Host Scanning

This doc applies only to the Vulnerability Management engine, released April 20, 2022. Make sure you are using the correct documentation: Which Scanning Engine to Use. You also need to enable it in Sysdig Labs.

A “host” is any runtime entity where you could execute the Sysdig agent, including virtual machines, Kubernetes nodes, bare metal, cloud-managed hosts such as EC2, etc.

Scanning for vulnerabilities on hosts is as important as scanning on containers, and certain standards such as NIST 800-190 require vulnerability reports on running hosts to pass compliance. Sysdig’s host scanning feature provides a unified flow with image scanning, for a smooth user experience.

Note: Having the agent installed on the hosts is not required, but is recommended. Metadata autocomplete in the filters and searches depends on the Sysdig agent.

Enable Host Scanning

Installation methods include Helm (recommended), Docker container, or non-containerized binaries.

Supported OSes and Host Types

  • Ubuntu 22.04
  • Ubuntu 20.04
  • Debian 11
  • Debian 10
  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux CoreOS
  • Amazon Linux 2
  • Flatcar Container Linux
  • Alibaba Cloud Linux (a.k.a. Aliyun Linux)
  • Google Container-Optimized OS (COS), build 89+

Currently Supported CPU Architectures

  • AMD64 (x86_64)
  • ARM (arm64)

Current Feature Limitations

  • No Risk Spotlight/In Use integration

How Long until Host Scan Results Appear in the UI?

After installation:

  • If the default parameter nodeAnalyzer.nodeAnalyzer.hostScanner.scanOnStart=true is set, then a scan will start just after the pod is ready. You can expect the results in a few minutes, ~15 min max.
  • If this parameter is not set, results will be shown ~11 hours after install
  • In all cases, scans are refreshed every 12 hours
  • Helm chart and Docker container installations behave the same

Helm Install

If you have Kubernetes, the Helm install is the preferred method.

Prerequisites

Host scanning requires Sysdig Secure SaaS to be installed with:

  • sysdig-deploy Helm chart version 1.5.0+
    • HostScanner container version 0.3.0+ (*0.3.1+ for Google COS)
    • Included by default on the helm chart version 1.5.0+, unless the user pins or modifies the defaults
  • Host scanning is installed out of the box by default with the Helm chart; you can opt out if desired.

Check Your Versions

Check the version of your sysdig-deploy Helm chart (the default namespace is sysdig-agent):

helm list -n <namespace>

Example:

helm list -n sysdig-agent
NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
sysdig-agent    sysdig-agent    5               2022-11-11 17:57:54.109917081 +0100 CET deployed        sysdig-deploy-1.5.0

For upgrade instructions, see Upgrade Helm Chart.

Opting Out

If for some reason you don’t want to use host scanning, you can opt out using the Helm chart flag:

--set nodeAnalyzer.nodeAnalyzer.hostScanner.deploy=false

Docker Container Install

If you have non-Kubernetes hosts but still want to use containers, you can deploy host scanning without Helm as follows:

docker run --detach -e HOST_FS_MOUNT_PATH=/host -e SYSDIG_ACCESS_KEY=<access-key> -e SYSDIG_API_URL=<sysdig-secure-endpoint> -e SCAN_ON_START=true -v /:/host:ro --uts=host --net=host quay.io/sysdig/vuln-host-scanner:$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)

Non-Containerized Install

The Helm chart is the recommended installation method, but if you want to scan a host without using containers at all, we also offer a standalone binary and an RPM package.

The configuration is passed via environment variables, specifically:

  • Retrieve your access key to use for SYSDIG_ACCESS_KEY=<your-access-key>
  • Check your Sysdig Secure endpoint by region to use for SYSDIG_API_URL=https://<sysdig-url>

RPM

Compatible with any host that supports the RPM package format, such as RHEL.

  1. Configure the RPM repository and Sysdig GPG key:
sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
sudo curl -s -o /etc/yum.repos.d/draios.repo http://download.sysdig.com/stable/rpm/draios.repo
  2. Install the vuln-host-scanner package:
sudo yum install vuln-host-scanner --refresh -y
  3. Create the vuln-host-scanner configuration file:
cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
SYSDIG_ACCESS_KEY=<access-key>
SYSDIG_API_URL=<api-url>
# optional
SCAN_ON_START=true
EOF
  4. Enable and start the vuln-host-scanner.service service:
sudo systemctl enable --now vuln-host-scanner.service
  5. Check the logs to confirm that everything is working as it should:
sudo journalctl -fu vuln-host-scanner.service

Raw Binary

  1. Download the latest version of sysdig-host-scanner with:

    Intel Processor (AMD64)

    curl -LO "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/amd64/sysdig-host-scanner"
    

    ARM Processor (ARM64)

    curl -LO "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/arm64/sysdig-host-scanner"
    
  2. Optionally, verify the SHA-256 checksum of the downloaded binary with:

    Intel Processor (AMD64)

    sha256sum -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/amd64/sysdig-host-scanner.sha256")
    

    ARM Processor (ARM64)

    sha256sum -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/arm64/sysdig-host-scanner.sha256")
    
  3. Set the executable flag on the file:

    chmod +x ./sysdig-host-scanner
    

    You only need to download the binary and set the executable flag once.

  4. You can scan the host by running the sysdig-host-scanner command:

    SYSDIG_ACCESS_KEY=<access-key> SYSDIG_API_URL=<api-url> ./sysdig-host-scanner
    

Optionally, create an environment file to store the configuration and a systemd unit file to run the binary as a service:

sudo mv ./sysdig-host-scanner /usr/local/bin/vuln-host-scanner
sudo restorecon -Rv /usr/local/bin/vuln-host-scanner
sudo mkdir -p /opt/draios/etc/vuln-host-scanner/

cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
SYSDIG_ACCESS_KEY=<access-key>
SYSDIG_API_URL=<api-url>
# optional
SCAN_ON_START=true
EOF

cat << EOF | sudo tee /etc/systemd/system/vuln-host-scanner.service
[Unit]
Description=Sysdig Vuln Host Scanner component

[Service]
EnvironmentFile=/opt/draios/etc/vuln-host-scanner/env
ExecStart=/usr/local/bin/vuln-host-scanner

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now vuln-host-scanner.service
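The following script is an added example, not part of the Sysdig documentation or the Sysdig tooling: it wraps steps 1 through 3 above so that the architecture path (amd64 or arm64) is picked from uname -m and the binary is only marked executable after its .sha256 file has been verified; on a mismatch the download is deleted. The URL layout and version file are the ones shown in the commands above.

```shell
#!/bin/sh
# Added example (not Sysdig's own tooling). BASE and VERSION_URL are copied from
# the download commands on this page.
BASE="https://download.sysdig.com/scanning/bin/sysdig-host-scanner"
VERSION_URL="https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt"

# Map the kernel's machine name (uname -m) to the path segment used by Sysdig.
arch_path() {
    case "${1:-$(uname -m)}" in
        x86_64|amd64)  echo amd64 ;;
        aarch64|arm64) echo arm64 ;;
        *) echo "unsupported architecture: ${1:-$(uname -m)}" >&2; return 1 ;;
    esac
}

# Build the download URL for a given version and architecture.
binary_url() {
    echo "$BASE/$1/linux/$2/sysdig-host-scanner"
}

# Compare the SHA-256 of a file with the first field of a sha256sum-style
# checksum file ("<hash>  <name>"). Returns 1 on mismatch or missing checksum.
verify_checksum() {
    expected="$(cut -d' ' -f1 "$2" 2>/dev/null)"
    actual="$(sha256sum "$1" | cut -d' ' -f1)"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Download the binary and its .sha256 file, verify, then set the executable bit.
# Nothing is made executable unless the checksum matches.
fetch_and_verify() {
    dest="${1:-./sysdig-host-scanner}"
    arch="$(arch_path)" || return 1
    version="$(curl -L -s "$VERSION_URL")" || return 1
    url="$(binary_url "$version" "$arch")"
    curl -fsSL -o "$dest" "$url" || return 1
    curl -fsSL -o "$dest.sha256" "$url.sha256" || return 1
    if ! verify_checksum "$dest" "$dest.sha256"; then
        echo "sha256 mismatch for $dest; removing the download" >&2
        rm -f "$dest" "$dest.sha256"
        return 1
    fi
    chmod +x "$dest"
}
```

Run `fetch_and_verify` in the directory where the binary should land; the remaining steps (moving it to /usr/local/bin and creating the unit file) are as shown above.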

Kubernetes Metadata:

If your node is part of an existing Kubernetes installation and you’re not using the official Helm chart, you are responsible for setting the cluster name and node name via the following environment variables:

K8S_CLUSTER_NAME
K8S_NODE_NAME

Other environment variables for the Host Scanner are listed in the chart.

Usage

Once you have deployed the host scanner in your environment, the Runtime UI will integrate the findings alongside the runtime workload results, based on an out-of-the-box Vulnerability policy.

Filter for Hosts

You can filter to find results of host scanning using the quick links in the banner at the top of the page, and/or the filter bar.

Hosts can be filtered by:

  • Kubernetes cluster name
  • Cloud account id
  • Cloud account region
  • Host Name
  • Agent tags

See also Vulnerability Policies | Runtime.

Download Reports

You can schedule and download reports for scanning done on hosts as well as containers.

See Vulnerabilities | Reporting.