Install Host Shield from a Package

This page describes how to install the Sysdig Host Shield on hosts using rpm or deb packages.

Migrate to the Host Shield

The Host Shield is the agent container. Starting from Sysdig Agent 13.6.1, you can enable additional features such as Host Scanning, Host Security Posture Management, and Rapid Response directly from the package configuration.

Package Reference

Driver	Main Package	Dependency Packages
kmod (compatibility mode)	draios-agent	draios-agent-slim, draios-agent-kmodule
kmod (recommended)	draios-agent-kmodule	draios-agent-slim
legacy_ebpf	draios-agent-legacy-ebpf	draios-agent-slim
universal_ebpf	draios-agent-slim

For Debian and Ubuntu

Trust the Sysdig GNU Privacy Guard (GPG) key, configure the apt repository, and update the package list by running the following commands:

curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public -o /usr/share/keyrings/sysdig-keyring.asc
echo 'deb [signed-by=/usr/share/keyrings/sysdig-keyring.asc] https://download.sysdig.com/stable/deb stable-$(ARCH)/' | tee /etc/apt/sources.list.d/sysdig.list > /dev/null
apt-get update

[kmod/legacy eBPF] Install kernel development files:
```
sudo apt-get -y install linux-headers-$(uname -r)
```
Install the Host Shield:

Install the Host Shield:
```
sudo apt-get -y install draios-agent
```
Specify the agent driver:
- To select the Universal eBPF driver (Recommended for Linux Kernel 5.8 and above):
```
cat > /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=universal_ebpf"
```
- To select the kernel module driver (Recommended for below Linux Kernel 5.8):
```
cat > /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=kmod"
```
  Note: On new installations, the kernel module driver is selected by default, and specifying it explicitly in /etc/default/dragent is optional.
- To select the legacy eBPF driver (Not Recommended):
```
cat > /etc/default/dragent <<< 'export SYSDIG_BPF_PROBE=""'
cat >> /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=legacy_ebpf"
```

Configure Host Shield dragent.yaml:

sudo bash -c 'cat > /opt/draios/etc/dragent.yaml <<EOF
customerid: <ACCESS_KEY>
collector: <COLLECTOR_URL>
collector_port: <COLLECTOR_PORT>

host_scanner:
  enabled: true
  host_fs_mount_path: /
kspm_analyzer:
  enabled: true
  host_root: /
sysdig_api_endpoint: <API_URL>
EOF'

Restart the Host Shield:

sudo service dragent restart

For CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2

Trust the Sysdig GPG key and configure the yum repository:

sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public && sudo curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo

[kmod/legacy eBPF] Install the EPEL repository:
```
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
```
This command is required only if DKMS is not available in the base distribution.
[kmod/legacy eBPF] Install the kernel development files:
```
sudo yum -y install kernel-devel-$(uname -r)
```
Install the Host Shield:
- Install the Host Shield:
```
yum -y install draios-agent
```
- Specify the Host Shield driver:
  - To select the Universal eBPF driver (Recommended for Linux Kernel 5.8 and above):
```
cat > /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=universal_ebpf"
```
  - To select the kernel module driver (Recommended for below Linux Kernel 5.8):
```
cat > /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=kmod"
```
    Note: On new installations, the kernel module driver is selected by default, and specifying it explicitly in /etc/sysconfig/dragent is optional.
  - To select the legacy eBPF driver (Not Recommended):
```
cat > /etc/sysconfig/dragent <<< 'export SYSDIG_BPF_PROBE=""'
cat >> /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=legacy_ebpf"
```
Configure Host Shield dragent.yaml:

sudo bash -c 'cat > /opt/draios/etc/dragent.yaml <<EOF
customerid: <ACCESS_KEY>
collector: <COLLECTOR_URL>
collector_port: <COLLECTOR_PORT>

host_scanner:
  enabled: true
  host_fs_mount_path: /
kspm_analyzer:
  enabled: true
  host_root: /
sysdig_api_endpoint: <API_URL>
EOF'

Start the Host Shield:

sudo systemctl enable dragent
sudo systemctl start dragent

Enable Rapid Response

The Rapid Response feature allows you to remotely execute commands on your hosts for incident response and troubleshooting. This feature is disabled by default.

If you want to enable Rapid Response, add the following configuration to your dragent.yaml file:

rapid_response:
  enabled: true
  password: <RR_PASSWORD>

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.