Getting Started with Container Runtime Sensor (CRS)
Qualys Container Runtime Sensor (CRS) tracks the file and process events happening in your containers which are hosted on a cluster.
- File Events: CRS monitors file events occurring on the specified file paths mentioned in the Tracing policy. CRS currently tracks five kinds of file events - Read, Open, Write, Delete, and Rename.
- Process Events: CRS monitors Process events on the host and container. It currently supports two kinds of process events - Launch and Terminate.
CRS detects events occurring inside containers and converts them to 'Open Cybersecurity Schema Framework (OCSF)' format. Then it sends the OCSF format events to the Qualys Cloud Platform.
Currently, CRS is supported only in Kubernetes environment.
Supported Architecture
Qualys CRS supports the following CPU architecture.
- x86_64 (amd64)
CRS Workflow
Refer to the steps given below to understand the workflow of Qualys Container Runtime Sensor.
Pre-requisites
The below points ensure the working of the Qualys Container Runtime Sensor.
- Helm
- The containerd, docker, or crio runtime
- kubectl
- Qualys Cluster Sensor (Soft Dependency)
- You need to have access to Qualys Cloud Platform along with the 'Container Security (CS)' and 'Container Runtime Sensor (CRS)' apps enabled to view the CRS events on the UI.
- Qualys Container Runtime Sensor uses gateway URLs to communicate with Qualys Cloud Platform. If you are using proxy configuration, you must white-list Qualys gateway URLs for the Cluster sensor to communicate with Qualys Cloud Platform.
Refer to API URLs section present on - https://www.qualys.com/platform-identification/
Default Resource Utilization
The following memory utilization should be considered to use CRS.
resources:
limits:
cpu: "100m"
memory: "1024Mi"
requests:
cpu: "50m"
memory: "250Mi"
Reference
Qualys Cluster Sensor Online Help