Release 1.3.0

October 14, 2025

The Qualys Container Runtime Sensor (CRS) 1.3.0 release focuses on improving event monitoring and management capabilities. It introduces the following features.

Optional Cilium Policy Loading

CRS has introduced an option to enable or disable Cilium policy loading through Helm configuration, providing a debug mode and flexibility for diverse Kubernetes environments.

Support for File Create Events

CRS now supports file creation events using FIM policies. This allows monitoring of critical directories for new file creation, helping detect unauthorized or suspicious changes. A tracing policy example of file creation is shown below.

fim_create.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: fim-policy-create
spec:
  base-policy: file-create
  action: audit
  monitor-paths:
  - "/etc/demo"
  - "/etc/"

Threat Detection Rules for Containers

CRS now enables advanced threat detection by analyzing process behavior and binary characteristics. To achieve this, it collects binary properties—privilege changes—from process events. 

With the new runtime process Threat Detection Rules, Qualys Container Security now flags and correlates critical container-based threats, such as:

  • Container escapes
  • Privilege escalation attempts
  • Malicious process and IP communications 

With this enhancement, Container Security can detect and stop advanced runtime attacks before they spread across your Kubernetes environment.

TCP Connection Event Monitoring through Network Policy 

With this release, CRS has added support for network policies using mini-CRD, including TCP connection monitoring. This enhancement provides fine-grained control over network activity. CRS can now capture 'tcp_connect' requests and generate events when a policy is applied. An example network tracing policy that collects tcp-open network events is shown below.

net-policy-tcp-open.yaml
apiVersion: qualys.com/v1
kind: RuntimePolicy
metadata:
  name: net-policy-tcp-open
spec:
  base-policy: net-tcp-open
  action: audit
  skip-dest-ips:
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"
    - "127.0.0.0/8"

Apart from skip-dest-ips, the following kinds of filters can be applied:

  • IP-based:
    • monitor-dest-ips: Monitor the given destination IP addresses
    • monitor-src-ips: Monitor the given source IP addresses
    • skip-src-ips: Skip the given source IP addresses
  • Port-based:
    • monitor-dest-ports: Monitor the given destination ports
    • monitor-src-ports: Monitor the given source ports
    • skip-dest-ports: Skip the given destination ports
    • skip-src-ports: Skip the given source ports


Currently, the following limitations apply:

  • CRS supports only numeric IPs. It does not support FQDN.
  • IPv6 is not supported.
  • IP addresses can be given either as a single IP, for example '192.168.11.1', or as an IP range in CIDR format, for example '192.168.1.1/16'.
  • Ports can be given as a string, for example '344'.

Optimization in Process Exit Event 

The eBPF agent now filters out process-exit events unless the exit status indicates failure.
This enhancement reduces resource consumption by eliminating events for processes that exited successfully, improving performance and clarity in event logs.

Optimized eBPF Agent

CRS has optimized the eBPF-agent to reduce resource consumption. Due to this enhancement, the CPU and memory usage are reduced, improving sensor efficiency and scalability.

Rate Limiting for Network Events

Network policies now support rate limiting using:

  • rate-limit: Time window to suppress repeated events (default: 1m)
  • rate-limit-scope: Scope of rate limiting (process or pod)

This prevents event flooding and improves signal-to-noise ratio, especially in high-traffic environments.

Both options are set in the network policy, as in the following example.


net-policy-tcp-open.yaml
apiVersion: qualys.com/v1
kind: RuntimePolicy
metadata:
  name: net-policy-tcp-open
spec:
  base-policy: net-tcp-open
  action: audit
  rate-limit: "1m"
  rate-limit-scope: "pod"
  skip-dest-ips:
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"
    - "127.0.0.0/8"


You can set the rate-limit in seconds, minutes, or hours.
For example, 5 seconds = 5s, 10 minutes = 10m, 1 hour = 1h
To disable the rate limiting, set rate-limit: 0s.

The valid options for rate-limit-scope are 'pod' and 'process'.
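The filter and rate-limit constraints stated above can be checked before a policy is applied. The following Python linter is an added example, not part of CRS or Qualys tooling. It assumes the policy's spec has already been parsed into a dict, that every filter key takes a list, and that rate-limit is a single integer followed by s, m or h.

```python
import ipaddress
import re

# Filter keys named on this page. Assumption: each one takes a YAML list.
IP_KEYS = ("monitor-dest-ips", "monitor-src-ips", "skip-dest-ips", "skip-src-ips")
PORT_KEYS = ("monitor-dest-ports", "monitor-src-ports",
             "skip-dest-ports", "skip-src-ports")
# Assumption: one integer plus a unit, as in the page's 5s, 10m, 1h and 0s.
RATE_LIMIT = re.compile(r"[0-9]+[smh]")
PORT = re.compile(r"[0-9]{1,5}")


def lint_spec(spec):
    """Return findings for the `spec` mapping of a parsed network policy."""
    findings = []
    for key in IP_KEYS:
        for value in spec.get(key, []):
            try:
                # strict=False: the page's sample '192.168.1.1/16' has host bits set.
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"{key}: {value!r} is not a numeric IP or CIDR")
                continue
            if net.version == 6:
                findings.append(f"{key}: {value!r} is IPv6, which is unsupported")
    for key in PORT_KEYS:
        for value in spec.get(key, []):
            if not isinstance(value, str):
                findings.append(f"{key}: {value!r} is not a string; quote it")
            elif not (PORT.fullmatch(value) and 1 <= int(value) <= 65535):
                findings.append(f"{key}: {value!r} is not a port in 1-65535")
    rate = spec.get("rate-limit")
    if rate is not None and not (isinstance(rate, str) and RATE_LIMIT.fullmatch(rate)):
        findings.append(f"rate-limit: {rate!r} is not of the form 5s, 10m or 1h")
    scope = spec.get("rate-limit-scope")
    if scope is not None and scope not in ("pod", "process"):
        findings.append(f"rate-limit-scope: {scope!r} must be 'pod' or 'process'")
    return findings


# Constructed sample: a spec that breaks each constraint once.
BAD_SPEC = {
    "monitor-dest-ips": ["example.com", "2001:db8::/32", "192.168.1.1/16"],
    "monitor-dest-ports": [443, "344", "70000"],
    "rate-limit": "90",
    "rate-limit-scope": "node",
}

if __name__ == "__main__":
    for finding in lint_spec(BAD_SPEC):
        print(finding)
```

An FQDN or IPv6 entry in a monitor list would otherwise leave that destination unmonitored without any obvious error, so running a check like this in CI catches coverage gaps early.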

Issues Addressed

The following issues have been fixed with this release:

Category | Issue
eBPF Agent | Fixed the eBPF-Agent retry mechanism, which failed after the agent process terminated; the fix ensures continuous agent recovery.
File event | Fixed incorrect and inconsistent categorization of file creation events, improving FIM (File Integrity Monitoring) data reliability.
CRS Pod | Addressed an issue where deleting the CRS sensor pod caused existing runtime policies to stop triggering file events.
CRS Upgrade using Helm | Resolved Helm upgrade failures caused by existing net-policy-tcp-open RuntimePolicy CRDs, ensuring smooth upgrade workflows.
Exit Event Status code | Fixed missing exit_code or status fields in process exit events to ensure complete and accurate event payloads.

 

To learn more about Container Runtime Sensor, refer to CRS Online Help.