Install and Manage Sensors
Sensor installation must come before adding a registry.
Install a Container Sensor
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Registries tab.
Click the New button at the top-right of the screen.
In the button options, select New Sensor.
In the displayed aside, select the registry provider on which you expect to install the container sensor.
The aside refreshes to display:
A button for downloading the sensor installation package
Step-by-step CLI commands for installing the sensor on the selected registry provider
Uninstall a Container Sensor
Follow the same steps as in Install a Container Sensor to open the sensor aside, then download the installation package.
Extract its contents. The package includes the uninstallsensor.sh script.
Run the script according to how your Docker host is configured:
Host is configured to communicate over docker.sock: run the following command:
./uninstallsensor.sh -s
Host is configured to communicate over a TCP socket: substitute the address on which the Docker daemon is configured to listen and run the following command:
./uninstallsensor.sh DockerHost=<<IPv4 address or FQDN>:<Port#>> -s
For example:
./uninstallsensor.sh DockerHost=10.115.27.54:3128 -s
Follow the on-screen prompts to uninstall the sensor.
If prompted, Armor recommends that you do not clear the persistent storage.
Registry Configurations Required by Connectors
With the exception of Docker Hub, each registry type requires setup on the registry provider's side before you configure its connector in the Armor Management Portal (AMP). Follow the vendor-specific instructions below.
AWS Elastic Container Registry
Create IAM Role
Log in to Amazon Web Services (AWS) Console.
Go to the IAM service.
Go to Roles and click Create Role.
Under "Select type of trusted entity", choose Another AWS account. Then:
a. Paste in the Qualys AWS Account ID (from the connector details).
b. Select Require external ID and paste in the External ID (from the connector details).
c. Click Next: Permissions.
Find the policy titled "AmazonEC2ContainerRegistryReadOnly" and select the check box next to it.
Enter a role name (e.g. CMS) and click Create role.
Click the role you just created to view its details. Copy the Role ARN value and paste it into the connector details.
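The console steps above produce a role whose trust policy names the connector's AWS account as the only principal and requires the external ID; the external ID is what stops a third party from using that same account to assume your role on its behalf (the confused-deputy problem). The Python below is an added example, not Armor's or Qualys's own code. It builds the equivalent trust policy and checks a policy document (for instance the AssumeRolePolicyDocument returned by `aws iam get-role`) for the two things that matter, the single expected principal and the sts:ExternalId condition, and checks that only the read-only ECR policy is attached. The account ID and external ID are constructed placeholders; use the values from the connector details screen.

```python
"""Build and verify the IAM role trust policy for the ECR connector.

Added example, not Armor or Qualys code. The account ID and external ID
below are constructed placeholders, not real values.
"""
import json

# Constructed placeholders (take the real values from the connector details in AMP).
CONNECTOR_ACCOUNT_ID = "123456789012"
CONNECTOR_EXTERNAL_ID = "example-external-id-0001"
REQUIRED_MANAGED_POLICY = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to the console choices 'Another AWS account'
    plus 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict, account_id: str, external_id: str) -> list[str]:
    """Return the problems found; an empty list means the policy is as expected."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allow = []
    for s in statements:
        actions = s.get("Action")
        actions = actions if isinstance(actions, list) else [actions]
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            allow.append(s)
    if len(allow) != 1:
        problems.append(f"expected exactly one Allow sts:AssumeRole statement, found {len(allow)}")
        return problems
    stmt = allow[0]
    principal = stmt.get("Principal", {})
    aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
    principals = aws_principal if isinstance(aws_principal, list) else [aws_principal]
    expected = {account_id, f"arn:aws:iam::{account_id}:root"}
    if "*" in principals:
        problems.append("principal is a wildcard: any AWS account could assume the role")
    elif not set(principals) <= expected:
        problems.append(f"principal {principals} is not the connector account {account_id}")
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    if cond.get("sts:ExternalId") != external_id:
        problems.append("missing or wrong sts:ExternalId condition")
    return problems


def check_attached_policies(policy_arns: list[str]) -> list[str]:
    """policy_arns: PolicyArn values from `aws iam list-attached-role-policies`.
    The connector only needs to read ECR, so anything beyond the ReadOnly
    managed policy is excess privilege."""
    problems = []
    if REQUIRED_MANAGED_POLICY not in policy_arns:
        problems.append("AmazonEC2ContainerRegistryReadOnly is not attached")
    extra = [a for a in policy_arns if a != REQUIRED_MANAGED_POLICY]
    if extra:
        problems.append(f"unexpected additional policies attached: {extra}")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(CONNECTOR_ACCOUNT_ID, CONNECTOR_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("trust policy problems:", check_trust_policy(policy, CONNECTOR_ACCOUNT_ID, CONNECTOR_EXTERNAL_ID))
```

To check the role you created in the console, feed `check_trust_policy` the parsed `Role.AssumeRolePolicyDocument` from `aws iam get-role --role-name CMS` and `check_attached_policies` the `PolicyArn` values from `aws iam list-attached-role-policies --role-name CMS`.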
Azure Container Registry
Step 1: Create Application and get Application Id & Client Secret
Log on to the Microsoft Azure portal, navigate to Azure Active Directory and then to App registrations.
Click New registration and provide the following details:
a. Name: A name for the application.
b. Supported account types: Single tenant (Accounts in this organizational directory only).
Click Register.
Copy the Application (client) ID.
Navigate to Certificates & secrets in the left panel, then generate a client secret by clicking New client secret and providing the following details:
Description: A description of the client secret.
Expires: Never. (If your tenant policy requires an expiring secret, record the expiry date: the connector stops authenticating when the secret expires, and a new secret must be generated and entered in AMP before then.)
Click Add.
Copy the client secret value that is generated; it is shown only once.
Step 2: Assigning Service Principal
Log on to the Microsoft Azure portal.
In the left panel, navigate to Container registries, open the registry to be scanned, and then Access control (IAM).
Navigate to Role assignments.
Click Add, select Add role assignment, and provide the following details:
Role: Contributor.
Assign access to: Azure AD user, group or service principal.
Select: The application created in Step 1.
Click Save.
Assigning the role on the registry itself, rather than on the resource group or subscription, limits the application's access to that registry.
Step 3: Provide Configuration Details to Armor
Add the Application (client) ID and client secret from Step 1 to the Connector Details screen within the Armor Management Portal (AMP).
Google Cloud Container Registry
Step 1: Enabling Access Within API Library
Log into Google Cloud Platform (GCP) console.
Select an organization.
Select a project or create a new project. Ensure that you select the correct project.
In the left sidebar, navigate to APIs and Services.
Search for Compute Engine API in the API Library, click Manage and then click Enable API. In the same way, also enable the Cloud Resource Manager API, Kubernetes Engine API and Cloud SQL Admin API from the API Library.
Step 2: Setting Up A Service Account
Login to the GCP console and select a project.
From the left sidebar, navigate to IAM & admin > Service accounts
Click CREATE SERVICE ACCOUNT.
Provide a name and description (optional) for the service account and click CREATE.
Choose the Viewer and Security Reviewer roles, which give the service account read-only permissions, and click CONTINUE.
Click CREATE KEY.
Select JSON as the key type and click CREATE. A message saying "Private key saved to your computer" is displayed and the JSON file is downloaded to your computer. This file contains the service account's private key, so store it securely and delete local copies once it has been uploaded to AMP.
Click CLOSE and then click DONE.
Step 3: Provide Configuration File to Armor
Once you have downloaded the JSON key file, add it to the Connector Details screen within the Armor Management Portal (AMP).
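Before uploading the key file, it is worth confirming that it is a service-account key for the project you selected in Step 1 (the steps above warn about choosing the correct project) and that it is intact. The Python below is an added example, not Armor's, Qualys's or Google's own code. It parses a key file and reports anything that would make the connector fail or point it at the wrong project. The embedded key file is a constructed sample: the project name, e-mail address and private key are placeholders, not real credentials.

```python
"""Sanity-check a downloaded GCP service account key before handing it to AMP.

Added example, not Armor, Qualys or Google code. SAMPLE_KEY_JSON is a
constructed stand-in for the file the console downloads in Step 2; the
private key is a placeholder string, not a real key.
"""
import json

# Fields a service-account key file is expected to carry.
REQUIRED_FIELDS = {
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
}

# Constructed sample key file (not a real credential).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-registry-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "cs-scanner@example-registry-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def inspect_service_account_key(text: str, expected_project: str) -> list[str]:
    """Return the problems found in a key file; an empty list means it looks right.

    Checks that the file parses, carries the required fields, is a
    service-account key (not a user or external-account credential),
    belongs to the expected project, and has an intact PEM private key.
    """
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    missing = sorted(REQUIRED_FIELDS - key.keys())
    if missing:
        return [f"missing fields: {', '.join(missing)}"]

    problems = []
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    if key["project_id"] != expected_project:
        problems.append(
            f"project_id {key['project_id']!r} is not the expected project {expected_project!r}"
        )
    email = key["client_email"]
    if not email.endswith(f"@{expected_project}.iam.gserviceaccount.com"):
        problems.append(f"client_email {email!r} does not belong to project {expected_project!r}")
    pem = key["private_key"]
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block")
    return problems


def inspect_key_file(path: str, expected_project: str) -> list[str]:
    """Convenience wrapper for a key file on disk."""
    with open(path, encoding="utf-8") as fh:
        return inspect_service_account_key(fh.read(), expected_project)


if __name__ == "__main__":
    print(inspect_service_account_key(SAMPLE_KEY_JSON, "example-registry-project"))
```

Run `inspect_key_file("<downloaded>.json", "<your project id>")` against the real download; any non-empty result should be resolved before the file goes into the Connector Details screen.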
Manage AMP Permissions
Below is a list of portal and API actions, along with the required AMP permissions for each. Note that some actions require multiple permission assignments; should you encounter errors while managing Container Security configurations, please double-check you have the proper combinations.
When assigning any write permission, it is advised to also assign the corresponding read permission. For example, "Write Container Security Registries" should not be assigned without also assigning "Read Container Security Registries."
Action | Permission(s) Required
---|---
Get Accounts | Read Container Security Accounts
Get Vendor Types | Read Container Security Vendor Types
Add Connector | Write Container Security Connectors
View Connectors | Read Container Security Connectors
Delete Connectors | Write Container Security Connectors
Add Registry | Write Container Security Registries
View Registries | Read Container Security Registries
Delete Registry | Write Container Security Registries
View Images | Read Container Security Registries
View Sensors (API only) | Read Container Security Sensors