Installing an IBM Storage Defender sensor

You can install the sensor on one or more systems by using the CLI of the sensor control node.

Before you begin

Procedure

To install an IBM® Storage Defender® sensor on one or multiple systems, complete the following steps:
  1. Log in to the system that you use as a sensor control node.
  2. Switch to the working directory of the sensor control software.
    Remember: This directory is the same directory that you specified to download and install the sensor control software.
  3. Create an inventory file that contains the FQDN of all systems that you want to equip with a sensor.
    Note: To install a sensor, you must have passwordless sudo access.
    1. Edit the /etc/ansible/hosts file.
      Tip: You can use a different file to build the inventory. If you use a different file for the inventory, specify the argument -i /your-directory/your-file in the ansible-playbook command in the next step.
    2. Add the FQDN of all systems that you want to equip. Add one per line under the tag [defender_sensor_hosts].
      Tip: Use the following template (in INI format) that includes the FQDNs of the IBM Storage Defender sensor hosts in the /etc/ansible/hosts file or alternative Ansible hosts inventory file.
      [defender_sensor_hosts]
      <FQDN1>
      <FQDN2>
      <FQDN3>
      
      [defender_sensor_hosts:vars]
      ansible_ssh_common_args='-o StrictHostKeyChecking=no'
      ansible_connection=ssh
      ansible_ssh_pass=<ssh password>
      ansible_ssh_user=<ssh username>
      Tip: If you are using an existing inventory file in YAML format, you can extend the inventory file by adding a defender_sensor_hosts group.
      all:
        vars:
          ansible_connection: ssh
          ansible_ssh_user: <ssh username>
          ansible_ssh_pass: <ssh password>
          ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
        children:
          defender_sensor_hosts:
            hosts:
              <FQDN1>:
              <FQDN2>:
              <FQDN3>:
  4. Run the ansible-playbook sensor_install.yml --ask-vault-pass [-i <path_to_alternative_inventory_file>] command. Press return.
  5. Enter the Ansible vault password that you defined when you installed the sensor control node software, and then press return.
    Note: If you want to prevent saving passwords in the hosts file, you can use the arguments --ask-pass --ask-become-pass to provide the SSH password and sudo password while running the ansible-playbook command.
    Note: Alternatively, you can store credentials in the Ansible vault and reference them from the inventory file. Run the ansible-vault command to edit the file:
    ansible-vault edit sensor_common/vars/secure.yml
    Add credentials for the target VMs:
    # VM1 credentials
    vm1_user: <ssh username>
    vm1_password: <ssh password>
    # VM2 credentials
    vm2_user: <ssh username>
    vm2_password: <ssh password>
    Create an inventory file:
    all:
      vars:
        ansible_connection: ssh
        ansible_ssh_common_args: '-o StrictHostKeyChecking=no'

    defender_sensor_hosts:
      hosts:
        vm1:
          ansible_host: <FQDN1>
          # Reference to variables in secure.yml
          ansible_user: "{{ lookup('file', 'sensor_common/vars/secure.yml') | from_yaml | json_query('vm1_user') }}"
          ansible_password: "{{ lookup('file', 'sensor_common/vars/secure.yml') | from_yaml | json_query('vm1_password') }}"
        vm2:
          ansible_host: <FQDN2>
          # Reference to variables in secure.yml
          ansible_user: "{{ lookup('file', 'sensor_common/vars/secure.yml') | from_yaml | json_query('vm2_user') }}"
          ansible_password: "{{ lookup('file', 'sensor_common/vars/secure.yml') | from_yaml | json_query('vm2_password') }}"
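
An added pre-flight check, not part of the IBM documentation, that scans an inventory in either layout shown in this procedure for literal passwords and for the StrictHostKeyChecking=no setting used in the templates, which makes SSH skip host key verification. The function name, rule identifiers, and sample host names and values are assumptions made for this example.

```python
import re
import sys

# Standard Ansible connection/become variables that hold a password.
PASSWORD_VAR = re.compile(
    r"\b(ansible_(?:ssh_pass|password|become_pass|become_password))\s*[:=]\s*(\S+)")
HOSTKEY_OFF = re.compile(r"StrictHostKeyChecking[=\s]+no\b", re.IGNORECASE)

RULES = {  # rule ids are names chosen for this example
    "plaintext-password": "literal password in inventory; use --ask-pass "
                          "--ask-become-pass or an Ansible vault reference",
    "host-key-check-off": "SSH host keys are not verified, so credentials can "
                          "be sent to an impostor host",
}

# Constructed sample in the INI layout of the template above (not real hosts).
SAMPLE_INVENTORY = """\
[defender_sensor_hosts]
sensor1.example.com
sensor2.example.com

[defender_sensor_hosts:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
ansible_connection=ssh
ansible_ssh_pass=Constructed-Passw0rd
ansible_ssh_user=sensoradmin
"""

def audit_inventory(text):
    """Return [(line_number, rule_id)] for an INI or YAML Ansible inventory."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";")):
            continue  # comments carry no settings
        if HOSTKEY_OFF.search(line):
            findings.append((number, "host-key-check-off"))
        match = PASSWORD_VAR.search(line)
        if match:
            value = match.group(2).strip("'\"")
            # Jinja references and inline !vault values are not plaintext.
            if "{{" not in value and not value.startswith("!vault"):
                findings.append((number, "plaintext-password"))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INVENTORY
    for number, rule in audit_inventory(text):
        print(f"line {number}: {rule}: {RULES[rule]}")
```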

Results

After you finish the installation, the sensor automatically starts to monitor file access activities on the system. The sensor sends alert messages to the on-premises connection manager when it detects any abnormal access patterns that resemble ransomware attacks. The connection manager then forwards these alerts to the IBM Storage Defender Data Resiliency Service (DRS) through a secure connection. The sensor also periodically sends heartbeat messages to the DRS through the connection manager to indicate that the sensor is running normally.