Scanning Guidelines

Host Scanning

A host is any runtime entity where you could execute the Sysdig agent, including virtual machines, Kubernetes nodes, bare metal, and cloud-managed hosts such as EC2. Sysdig offers different ways to install the scan the host in your environment, including agent and agentless. Having the agent installed on the hosts is not required, but is recommended. The autocomplete feature on filters and searches depends on the Sysdig agent."

Enable Host Scanning

Agent-Based Host Scanning

You can install the agent-based host scanner in several ways:

• On a Kubernetes cluster
• On a host as a container
• As an RPM package
• As a binary application

For more information, see Installation Requirements.

Each of these methods enables the scanning of hosts.

Scanning Non-Kubernetes Containers

You can also extend the “host scanner” to scan for non-Kubernetes containers:

• On a host as a container
• As an RPM package
• As a binary application

These configurations are each described on the Non-Kubernetes Container Scanning page.

Agentless Host Scanning (Tech Preview)

You can deploy agentless vulnerability management host scanning in AWS, GCP, or Azure using the Cloud Account onboarding wizard.

Note: You can apply tags to limit the scope on VPC/instance/disk access on your infrastructure. Do it before connecting the account, as described in the Prerequisites, or later on.

See Connect Cloud Accounts for AWS, GCP, or Azure, for installation details.

See Integrations > Data Sources | Cloud Hosts to check the status of the discovered resources.

Limitations

No Risk Spotlight/In Use integration

View Scan Results in the UI

Agent-Based

• If the default parameter nodeAnalyzer.nodeAnalyzer.hostScanner.scanOnStart=true is set, then a scan will start just after the pod is ready. You can expect the results in a few minutes, ~15 minutes max.
• If this parameter is not set, results will be shown ~11 hours from installation.
• In all cases, scans are refreshed every 12 hours.
• Helm chart and Docker container installations behave the same.

Agentless

• It could take up to 15 minutes before scan results appear in Runtime.
• Scans are refreshed every 24 hours.

See Integrations > Data Sources | Cloud Hosts to check the status of the discovered resources.

Usage

Once you have deployed the host scanner in your environment, the Runtime UI will integrate the findings alongside the runtime workload results, based on an out-of-the-box Vulnerability policy.

Filter for Hosts

You can filter to find results of host scanning using the quick links in the banner at the top of the page, and/or the filter bar.

Agent-Based Result Filters

• Kubernetes cluster name
• Cloud account id
• Cloud account region
• Host Name
• Agent tags

Agentless Result Filters

• Cloud account id
• Cloud account region
• Host Name
• Cloud instance ID (text search)

See Vulnerability Policies|Runtime.

Download Reports

You can schedule and download reports for scanning done on hosts as well as containers. See Reporting for more information.

Container Scanning

To manage container vulnerabilities in your runtime environment, you can extend the Host Scanner to scan for Docker and Podman containers present within the host file system. Sysdig provides a list of vulnerabilities, policy evaluations, has-fix, and has-exploit information to help you focus on the most critical vulnerabilities in your environment.

Sysdig supports the following container scanning types :

• Kubernetes containers: The runtime scanner installed with the Sysdig agent scans for runtime vulnerabilities in Kubernetes workloads.
• Non-Kubernetes containers: To scan non-Kubernetes containers such as Docker, you can extend any of the three non-Kubernetes host scanning configurations, as described below.

This section convers non-Kubernetes container scanning. For information on Kubernetes container scanning, see Cluster Shield.

Prerequisites

• Sysdig Secure SaaS, running the Vulnerability Management engine

• Host Scanner v.0.7.0+

Supported Container Versions

• Docker Engine API Version v1.21 (introduced in Docker Engine 1.9.0) and above.
• Podman version 3.1+

Limitations

Risk Spotlight/In-Use and Reporting features are not yet supported for non-Kubernetes container scanning.

Install on a Host as a Container

To install on a host as a container:

1. Run the following Docker command to deploy the Sysdig Host Scanning container:

   docker run --detach -e HOST_FS_MOUNT_PATH=/host -e SYSDIG_ACCESS_KEY=<access-key> -e SYSDIG_API_URL=<sysdig-secure-endpoint> -e USE_COMBINED_SCANNER=true  -e SCAN_CONTAINERS_ENABLED=true -e SCAN_ON_START=true -v /:/host:ro -v /var/run:/host/var/run:ro --uts=host --net=host quay.io/sysdig/vuln-host-scanner:$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)
   

   This command downloads and starts the Sysdig Host Scanning container.

   • Replace with your agent access key, and with the URL for your Sysdig Secure endpoint by region.

   Once the container is running, the scanner begins scanning your host for vulnerabilities and providing security recommendations. You can view the results in the Sysdig Secure UI after 12 hours of installation as scans are refreshed every 12 hours.

   Container scans will be shown within 30 minutes of installation. They are refreshed four times per day if new vulnerabilities are added to Sysdig’s vulnerability database.

   By default, the host scanner attempts to connect to the following sockets:

   • Docker Unix socket /var/run/docker.sock
   • Podman Unix socket /var/run/podman.sock

2. (Optional) If you have a custom socket location, you can override it by setting a custom socket location with environment variables:

   -e DOCKER_SOCKET_PATHS=unix:///var/run/docker.sock 
   -e PODMAN_SOCKET_PATHS=unix:///var/run/podman.sock
   

Install as an RPM Package

To install as an RPM package:

1. Configure the RPM repository and Sysdig GPG key:

   sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
   sudo curl -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
   

2. Install the vuln-host-scanner package:

   sudo yum install vuln-host-scanner --refresh -y
   

Note: On RHEL/CentOS platforms, use sudo yum clean expire-cache && sudo yum install vuln-host-scanner -y

3. Create the vuln-host-scanner configuration file:

   cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
   SYSDIG_ACCESS_KEY=<access-key>
   SYSDIG_API_URL=<api-url>
   # optional
   SCAN_ON_START=true
   # container scanning options
   USE_COMBINED_SCANNER=true
   SCAN_CONTAINERS_ENABLED=true
   # optional container scanning parameters. 
   # Uncomment and provide them only if your docker / podman setup have a
   # different socket path
   # DOCKER_SOCKET_PATHS=unix:///var/run/docker.sock
   # PODMAN_SOCKET_PATHS=unix:///var/run/podman.sock
   EOF
   

4. Enable and start the vuln-host-scanner.service service:

   sudo systemctl enable --now vuln-host-scanner.service
   

5. Check logs to verify your configuration:

   sudo journalctl -fu vuln-host-scanner.service
   

Install as a Binary Application

To install your container as a binary application:

1. Download the latest version of sysdig-host-scanner with:

   Intel Processor (AMD64)

   curl -LO "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/amd64/sysdig-host-scanner"
   

   ARM Processor (ARM64)

   curl -LO "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/arm64/sysdig-host-scanner"
   

2. Optionally, you can check the sha256sum as follows:

   Intel Processor (AMD64)

   sha256sum -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/amd64/sysdig-host-scanner.sha256")
   

   ARM Processor (ARM64)

   sha256sum -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/arm64/sysdig-host-scanner.sha256")
   

3. Set the executable flag on the file:

   chmod +x ./sysdig-host-scanner
   

   You only need to download and set the executable once.

4. You can scan the host by running the sysdig-host-scanner command:

   SYSDIG_ACCESS_KEY=<access-key> SYSDIG_API_URL=<api-url> ./sysdig-host-scanner
   

Optionally, create an environment file to store the configuration and a systemd unit file to run the binary as a service:

sudo mv ./sysdig-host-scanner /usr/local/bin/vuln-host-scanner
sudo restorecon -Rv /usr/local/bin/vuln-host-scanner
sudo mkdir -p /opt/draios/etc/vuln-host-scanner/

cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
SYSDIG_ACCESS_KEY=<access-key>
SYSDIG_API_URL=<api-url>
# optional
SCAN_ON_START=true
EOF

cat << EOF | sudo tee /etc/systemd/system/vuln-host-scanner.service
[Unit]
Description=Sysdig Vuln Host Scanner component

[Service]
EnvironmentFile=/opt/draios/etc/vuln-host-scanner/env
ExecStart=/usr/local/bin/vuln-host-scanner

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now vuln-host-scanner.service

Add Custom Sockets (Optional)

By default, the host scanner attempts to connect to the following sockets:

• Docker Unix socket /var/run/docker.sock
• Podman Unix socket /var/run/podman.sock

If you have a custom socket location, you can override it by setting the following environment variables:

-e DOCKER_SOCKET_PATHS=unix:///var/run/docker.sock 
-e PODMAN_SOCKET_PATHS=unix:///var/run/podman.sock

as follows:

SYSDIG_ACCESS_KEY=<access-key> SYSDIG_API_URL=<api-url> USE_COMBINED_SCANNER=true SCAN_CONTAINERS_ENABLED=true DOCKER_SOCKET_PATHS=unix:///var/run/docker.sock PODMAN_SOCKET_PATHS=unix:///var/run/podman.sock ./sysdig-host-scanner

Environment File

If you are creating the environment file to store the configuration and a systemd unit file to run the binary as a service, add the following to the /opt/draios/etc/vuln-host-scanner/env section:

\# optional container scanning parameters. 
\# Uncomment and provide them only if your docker / podman setup have a
\# different socket path
\# DOCKER_SOCKET_PATHS=unix:///var/run/docker.sock
\# PODMAN_SOCKET_PATHS=unix:///var/run/podman.sock

Container Scanning via Agentless Host Scanning

To enable container scanning through Sysdig Agentless Host Scanning:

1. Connect your cloud account with Agentless Scanning enabled. See Connect Cloud Accounts

2. Navigate to your cloud account under Cloud Accounts and locate your specific cloud provider.

3. Navigate to the individual account, select it, and enable the Container Scanning check box.