Carbon Black Containerized Sensor


Overview

The Containerized Sensor bundles Endpoint Detection and Response (EDR) and Container Scanning security in one easy-to-deploy package. The container is deployed onto your host and from there provides EDR security for the host's behavior. The Containerized Sensor also detects other containers running on the host and, in addition to the EDR process information captured when a sensor runs on an endpoint, collects the container context, such as container name and ID. The Container Image Scanning feature, also packaged in the Containerized Sensor, then scans those containers for vulnerabilities, malware and secrets. All of this is reported back to Carbon Black Cloud for further analysis.

Use Cases

  • Detect and enforce EDR capabilities with containers context.
  • Detect vulnerabilities, malware and secrets on deployed containers.

Requirements

  • Carbon Black Cloud Container
  • API key with appropriate permissions. See Authentication for details.

Authentication

Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.


Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control; all APIs and services authenticate via API keys. To access the data in Carbon Black Cloud via API, you must set up a key with the correct permissions for the calls you want to make and pass it in the HTTP headers.

Environment
Available on the majority of environments; use the Carbon Black Cloud Console URL, as described here.

Access Level
Before you create your API Key, you need to create a "Custom" Access Level including each category:
  • Workloads Management > Manage Kubernetes dataplane > kubernetes.dataplane, allow permission to CREATE, READ, UPDATE, DELETE

API Key
When creating your API Key, use the Access Level Type of "Custom" and select the Access Level you created. Details on constructing and passing the API Key in your requests are available here.

Installation

Validation

To verify the security and integrity of the container image, you can validate the container signature.

During verification, use this public key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1ivoAvFrHGi9lm01ecsBN1juDOp5
6kGA7G5M0WnOS2zc5qNPQSN1fzwOc/EgEIskERJY/NMmCjq0rcZzzKgfxQ==
-----END PUBLIC KEY-----

Prerequisites

Before you can verify the container image signature, you must download the cosign tool.

Procedure

  1. Download the containerized sensor image: cbartifactory/cb-containers-sensor using an image management tool, such as docker.
  2. Run the signature verification command using the public key above:
cosign verify --key container-signing-key.pub cbartifactory/cb-containers-sensor:<sensor-version>

Results

An example of a successful verification:

Verification for docker.io/cbartifactory/cb-containers-sensor:<sensor-version> --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
[
  {
    "critical": {
      "identity": {
        "docker-reference": "docker.io/cb/cbartifactory/cb-containers-sensor"
      },
      "image": {
        "docker-manifest-digest": "sha256:a1a0dfe211c0fdcbcae68fccb7629e79f3d9775891584daddc8aff5050237911"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEUCIBiIc38wiBow7FT09ylanYEki248tu4kYcJYr3dSwRUkAiEA9R9pK6SnTaTNhPKmK592n0keUGj8mdxTIA1Fc75j7i4=",
        "Payload": {
          "body": "<transparency log entry body omitted>",
          "integratedTime": 1699443190,
          "logIndex": 48394752,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      }
    }
  }
]
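The verification above tells you which manifest digest the signature covers. The script below is an added example (not part of the Carbon Black documentation) that writes the published public key to a file, runs the verify command from the procedure, and turns a successful result into a digest-pinned image reference, so that the host runs exactly the artifact that was verified rather than whatever the tag points to later. It fails closed when cosign reports no digest or more than one. The file name container-signing-key.pub, the container name, and the constructed sample output (which reuses the digest from the example output above) are assumptions; cosign must be on PATH for the real verification.

```shell
#!/bin/sh
# Added example: verify the sensor image signature with cosign, then pin by digest.
# Assumptions (not from the page): cosign is installed, key file container-signing-key.pub,
# and the constructed SAMPLE_OUTPUT below used for the offline demonstration.

IMAGE_REPO="cbartifactory/cb-containers-sensor"

# Public key published in the documentation, written to the file cosign expects.
write_signing_key() {
  cat > "$1" <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1ivoAvFrHGi9lm01ecsBN1juDOp5
6kGA7G5M0WnOS2zc5qNPQSN1fzwOc/EgEIskERJY/NMmCjq0rcZzzKgfxQ==
-----END PUBLIC KEY-----
EOF
}

# Read cosign's JSON output on stdin and print exactly one manifest digest.
# Fails closed: no digest means nothing was verified; several distinct digests
# means the result is ambiguous and must not be used for pinning.
extract_digest() {
  digests=$(grep -o '"docker-manifest-digest": *"sha256:[0-9a-f]\{64\}"' \
            | grep -o 'sha256:[0-9a-f]\{64\}' | sort -u)
  [ -n "$digests" ] || return 1
  [ "$(printf '%s\n' "$digests" | wc -l | tr -d ' ')" -eq 1 ] || return 1
  printf '%s\n' "$digests"
}

# Run the real verification for a sensor version and print a pinned reference
# (repo@sha256:...) on success; any failure returns non-zero with no output.
verify_and_pin() {
  write_signing_key container-signing-key.pub
  out=$(cosign verify --key container-signing-key.pub "$IMAGE_REPO:$1") || return 1
  digest=$(printf '%s\n' "$out" | extract_digest) || return 1
  printf '%s@%s\n' "$IMAGE_REPO" "$digest"
}

# Constructed sample of cosign's JSON output (digest copied from the page's example).
SAMPLE_OUTPUT='[{"critical":{"identity":{"docker-reference":"docker.io/cbartifactory/cb-containers-sensor"},"image":{"docker-manifest-digest":"sha256:a1a0dfe211c0fdcbcae68fccb7629e79f3d9775891584daddc8aff5050237911"},"type":"cosign container image signature"}}]'

# Offline demonstration on the constructed sample; real use: verify_and_pin <sensor-version>
printf '%s\n' "$SAMPLE_OUTPUT" | extract_digest
```

Use the printed `cbartifactory/cb-containers-sensor@sha256:...` reference in your `docker run` command in place of the version tag; a tag can be moved to a different image after you verified it, a digest cannot.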

Configuration

To run the Containerized Sensor, we need to provide its required dependencies.

Container Image

Run the container image cbartifactory/cb-containers-sensor:{sensor-version}, with your selected sensor version.

See the release notes for the latest VMware Carbon Black Cloud Linux Sensor.

Volume Mounts

Attach the following volume mounts to the container:

  • The container runtime unix socket. Currently only supports docker - /var/run/docker.sock:/var/run/docker.sock:ro
  • The host root path - /:/var/opt/root
  • The host hostname - /etc/hostname:/etc/hostname
  • The host boot folder - /boot:/boot
  • The host operating system identification data - /etc/os-release:/etc/os-release
  • Carbon Black Metadata Mount - /var/opt/carbonblack:/var/opt/carbonblack

Permissions

The container needs to run as a privileged container.

Network

The container needs to run in host network mode.

Resources

The container requires at least 2 GB of memory.

Environment Variables

Provide the environment variables you received during the setup wizard. These environment variables include:

  • CBC_ACCOUNT - Your Carbon Black Organization Key. This is available under Settings > General in the Carbon Black Cloud console.
  • CBC_ACCESS_TOKEN - API key with appropriate permissions. Your API Key requires an Access Level with CREATE, READ, UPDATE and DELETE permissions for Workloads Management > Manage Kubernetes dataplane > kubernetes.dataplane. See Authentication for details.
  • CB_COMPANY_CODES - Your Carbon Black Company Codes.
  • CBC_API_HOST - Your Carbon Black environment API host. This is the web address of the Carbon Black Cloud Console, listed here.
  • HOST_ROOT_PATH - The mounted location of the host root path. Set it to the container path you mounted it at under Volume Mounts: /var/opt/root.
  • CONTAINER_REPORTER_HOSTNAME_FILEPATH - The mounted location of the hostname file. Set it to the container path you mounted it at under Volume Mounts: /etc/hostname.
  • CONTAINER_REPORTER_LABELS - Key=value labels to identify the host with. For example: key1=value1,key2=value2.

Advanced Settings

You can configure the image with additional environment variable settings:

  • CONTAINER_REPORTER_HOST - Value to use as the container's hostname. It can be set instead of CONTAINER_REPORTER_HOSTNAME_FILEPATH; if both are set, this variable takes priority. If this value is set, you can delete the hostname volume mount.
  • ENDPOINT - Path of the host's container-runtime unix socket. Set to docker's /var/run/docker.sock by default. Currently only the docker container runtime is supported.
  • CONTAINER_RUNTIME - The name of the host container runtime. Set to docker-daemon by default. Options: docker-daemon. Currently only the docker container runtime is supported.
  • SCANNER_CLI_FLAGS_ENABLE_SECRET_DETECTION - Boolean flag that enables or disables secret detection during container scanning. Set to true (enabled) by default.
  • SCANNER_CLI_FLAGS_IGNORE_BUILD_IN_REGEX - Boolean flag that decides whether to ignore the built-in filename regexes and scan every file for secrets. Set to false by default.
  • SCANNER_CLI_FLAGS_SCAN_BASE_LAYERS - Boolean flag that decides whether to scan the image base layers for secrets. Set to false by default.
  • SCANNER_CLI_FLAGS_SKIP_DIRS_OR_FILES - List of files/directories (as regexes) to ignore when detecting secrets. Empty by default.
  • SCANNER_CLI_FLAGS_CONCURRENT_FILE_LIMIT - Number of files to scan at once for secrets. Set to 200 by default. Increase or decrease this number to make the scanner faster or slower; the higher the number, the more resources (memory and CPU) the service requires.
  • DISABLE_SCANNER - Boolean flag to set if you want to disable the container scanner capability. Set to false by default.
  • DISABLE_SENSOR - Boolean flag to set if you want to disable the CNDR capability. Set to false by default.
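The Configuration section and the Advanced Settings table together describe one docker run invocation. The script below is an added example (not the product's own tooling or documentation) that assembles that command from the page's requirements: the six volume mounts with the runtime socket read-only, a privileged container in host network mode, the two path variables set to match the mounts, the required credentials, and any advanced setting that happens to be set in the caller's environment. It refuses to build a command when a required variable is missing, drops the hostname mount when CONTAINER_REPORTER_HOST is set (as the table allows), and passes secrets by variable name only, so the API key never appears on the command line. The container name cb-containers-sensor, the restart policy, and the use of docker as the runtime are assumptions; the script deliberately sets no `--memory` cap, since the page states a minimum of 2 GB, not a limit.

```shell
#!/bin/sh
# Added example: build the docker run command for the Containerized Sensor from
# the page's requirements. Assumptions (not from the page): container name
# cb-containers-sensor, --restart unless-stopped, docker CLI, and that the
# required variables are already exported in the caller's environment.

IMAGE_REPO="cbartifactory/cb-containers-sensor"

# Variables from the setup wizard; the command is not built without all of them.
REQUIRED_VARS="CBC_ACCOUNT CBC_ACCESS_TOKEN CB_COMPANY_CODES CBC_API_HOST"

# Optional settings from the page; forwarded only when set in the environment.
OPTIONAL_VARS="CONTAINER_REPORTER_HOST CONTAINER_REPORTER_LABELS ENDPOINT CONTAINER_RUNTIME \
SCANNER_CLI_FLAGS_ENABLE_SECRET_DETECTION SCANNER_CLI_FLAGS_IGNORE_BUILD_IN_REGEX \
SCANNER_CLI_FLAGS_SCAN_BASE_LAYERS SCANNER_CLI_FLAGS_SKIP_DIRS_OR_FILES \
SCANNER_CLI_FLAGS_CONCURRENT_FILE_LIMIT DISABLE_SCANNER DISABLE_SENSOR"

# Print the names of required variables that are unset or empty, one per line.
missing_required() {
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || printf '%s\n' "$v"
  done
}

# Print the docker run command for $1, which is either a version tag or a
# digest ("sha256:...") obtained from signature verification.
sensor_run_cmd() {
  case "$1" in
    sha256:*) ref="$IMAGE_REPO@$1" ;;
    *)        ref="$IMAGE_REPO:$1" ;;
  esac
  if [ -n "$(missing_required)" ]; then
    echo "missing required environment: $(missing_required | tr '\n' ' ')" >&2
    return 1
  fi
  cmd="docker run -d --name cb-containers-sensor --restart unless-stopped"
  cmd="$cmd --privileged --network host"                       # Permissions, Network
  cmd="$cmd -v /var/run/docker.sock:/var/run/docker.sock:ro"    # runtime socket, read-only
  cmd="$cmd -v /:/var/opt/root -e HOST_ROOT_PATH=/var/opt/root" # host root and its env var
  cmd="$cmd -v /boot:/boot -v /etc/os-release:/etc/os-release"
  cmd="$cmd -v /var/opt/carbonblack:/var/opt/carbonblack"
  if [ -z "${CONTAINER_REPORTER_HOST:-}" ]; then
    # Hostname file mount and its path variable; not needed when CONTAINER_REPORTER_HOST is set.
    cmd="$cmd -v /etc/hostname:/etc/hostname -e CONTAINER_REPORTER_HOSTNAME_FILEPATH=/etc/hostname"
  fi
  # Pass credentials by NAME only: docker reads the value from the environment,
  # so the token is kept out of the command line, process listings and history.
  for v in $REQUIRED_VARS; do cmd="$cmd -e $v"; done
  for v in $OPTIONAL_VARS; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then cmd="$cmd -e $v"; fi
  done
  printf '%s %s\n' "$cmd" "$ref"
}

# Usage: export the required variables, then: sensor_run_cmd <version-or-digest>
if [ "$#" -gt 0 ]; then sensor_run_cmd "$1"; fi
```

Review the printed command before executing it; because `-e NAME` forwards values from the environment, the script must run in the same shell session that holds the wizard's variables.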

Last modified on January 22, 2024