Install Host Shield from a Package

This page describes how to install the Sysdig Host Shield on hosts using rpm or deb packages.

Prerequisites

System Requirements

  • A supported distribution or Kubernetes platform

  • Port 6443 open for outbound traffic

    The Host Shield communicates with the collector on port 6443. If you’re using a firewall, make sure to open port 6443 for outbound traffic so that the Host Shield can communicate with the collector.

  • Allow traffic on port 12000 to communicate within the cluster for Kubernetes Security Posture Management (KSPM).

Kubernetes Platforms

The supported Kubernetes platforms are:

  • Kubernetes (Vanilla)

  • Amazon Elastic Kubernetes Service (EKS)

    Note: AWS Fargate is not supported on EKS

  • Google Kubernetes Engine (GKE)

  • Azure Kubernetes Service (AKS)

  • Red Hat OpenShift

  • IBM Kubernetes Service (IKS)

  • RKE Government (RKE2)

Linux Distributions

The supported Linux distributions are:

  • Debian
  • Ubuntu 18.04 and above
  • Ubuntu (Amazon)
  • CentOS 7 and above
  • Alma Linux
  • Rocky Linux
  • Red Hat Enterprise Linux (RHEL) 7 and above
  • SuSE Linux Enterprise Server*
  • RHEL CoreOS (RHCOS)
  • Fedora
  • Fedora CoreOS
  • Linux Mint
  • Amazon Linux (Original)
  • Amazon Linux 2 (AL2)
  • Amazon Linux 2023 (AL2023)
  • Amazon Bottlerocket
  • Google Container Optimized OS (COS)
  • Oracle Linux (UEH)
  • Oracle Linux (RHCK)
  • Azure Linux (CBL-Mariner)
  • EulerOS
  • ArchLinux
  • Alpine Linux 3.20 and above

We may support additional Linux distributions depending on the feature required. For more details, contact Sysdig Support.

CPU Architectures

The supported CPU architectures are:

  • X86
  • ARM
  • ppc64le (IBM Power)
  • s390x (zLinux)

Migrate to Host Shield

You can enable additional features such as Host Scanning, Host Security Posture Management, and Rapid Response directly from the package configuration.

Package Reference

Driver                     Main Package               Dependency Packages
kmod (compatibility mode)  draios-agent               draios-agent-slim, draios-agent-kmodule
kmod (recommended)         draios-agent-kmodule       draios-agent-slim
legacy_ebpf                draios-agent-legacy-ebpf   draios-agent-slim
universal_ebpf             draios-agent-slim

Debian and Ubuntu

  1. Trust the Sysdig GNU Privacy Guard (GPG) key, configure the apt repository, and update the package list by running the following commands:

    curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public -o /usr/share/keyrings/sysdig-keyring.asc
    echo 'deb [signed-by=/usr/share/keyrings/sysdig-keyring.asc] https://download.sysdig.com/stable/deb stable-$(ARCH)/' | tee /etc/apt/sources.list.d/sysdig.list > /dev/null
    apt-get update
    
  2. [kmod/legacy eBPF] Install kernel development files:

    sudo apt-get -y install linux-headers-$(uname -r)
    
  3. Install the Host Shield:

    sudo apt-get -y install draios-agent
    
  4. Specify the agent driver:
    • To select the Universal eBPF driver (Recommended for Linux Kernel 5.8 and above):

      cat > /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=universal_ebpf"
      
    • To select the kernel module driver (Recommended for below Linux Kernel 5.8):

      cat > /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=kmod"
      

      Note: On new installations, the kernel module driver is selected by default, and specifying it explicitly in /etc/default/dragent is optional.

    • To select the legacy eBPF driver (Not Recommended):

      cat > /etc/default/dragent <<< 'export SYSDIG_BPF_PROBE=""'
      cat >> /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=legacy_ebpf"
      
  5. Configure Host Shield dragent.yaml: Collect the following information associated with your private registry:
  • Access Key.

  • Collector URL.

  • Collector Port.

  • Sysdig Secure API Endpoint.

    sudo bash -c 'cat > /opt/draios/etc/dragent.yaml <<EOF
    customerid: <ACCESS_KEY>
    collector: <COLLECTOR_URL>
    collector_port: <COLLECTOR_PORT>
    
    host_scanner:
      enabled: true
      host_fs_mount_path: /
    kspm_analyzer:
      enabled: true
      host_root: /
    features:
      respond:
        response_actions:
          enabled: true
    sysdig_api_endpoint: <SECURE_API_ENDPOINT>
    EOF'
    
  6. Restart the Host Shield:

    sudo service dragent restart

For CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2

  1. Trust the Sysdig GPG key and configure the yum repository:

    sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public && sudo curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
    
  2. [kmod/legacy eBPF] Install the EPEL repository:

    sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    

    This command is required only if DKMS is not available in the base distribution.

  3. [kmod/legacy eBPF] Install the kernel development files:

    sudo yum -y install kernel-devel-$(uname -r)
    
  4. Install the Host Shield:

    • Install the Host Shield:
      yum -y install draios-agent
      
    • Specify the Host Shield driver:
      • To select the Universal eBPF driver (Recommended for Linux Kernel 5.8 and above):

        cat > /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=universal_ebpf"
        
      • To select the kernel module driver (Recommended for below Linux Kernel 5.8):

        cat > /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=kmod"
        

        Note: On new installations, the kernel module driver is selected by default, and specifying it explicitly in /etc/sysconfig/dragent is optional.

      • To select the legacy eBPF driver (Not Recommended):

        cat > /etc/sysconfig/dragent <<< 'export SYSDIG_BPF_PROBE=""'
        cat >> /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=legacy_ebpf"
        
  5. Configure Host Shield dragent.yaml: Collect the following information associated with your private registry:

  • Access Key.

  • Collector URL.

  • Collector Port.

  • Sysdig Secure API Endpoint.

    sudo bash -c 'cat > /opt/draios/etc/dragent.yaml <<EOF
    customerid: <ACCESS_KEY>
    collector: <COLLECTOR_URL>
    collector_port: <COLLECTOR_PORT>
    
    host_scanner:
      enabled: true
      host_fs_mount_path: /
    kspm_analyzer:
      enabled: true
      host_root: /
    features:
      respond:
        response_actions:
          enabled: true
    sysdig_api_endpoint: <SECURE_API_ENDPOINT>
    EOF'
    
  6. Start the Host Shield:

    sudo systemctl enable dragent
    sudo systemctl start dragent
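
The driver guidance in both procedures above (Universal eBPF for kernel 5.8 and above, the kernel module below that, and kmod as the default when nothing is set) can be checked per host. The script below is an added example, not Sysdig code; the function names recommend_driver, configured_driver and audit_driver are hypothetical.

```shell
#!/bin/sh
# Added example, not Sysdig code. All function names are hypothetical.

# Print the driver this page recommends for a kernel release string:
# universal_ebpf for 5.8 and above, kmod below. Returns 2 if unparsable.
recommend_driver() (
    major=${1%%.*}           # text before the first dot
    rest=${1#*.}             # text after the first dot
    minor=${rest%%[!0-9]*}   # its leading digits; drops "-generic", ".el8", ...
    case "$1" in *.*) ;; *) minor= ;; esac
    case "$major" in '' | *[!0-9]*) minor= ;; esac
    if [ -z "$minor" ]; then
        echo "unparsable kernel release: $1" >&2
        return 2
    fi
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }; then
        echo universal_ebpf
    else
        echo kmod
    fi
)

# Print the driver set in an environment file (/etc/default/dragent or
# /etc/sysconfig/dragent). The last assignment wins; a missing file or
# setting means kmod, the default on new installations per this page.
configured_driver() (
    value=
    if [ -r "$1" ]; then
        value=$(sed -n 's/^ *\(export  *\)*SYSDIG_AGENT_DRIVER=//p' "$1" |
            tail -n 1 | tr -d "\"' ")
    fi
    echo "${value:-kmod}"
)

# audit_driver ENV_FILE KERNEL_RELEASE: 0 = matches guidance, 1 = mismatch.
audit_driver() (
    want=$(recommend_driver "$2") || return 2
    have=$(configured_driver "$1")
    if [ "$have" = "$want" ]; then
        echo "OK: driver=$have kernel=$2"
    else
        echo "MISMATCH: configured=$have recommended=$want kernel=$2"
        return 1
    fi
)

# Audit this host when an environment file is given as the first argument.
if [ $# -ge 1 ]; then audit_driver "$1" "$(uname -r)"; fi
```

A MISMATCH line also surfaces hosts still on legacy_ebpf, which this page marks as not recommended.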
    

Enable Rapid Response

Rapid Response lets you remotely execute commands on your hosts for incident response and troubleshooting. This feature is disabled by default.

If you want to enable Rapid Response, add the following configuration to your dragent.yaml file:

    rapid_response:
      enabled: true
      password: <RR_PASSWORD>

Later, you can use the password you set up here to start Rapid Response.
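
Because dragent.yaml holds the access key and, once Rapid Response is enabled, a password that permits remote command execution, it is worth checking the file after writing it. The script below is an added example, not Sysdig code; audit_dragent_yaml is a hypothetical helper, and owner-only file permissions are an assumption of this example rather than a requirement stated on this page.

```shell
#!/bin/sh
# Added example, not Sysdig code. audit_dragent_yaml is a hypothetical helper.
# Assumption: the file should be accessible by its owner only, because it holds
# the access key (customerid) and, if set, the Rapid Response password.

# audit_dragent_yaml FILE: print one finding per line; return 1 if any FAIL.
audit_dragent_yaml() (
    file=$1
    failed=0
    fail() { echo "FAIL $1"; failed=1; }

    [ -r "$file" ] || { echo "FAIL unreadable: $file"; return 1; }

    # Template placeholders such as <ACCESS_KEY> that were never filled in.
    left=$(grep -Eo '<[A-Z_]+>' "$file" | sort -u | tr '\n' ' ')
    [ -z "$left" ] || fail "placeholder: $left"

    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$file" | cut -c1-10)
    case $mode in
        ????------) ;;
        *) fail "permissions: $mode grants access beyond the owner" ;;
    esac

    # Read enabled/password from the top-level rapid_response block only.
    rr=$(awk '
        /^[^ #]/ { in_rr = ($1 == "rapid_response:") }
        in_rr && $1 == "enabled:"  { enabled = $2 }
        in_rr && $1 == "password:" { password = $2 }
        END { print enabled ":" password }' "$file")
    case $rr in
        true:)  fail "rapid_response: enabled with an empty password" ;;
        true:*) echo "INFO rapid_response: remote command execution is enabled" ;;
    esac

    return "$failed"
)
```

Call it as `audit_dragent_yaml /opt/draios/etc/dragent.yaml` after sourcing the file; the INFO line is a reminder that the feature is disabled by default and was turned on deliberately.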