IBM Cloud Docs

Protecting Linux hosts

After you provision an instance of the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud, you can deploy the Workload Protection agent on your Linux hosts to collect events and protect your workloads. You can configure which threats you want to detect in each environment and conduct forensic processes to understand security breaches.

Workload Protection provides the following features to protect your standalone Linux hosts:

  • Threat detection: identify threats and suspicious activity in application, network, and host behaviour by processing syscall events, and investigate incidents with detailed system captures.

  • Posture management: scan host configuration files against compliance standards and benchmarks such as the CIS Linux Benchmark.

  • Host scanning: scan installed host packages, detect their known vulnerabilities, and prioritize remediation by severity and by whether a fixed version is available.

Use Workload Protection to protect hosts that run on IBM Cloud, on other cloud providers such as Amazon Web Services, Azure, and Google Cloud Platform, or on premises. The Workload Protection agent can be installed as a package on Debian, Ubuntu, CentOS, RHEL, Fedora, Amazon AMI, and Amazon Linux 2.

Deploying the Linux agent by using a script

Complete the following steps to configure a Workload Protection agent on Linux to collect events and forward them to an instance of the Workload Protection service:

  1. Obtain the access key.

  2. Obtain the public or private ingestion URL. For more information, see Collector endpoints.

  3. Install the kernel headers. The agent installer builds its kernel probe against the headers of the running kernel, so the header package version must match the output of uname -r. Choose a distribution and run the following command for that distribution.

    • For Debian and Ubuntu Linux distributions, run the following command:

      apt-get -y install linux-headers-$(uname -r)
      
    • For RHEL, CentOS, and Fedora Linux distributions, run the following command:

      yum -y install kernel-devel-$(uname -r)
      
  4. Deploy the Workload Protection agent. Run the following command:

    curl -sL https://ibm.biz/install-sysdig-agent | sudo bash -s -- --access_key ACCESS_KEY --collector COLLECTOR_ENDPOINT --collector_port 6443 --tags TAG_DATA
    

    Where:

    • ACCESS_KEY is the ingestion key for the instance.
    • COLLECTOR_ENDPOINT is the public or private ingestion URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints.
    • TAG_DATA are comma-separated tags that are formatted as TAG_NAME:TAG_VALUE. You can associate one or more tags to your Workload Protection agent. For example, role:serviceX,location:us-south.

    The command pipes a script fetched over HTTPS straight into a root shell. If your change control requires it, download the script to a file first, review it, and then run it with sudo bash and the same arguments.

    To install cURL, run yum -q -y install curl for RHEL, CentOS, and Fedora Linux distributions.

  5. Check that the Workload Protection agent is running. Run the following command (the grep process itself also appears in the output, so look for the agent processes rather than for a non-empty result):

    ps -ef | grep sysdig
    

To see the latest Workload Protection agent logs, go to the directory /opt/draios/logs and check the log file draios.log.

To look for errors, issue the following command (case-insensitive, so that both error and Error lines match):

grep -i error /opt/draios/logs/draios.log

Deploying the Linux agent using a package

  1. Obtain the access key.

  2. Obtain the public or private ingestion URL. For more information, see Collector endpoints.

  3. Trust the Sysdig GPG key, configure the package repository, and update the package list. Fetch both the key and the repository definition over HTTPS so that a network attacker cannot substitute either file. For Debian and Ubuntu Linux distributions, run the following commands:

    curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | apt-key add -
    
    curl -s -o /etc/apt/sources.list.d/draios.list https://download.sysdig.com/stable/deb/draios.list
    
    apt-get update
    
    On Debian and Ubuntu releases where apt-key is deprecated, store the key under /etc/apt/keyrings and reference it with a signed-by option in draios.list instead. For RHEL, CentOS, and Fedora Linux distributions, import the same key with rpm --import and configure the Sysdig rpm repository under /etc/yum.repos.d before you continue.
    
  4. Install the kernel headers. The agent installer builds its kernel probe against the headers of the running kernel, so the header package version must match the output of uname -r. Choose a distribution and run the following command for that distribution.

    • For Debian and Ubuntu Linux distributions, run the following commands:
    apt-get -y install linux-headers-$(uname -r)
    
    • For RHEL, CentOS, and Fedora Linux distributions, run the following command:
    yum -y install kernel-devel-$(uname -r)
    
  5. Install the agent, write its configuration to /opt/draios/etc/dragent.yaml, and start the service. The configuration file holds the ingestion key, so keep it readable by root only (mode 0600).

    • For Debian and Ubuntu Linux distributions, run the following commands:
    apt-get -y install draios-agent
    
    echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
    
    echo tags: TAGS >> /opt/draios/etc/dragent.yaml
    
    echo collector: COLLECTOR_URL >> /opt/draios/etc/dragent.yaml
    
    echo ssl: true >> /opt/draios/etc/dragent.yaml
    
    service dragent restart
    
    • For RHEL, CentOS, and Fedora Linux distributions, run the following commands:
    yum -y install draios-agent
    
    echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
    
    echo tags: TAGS >> /opt/draios/etc/dragent.yaml
    
    echo collector: COLLECTOR_URL >> /opt/draios/etc/dragent.yaml
    
    echo ssl: true >> /opt/draios/etc/dragent.yaml
    
    echo secure: true >> /opt/draios/etc/dragent.yaml
    
    sudo systemctl enable dragent
    
    sudo systemctl start dragent
    

    Where:

    • ACCESS_KEY is the ingestion key for the instance.
    • TAGS are comma-separated tags that are formatted as TAG_NAME:TAG_VALUE, for example role:serviceX,location:us-south.
    • COLLECTOR_URL is the public or private ingestion URL (a host name, without a scheme) for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints.
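
The chain of echo commands above can be replaced by a single helper that validates its inputs and protects the file. The following is an added example written for this page, not code from the IBM Cloud or Sysdig documentation: the function names write_dragent_config and check_dragent_config, the CONFIG_PATH argument, and the validation rules are this example's own choices, while the keys it writes (customerid, tags, collector, collector_port, ssl, secure) are the ones used in the steps above.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud or Sysdig documentation: write the
# dragent.yaml from step 5 in one pass instead of a chain of echo >> commands,
# validating the inputs first and leaving the file readable by root only.
# The function names, the CONFIG_PATH argument and the validation rules are
# this example's own choices; the keys written match the ones on the page.

# write_dragent_config CONFIG_PATH ACCESS_KEY COLLECTOR_HOST [TAGS]
#   TAGS: comma-separated TAG_NAME:TAG_VALUE pairs, e.g. role:serviceX,location:us-south
write_dragent_config() {
    cfg=$1; key=$2; collector=$3; tags=$4

    [ -n "$key" ] || { echo "access key is required" >&2; return 1; }
    # The collector is a bare host name; pasting a URL with a scheme is a common mistake.
    case $collector in
        "")                 echo "collector is required" >&2; return 1 ;;
        http://*|https://*) echo "collector must not include a scheme: $collector" >&2; return 1 ;;
    esac

    # Reject malformed tags before they reach the agent.
    yaml_tags=""
    old_ifs=$IFS; IFS=,
    for t in $tags; do
        case $t in
            ?*:?*) ;;
            *) IFS=$old_ifs; echo "bad tag, expected TAG_NAME:TAG_VALUE: $t" >&2; return 1 ;;
        esac
        yaml_tags="${yaml_tags}${yaml_tags:+,}$t"
    done
    IFS=$old_ifs

    # The file carries the ingestion key: create it with mode 0600 from the start.
    old_umask=$(umask)
    umask 077
    {
        echo "customerid: $key"
        [ -n "$yaml_tags" ] && echo "tags: $yaml_tags"
        echo "collector: $collector"
        echo "collector_port: 6443"
        echo "ssl: true"
        echo "secure: true"
    } > "$cfg"
    umask "$old_umask"
    chmod 600 "$cfg"
}

# check_dragent_config CONFIG_PATH
#   Returns 0 when every required key is present and the file is mode 0600.
check_dragent_config() {
    cfg=$1
    for k in customerid collector ssl; do
        grep -q "^$k: " "$cfg" || { echo "missing key: $k" >&2; return 1; }
    done
    [ -n "$(find "$cfg" -perm 600)" ] || { echo "$cfg must be mode 0600" >&2; return 1; }
}

# Stand-alone demo against a temporary path (constructed key and host, not real values).
demo=$(mktemp)
write_dragent_config "$demo" "0000-example-key" "ingest.collector.example" "role:serviceX,location:us-south" \
    && check_dragent_config "$demo" && cat "$demo"
rm -f "$demo"
```

On a host, run it as root with the real path and values, for example write_dragent_config /opt/draios/etc/dragent.yaml ACCESS_KEY COLLECTOR_URL role:serviceX,location:us-south, then check_dragent_config /opt/draios/etc/dragent.yaml before you restart dragent.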
    

Updating a Linux agent

Complete the following steps to update a Workload Protection agent on Linux.

To update the agent from Debian and Ubuntu Linux distributions, run the following commands as the sudo user:

sudo apt-get update
sudo apt-get -y install draios-agent

To update the agent from RHEL, CentOS, and Fedora Linux distributions, run the following commands as the sudo user:

sudo yum clean expire-cache
sudo yum -y install draios-agent

Removing a Workload Protection agent that has been deployed as a service in a Linux system

Complete the following steps to remove a Workload Protection agent on Linux.

To uninstall the agent from Debian and Ubuntu Linux distributions, run the following command as the sudo user:

sudo apt-get remove draios-agent

To uninstall the agent from RHEL, CentOS, and Fedora Linux distributions, run the following command as the sudo user:

sudo yum erase draios-agent

Troubleshooting the agent

Checking the status of an agent by using the CLI

To check the status of an agent, run the command that matches the init system on the host:

service dragent status
systemctl status dragent

Viewing the logs of an agent

To see the latest Workload Protection agent logs, go to the directory /opt/draios/logs and check the log file draios.log.

To look for errors, you can run the following command (case-insensitive, so that both error and Error lines match):

grep -i error /opt/draios/logs/draios.log
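
A case-sensitive grep for error finds only lower-case matches and says nothing about how many errors there are or which one is newest. The following shell helper is an added example written for this page, not code from the IBM Cloud or Sysdig documentation, that triages draios.log case-insensitively; it serves the log check here and the identical one in the script deployment steps above. The function names and the sample log lines are this example's own; the sample is constructed to resemble an agent log and is not copied from real agent output.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud or Sysdig documentation: triage
# /opt/draios/logs/draios.log instead of eyeballing the output of grep.
# Matching is case-insensitive so that both "error" and "Error" are counted.
# The function names and the sample log lines are this example's own; the
# sample is constructed to resemble an agent log and is not real agent output.

# count_matches LOGFILE PATTERN -> number of lines matching PATTERN, ignoring case
count_matches() {
    # grep -c prints the count but exits 1 when it is zero; that is not a failure here.
    grep -ic -- "$2" "$1" || true
}

# triage_agent_log LOGFILE
#   Prints error and warning counts plus the most recent error line.
#   Returns 0 when no error lines are present, 1 when there are some, 2 if unreadable.
triage_agent_log() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    errors=$(count_matches "$log" 'error')
    warnings=$(count_matches "$log" 'warning')
    echo "errors=$errors warnings=$warnings"
    if [ "$errors" -gt 0 ]; then
        echo "last error: $(grep -i -- 'error' "$log" | tail -n 1)"
        return 1
    fi
    return 0
}

# write_sample_log PATH: constructed sample lines in the style of an agent log (not real output)
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-01 10:00:00.000, 1201.1201, Information, Agent starting
2024-01-01 10:00:01.000, 1201.1201, Warning, Kernel headers not found, trying prebuilt probe
2024-01-01 10:00:02.000, 1201.1201, Error, Failed to connect to collector: connection refused
2024-01-01 10:00:07.000, 1201.1201, Information, Connected to collector
EOF
}

# Stand-alone demo: triage the constructed sample (returns 1 because it contains an error).
sample=$(mktemp)
write_sample_log "$sample"
triage_agent_log "$sample" || true
rm -f "$sample"
```

On a host, run triage_agent_log /opt/draios/logs/draios.log; a non-zero exit status makes the check usable from a provisioning script or a health probe, not only interactively.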

Verifying the state of the agent

To check that the Workload Protection agent is running, run the following command (the grep process itself also appears in the output, so look for the agent processes rather than for a non-empty result):

ps -ef | grep sysdig

Identifying vulnerabilities in Linux hosts with Host Analyzer

Workload Protection scans Linux hosts for installed packages and their associated vulnerabilities, sorts them by severity, and prioritizes those with a fix available.

After you install the Host Analyzer, review the detected vulnerabilities for your host under Scanning/Hosts in the Workload Protection UI. The first scan starts shortly after installation.

You can run the Host Analyzer either as a Docker container or as a package.

Install using Docker

To install the Host Analyzer, issue:

docker run --detach \
  -e HOST_FS_MOUNT_PATH=/host \
  -e SYSDIG_ACCESS_KEY=<ACCESS_KEY> \
  -e SYSDIG_API_URL=<COLLECTOR_ENDPOINT> \
  -e SCAN_ON_START=true \
  -v /:/host:ro --uts=host --net=host \
  quay.io/sysdig/vuln-host-scanner:$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)

Where:

  • ACCESS_KEY is the ingestion key for the instance.
  • COLLECTOR_ENDPOINT is the public or private scanning API endpoint for the region where the Workload Protection instance is available, including the https:// scheme and the path. To get the endpoint you need to use, see API endpoints.
    • For example, if you have the Workload Protection service in EU-GB, the COLLECTOR_ENDPOINT would be https://eu-gb.security-compliance-secure.cloud.ibm.com/internal/scanning/scanning-analysis-collector.
  • SCAN_ON_START forces a first scan when the Host Scanner initializes.

The container mounts the whole host file system read-only at /host and shares the host network and UTS namespaces; that is what lets it inventory the host's packages, so restrict who can start or replace it. The image tag is resolved from latest_version.txt at run time; for repeatable deployments, record the version that was resolved and pin the tag to it.

Install as a package

You can also install the Host Analyzer on non-Kubernetes hosts from packages.

To do this, follow the instructions in the Sysdig tutorial Vulnerability Host Scanner, completing all of the Installation steps for RPM-based operating systems and substituting the Workload Protection API endpoint for the <api-url> in Step 3.

Scanning for compliance and benchmarks in Linux hosts with KSPM Analyzer

Workload Protection lets you evaluate your Linux hosts against several CIS benchmarks, such as the CIS Distribution Independent Linux Benchmark, and against compliance policies.

The Kubernetes Security Posture Management (KSPM) analyzer runs as a container. To install it in a non-Kubernetes environment, run:

docker run -d \
  -v /:/host:ro \
  -v /tmp:/host/tmp \
  --privileged \
  --network host \
  --pid host \
  --env ACCESS_KEY=<ACCESS_KEY> \
  --env API_ENDPOINT=<API_ENDPOINT> \
  quay.io/sysdig/kspm-analyzer:latest

Where:

  • ACCESS_KEY is the ingestion key for the instance.
  • API_ENDPOINT is the public or private API endpoint for the region where the Workload Protection instance is available. To get an endpoint, see API endpoints. Do not include the https:// scheme.
    • For example, if you have the Workload Protection service in eu-gb, the API_ENDPOINT would be eu-gb.security-compliance-secure.cloud.ibm.com.

The analyzer runs as a privileged container in the host PID and network namespaces with a read-only view of the host file system at /host, so treat its image and access key with the same care as the agent itself, and consider pinning the image to a specific tag rather than latest. As soon as it is running, the KSPM Analyzer evaluates Linux configuration files to identify failing controls from the enabled policies. You can see all results under Posture/Compliance in the Entire Infrastructure zone, or define specific zones for your Linux hosts under Policies/Zones.