CRS Tracing Policies 

CRS Tracing Policies are specialized configurations for the Qualys Container Runtime Sensor (CRS) that monitor and track file activities within Kubernetes clusters. By capturing specific events, these policies help detect security breaches, unauthorized file changes, and potential threats in real time. The tracing policies below are created for File Integrity Monitoring (FIM) and CRS preview mode. They ensure comprehensive visibility into containerized environments, enabling quick detection of policy violations and safeguarding against runtime threats.

Tracing Policies Examples

To see CRS and FIM Tracing Policies, refer to Appendix: Tracing Policies.

Applying Tracing Policies

Follow the steps mentioned below to apply a tracing policy.

  1. Save the YAML file of the tracing policy provided below.
  2. Use the kubectl command to apply the tracing policy in your Kubernetes cluster. 
    kubectl apply -f <policy-file>.yaml

    Example:
    kubectl apply -f file-events.yaml
  3. Check if the tracing policy has been successfully applied.
    kubectl get tracingpolicies -n <namespace>

Removing Tracing Policies

Follow the steps given below to remove the tracing policies.

  1. Use the kubectl command to remove the tracing policy from your cluster.
    kubectl delete -f <policy-file>.yaml

    Example:
    kubectl delete -f file-events.yaml
  2. Verify the removal of the policy.
    kubectl get tracingpolicies -n <namespace>

This ensures you can easily manage policies within your Kubernetes environment for optimal monitoring and security with CRS.