ibm.com/internal/scanning/scanning-analysis-collector
.
- For example, if you have Workload Protection service in EU-GB, the COLLECTOR_ENDPOINT would be
- SCAN_ON_START forces a first scan when the Host Scanner initializes.
Install as a package
It is also possible to install the Host Analyzer on non-Kubernetes hosts using packages.
To do this, follow the instructions in the Sysdig tutorial Vulnerability Host Scanner,
following all of the Installation steps for RPM-based operating systems and substituting
the Workload Protection API endpoint for the<api-url>
in Step 3.
Scanning for compliance and benchmarks in Linux hosts with KSPM Analyzer
Workload Protection allows you to evaluate your Linux Hosts against several CIS benchmarks such as CIS Distribution Independent Linux Benchmark and compliance policies.
You need to run the Kubernetes Security Posture Management (KSPM) analyzer as a container. To install the KSPM analyzer in a non-Kubernetes environment, you can use:
docker run -d \
-v /:/host:ro -v /tmp:/host/tmp --privileged \
--network host --pid host --env \
ACCESS_KEY=<Sysdig agent access key> \
--env API_ENDPOINT=<workload_protection_api_endpoint> \ quay.io/sysdig/kspm-analyzer:latest \
Where:
- ACCESS_KEY is the ingestion key for the instance.
- API_ENDPOINT is the public or private API endpoint for the region where the Workload Protection instance is available. To get an endpoint, see API endpoints.
Notice that you don’t need to include “https”.
- For example, if you have Workload Protection service in
eu-gb
, theAPI_ENDPOINT
would beeu-gb.security-compliance-secure.cloud.ibm.com
.
- For example, if you have Workload Protection service in
As soon as it is running, the KSPM Analyzer will evaluate Linux configuration files to identify failing controls from the enabled Policies. You can see all results in Posture/Compliance in the Entire Infrastructure zone or define specific zones for your Linux hosts under Policies/Zones.