Vulnerability Host Scanner (Packages)

This page describes how to install the Sysdig Host Scanner on non-Kubernetes hosts, either from the Sysdig package repository or as a raw binary. The Host Scanner scans the host operating system for vulnerabilities, complementing the default runtime scanner that covers containers.

Prerequisites

Installation

RPM-Based Operating System

  1. Configure the RPM repository and Sysdig GPG key:

    sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
    sudo curl -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
  2. Install the vuln-host-scanner package:

    sudo yum install vuln-host-scanner --refresh -y

Note: On RHEL/CentOS platforms whose yum does not accept the --refresh option (it is a dnf option), use sudo yum clean expire-cache && sudo yum install vuln-host-scanner -y instead.

  3. Create the vuln-host-scanner configuration file, filling in your access key and API URL:

    cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
    SYSDIG_ACCESS_KEY=
    SYSDIG_API_URL=
    # optional
    SCAN_ON_START=true
    EOF
  4. Enable and start the vuln-host-scanner.service service:

    sudo systemctl enable --now vuln-host-scanner.service
  5. Check the logs to confirm the scanner started and is reporting to the backend:

    sudo journalctl -fu vuln-host-scanner.service

Scan for Containers

You can extend the host scanner to scan for containers such as Docker and Podman.

See Container Scanning for details.

For Other Operating Systems and Raw Binary

  1. Download the latest version of sysdig-host-scanner with:

    Intel Processor (AMD64)

    curl -LO "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/amd64/sysdig-host-scanner"
    

    ARM Processor (ARM64)

    curl -LO "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/arm64/sysdig-host-scanner"
    
  2. Verify the sha256sum before running the binary. Run the check from the directory that holds the download, because sha256sum -c looks the file up by the name recorded in the checksum file. Note that the checksum is fetched over the same HTTPS channel as the binary, so it detects a corrupted or truncated download, not a compromised download server:

    Intel Processor (AMD64)

    sha256sum -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/amd64/sysdig-host-scanner.sha256")
    

    ARM Processor (ARM64)

    sha256sum -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/arm64/sysdig-host-scanner.sha256")
    
  3. Set the executable flag on the file:

    chmod +x ./sysdig-host-scanner

    You only need to download the binary and set the executable flag once; subsequent scans reuse the same file.

  4. Scan the host by running the sysdig-host-scanner command with the two required variables filled in:

    SYSDIG_ACCESS_KEY= SYSDIG_API_URL= ./sysdig-host-scanner

Optionally, create an environment file to store the configuration and a systemd unit file to run the binary as a service. The restorecon step only applies to SELinux-enabled systems and can be skipped elsewhere. Because the env file holds your access key, keep it readable by root only (for example, chmod 600):

    sudo mv ./sysdig-host-scanner /usr/local/bin/vuln-host-scanner
    sudo restorecon -Rv /usr/local/bin/vuln-host-scanner
    sudo mkdir -p /opt/draios/etc/vuln-host-scanner/
    cat << EOF | sudo tee /opt/draios/etc/vuln-host-scanner/env
    SYSDIG_ACCESS_KEY=
    SYSDIG_API_URL=
    # optional
    SCAN_ON_START=true
    EOF
    cat << EOF | sudo tee /etc/systemd/system/vuln-host-scanner.service
    [Unit]
    Description=Sysdig Vuln Host Scanner component
    StartLimitIntervalSec=500
    StartLimitBurst=5

    [Service]
    EnvironmentFile=/opt/draios/etc/vuln-host-scanner/env
    ExecStart=/usr/local/bin/vuln-host-scanner
    Restart=on-failure
    RestartSec=5s

    [Install]
    WantedBy=multi-user.target
    EOF
    sudo systemctl daemon-reload
    sudo systemctl enable --now vuln-host-scanner.service
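The download-and-verify steps above, as one fail-closed script. This is an added example, not Sysdig's code: it maps the running CPU architecture to the amd64/arm64 paths shown on this page, fetches the binary and its checksum, and deletes both if they do not match, so a bad download can never be executed by mistake. It assumes the .sha256 file is in sha256sum format ("<hex>  sysdig-host-scanner"), which is what the page's sha256sum -c invocation relies on; the function names and the SCANNER_FETCH switch are this script's own.

```shell
#!/bin/sh
# Added example, not Sysdig's code: fetch the sysdig-host-scanner binary for the
# running CPU architecture and install it only if its published SHA-256 matches.
# The URL layout is the one shown on this page; the .sha256 file is assumed to be
# in sha256sum format ("<hex>  sysdig-host-scanner"), which is what sha256sum -c reads.
set -eu

BASE_URL="https://download.sysdig.com/scanning"

# Map `uname -m` output to the directory names used on the download server.
# Fails for architectures the page lists no binary for.
map_arch() {
    case "$1" in
        x86_64|amd64)  echo amd64 ;;
        aarch64|arm64) echo arm64 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# verify_sha256 BINARY SUMFILE: return 0 only if BINARY matches SUMFILE.
# sha256sum -c looks the file up by the name recorded in SUMFILE, so the check
# runs from the binary's own directory. A missing or empty SUMFILE fails closed.
verify_sha256() {
    binary="$1"; sumfile="$2"
    [ -s "$sumfile" ] || { echo "checksum file $sumfile missing or empty" >&2; return 1; }
    case "$sumfile" in /*) ;; *) sumfile="$PWD/$sumfile" ;; esac
    (cd "$(dirname "$binary")" && sha256sum -c "$sumfile") >/dev/null 2>&1
}

# Download binary and checksum into the current directory; on mismatch delete
# both so the unverified file is never left on disk. curl -f refuses to save an
# HTTP error page as if it were the binary.
fetch_scanner() {
    arch=$(map_arch "$(uname -m)")
    version=$(curl -fsSL "$BASE_URL/sysdig-host-scanner/latest_version.txt")
    url="$BASE_URL/bin/sysdig-host-scanner/$version/linux/$arch/sysdig-host-scanner"
    curl -fsSL -o sysdig-host-scanner "$url"
    curl -fsSL -o sysdig-host-scanner.sha256 "$url.sha256"
    if ! verify_sha256 ./sysdig-host-scanner ./sysdig-host-scanner.sha256; then
        rm -f sysdig-host-scanner sysdig-host-scanner.sha256
        echo "checksum mismatch: download discarded" >&2
        return 1
    fi
    chmod +x sysdig-host-scanner
    echo "verified sysdig-host-scanner $version ($arch)"
}

# Only touch the network when explicitly asked: SCANNER_FETCH=1 sh ./fetch-scanner.sh
if [ "${SCANNER_FETCH:-0}" = 1 ]; then
    fetch_scanner
fi
```

The checksum still comes from the same server over the same TLS connection as the binary, so this guards against corruption and truncated downloads, not against a compromised download server; pin the expected hash from a trusted source if you need that.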

Option: Scan for Containers

You can extend the host scanner to scan for containers such as Docker and Podman.

See Container Scanning for details.

Additional Configurations

You can include additional configuration options in the configuration file.

These options are added to /opt/draios/etc/vuln-host-scanner/env:

    # required
    SYSDIG_ACCESS_KEY=
    SYSDIG_API_URL=

    # optional
    # HOST_DIRS_TO_SCAN overrides the default directories:
    # /etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db
    HOST_DIRS_TO_SCAN=
    ADDITIONAL_HOST_DIRS_TO_SCAN=
    HOST_DIRS_TO_SKIP=
    # SCAN_ON_START defaults to false
    SCAN_ON_START=
    HTTP_PROXY=
    HTTPS_PROXY=
    NO_PROXY=

Kubernetes Metadata

If the node is part of an existing Kubernetes cluster and you are not using the official Helm chart, you must set the cluster name and node name yourself by adding these variables to the same env file:

    K8S_CLUSTER_NAME=
    K8S_NODE_NAME=
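A script that writes the env file described in the Additional Configurations and Kubernetes Metadata sections with restrictive permissions and validates it before the service is enabled. This is an added example, not Sysdig's code: the key names are the ones listed on this page, but the validation rules (required keys non-empty, unknown keys rejected so a typo cannot silently leave a setting unapplied, SCAN_ON_START restricted to true/false, file mode exactly 0600 because the access key is a credential) and the function names are this script's own assumptions, as are the placeholder values used in the usage below.

```shell
#!/bin/sh
# Added example, not Sysdig's code: create the vuln-host-scanner env file with
# mode 0600 (SYSDIG_ACCESS_KEY is a credential) and validate it before the
# service is enabled. Key names are the ones listed on this page; the validation
# rules are this script's own assumptions.
set -eu

REQUIRED_KEYS="SYSDIG_ACCESS_KEY SYSDIG_API_URL"
OPTIONAL_KEYS="HOST_DIRS_TO_SCAN ADDITIONAL_HOST_DIRS_TO_SCAN HOST_DIRS_TO_SKIP \
SCAN_ON_START HTTP_PROXY HTTPS_PROXY NO_PROXY K8S_CLUSTER_NAME K8S_NODE_NAME"

# env_get FILE KEY: print KEY's value (last assignment wins), empty if unset.
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_env FILE: report every problem and return 1 if there is any.
#  - required keys present and non-empty
#  - every KEY=value line uses a key the scanner documents
#  - SCAN_ON_START, if set, is true or false
#  - file mode is exactly 0600 (Linux stat; the file holds the access key)
check_env() {
    file="$1"; rc=0
    for k in $REQUIRED_KEYS; do
        [ -n "$(env_get "$file" "$k")" ] || { echo "$k is required but empty" >&2; rc=1; }
    done
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}
        case " $REQUIRED_KEYS $OPTIONAL_KEYS " in
            *" $key "*) ;;
            *) echo "unknown key: $key" >&2; rc=1 ;;
        esac
    done < "$file"
    case "$(env_get "$file" SCAN_ON_START)" in
        ''|true|false) ;;
        *) echo "SCAN_ON_START must be true or false" >&2; rc=1 ;;
    esac
    [ "$(stat -c %a "$file")" = 600 ] || { echo "$file must be mode 0600" >&2; rc=1; }
    return $rc
}

# write_env FILE KEY=value...: create the file under umask 077 so it is never
# world-readable even for an instant, fill it, then validate it.
write_env() {
    file="$1"; shift
    mkdir -p "$(dirname "$file")"
    ( umask 077; : > "$file" )
    for kv in "$@"; do printf '%s\n' "$kv" >> "$file"; done
    chmod 600 "$file"
    check_env "$file"
}
```

Usage, as root: source the script and call write_env /opt/draios/etc/vuln-host-scanner/env "SYSDIG_ACCESS_KEY=<key>" "SYSDIG_API_URL=<url>" "SCAN_ON_START=true", then run systemctl enable --now vuln-host-scanner.service only if write_env returned 0. Comments belong on their own lines because systemd's EnvironmentFile does not strip trailing comments from a value.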

Next Steps

Install the Agent using a package

Use the Host Scanner in the Sysdig Secure UI