Install a Containerized Sensor

After you set up a Containerized Sensor, you can install it.

The Containerized Sensor includes both Carbon Black EDR and Image Scanning capabilities. It is used for non-Kubernetes container environments.

Prerequisites

See:

Procedure

Run the container image cbartifactory/cb-containers-sensor:{sensor-version} together with your selected sensor version.
Attach these volume mounts to the container:
1. Container runtime unix socket. Currently only supports docker - /var/run/docker.sock:/var/run/docker.sock:ro
2. Host root path - /:/var/opt/root
3. Host hostname - /etc/hostname:/etc/hostname
4. Host boot folder - /boot:/boot
5. Host operating system identification data - /etc/os-release:/etc/os-release
6. Carbon Black Metadata Mount - /var/opt/carbonblack:/var/opt/carbonblack

During sensor setup, the setup wizard provided these environment variables:


Environment Variable	Description
CBC_ACCOUNT	Your Carbon Black Organization Key.
CBC_ACCESS_TOKEN	API key with appropriate permissions.
CB_COMPANY_CODES	Your Carbon Black Company Codes.
CBC_API_HOST	Your Carbon Black environment API host.
HOST_ROOT_PATH	The mounted location of the root path.
CONTAINER_REPORTER_HOSTNAME_FILEPATH	The mounted location of the hostname path.
CONTAINER_REPORTER_LABELS	Key Value labels used to identify the host. For example: `key1=value1,key2=value2`.

(Optional) You can configure the sensor image with additional advanced environment variables:


Environment Variable	Description
CONTAINER_REPORTER_HOST	Value you can to set as the container's hostname. You can set the hostname instead of `CONTAINER_REPORTER_HOSTNAME_FILEPATH`. If both values are set, this variable takes priority. If this value is set, you can delete the hostname volume mount.
ENDPOINT	Value of the host's container-runtime endpoint Unix socket. This value is set to docker's `/var/run/docker.sock` by default. Note: Currently only the docker container runtime is supported.
CONTAINER_RUNTIME	The name of the host container runtime. This value is set to `docker-daemon` by default. Note: Currently only docker container runtime is supported.
SCANNER_CLI_FLAGS_ENABLE_SECRET_DETECTION	Boolean flag to enable/disable container scanning secret detection. This value is set to `true` (enabled) by default.
SCANNER_CLI_FLAGS_IGNORE_BUILD_IN_REGEX	Boolean flag to determine whether to ignore filenames' built-in regexes and scan every file for secrets. This value is set to `false` by default.
SCANNER_CLI_FLAGS_SCAN_BASE_LAYERS	Boolean flag used to decide whether to scan the image base layers for secrets. This value is set to `false` by default.
SCANNER_CLI_FLAGS_SKIP_DIRS_OR_FILES	List of files and directories (in Regexes) to ignore when detecting secrets. This value is set to `empty` by default.
SCANNER_CLI_FLAGS_CONCURRENT_FILE_LIMIT	Number of files to scan at one time for secrets. This value is set to `200` by default. You can increase or decrease this number to determine the speed of the scan. If the number is higher, the service requires more resources (memory and CPU).
DISABLE_SCANNER	Boolean flag to disable the container scanner capability. This value is set to `false` by default.
DISABLE_SENSOR	Boolean flag to disable CNDR capability. This value is set to `false` by default.

Install the sensor:
- Using a docker compose file: Install a Containerized Sensor on a Docker Client.
- On an AWS ECS cluster: Install a Containerized Sensor on an ECS Cluster.