Host Scanner

This page describes how to install the Sysdig Host Scanner on non-Kubernetes hosts using packages. The Host Scanner scans hosts for vulnerabilities, in addition to the default runtime scanner for containers.

Prerequisites

Installation

RPM-Based Operating System

  1. Configure the RPM repository and Sysdig GPG key:

    sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
    sudo curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
    
  2. Install the vuln-host-scanner package:

    sudo yum install vuln-host-scanner --refresh -y
    
  3. Create the vuln-host-scanner configuration file:

    cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
    SYSDIG_ACCESS_KEY=<access-key>
    SYSDIG_API_URL=<api-url>
    # optional
    SCAN_ON_START=true
    EOF
    
  4. Enable and start the vuln-host-scanner.service service:

    sudo systemctl enable --now vuln-host-scanner.service
    
  5. Check the logs to confirm that the service is working as expected:

    sudo journalctl -fu vuln-host-scanner.service
    

For Other OSes or Raw Binary

  1. Download the latest version of sysdig-host-scanner:

    Intel Processor (AMD64)

    curl -LO "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/amd64/sysdig-host-scanner"
    

    ARM Processor (ARM64)

    curl -LO "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/arm64/sysdig-host-scanner"
    
  2. Optionally, verify the SHA-256 checksum of the downloaded binary:

    Intel Processor (AMD64)

    sha256sum -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/amd64/sysdig-host-scanner.sha256")
    

    ARM Processor (ARM64)

    sha256sum -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/arm64/sysdig-host-scanner.sha256")
    
  3. Set the executable flag on the file:

    chmod +x ./sysdig-host-scanner
    

    You only need to download the binary and set the executable flag once.

  4. You can scan the host by running the sysdig-host-scanner command:

    SYSDIG_ACCESS_KEY=<access-key> SYSDIG_API_URL=<api-url> ./sysdig-host-scanner
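
Steps 1 to 3 as one fail-closed script, added here as an example and not taken from Sysdig's documentation: it resolves the version once so the binary and its checksum come from the same release, and sets the executable flag only after the checksum matches. The function names are hypothetical, and it assumes the `.sha256` file is in `sha256sum -c` format and names the file `sysdig-host-scanner`, as the command in step 2 implies.

```shell
#!/bin/sh
# Added example (hypothetical function names): download sysdig-host-scanner
# and refuse to mark it executable unless its SHA-256 checksum matches.
BASE="https://download.sysdig.com/scanning"

# Resolve the version a single time, so the binary and the checksum are
# fetched for the same release even if latest_version.txt changes mid-run.
resolve_version() {
    curl -fsSL "$BASE/sysdig-host-scanner/latest_version.txt" | tr -d '[:space:]'
}

# fetch_scanner VERSION ARCH DIR   (ARCH is amd64 or arm64)
# -f makes curl fail on HTTP errors instead of saving an error page.
fetch_scanner() {
    url="$BASE/bin/sysdig-host-scanner/$1/linux/$2/sysdig-host-scanner"
    curl -fsSL -o "$3/sysdig-host-scanner" "$url" &&
    curl -fsSL -o "$3/sysdig-host-scanner.sha256" "$url.sha256"
}

# verify_scanner DIR
# Returns 0 and sets the executable flag when the checksum matches,
# 1 (and deletes the binary) on mismatch, 2 when a file is missing or empty.
# Assumes the .sha256 file references the name "sysdig-host-scanner".
verify_scanner() {
    dir=$1
    [ -s "$dir/sysdig-host-scanner" ] && [ -s "$dir/sysdig-host-scanner.sha256" ] || {
        echo "missing binary or checksum file in $dir" >&2
        return 2
    }
    if (cd "$dir" && sha256sum -c sysdig-host-scanner.sha256 >/dev/null); then
        chmod 0755 "$dir/sysdig-host-scanner"
    else
        rm -f "$dir/sysdig-host-scanner"
        echo "checksum mismatch: binary removed" >&2
        return 1
    fi
}

# Usage (needs network access):
#   v=$(resolve_version) && fetch_scanner "$v" amd64 . && verify_scanner .
```

The checksum is served from the same host as the binary, so this check detects a corrupted or truncated download, not a compromised download server.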
    

Optionally, create an environment file to store the configuration and a systemd unit file to run the binary as a service:

    sudo mv ./sysdig-host-scanner /usr/local/bin/vuln-host-scanner
    sudo restorecon -Rv /usr/local/bin/vuln-host-scanner
    sudo mkdir -p /opt/draios/etc/vuln-host-scanner/

    cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
    SYSDIG_ACCESS_KEY=<access-key>
    SYSDIG_API_URL=<api-url>
    # optional
    SCAN_ON_START=true
    EOF

    cat << EOF | sudo tee /etc/systemd/system/vuln-host-scanner.service
    [Unit]
    Description=Sysdig Vuln Host Scanner component

    [Service]
    EnvironmentFile=/opt/draios/etc/vuln-host-scanner/env
    ExecStart=/usr/local/bin/vuln-host-scanner

    [Install]
    WantedBy=multi-user.target
    EOF

    sudo systemctl daemon-reload
    sudo systemctl enable --now vuln-host-scanner.service

Additional Information

Kubernetes Metadata

If your node is part of an existing Kubernetes installation and you're not using the official Helm chart, you must set the node name and cluster name yourself via:

K8S_CLUSTER_NAME
K8S_NODE_NAME

Next Steps

Install the Agent using a package

Use the Host Scanner in the Sysdig Secure UI