Container Runtime Security (CRS) is a separately licensed feature of Container Security. It provides runtime behavior visibility and enforcement capabilities for running containers. This allows customers to address various use cases for running containers, such as security best practice enforcement, file access monitoring, and network access control.
CRS requires instrumentation of container images with the Qualys Container Runtime Instrumentation, which injects probes into the container image. Customers can configure instrumented images and containers with granular policies that govern container behavior and visibility. Based on these runtime enforcement policies, runtime events and telemetry can be viewed and obtained from the backend via the UI and API.
CRS is not activated by default for existing or new customers. Currently, CRS is supported for Linux-based containers only. If you are interested in this feature, please contact your Qualys Account Manager or Qualys Support.
CRS is a separately licensed feature of Container Security and must be enabled.
Customers need to have at least one host/sensor license for Container Security Scanning capabilities. In addition to this, customers need to be licensed for an appropriate number of containers for CRS. CRS relies on instrumenting a container image with Qualys instrumentation. This allows for in-container behavior visibility and enforcement.
Here’s a look at the deployment workflow for Container Runtime Security.
You’ll build the image and push it to the registry. Then you must scan the image with the registry sensor. This is a prerequisite for using runtime protection. You’ll need to scan each image you want to instrument.
The instrumenter service is the service needed to instrument your images. You’ll deploy this service in your environment. Then, when you choose to instrument an image from the Container Security UI, the instrumenter service is used to pull down the unprotected image, package our solution into it, and push it back to the registry as a protected image.
Deploy the Instrumenter Service
After you build the image and push it into the registry, you’ll want to instrument that image with our runtime security solution so that when the image is spun up as a running container, it’s protected. Once you have the protected image, you can run it in your runtime environment as a running container. Alerts and notifications will be sent back to Qualys, and you’ll be able to view the events from the UI.
Instrument container images
You’ll use the Container Runtime Security API to create policies, and then use the UI to assign a policy to an instrumented image. You’ll also want to set the policy enforcement level (determines whether policy rules are enforced) and select the log mode (determines which policy hits get logged).
Create policies (using API)
Set policy enforcement
Apply policy to instrumented image
Configure instrumentation to select the log mode
When ready, you can spawn containers from the instrumented image. The policy applied to the instrumented image gets enforced on the container and activities are logged as per the selected log mode.
Run container from instrumented image
Runtime events will be listed on the Events tab. Here you can search events and drill down into event details.
View your events
View event details on dashboard