CRS CLI Commands and Options

Qualys Container Runtime Sensor (CRS) offers various options to collect file and process events in your account, categorized under 'Global' and 'CRS Specific' parameters. These options are available with Qualys TotalCloud. 

Global Parameters 

Container Runtime Sensor, Cluster Sensor, and Admission Controller support the following parameters regardless of the command.

Parameter Mandatory/Optional Description
global.customerId Mandatory Unique customer id associated with your account.
global.activationId Mandatory Unique activation id associated with your account.
global.gatewayUrl Mandatory Specify Qualys Platform (POD) gateway URL to communicate with Qualys Enterprise TruRisk™ Platform
Specify this to use a POD which is not listed in: https://www.qualys.com/platform-identification/
global.imagePullSecret Optional Specify to pull images from the private registry.
global.clusterInfoArgs.cloudProvider Optional Specify the name of the Cloud provider.
Cloud Provider examples:
AWS, GCP, AZURE, OCI, selfManagedK8S
global.clusterInfoArgs.AWS.arn Mandatory Required if the cloud provider is 'AWS'. Specify the ARN value.
Example: arn:aws:eks:<region>:<accountid>:cluster/<clustername>.
global.clusterInfoArgs.SELF_
MANAGED_K8S.clusterName
Mandatory Use this to provide a cluster name.
Mandatory if the Cloud Provider is 'SELF_MANAGED_K8S`.
global.clusterInfoArgs.AZURE.id Mandatory Mandatory if the cloud provider is 'AZURE'. Specify value of the id.
Example: 
/subscriptions/<subscription_id>/resourcegroups/NK_test/providers/Microsoft.ContainerService/managedClusters/<cluster_name>
global.clusterInfoArgs.AZURE.region Mandatory Provide the value of the region. Mandatory if the cloud provider is 'AZURE'.
global.clusterInfoArgs.GCP.krn Mandatory Provide the value of the krn. Mandatory if the cloud provider is 'GCP'.
Example:
projects/<project_id>/locations/<region>/clusters/<cluster_name>
global.clusterInfoArgs.OCI.ocid Mandatory Specify the value of the OCID.
Mandatory if the Cloud Provider is 'OCI'
Example: ocid1.cluster.oc1.<REGION>.<TENANCY_OCID>.<CLUSTER_OCID>
global.clusterInfoArgs.OCI.clusterName Mandatory Use this to provide the cluster name.
Mandatory if the Cloud Provider is 'OCI'.
global.clusterInfoArgs.SELF_MANAGED_
K8S.clusterName
Mandatory     Use this to provide the cluster name. Mandatory if the Cloud Provider is 'SELF_MANAGED_K8S'.
global.rootCA.certificate Optional Provide a custom certificate in base64 encoded format to connect with Qualys Enterprise TruRisk™ Platform.
global.proxy.value Optional Specify the URL of the proxy server.
Example: FQDN or IP address
global.proxy.certificate Optional Provide proxy certificate in base64 encoded format to connect with proxy server if required.
global.proxy.skipVerifyTLS     Optional     Use this to skip secure TLS verification.
global.openshift  Optional Set to true, if deploying in OpenShift.
Default value: false

Container Runtime Sensor Specific Parameters

Here are the parameters specific to Container Runtime Sensor commands. 

Parameter Mandatory/Optional Description
runtimeSensor.affinity Optional Flag to set nodeAffinity, podAffinity, and podAntiAffinity based on the requirement.
runtimeSensor.enableDebugPolicy Optional Flag to enable/disable debug policy.
Default value: false
runtimeSensor.enableServiceJob Optional Flag to enable/disable service job feature.
Default value: true
runtimeSensor.eventGlobalRateLimit Optional Indicates the number of events allowed per minute per event type (network, file, process).
Valid range is 10 through 500.
Values < 10 will default to 10. Values > 500 will default to 500.
Default value: 200
runtimeSensor.hostNetwork Optional Specify if the container needs to use the host's network namespace.
Accepted values: true/false
Default value: false
runtimeSensor.hostProc Optional Flag to enable/disable mounting host/proc in the runtime sensor pod.
Default value: true
runtimeSensor.ignoreProcess Optional List of comma-separated process paths whose events are to be ignored.
Default value: None
e.g. /usr/bin/snap
runtimeSensor.image Mandatory Specify the name of the runtime sensor image in the private or DockerHub registry.
Default value: qualys/runtime-sensor:latest
runtimeSensor.imagePullPolicy Optional Pull policy for runtime sensor image.
Valid values: IfNotPresent/Always/Never
Default value: Always
runtimeSensor.logConfig.logFileSize Optional The file is rotated when its size exceeds. File size is in megabytes.
Default value: 10 MB
runtimeSensor.logConfig.logLevel Optional Specify the log level.
Valid values: debug, info, error, warn, fatal 
Default Value: info
runtimeSensor.logConfig.logPurgeCount Optional Maximum number of archived log files.
Default value: 5
runtimeSensor.nodeSelector Optional Flag to set nodeSelector if the runtime sensor needs to be deployed on a specific node.
runtimeSensor.persistentStorage.enabled Optional Flag to run CRS with or without persistent storage.
Valid values: true/false
Default value: false
runtimeSensor.persistentStorage.hostPath Optional Path of the persistent storage
Default value: /usr/local/qualys/runtime-sensor/data
runtimeSensor.priorityClass.enabled Optional Set to true to enable priority and preemption on PODs.
Default value: false
runtimeSensor.priorityClass.name Optional Specify the priority class name used in the runtime sensor daemonset.
runtimeSensor.priorityClass.value Optional Specify the value that determines the priority.
For example, 1000000.
Enter an integer less than or equal to 1 billion (1000000000). The higher the value, the higher the priority.
Values are relative to the values of other priority classes in the cluster.
Reserve very high numbers for system critical pods that you don't want to be preempted (removed).
runtimeSensor.processAllowList.enabled Optional Flag to run the CRS sensor with or without the allowed process list.
Default value: true
runtimeSensor.processAllowList.value Optional Specify a comma-separated list of regex patterns for allowed process paths.
For example, "/*/cat", "/*/(curl|wget)"
Default value: Empty
Valid values: 
"/*/(curl|wget|clang|bcc|gcc|docker|unshare|mount|kubectl|crictl|modprobe|pnscan|masscan|wpscan|nmap|zgrab|
nslookup|netstat|ifconfig|ping|traceroute|route|tcpdump|python|crontab|service|sysctl|rm|nc|ip|arp)$,
^(/dev/fd/|/run/shm/|/dev/shm/)"
runtimeSensor.priorityClass.preemptionPolicy Optional Specify the preemption policy for a POD.
runtimeSensor.resources.limits.cpu Optional Specify the CPU limit of the runtime sensor container.
Default value: 100m 
runtimeSensor.resources.limits.memory Optional Specify the memory limit of the runtime sensor container.
Default value: 1024Mi
runtimeSensor.resources.requests.cpu Optional Specify the CPU request of the runtime sensor container.
Default value: 100m 
runtimeSensor.resources.requests.memory Optional Specify the memory request of the runtime sensor container.
Default value: 250Mi
runtimeSensor.tags Optional Provide a comma-separated list of tags,
For example,  "tag1,tag2"
runtimeSensor.tolerations Optional Add toleration to schedule runtime sensor with matching taints.