Container Runtime Security - Qualys


Container Runtime Security
User Guide
Version 1.8.2
March 9, 2021
Verity Confidential

Copyright 2020-2021 by Qualys, Inc. All Rights Reserved.
Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners.
Qualys, Inc.
919 E Hillsdale Blvd
4th Floor
Foster City, CA 94404
1 (650) 801 6100

Table of Contents

About this Guide
  About Qualys
  Qualys Support
About Container Runtime Security
  CRS Architecture
  CRS Deployment Workflow
Deploy the Instrumenter Service
  Option 1: Run instrumenter using docker CLI based command
  Option 2: Run docker compose file
  Option 3: Run kubernetes instrumenter.yml
  After the Instrumenter service has been deployed
  Troubleshooting the Instrumenter service
Instrument Container Images with Qualys Instrumentation
  Instrument images from the UI
  Instrument images using CLI mode
  View details for instrumented container
Configure and Apply Policies
  About Policies
  About Configurations
  Create new policies
  Manage your policies
  Set policy enforcement
  Apply policy to instrumented image
Configure Instrumentation
  Select the LogMode
  Run containers from instrumented image
  View details for instrumented container image
View Your Events
  Drill-down into event details
  View event details on dashboard
Appendix A - System Calls

About this Guide

Welcome to Qualys Container Runtime Security. CRS is a separately licensed feature in the Container Security module. It provides runtime behavior visibility and enforcement capabilities for running containers. We’ll help you get started.

About Qualys

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.

Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA). For more information, please visit www.qualys.com

Qualys Support

Qualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct email support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access online support information at www.qualys.com/support/.

About Container Runtime Security

Container Runtime Security (CRS) is a separately licensed feature in the Container Security (CS) module. It provides runtime behavior visibility and enforcement capabilities for running containers. This allows customers to address various use cases for running containers around security best practice enforcement, file access monitoring, and network access control.

CRS requires instrumentation of container images with the Qualys Container Runtime Instrumentation, which injects probes into the container image. Customers can configure instrumented images and containers with granular policies that govern container behavior and visibility. Based on these runtime enforcement policies, runtime events and telemetry can be obtained from the backend via the UI or API.

CRS is not activated by default for existing or new customers. Currently CRS is supported only for Linux OS based containers. If you are interested in this feature, please contact your Qualys Account Manager or Qualys Support.

CRS Architecture

The diagram below provides a recommended container security workflow leveraging Qualys Container Security (scanning and Container Runtime Security).

The workflow for Container Runtime Security starts with instrumentation of the target container image. Qualys provides a customer-premise Instrumenter that can be leveraged in a customer environment to instrument application containers with Qualys’ security probes. It can be run locally in CLI mode or it can be provisioned as an always running microservice backend.

Our instrumentation approach layers in an enhanced version of the glibc Linux library which provides container behavior visibility and enforcement. Application containers spun up from instrumented application container images register with the Qualys Cloud Platform and obtain runtime policies. These runtime policies and the Qualys instrumentation autonomously drive container behavior visibility and enforcement.

CRS Instrumentation

Protecting containers with Qualys CRS requires instrumentation of a container image with the Qualys Instrumentation. You have 2 options for instrumenting container images: instrument images on your local host using CLI mode, or run our Instrumenter service in the backend to instrument images that have been scanned by a registry scan job.

Instrumentation using CLI mode - This approach is used for instrumenting individual images on your local host. You’ll run the instrumenter.sh script with CLI mode enabled (CLI mode is enabled by default) and identify the image to instrument. The image must be present locally where you’re running the CLI command. You can optionally specify the runtime policy to apply to the instrumented image. When you instrument an image using this method, we’ll immediately add in our solution and create the instrumented image (appended with -layered) at the same location. One command will instrument one image only, and then it will exit as soon as instrumentation is done.

Instrumentation using the Instrumenter service - This approach is used for instrumenting images that have been scanned by a registry scan job (registry sensor). The Instrumenter service is a lightweight microservice that runs in the customer premise. The Instrumenter service is packaged and distributed to customers as a container image. This instrumenter container is meant to be run on a container host. It requires connectivity back to the Qualys backend. The backend federates instrumentation requests to this microservice. Once an image is submitted for instrumentation (via UI, API), the instrumenter inspects the image, injects the Qualys instrumentation, and provides as output a new “instrumented” version of the image. This new image is then uploaded back to the destination container registry with “-layered” appended to the tag. This workflow is coupled tightly with a registry.

Requirements

The Instrumenter service requires the following:
1) Docker engine/server and a DOCKER_HOST socket connection
2) Docker V2 registry:
   Public registries: Docker Hub
   Private registries: v2-private registry: JFrog Artifactory (secure: auth https)

Compatibility
- The Instrumenter service is able to request Qualys Container Security user credentials from Vault secret engine types: kv-v1 and kv-v2. Although supported, it is not recommended to pass credentials in plain text, unencrypted, to the Instrumenter service. More details further in this document.
- The Instrumenter container requires a Docker engine greater than 1.12.

Limitations

Please note the following limitations:
- Only certain container images are supported for instrumentation (see details below)

- Multiple Instrumenters per subscription are supported. Currently there is no visibility of Instrumenters via the UI or API.
- One Instrumenter service per docker engine/server host is supported
- Instrumentation jobs are delivered to any authenticated Instrumenter when using the Instrumenter service to instrument images

Images supported for instrumentation

Instrumentation is supported for container images with certain glibc versions. The table below shows the top images supported per operating system.

Want to know if your image is supported? Use the following script to check:
https://github.com/Qualys/qualys_crs_instrumenter/blob/master/check_if_image_instrumentable.sh

Table: images supported for instrumentation. Columns: OS version | libc/glibc version | Docker Name:Tag | Docker Image SHA (Repo Digest). Rows recoverable from the transcription: Amazon Linux with glibc-2.26 (amzn2.0.1 and amzn2.0.2 builds), CentOS 8 with glibc-2.28-72.el8, CentOS 7 with glibc-2.17-307.el7.1 and glibc-2.17-292.el7, and Debian 9 (stretch) with glibc 2.24-11. Image tags and repo digests are not reproduced here.

In-Container Instrumentation

The Qualys instrumentation consists of glibc based hooks to intercept system calls being made. CRS policies and configurations for in-container instrumentation are obtained from the Qualys Cloud backend. The CRS policies are translated into syscall firewall rules, and the in-container instrumentation provides visibility into and enforces container behavior. CRS policy events and CRS telemetry are regularly sent back to the Qualys backend where they can be viewed by API or UI.

Qualys Backend

The Qualys backend manages the end-to-end workflow of CRS, from instrumenting images to managing the policy workflow to viewing CRS telemetry and policy hits.
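Whether an image can be instrumented comes down to the glibc version it ships, which is what the check script linked above looks at. The following POSIX sh functions are an added example and are not the Qualys check_if_image_instrumentable.sh script: they parse the first line of `ldd --version` as reported from inside a container and compare the result with CRS_KNOWN_GLIBC, a placeholder list reconstructed from the table fragments on this page (the official script remains authoritative). The `docker run --entrypoint ldd` invocation in check_image is an assumption that ldd is on the image's PATH; the three constructed ldd lines in the comments are sample input, not output captured from real images.

```shell
#!/bin/sh
# Added example; not the Qualys check_if_image_instrumentable.sh script.
# CRS_KNOWN_GLIBC is a placeholder reconstructed from the table above.
CRS_KNOWN_GLIBC="2.17 2.24 2.26 2.28"

# Pull "major.minor" out of the first line of `ldd --version` output, e.g.
# "ldd (GNU libc) 2.28" or "ldd (Debian GLIBC 2.24-11+deb9u4) 2.24"
# (constructed samples). Prints nothing when the line carries no trailing
# version, which is what a musl-based image produces.
glibc_version_from_ldd() {
    printf '%s\n' "$1" |
        sed -n '1s/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\) *$/\1/p'
}

# Exit status 0 when the version appears in CRS_KNOWN_GLIBC, 1 otherwise.
glibc_supported() {
    for v in $CRS_KNOWN_GLIBC; do
        if [ "$1" = "$v" ]; then
            return 0
        fi
    done
    return 1
}

# Classify raw ldd output as supported:<ver>, unsupported:<ver> or
# unsupported:not-glibc. Kept separate from docker so it runs offline.
classify_ldd_output() {
    ver=$(glibc_version_from_ldd "$1")
    if [ -z "$ver" ]; then
        echo "unsupported:not-glibc"
    elif glibc_supported "$ver"; then
        echo "supported:$ver"
    else
        echo "unsupported:$ver"
    fi
}

# Run ldd inside a local image (needs a docker engine) and classify it.
# An image without ldd on its PATH yields no output and is reported as
# not-glibc, which is the safe default for an instrumentation decision.
check_image() {
    out=$(docker run --rm --entrypoint ldd "$1" --version 2>/dev/null || true)
    classify_ldd_output "$out"
}
```

Run `check_image java:latest` against a locally present image; the classification only says whether the glibc major.minor is in the placeholder list, so keep that list in step with the versions Qualys publishes.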

CRS Deployment Workflow

Here’s a look at the deployment workflow for Container Runtime Security.

Step 1: Instrument container images with Qualys instrumentation

You have 2 options for instrumenting images - you can instrument any image on your local host using CLI mode (see 1a), or you can run our Instrumenter service in the backend to instrument images that have been scanned by a registry scan job (see 1b). Choose the approach you want to take and follow the steps.

1a) Instrument image using CLI mode

Instrument an image on your local host. We’ll immediately add in our runtime security solution and create the instrumented image (appended with -layered) at the same location. One command will instrument one image only, and then it will exit as soon as the instrumentation is done. Tip - If you have a runtime policy ready to go, you can immediately apply the policy to the instrumented image when running the CLI command. (See Instrument images using CLI mode.)

1b) Instrument image using the Instrumenter service

To use the Instrumenter service, you’ll need to complete the following steps:

Build image, Push image to registry, and Scan with registry sensor
You’ll build the image and push it to the registry. Then scan each image you want to instrument with the registry sensor. This is required for using the Instrumenter service.

Deploy the Instrumenter service in your environment
The Instrumenter service will be used to pull down the unprotected image, package our solution into it, and then push it back to the registry as a protected image. (See Deploy the Instrumenter Service.)

Instrument container image from the UI
When using the Instrumenter service, you’ll kick off instrumentation from the UI. Identify the image you want to instrument on the Images list, and choose the Instrument option. The UI sends an instrumentation job to the deployed Instrumenter. We’ll package in our solution, and push the protected image back to the registry. Once you have the protected image, you can run the image in your runtime environment as a running container. (See Instrument images from the UI.)

Step 2: Configure policies and instrumentation

Create policies, and assign a policy to an instrumented image. You’ll also want to set the policy enforcement level (determines whether policy rules are enforced) and select the log mode (determines which policy hits get logged). (See Configure and Apply Policies, Set policy enforcement, Apply policy to instrumented image, and Configure Instrumentation.)

Step 3: Run container from instrumented image

When ready, you can spawn containers from the instrumented image. The policy applied to the instrumented image gets enforced on the container and activities are logged as per the selected log mode. (See Run containers from instrumented image.)

Step 4: View your events

Runtime events will be listed on the Events tab. Here you can search events and drill-down into event details. (See View Your Events and View event details on dashboard.)

Deploy the Instrumenter Service

You can run the Instrumenter service using any of these options:
Option 1: Run instrumenter using docker CLI based command
Option 2: Run docker compose file
Option 3: Run kubernetes instrumenter.yml

Option 1: Run instrumenter using docker CLI based command

This option lets you run the instrumenter in CLI mode (the default) for instrumenting images locally, or in Daemon mode to use the instrumenter microservice to instrument images from the registry. You can run the instrumenter with or without a vault.

1) Pull the docker CLI files from github. You can download them from https://github.com/Qualys/qualys_crs_instrumenter

2) Edit instrumenter.sh to configure specific details for proxy and vault usage. See File parameters for guidance on inputs.

3) Run the docker CLI script.

By default, the script will run in CLI mode and for this mode you must specify the endpoint and image. Policy ID is optional. Use this command to run the script:

    sh instrumenter.sh --endpoint <qualys_username>:<qualys_password>@<api_gateway_url>/crs/v1.2 --image <image> [--policyid <policy_id>]

To use the instrumenter microservice to instrument images from the registry, you must run the script in Daemon mode. Specify --daemon-mode and specify the endpoint. In this case, you do not specify the image or policy. Use this command to run the script:

    sh instrumenter.sh --endpoint <qualys_username>:<qualys_password>@<api_gateway_url>/crs/v1.2 --daemon-mode

Usage Examples

Default Example - CLI mode:
    ./instrumenter.sh --endpoint <endpoint> --image <image> [--policyid <policy_id>]

Default Example - Daemon mode:
    ./instrumenter.sh --endpoint <endpoint> --daemon-mode

Vault Example - CLI mode:
    ./instrumenter.sh --endpoint <endpoint> --vault-token <token> --vault-engine <engine version> [--vault-base64] --vault-path <vault-path> --vault-address <vault-address> --image <image> [--policyid <policy_id>]

Vault Example - Daemon mode:
    ./instrumenter.sh --endpoint <endpoint> --vault-token <token> --vault-engine <engine version> [--vault-base64] --vault-path <vault-path> --vault-address <vault-address> --daemon-mode

Proxy Example - CLI mode:
    ./instrumenter.sh --endpoint <endpoint> --proxy <proxy> --image <image> [--policyid <policy_id>]

Proxy Example - Daemon mode:
    ./instrumenter.sh --endpoint <endpoint> --proxy <proxy> --daemon-mode

Where:
<endpoint> is in the format of username:password@url if you are not using a vault. Only url is needed when you are using a vault.
<image> is the image Id (e.g. “6d9ae1a5c970”) or repository name:tag (e.g. “library/centos:centos72” or “java:latest”) for the container image you want to instrument using CLI mode. The image must be present locally where you’re running the CLI command.
<policy_id> is the policy Id (e.g. “5fd20b4321dabf0001fdc464”) for the policy you want to immediately apply to the image being instrumented using CLI mode.

Option 2: Run docker compose file

This option is for using the instrumenter microservice to instrument images from the registry. Passing QUALYS_GATEWAY_ENDPOINT is required.

    QUALYS_GATEWAY_ENDPOINT="<qualys_username>:<qualys_password>@<api_gateway_url>/crs/v1.2" docker-compose up

Note: Use this command at the directory level where the docker compose file is present.

Please edit the fields in the docker compose file and remove # to uncomment and declare the constant you would like to use. See File parameters for guidance.

    LI_MQURL: qas://${QUALYS_GATEWAY_ENDPOINT} # set the username password and qualys endpoint for instrumenter in env or directly to this file

    ###### VAULT CONFIG (Change these settings if you have your own vault)
    LI_VAULT_SECRET_ENGINE: "kv-v2"
    LI
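The CLI-mode and Daemon-mode invocations in Option 1 differ in which arguments are allowed and in whether the endpoint carries credentials. The following POSIX sh functions are an added example, not part of this guide or of the qualys_crs_instrumenter repository: they build the argument list for instrumenter.sh from environment variables so the two modes cannot be mixed, and drop the username:password prefix from the endpoint as soon as a vault is configured. Every CRS_* variable name and the kv-v2 default for the vault engine are assumptions of this example; the option names are the ones the guide documents, and the values used in the comments are constructed.

```shell
#!/bin/sh
# Added example; not code from the Qualys guide or repository. Assumed inputs:
#   CRS_GATEWAY                 the guide's <api_gateway_url>
#   CRS_USER, CRS_PASS          Qualys credentials, used only without a vault
#   CRS_VAULT_TOKEN, CRS_VAULT_ENGINE, CRS_VAULT_PATH, CRS_VAULT_ADDR
#                               vault settings; engine defaults to kv-v2 here
#   CRS_PROXY                   optional proxy
#   CRS_MODE                    "cli" or "daemon"
#   CRS_IMAGE, CRS_POLICY_ID    CLI mode only

# --endpoint value: user:password@url without a vault, url only with a vault,
# so credentials stay out of the command line once a vault is in use.
crs_endpoint() {
    if [ -n "${CRS_VAULT_TOKEN:-}" ]; then
        printf '%s/crs/v1.2\n' "$CRS_GATEWAY"
    else
        printf '%s:%s@%s/crs/v1.2\n' "$CRS_USER" "$CRS_PASS" "$CRS_GATEWAY"
    fi
}

# Print the complete argument list on one line, or print a reason on stderr
# and return 1 when the requested combination is not valid for the mode.
crs_instrumenter_args() {
    args="--endpoint $(crs_endpoint)"
    if [ -n "${CRS_VAULT_TOKEN:-}" ]; then
        args="$args --vault-token $CRS_VAULT_TOKEN"
        args="$args --vault-engine ${CRS_VAULT_ENGINE:-kv-v2}"
        args="$args --vault-path $CRS_VAULT_PATH --vault-address $CRS_VAULT_ADDR"
    fi
    if [ -n "${CRS_PROXY:-}" ]; then
        args="$args --proxy $CRS_PROXY"
    fi
    case "${CRS_MODE:-}" in
    daemon)
        # Daemon mode receives jobs from the backend: no image, no policy.
        if [ -n "${CRS_IMAGE:-}" ] || [ -n "${CRS_POLICY_ID:-}" ]; then
            echo "daemon mode does not take --image or --policyid" >&2
            return 1
        fi
        args="$args --daemon-mode"
        ;;
    cli)
        # CLI mode instruments exactly one local image; the policy is optional.
        if [ -z "${CRS_IMAGE:-}" ]; then
            echo "CLI mode requires CRS_IMAGE" >&2
            return 1
        fi
        args="$args --image $CRS_IMAGE"
        if [ -n "${CRS_POLICY_ID:-}" ]; then
            args="$args --policyid $CRS_POLICY_ID"
        fi
        ;;
    *)
        echo "CRS_MODE must be cli or daemon" >&2
        return 1
        ;;
    esac
    printf '%s\n' "$args"
}

# Typical use once the variables are set, e.g. CRS_MODE=cli CRS_IMAGE=java:latest:
#   sh instrumenter.sh $(crs_instrumenter_args)
```

Everything placed on the command line, the vault token included, is visible to other local users through process listings, so the guide's advice against passing plain-text credentials applies to the argument list as much as to the compose file.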
