CRS Runtime (Tracing) Policies
CRS Runtime (Tracing) Policies are specialized configurations designed for the Qualys Container Runtime Sensor (CRS) to monitor and track file activities within Kubernetes clusters. These policies help detect security breaches, unauthorized file changes, and potential threats in real-time by capturing specific events. Below runtime policies are created for File Integrity Monitoring (FIM) and CRS preview mode, they ensure comprehensive visibility into containerized environments, enabling quick detection of policy violations and safeguarding against runtime threats.
Applying Runtime Policies
Follow the steps mentioned below to apply a Runtime policy.
- Save the YAML file of the Runtime policy provided below.
- Use the kubectl command to apply the Runtime policy in your Kubernetes cluster.
Example:kubectl apply -f <policy-file>.yamlkubectl apply -f file-events.yaml - Check if the Runtime policy has been successfully applied.
kubectl get tracingpolicies -n <namespace>
Removing Runtime Policies
Follow the steps given below to remove the Runtime policies.
- Use the kubectl command to remove the Runtime policy from your cluster.
Example:kubectl delete -f <policy-file>.yamlkubectl delete -f file-events.yaml - Verify the removal of the policy.
kubectl get tracingpolicies -n <namespace>
This ensures you can easily manage policies within your Kubernetes environment for optimal monitoring and security with CRS.
How to apply a Runtime Policy to a specific POD?
CRS Runtime policies supports pod label filters (pod selectors), allowing you to apply policies only to specific pods instead of all workloads in the cluster.
With this feature, runtime monitoring and event collection are limited to pods that match defined labels. Pods that do not match the label selector are excluded from the policy.
This enables fine-grained control over monitoring scope, helping reduce event noise and focus on critical workloads.
Steps to apply a Runtime policy to a pod.
- Define a 'podSelector' in the runtime policy.
Below is an example of Runtime policy with pod-selector.monitor-file-delete.yaml
apiVersion: qualys.com/v1 kind: RuntimePolicy metadata: name: monitor-file-delete spec: base-policy: "file-delete" action: "audit" monitor-paths: - "/etc/dave" - "/etc/john/" podSelector: matchLabels: app: "nginx" - Apply the policy.
kubectl apply -f monitor-file-delete.yaml - This policy monitors file deletion activities and applies the policy only to pods labeled:
app=nginx.
This policy ignores rest of the pods in your cluster.
Pod Label Filters (pod selectors) enable targeted runtime policy enforcement in CRS. By applying policies only to specific pods, you can reduce noise, improve detection quality, and align security monitoring with application architecture.