Sensors
Sensor installation must come before adding a registry.
Install a Container Sensor
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Container Security.
- Click the Registries tab.
- Click the New button at the top-right of the screen.
- In the button options, select New Sensor.
- In the displayed aside, select the registry provider where you expect to install the container sensor.
- The aside will refresh to display:
  - A button for downloading the sensor installation package
  - Step-by-step CLI commands for installing the sensor on the selected registry provider
Uninstall A Container Sensor
- Follow the same steps as in Install a Container Sensor to open the sensor aside.
- Download the installation package.
- Extract its contents. The package contains the uninstallsensor.sh script.
- Depending on your Docker host configuration:
  - Host is configured to communicate over docker.sock: run the following command:
    ./uninstallsensor.sh -s
  - Host is configured to communicate over a TCP socket: substitute the address on which the Docker daemon is configured to listen and run the following command:
    ./uninstallsensor.sh DockerHost=<<IPv4 address or FQDN>:<Port#>> -s
- Follow the on-screen prompts to uninstall the sensor.
- If prompted, Armor recommends not to clear the persistent storage.
Registry Configurations Required by Connectors
AWS Elastic Container Registry
Create IAM Role
- Log in to the Amazon Web Services (AWS) Console.
- Go to the IAM service.
- Go to Roles and click Create Role.
- Under "Select type of trusted entity" choose Another AWS account. Then:
  - Paste in the Qualys AWS Account ID (from connector details).
  - Select Require external ID and paste in the External ID (from connector details).
  - Click Next: Permissions.
- Find the policy titled "AmazonEC2ContainerRegistryReadOnly" and select the check box next to it.
- Enter a role name (e.g. CMS) and click Create role.
- Click on the role you just created to view details. Copy the Role ARN value and paste it into the connector details.
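The "Another AWS account" plus "Require external ID" choices above produce a trust policy on the role. The added example below (not Armor's or AWS's code) builds that document and checks an existing trust policy for the two mistakes that matter: trusting a principal other than the connector account, and omitting the sts:ExternalId condition. The account ID and external ID are constructed placeholders.

```python
import json

# Constructed placeholders: use the values shown in the connector details.
CONNECTOR_ACCOUNT_ID = "123456789012"
CONNECTOR_EXTERNAL_ID = "example-external-id"


def build_trust_policy(account_id, external_id):
    """Trust policy equivalent to "Another AWS account" + "Require external ID"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy, account_id):
    """Return findings for every Allow statement granting sts:AssumeRole; an
    empty list means the role can only be assumed by the connector account
    and only with the external ID (the confused-deputy protection)."""
    problems = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", "*")
        aws = principal.get("AWS", "*") if isinstance(principal, dict) else principal
        aws_list = [aws] if isinstance(aws, str) else list(aws)
        if any(p == "*" or f":{account_id}:" not in p for p in aws_list):
            problems.append("principal is not limited to the connector account")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append("sts:ExternalId condition missing")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(CONNECTOR_ACCOUNT_ID, CONNECTOR_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print(trust_policy_problems(policy, CONNECTOR_ACCOUNT_ID) or "trust policy OK")
```

To audit a role you already created, feed the JSON from the role's Trust relationships tab into trust_policy_problems with the account ID from the connector details.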
Azure Container Registry
Step 1: Create Application and get Application Id & Client Secret
- Log on to the Microsoft Azure portal, navigate to Azure Active Directory and then to App Registrations.
- Click on New Registration and provide the following details:
  - Name: A name for the application.
  - Supported account types: Single Tenant and Accounts in this organizational directory only.
- Click on Register.
- Copy the Application (client) ID.
- Navigate to Certificates & secrets on the left panel, then generate a client secret by clicking on New Client Secret and providing the following details:
  - Description: A description of the client secret.
  - Expires: Never.
- Click on Add.
- Copy the Client secret that is generated.
Step 2: Assigning Service Principal
- Log on to the Microsoft Azure portal.
- In the left panel, navigate to Container registries and then Access control (IAM).
- Navigate to Role assignments.
- Click Add, select Add role assignment, and provide the following details:
  - Role: Contributor.
  - Assign access to: Azure AD user, group or service principal.
  - Select: Application created with client secret.
- Click on Save.
Step 3: Provide Configuration Details to Armor
Add Application Id and Client Secret to the Connector Details screen within the Armor Management Portal (AMP).
Google Cloud Container Registry
Step 1: Enabling Access Within API Library
- Log in to the Google Cloud Platform (GCP) console.
- Select an organization.
- Select a project or create a new project. Ensure that you select the correct project.
- In the left sidebar, navigate to APIs and Services.
- Search for Compute Engine API in the API Library, click Manage and then click Enable API. In the same way, also enable the Cloud Resource Manager API, Kubernetes Engine API and Cloud SQL Admin API from the API Library.
Step 2: Setting Up A Service Account
- Log in to the GCP console and select a project.
- From the left sidebar, navigate to IAM & admin > Service accounts.
- Click CREATE SERVICE ACCOUNT.
- Provide a name and description (optional) for the service account and click CREATE.
- Choose the Viewer and Security Reviewer roles to assign at least reader permissions to the service account and click CONTINUE.
- Click CREATE KEY.
- Select JSON as Key type and click CREATE. A message saying "Private key saved to your computer" is displayed and the JSON file is downloaded to your computer.
- Click CLOSE and then click DONE.
Step 3: Provide Configuration File to Armor
Once you have downloaded your configuration file, add it to the Connector Details screen within the Armor Management Portal (AMP).
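Before uploading the downloaded file, it is worth confirming it is the service-account key from Step 2 and not some other JSON (an OAuth client config, a key from a different project, or a truncated download). The added example below (not Armor's or Google's code) performs that check; the embedded key is a constructed sample with a fake private key and project.

```python
import json

# Fields present in every service-account key file Google generates.
REQUIRED_FIELDS = {
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
}

# Constructed sample resembling a downloaded key; the private key body is fake.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "client_email": "scanner@example-project.iam.gserviceaccount.com",
    "client_id": "1234567890",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def check_service_account_key(raw, expected_project=None):
    """Return a list of findings; an empty list means the file looks like a
    usable service-account key (for expected_project, if given)."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    findings = []
    if key.get("type") != "service_account":
        findings.append("type is not 'service_account'")
    missing = sorted(REQUIRED_FIELDS - key.keys())
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    pk = key.get("private_key", "")
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----")
            and "-----END PRIVATE KEY-----" in pk):
        findings.append("private_key is not a PEM private key")
    if not key.get("client_email", "").endswith(".iam.gserviceaccount.com"):
        findings.append("client_email is not a service-account address")
    if expected_project and key.get("project_id") != expected_project:
        findings.append(f"project_id {key.get('project_id')!r} != {expected_project!r}")
    return findings


if __name__ == "__main__":
    print(check_service_account_key(SAMPLE_KEY, "example-project") or "key file OK")
```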
When assigning any write permission, it is advised to also assign the corresponding read permission. For example, "Write Container Security Registries" should not be assigned without also assigning "Read Container Security Registries."
Action | Permission(s) Required |
---|---|
Get Accounts | Read Container Security Accounts |
Get Vendor Types | Read Container Security Vendor Types |
Add Connector | Write Container Security Connectors |
View Connectors | Read Container Security Connectors |
Delete Connectors | Write Container Security Connectors |
Add Registry | Write Container Security Registries |
View Registries | Read Container Security Registries |
Delete Registry | Write Container Security Registries |
View Images | Read Container Security Registries |
View Sensors (API only) | Read Container Security Sensors |
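The rule stated above (no Write permission without its matching Read permission) is easy to violate when roles are assembled by hand. The added example below, which is not AMP's own code, encodes the table and checks a proposed permission set for missing Read pairs and for which actions it actually covers; the role at the end is a constructed one that breaks the rule.

```python
import re

# Matches the Write permissions named in the table and captures their subject.
WRITE_RE = re.compile(r"^Write (Container Security .+)$")

# Action -> permissions required, exactly as listed in the table on this page.
ACTION_PERMISSIONS = {
    "Get Accounts": {"Read Container Security Accounts"},
    "Get Vendor Types": {"Read Container Security Vendor Types"},
    "Add Connector": {"Write Container Security Connectors"},
    "View Connectors": {"Read Container Security Connectors"},
    "Delete Connectors": {"Write Container Security Connectors"},
    "Add Registry": {"Write Container Security Registries"},
    "View Registries": {"Read Container Security Registries"},
    "Delete Registry": {"Write Container Security Registries"},
    "View Images": {"Read Container Security Registries"},
    "View Sensors (API only)": {"Read Container Security Sensors"},
}


def missing_read_permissions(granted):
    """Read permissions that must be added so every Write has its Read pair."""
    granted = set(granted)
    missing = set()
    for perm in granted:
        m = WRITE_RE.match(perm)
        if m and f"Read {m.group(1)}" not in granted:
            missing.add(f"Read {m.group(1)}")
    return sorted(missing)


def allowed_actions(granted):
    """Actions from the table whose required permissions are all granted."""
    granted = set(granted)
    return sorted(a for a, need in ACTION_PERMISSIONS.items() if need <= granted)


# Constructed role that violates the rule: it can add registries but not list them.
EXAMPLE_ROLE = ["Write Container Security Registries", "Read Container Security Accounts"]

if __name__ == "__main__":
    print("missing:", missing_read_permissions(EXAMPLE_ROLE))
    print("allowed:", allowed_actions(EXAMPLE_ROLE))
```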