CRS CLI Commands and Options
Qualys Container Runtime Sensor (CRS) offers various options to collect file and process events in your account, categorized under 'Global' and 'CRS Specific' parameters. These options are available with Qualys TotalCloud.
Global Parameters
Container Runtime Sensor, Cluster Sensor, and Admission Controller support the following parameters regardless of the command.
| Parameter | Mandatory/Optional | Description |
|---|---|---|
| global.customerId | Mandatory | Unique customer id associated with your account. |
| global.activationId | Mandatory | Unique activation id associated with your account. |
| global.gatewayUrl | Mandatory | Specify Qualys Platform (POD) gateway URL to communicate with Qualys Enterprise TruRisk™ Platform. Specify this to use a POD which is not listed in: https://www.qualys.com/platform-identification/ |
| global.imagePullSecret | Optional | Specify to pull images from the private registry. |
| global.clusterInfoArgs.cloudProvider | Optional | Specify the name of the Cloud provider. Cloud Provider examples: AWS, GCP, AZURE, OCI, selfManagedK8S |
| global.clusterInfoArgs.AWS.arn | Mandatory | Required if the cloud provider is 'AWS'. Specify the ARN value. Example: arn:aws:eks:<region>:<accountid>:cluster/<clustername>. |
| global.clusterInfoArgs.SELF_ MANAGED_K8S.clusterName |
Mandatory | Use this to provide a cluster name. Mandatory if the Cloud Provider is 'SELF_MANAGED_K8S`. |
| global.clusterInfoArgs.AZURE.id | Mandatory | Mandatory if the cloud provider is 'AZURE'. Specify value of the id. Example: /subscriptions/<subscription_id>/resourcegroups/NK_test/providers/Microsoft.ContainerService/managedClusters/<cluster_name> |
| global.clusterInfoArgs.AZURE.region | Mandatory | Provide the value of the region. Mandatory if the cloud provider is 'AZURE'. |
| global.clusterInfoArgs.GCP.krn | Mandatory | Provide the value of the krn. Mandatory if the cloud provider is 'GCP'. Example: projects/<project_id>/locations/<region>/clusters/<cluster_name> |
| global.clusterInfoArgs.OCI.ocid | Mandatory | Specify the value of the OCID. Mandatory if the Cloud Provider is 'OCI' Example: ocid1.cluster.oc1.<REGION>.<TENANCY_OCID>.<CLUSTER_OCID> |
| global.clusterInfoArgs.OCI.clusterName | Mandatory | Use this to provide the cluster name. Mandatory if the Cloud Provider is 'OCI'. |
| global.clusterInfoArgs.SELF_MANAGED_ K8S.clusterName |
Mandatory | Use this to provide the cluster name. Mandatory if the Cloud Provider is 'SELF_MANAGED_K8S'. |
| global.rootCA.certificate | Optional | Provide a custom certificate in base64 encoded format to connect with Qualys Enterprise TruRisk™ Platform. |
| global.proxy.value | Optional | Specify the URL of the proxy server. Example: FQDN or IP address |
| global.proxy.certificate | Optional | Provide proxy certificate in base64 encoded format to connect with proxy server if required. |
| global.proxy.skipVerifyTLS | Optional | Use this to skip secure TLS verification. |
| global.openshift | Optional | Set to true, if deploying in OpenShift. Default value: false |
Container Runtime Sensor Specific Parameters
Here are the parameters specific to Container Runtime Sensor commands.
| Parameter | Mandatory/Optional | Description |
|---|---|---|
| runtimeSensor.affinity | Optional | Flag to set nodeAffinity, podAffinity, and podAntiAffinity based on the requirement. |
| runtimeSensor.enableDebugPolicy | Optional | Flag to enable/disable debug policy. Default value: false |
| runtimeSensor.enableServiceJob | Optional | Flag to enable/disable service job feature. Default value: true |
| runtimeSensor.eventGlobalRateLimit | Optional | Indicates the number of events allowed per minute per event type (network, file, process). Valid range is 10 through 500. Values < 10 will default to 10. Values > 500 will default to 500. Default value: 200 |
| runtimeSensor.hostNetwork | Optional | Specify if the container needs to use the host's network namespace. Accepted values: true/false Default value: false |
| runtimeSensor.hostProc | Optional | Flag to enable/disable mounting host/proc in the runtime sensor pod. Default value: true |
| runtimeSensor.ignoreProcess | Optional | List of comma-separated process paths whose events are to be ignored. Default value: None e.g. /usr/bin/snap |
| runtimeSensor.image | Mandatory | Specify the name of the runtime sensor image in the private or DockerHub registry. Default value: qualys/runtime-sensor:latest |
| runtimeSensor.imagePullPolicy | Optional | Pull policy for runtime sensor image. Valid values: IfNotPresent/Always/Never Default value: Always |
| runtimeSensor.logConfig.logFileSize | Optional | The file is rotated when its size exceeds. File size is in megabytes. Default value: 10 MB |
| runtimeSensor.logConfig.logLevel | Optional | Specify the log level. Valid values: debug, info, error, warn, fatal Default Value: info |
| runtimeSensor.logConfig.logPurgeCount | Optional | Maximum number of archived log files. Default value: 5 |
| runtimeSensor.nodeSelector | Optional | Flag to set nodeSelector if the runtime sensor needs to be deployed on a specific node. |
| runtimeSensor.persistentStorage.enabled | Optional | Flag to run CRS with or without persistent storage. Valid values: true/false Default value: false |
| runtimeSensor.persistentStorage.hostPath | Optional | Path of the persistent storage Default value: /usr/local/qualys/runtime-sensor/data |
| runtimeSensor.priorityClass.enabled | Optional | Set to true to enable priority and preemption on PODs. Default value: false |
| runtimeSensor.priorityClass.name | Optional | Specify the priority class name used in the runtime sensor daemonset. |
| runtimeSensor.priorityClass.value | Optional | Specify the value that determines the priority. For example, 1000000. Enter an integer less than or equal to 1 billion (1000000000). The higher the value, the higher the priority. Values are relative to the values of other priority classes in the cluster. Reserve very high numbers for system critical pods that you don't want to be preempted (removed). |
| runtimeSensor.processAllowList.enabled | Optional | Flag to run the CRS sensor with or without the allowed process list. Default value: true |
| runtimeSensor.processAllowList.value | Optional | Specify a comma-separated list of regex patterns for allowed process paths. For example, "/*/cat", "/*/(curl|wget)" Default value: Empty Valid values: "/*/(curl|wget|clang|bcc|gcc|docker|unshare|mount|kubectl|crictl|modprobe|pnscan|masscan|wpscan|nmap|zgrab| nslookup|netstat|ifconfig|ping|traceroute|route|tcpdump|python|crontab|service|sysctl|rm|nc|ip|arp)$, ^(/dev/fd/|/run/shm/|/dev/shm/)" |
| runtimeSensor.priorityClass.preemptionPolicy | Optional | Specify the preemption policy for a POD. |
| runtimeSensor.resources.limits.cpu | Optional | Specify the CPU limit of the runtime sensor container. Default value: 100m |
| runtimeSensor.resources.limits.memory | Optional | Specify the memory limit of the runtime sensor container. Default value: 1024Mi |
| runtimeSensor.resources.requests.cpu | Optional | Specify the CPU request of the runtime sensor container. Default value: 100m |
| runtimeSensor.resources.requests.memory | Optional | Specify the memory request of the runtime sensor container. Default value: 250Mi |
| runtimeSensor.tags | Optional | Provide a comma-separated list of tags, For example, "tag1,tag2" |
| runtimeSensor.tolerations | Optional | Add toleration to schedule runtime sensor with matching taints. |