After you set up a Containerized Sensor, you can install it.

The Containerized Sensor includes both Carbon Black EDR and Image Scanning capabilities. It is used for non-Kubernetes container environments.

Prerequisites

See:

Procedure

  1. Run the container image cbartifactory/cb-containers-sensor:{sensor-version}, replacing {sensor-version} with the sensor version you selected.
  2. Attach these volume mounts to the container:
    1. Container runtime unix socket. Currently only supports docker - /var/run/docker.sock:/var/run/docker.sock:ro
    2. Host root path - /:/var/opt/root
    3. Host hostname - /etc/hostname:/etc/hostname
    4. Host boot folder - /boot:/boot
    5. Host operating system identification data - /etc/os-release:/etc/os-release
    6. Carbon Black Metadata Mount - /var/opt/carbonblack:/var/opt/carbonblack
  3. Pass the environment variables that the setup wizard provided during sensor setup:
    Environment variable - Description
    CBC_ACCOUNT - Your Carbon Black Organization Key.
    CBC_ACCESS_TOKEN - API key with the appropriate permissions.
    CB_COMPANY_CODES - Your Carbon Black Company Codes.
    CBC_API_HOST - The API host of your Carbon Black environment.
    HOST_ROOT_PATH - The mounted location of the host root path.
    CONTAINER_REPORTER_HOSTNAME_FILEPATH - The mounted location of the hostname file.
    CONTAINER_REPORTER_LABELS - Key=value labels used to identify the host. For example: key1=value1,key2=value2.
  4. (Optional) You can configure the sensor image with these additional advanced environment variables:
    Environment variable - Description
    CONTAINER_REPORTER_HOST - Value to set as the container's hostname. You can set the hostname this way instead of with CONTAINER_REPORTER_HOSTNAME_FILEPATH. If both values are set, this variable takes priority. If this value is set, you can remove the hostname volume mount.
    ENDPOINT - Path of the host's container-runtime endpoint Unix socket. This value is set to docker's /var/run/docker.sock by default.
      Note: Currently only the docker container runtime is supported.
    CONTAINER_RUNTIME - The name of the host container runtime. This value is set to docker-daemon by default.
      Note: Currently only the docker container runtime is supported.
    SCANNER_CLI_FLAGS_ENABLE_SECRET_DETECTION - Boolean flag that enables or disables secret detection during container scanning. This value is set to true (enabled) by default.
    SCANNER_CLI_FLAGS_IGNORE_BUILD_IN_REGEX - Boolean flag that determines whether to ignore the built-in filename regexes and scan every file for secrets. This value is set to false by default.
    SCANNER_CLI_FLAGS_SCAN_BASE_LAYERS - Boolean flag that determines whether to scan the image base layers for secrets. This value is set to false by default.
    SCANNER_CLI_FLAGS_SKIP_DIRS_OR_FILES - List of files and directories (as regexes) to ignore when detecting secrets. This value is empty by default.
    SCANNER_CLI_FLAGS_CONCURRENT_FILE_LIMIT - Number of files to scan for secrets at one time. This value is set to 200 by default. Increase or decrease this number to adjust the speed of the scan; a higher number makes the service use more resources (memory and CPU).
    DISABLE_SCANNER - Boolean flag that disables the container scanner capability. This value is set to false by default.
    DISABLE_SENSOR - Boolean flag that disables the CNDR capability. This value is set to false by default.
  5. Install the sensor:
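The run command that steps 1 to 4 describe, assembled as an added example (this is not the product's own installation script). The angle-bracket values are placeholders for what the setup wizard gave you; the labels and container name are assumptions.

```shell
#!/bin/sh
# Added example: build the "docker run" line for the Containerized Sensor
# from the volume mounts and environment variables listed in the steps above.
# Values in angle brackets are placeholders, not real credentials.

IMAGE_REPO="cbartifactory/cb-containers-sensor"
SENSOR_VERSION="${SENSOR_VERSION:-<sensor-version>}"
CBC_ACCOUNT="${CBC_ACCOUNT:-<org-key>}"
CBC_ACCESS_TOKEN="${CBC_ACCESS_TOKEN:-<api-key>}"
CB_COMPANY_CODES="${CB_COMPANY_CODES:-<company-codes>}"
CBC_API_HOST="${CBC_API_HOST:-<api-host>}"
CONTAINER_REPORTER_LABELS="${CONTAINER_REPORTER_LABELS:-env=lab,team=sec}"   # assumed labels

# Refuse to start a sensor while any wizard-supplied value is still a placeholder.
check_values() {
  for v in "$SENSOR_VERSION" "$CBC_ACCOUNT" "$CBC_ACCESS_TOKEN" \
           "$CB_COMPANY_CODES" "$CBC_API_HOST"; do
    case "$v" in '<'*'>') return 1 ;; esac
  done
  return 0
}

# $1...: optional wrapper. "sensor_run echo" prints the command; "sensor_run"
# executes it. The docker socket is mounted read-only as the steps instruct;
# ":ro" only protects the socket file itself, not what the daemon will do for a
# client, so anything inside this container must be treated as host-privileged.
sensor_run() {
  "$@" docker run -d --name cb-containers-sensor --restart unless-stopped \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v /:/var/opt/root \
    -v /etc/hostname:/etc/hostname \
    -v /boot:/boot \
    -v /etc/os-release:/etc/os-release \
    -v /var/opt/carbonblack:/var/opt/carbonblack \
    -e "CBC_ACCOUNT=$CBC_ACCOUNT" \
    -e "CBC_ACCESS_TOKEN=$CBC_ACCESS_TOKEN" \
    -e "CB_COMPANY_CODES=$CB_COMPANY_CODES" \
    -e "CBC_API_HOST=$CBC_API_HOST" \
    -e HOST_ROOT_PATH=/var/opt/root \
    -e CONTAINER_REPORTER_HOSTNAME_FILEPATH=/etc/hostname \
    -e "CONTAINER_REPORTER_LABELS=$CONTAINER_REPORTER_LABELS" \
    "$IMAGE_REPO:$SENSOR_VERSION"
}

# Dry run by default; APPLY=1 starts the container after the values check.
if [ "${APPLY:-0}" = 1 ]; then
  check_values || { echo "placeholder values still present" >&2; exit 1; }
  sensor_run
else
  sensor_run echo
fi
```

Run it once without APPLY to review the generated line, then with APPLY=1 and the real values exported.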