Carbon Black Containerized Sensor

Overview

The Containerized Sensor bundles Endpoint Detection and Response (EDR) and Container Scanning security in one easy to deploy package. The container is deployed onto your host and from there provides EDR security of the host’s behavior. The Containerized Sensor also detects other containers running on the host and in addition to the EDR process information captured when a sensor is running on an Endpoint, it collects the container context such as container name and id. The Container Image Scanning features, also packaged in the Containerized Sensor then scans them for vulnerabilities, malware and secrets. All this is reported back to Carbon Black Cloud for further analysis.

Use Cases

Detect and enforce EDR capabilities with containers context.
Detect vulnerabilities, malware and secrets on deployed containers.

Requirements

Carbon Black Cloud Container
API key with appropriate permissions. See Authentication for details.

Authentication

Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.

CBC Managed Identity

Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control; All APIs and Services authenticate via API Keys. To access the data in Carbon Black Cloud via API, you must set up a key with the correct permissions for the calls you want to make and pass it in the HTTP Headers.

Environment
Available on majority of environments; Use the Carbon Black Cloud Console URL, as described here.

Access Level
Before you create your API Key, you need to create a "Custom" Access Level including each category:

Workloads Management > Manage Kubernetes dataplane > kubernetes.dataplane, allow permission to CREATE, READ, UPDATE, DELETE

API Key
When creating your API Key, use the Access Level Type of "Custom" and select the Access Level you created. Details on constructing and passing the API Key in your requests are available here.

Installation

To install the agent using docker compose file, see Carbon Black Container - Docker Agent.
To install the agent on AWS ECS cluster, see Carbon Black Container - ECS Agent.

Validation

To verify the security and integrity of the container image, you can validate the container signature.

During verification, use this public key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1ivoAvFrHGi9lm01ecsBN1juDOp5
6kGA7G5M0WnOS2zc5qNPQSN1fzwOc/EgEIskERJY/NMmCjq0rcZzzKgfxQ==
-----END PUBLIC KEY-----

Prerequisites

Before you can verify the container image signing, you must download the cosign tool.

Procedure

Download the containerized sensor image: cbartifactory/cb-containers-sensor using an image management tool, such as docker.
Run the signature verification command using the public key above:

cosign verify --key container-signing-key.pub cbartifactory/cb-containers-sensor:<sensor-version>

Results

An example of a successful verification:

Verification for docker.io/cbartifactory/cb-containers-sensor:<sensor-version> --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
[
  {
    "critical": {
      "identity": {
        "docker-reference": "docker.io/cb/cbartifactory/cb-containers-sensor"
      },
      "image": {
        "docker-manifest-digest": "sha256:a1a0dfe211c0fdcbcae68fccb7629e79f3d9775891584daddc8aff5050237911"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEUCIBiIc38wiBow7FT09ylanYEki248tu4kYcJYr3dSwRUkAiEA9R9pK6SnTaTNhPKmK592n0keUGj8mdxTIA1Fc75j7i4=",
        "Payload": {
          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJlZTliNjJiNzI3MjY0NGU0OTQ2M2YxNDllNmU2MGM5NjkxNzc3ODY3YjUwNWE1OTUwOWVhOGNjN2UyYWI4N2ZiIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQU5VY0FlVStYRk9CaEh1TUpRN2x2NVoycllNa1p3eHk1SnlsNWhWNm1BSkFpQWo1S3p0NVA2ZlkxN1drQ01xQXF2eno5dE1zVFpvOUZPN1hPcis2aHo4N0E9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGTVdsMmIwRjJSbkpJUjJrNWJHMHdNV1ZqYzBKT01XcDFSRTl3TlFvMmEwZEJOMGMxVFRCWGJrOVRNbnBqTlhGT1VGRlRUakZtZW5kUFl5OUZaMFZKYzJ0RlVrcFpMMDVOYlVOcWNUQnlZMXA2ZWt0blpuaFJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=",
          "integratedTime": 1699443190,
          "logIndex": 48394752,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      }
    }
  }
]

Configuration

To run the Containerized Sensor, we need to provide its required dependencies.

Container Image

Run the container image cbartifactory/cb-containers-sensor:{sensor-version}, with your selected sensor version.

See the release notes for the latest VMware Carbon Black Cloud Linux Sensor.

Volume Mounts

Attach the following volume mounts to the container:

The container runtime unix socket. Currently only supports docker - /var/run/docker.sock:/var/run/docker.sock:ro
The host root path - /:/var/opt/root
The host hostname - /etc/hostname:/etc/hostname
The host boot folder - /boot:/boot
The host operating system identification data - /etc/os-release:/etc/os-release
Carbon Black Metadata Mount - /var/opt/carbonblack:/var/opt/carbonblack

Permissions

The container needs to run as privileged container.

Network

The container needs to run on the host network mode.

Resources

The container requires at least 2GB of memory.

Environment Variables

Provide the environment variables you received during the setup wizard. These environment variables includes:

Environment Variable	Description
CBC_ACCOUNT	Your Carbon Black Organization Key. This is available on Settings > General in the Carbon Black Cloud console .
CBC_ACCESS_TOKEN	API key with appropriate permissions. Your API Key requires an Access Level with CREATE, READ, UPDATE and DELETE permissions for Workloads Management > Manage Kubernetes dataplane > kubernetes.dataplane. See Authentication for details.
CB_COMPANY_CODES	Your Carbon Company Codes.
CBC_API_HOST	Your Carbon Black environment API host. This is the web address of the Carbon Black Cloud Console, listed here.
HOST_ROOT_PATH	The mounted location of the root path. Set as the value you mounted at on Volume Mounts - `/var/opt/root`.
CONTAINER_REPORTER_HOSTNAME_FILEPATH	The mounted location of the hostname path. Set as the value you mounted at on Volume Mounts - `/etc/hostname`.
CONTAINER_REPORTER_LABELS	Key Value labels, to identify the host with. For example: `key1=value1,key2=value2`.

Advanced Settings

You can configure the image with additional environment variables settings:

Environment Variable	Description
CONTAINER_REPORTER_HOST	Value you can to set as the container’s hostname. That can be set instead of `CONTAINER_REPORTER_HOSTNAME_FILEPATH`. If both set, this variable takes priority. If this value is set, you can delete the hostname volume mount.
ENDPOINT	Value of the host’s container-runtime endpoint unix socket. Set to docker’s `/var/run/docker.sock` by default. Currently only docker container runtime is supported.
CONTAINER_RUNTIME	The name of the host container runtime. Set to `docker-daemon` by default. Options - `docker-daemon` . Currently only docker container runtime is supported.
SCANNER_CLI_FLAGS_ENABLE_SECRET_DETECTION	Boolean flag to use to enable/disable container scanning secret detection. Set to `true` (enabled) to default.
SCANNER_CLI_FLAGS_IGNORE_BUILD_IN_REGEX	Boolean flag used to decide whether to ignore filenames build-in regexes and scan every file for secrets. Set to `false` by default.
SCANNER_CLI_FLAGS_SCAN_BASE_LAYERS	Boolean flag used to decide whether to scan the image base layers for secrets. Set to `false` by default.
SCANNER_CLI_FLAGS_SKIP_DIRS_OR_FILES	List of files/directories (in Regexes) to ignore when detecting secrets. Set as empty by default.
SCANNER_CLI_FLAGS_CONCURRENT_FILE_LIMIT	Number of files to scan at once for secrets. Set to `200` by default. You can increase/decrease this number if you want the scanner to work faster/slower. As the number is higher, the service requires more resources (memory & CPU)
DISABLE_SCANNER	Boolean flag to use if you want to disable the container container scanner capability. Set to `false` by default.
DISABLE_SENSOR	Boolean flag to use if you want to disable the CNDR capability. Set to `false` by default.

Give Feedback

New survey coming soon!

Last modified on January 22, 2024

Carbon Black Cloud

Page Contents