Release 1.4.0
January 21, 2026
Qualys Container Runtime Sensor (CRS) 1.4.0 release introduces key enhancements that focus on improving event monitoring and management capabilities.
Permission, Ownership Tracking in File Events
CRS now captures file permission changes, file ownership changes, and file size truncation events in file activity details. These updates appear in the event payload under: File -> xattributes.
The samples below show the newly added fields and their paths in the event payload.
File event payload with file permission change
"xattributes": {
    "fileAttributesNew": {
        "filePermission": {
            "fileMode": 438
        }
    }
},
File event payload with file ownership change
"xattributes": {
    "fileAttributesNew": {
        "fileOwnership": {
            "fileOwner": 1000,
            "fileGroup": -1
        }
    }
},
To know more about the file event payload, refer to CRS Online Help.
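The two payload fragments above can be decoded into readable findings as follows. This is an added example, not Qualys code: the function name is hypothetical, and it assumes that fileMode is the chmod mode written as a decimal integer (438 is octal 0666) and that -1 in fileOwner or fileGroup means the ID was not changed, as in chown(2).

```python
import stat

# Assumption: fileMode is the chmod mode as a decimal integer (438 == 0o666).
# Assumption: -1 in fileOwner/fileGroup means "not changed", as in chown(2).
RISKY_BITS = {
    stat.S_ISUID: "setuid",
    stat.S_ISGID: "setgid",
    stat.S_IWOTH: "world-writable",
}


def describe_xattributes(xattributes):
    """Return readable findings for one 'xattributes' object of a file event."""
    new = xattributes.get("fileAttributesNew", {})
    findings = []

    perm = new.get("filePermission")
    if perm is not None:
        mode = stat.S_IMODE(int(perm["fileMode"]))
        symbolic = stat.filemode(mode)[1:]  # drop the file-type character
        flags = [name for bit, name in RISKY_BITS.items() if mode & bit]
        suffix = f" [{', '.join(flags)}]" if flags else ""
        findings.append(f"chmod -> {mode:04o} ({symbolic}){suffix}")

    own = new.get("fileOwnership")
    if own is not None:
        parts = []
        for label, key in (("uid", "fileOwner"), ("gid", "fileGroup")):
            value = int(own.get(key, -1))
            parts.append(f"{label} unchanged" if value == -1 else f"{label}={value}")
        findings.append("chown -> " + ", ".join(parts))

    return findings


# Values copied from the two payload fragments in the release note.
PERMISSION_CHANGE = {"fileAttributesNew": {"filePermission": {"fileMode": 438}}}
OWNERSHIP_CHANGE = {
    "fileAttributesNew": {"fileOwnership": {"fileOwner": 1000, "fileGroup": -1}}
}

if __name__ == "__main__":
    for sample in (PERMISSION_CHANGE, OWNERSHIP_CHANGE):
        for finding in describe_xattributes(sample):
            print(finding)
```

Read this way, the sample fileMode of 438 is a change to world-writable permissions, which is the kind of event a triage rule would normally surface first.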
Track 'Update Events' triggered by 'Truncate' Command
With the help of CRS, you can now track the 'update events' triggered by the 'Truncate' command. You can gain real-time visibility into 'Truncate' operations, improving security, auditability, and protection against unintended data loss in containerized workloads.
To view the file event payload with file truncate command, refer to the CRS Online Help.
File Soft-Link and Hard-Link Create Event Support (Phase 1)
CRS has introduced support for detecting 'symbolic link (sym-link)' and 'hard-link' creation.
To see whether a file event is a soft-link or a hard-link event, refer to the file/file-result->type field in the event payload.
In Phase 1, CRS supports only create events for soft-links and hard-links. Other link operations are not supported yet.
Support for Latest CRI-O Version (1.30+)
CRS now supports newer CRI-O versions; earlier CRS versions failed to fetch events with them. To support this, the global values.yaml (qualys-tc > values.yaml) has been updated.
For CRI-O setups, you must enable the CRI-O runtime in the global values.yaml and provide the CRI-O socket path. The following snippet from values.yaml shows the CRI-O runtime enabled.
# Enable cri-o runtime and its socket-path as per your setup. Default is false.
crio:
  enabled: true
  socketPath: "/var/run/crio/crio.sock"
If your setup uses the Docker or Containerd runtime, update the corresponding docker or containerd section in values.yaml instead.
Support for Kill Action in Tracing Policies
In addition to the 'audit' action, CRS now supports the 'kill' action in Tracing Policies. This allows you not only to audit or monitor events but also to terminate processes that trigger specific events.
Sample policy with 'kill' action
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: fim-policy-delete
spec:
  base-policy: file-delete
  action: kill
  monitor-paths:
    - /etc/demo
Support for Process Binary Matching Filter in Tracing Policies
You can now filter events based on the process binary that generated them. Specify the paths or the complete names of the binaries whose process events need to be filtered, using the following syntax.
Create a policy with a binary filter
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: fim-policy-create
spec:
  base-policy: file-create
  action: audit
  monitor-paths:
    - "/etc/demo"
  match-binaries:
    - operator: "In"
      values:
        - "/usr/bin/bash"
        - "/bin/bash"