Getting Started with Container Runtime Sensor (CRS)

Qualys Container Runtime Sensor (CRS) tracks the file, process, and network events happening in your containers which are hosted on a cluster. 

  1. File Events: CRS monitors file events occurring on the specified file paths mentioned in the Tracing policy. CRS currently tracks five kinds of file events - Read, Open, Write, Delete, and Rename
  2. Process Events: CRS monitors Process events on the host and container. It currently supports two kinds of process events - Launch and Terminate.
  3. Network Events: CRS monitors network events. It currently capture tcp_connect requests and generate evnets when policy is applied.

CRS detects events occurring inside containers and converts them to 'Open Cybersecurity Schema Framework (OCSF)' format. Then it sends the OCSF format events to the Qualys Enterprise TruRisk™ Platform.

Currently, CRS is supported only in Kubernetes environment.

Supported Architecture

Qualys CRS supports the following CPU architecture.

  • x86_64 (amd64)
  • ARM64 (aarch64)

CRS Workflow

Refer to the steps given below to understand the workflow of Qualys Container Runtime Sensor.

  1. Pre-requisites
  2. Getting CRS Image
  3. Installing & Uninstalling Container Runtime Sensor
  4. CRS Output

Pre-requisites

The following points ensure the working of the Qualys Container Runtime Sensor.

  • Helm - You can use this to install the CRS, and also to configure the Process Allowlist. 
  • The containerd, docker, or cri-o runtime
  • kubectl
  • Qualys Cluster Sensor (Soft Dependency)
  • You need to have access to Qualys Enterprise TruRisk™ Platform along with the 'Container Security (CS)' module and 'Container Runtime Sensor (CRS)' enabled to view the CRS events on the Qualys Enterprise TruRisk™ Platform
  • Qualys Container Runtime Sensor uses gateway URLs to communicate with Qualys Enterprise TruRisk™ Platform. If you are using proxy configuration, you must white-list Qualys gateway URLs for the Cluster sensor to communicate with Qualys Enterprise TruRisk™ Platform.
    Refer to API URLs section present on - https://www.qualys.com/platform-identification/

Default Resource Utilization

The following memory utilization should be considered to use CRS.

resources:
     limits:
         cpu: "100m"
         memory: "1024Mi"
     requests:
         cpu: "50m"
         memory: "250Mi"

References

Qualys Cluster Sensor Online Help

Qualys Container Security Online Help