May 18th, 2021

Installation Guide for Qualys Sensor in AWS ECS Cluster

#DockerContainerSecurity

#DockerBaseImage

#DockerVulnerabilityScanning

Docker Security Guide Blog Series [Part 3]

NOTE: This is the third part of a blog series.

Part 1: - Introduction to Docker, Security Best Practices and scans

Part 2: - Docker Vulnerability Scan Tools

Part 3: - QUALYS - Deploying sensor in AWS ECS Cluster

Overview

In Part 1 and Part 2 of this blog series, we talked about Docker technology, Docker security best practices, and Docker vulnerability tools in detail. In Part 3, we explain how to deploy the Qualys Container Sensor in an AWS ECS cluster, going through each step of the deployment. After completing these steps, all sensor details will be visible in the Qualys Container Security module.

Index

Part 1: Introduction to Docker, Security Best Practices and scans

  1. Docker Technology: An Overview
  2. Docker Security: A Tricky Way
  3. Docker Security Best Practices
  4. Docker-Vulnerability Scan (Docker Bench for Security, AWS ECR, Trivy Overview)

Part 2: Docker Vulnerability Scanning

  1. Docker Vulnerability Scan Overview & Importance
  2. Docker Vulnerability Scan Tools in Detail
    1. Docker Bench for Security
    2. Dive
    3. Inspec
    4. AWS ECR
    5. Trivy

Part 3: QUALYS - Deploying sensor in AWS ECS Cluster

  1. Login to the Qualys
  2. Download the QualysContainerSensor.tar.xz file
  3. Download the container sensor.
  4. Sensor package operations
  5. Push the Qualys sensor image to an AWS ECR repository.
  6. Modify the cssensor AWS ECS JSON file
  7. Import the JSON file
  8. Task execution IAM role configurations
  9. Select the AWS Cluster
  10. Select the task definition
  11. Create task definition
  12. Final Qualys Container Security module

 

Deploying sensor in AWS ECS Cluster

To start with, please prepare the CS connector in Qualys:

1. Login to the Qualys

Login to Qualys. Go to Container Security and select the Configurations tab.

2. Download the QualysContainerSensor.tar.xz file

Download the QualysContainerSensor.tar.xz file from the Qualys Cloud Portal to your computer. Choose the General (Host) .tar.xz file.

3. Download the container sensor

Download the container sensor. A tar file containing the sensor docker image and the install script will be downloaded. The sensor is pre-configured to connect to the Qualys Cloud Platform.

Prerequisites: AWS ECS Cluster should be up and running.


4. Sensor package operations

Untar the sensor package: tar -xvf QualysContainerSensor.tar.xz

Untaring the Qualys Container Sensor tar file.

5. Push the Qualys sensor image to an AWS ECR repository

Use the following commands to push the Qualys sensor image to an ECR repository:

5.1. Load image to the local docker


5.2. Go to the AWS account and create ECR Repository

Creating ECR Repository on the AWS account.

 

5.3. Check connection to AWS ECR

For example (the ECR login user name is always AWS; the flag is --password-stdin, and the registry host is the last argument of the same command):

aws ecr get-login-password --region us-east-1 --profile xxxxxxx | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com

5.4. Tag the image

If the login succeeds, tag the sensor image loaded in step 5.1 with your ECR repository path. docker tag takes the local image name first and the target name second; for example (the local image name is a placeholder here):

docker tag <local-sensor-image>:latest xxxxxxxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxx-qualys-registery:latest

5.5 Push the image to ECR

docker push xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxxx-qualys-registery:latest

Note: Do not use the examples as they are. Replace the registry/image path with your own.

6. Modifying the cssensor AWS ECS JSON file

6.1 Modify the cssensor-aws-ecs.json file

Modify the cssensor-aws-ecs.json file (extracted from QualysContainerSensor.tar.xz) to provide values for the following parameters. For the JSON file to work properly, do not remove or comment out any of the sections mentioned below other than the proxy settings in step 6.4. Note that you can download the JSON file directly from here.
Activation ID and Customer ID are required. You can find your Activation ID and Customer ID in your Qualys subscription:

Copying your Activation ID and Customer ID from your Qualys subscription.

Modify with your Image information, ActivationID and CustomerID:

Modifying the cssensor-awsecs.json file with your Image information, ActivationID and CustomerID.

6.2 Replace the image attribute

"image": "xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxx-qualyssensor:latest"

6.3 Specify appropriate values for cpu (no. of vcpu) and memory (size in MB)

6.4 Remove proxy settings from JSON file

If the sensor does not go through a proxy, delete the following parts:

a. Delete this part from environment:

"name": "qualys_https_proxy", "value": "proxy.qualys.com:3128"

b. Delete this part from mountPoints:

"sourceVolume": "proxy-cert-path", "containerPath": "/etc/qualys/qpa/cert/custom-ca.crt"

c. Delete this part from Volumes:

"name": "proxy-certpath", "host": { 
"sourcePath": "/root/cert/proxy-certificate.crt" 
} 
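Steps 6.2 to 6.4 are hand edits to the JSON. The following added example (it is not from the original post or from the Qualys sensor package) applies the same edits programmatically and re-checks the result before you import it, so an empty ActivationID, a leftover proxy entry or a Fargate launch type is caught before the task definition is created. The sample task definition, the environment variable names ACTIVATIONID and CUSTOMERID, and the volume name proxy-cert-path are assumptions, not the contents of the real cssensor-aws-ecs.json.

```python
import copy

# Constructed stand-in for cssensor-aws-ecs.json: shape, env var names and
# volume name are assumptions; the real file carries more fields.
SAMPLE = {
    "requiresCompatibilities": ["EC2"],
    "containerDefinitions": [{
        "name": "qualys-container-sensor",
        "image": "qualys/sensor:latest", "cpu": 10, "memory": 500,
        "environment": [
            {"name": "ACTIVATIONID", "value": ""},
            {"name": "CUSTOMERID", "value": ""},
            {"name": "qualys_https_proxy", "value": "proxy.qualys.com:3128"}],
        "mountPoints": [{"sourceVolume": "proxy-cert-path",
                         "containerPath": "/etc/qualys/qpa/cert/custom-ca.crt"}]}],
    "volumes": [{"name": "proxy-cert-path",
                 "host": {"sourcePath": "/root/cert/proxy-certificate.crt"}}],
}

def configure_sensor(task_def, image, activation_id, customer_id, cpu, memory):
    """Apply steps 6.2-6.4 to a copy of the task definition and return it."""
    if not activation_id or not customer_id:
        raise ValueError("ActivationID and CustomerID are required")
    td = copy.deepcopy(task_def)
    c = td["containerDefinitions"][0]
    c["image"], c["cpu"], c["memory"] = image, cpu, memory      # 6.2, 6.3
    env = {e["name"]: e["value"] for e in c["environment"]}
    env.update({"ACTIVATIONID": activation_id, "CUSTOMERID": customer_id})
    env.pop("qualys_https_proxy", None)                         # 6.4a
    c["environment"] = [{"name": k, "value": v} for k, v in env.items()]
    c["mountPoints"] = [m for m in c["mountPoints"]             # 6.4b
                        if m["sourceVolume"] != "proxy-cert-path"]
    td["volumes"] = [v for v in td["volumes"]                   # 6.4c
                     if v["name"] != "proxy-cert-path"]
    return td

def check_sensor_task_def(td):
    """Return the problems that would make the import fail or mis-deploy."""
    c = td["containerDefinitions"][0]
    env = {e["name"]: e["value"] for e in c["environment"]}
    problems = []
    if ".dkr.ecr." not in c["image"]:
        problems.append("image is not your ECR repository path")
    problems += [f"{k} is empty" for k in ("ACTIVATIONID", "CUSTOMERID") if not env.get(k)]
    names = {m["sourceVolume"] for m in c["mountPoints"]} | {v["name"] for v in td["volumes"]}
    if "qualys_https_proxy" in env or "proxy-cert-path" in names:
        problems.append("proxy settings still present (step 6.4)")
    if "FARGATE" in td.get("requiresCompatibilities", []):
        problems.append("Fargate launch type is not supported; use EC2")
    return problems
```

Run check_sensor_task_def on the real file after your edits (json.load it first); an empty list means it is ready for the Configure via JSON step.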

7. Import the JSON file

7.1. Import the JSON file into Amazon ECS UI to complete the sensor deployment.

7.2. On the Amazon ECS UI, under Task Definitions, click Create New Task Definition.

7.3. Select the launch type compatibility as EC2 (Fargate is not supported).

7.4. Provide the Task Definition name, and then provide Task Role, Network Mode, and Task Execution Role if applicable:

Selecting the launch type compatibility as EC2

8. Task execution IAM role configurations

8.1. Scroll to the bottom of the page and select Configure via JSON option.

8.2. Remove any existing content and then copy-paste the entire contents of the cssensor-aws-ecs.json file.

8.3. Click Create to create the Task Definition. Once created, it should be listed under Task Definitions.

8.4. Confirm if the task definition is created successfully

Confirming the task definition is created successfully.

9. Select the AWS Cluster

Now go to Clusters and click the cluster name on which you want to deploy the sensor. Under the Services tab, click Create. Select the launch type as EC2.

Under Services tab, click Create

10. Select the task definition

Select the Task Definition you created above and its revision, and then select a cluster. Provide the Service name, Service type as “DAEMON”, and then configure Network, Load Balancing, and Auto Scaling if applicable.

Providing fields with the necessary information and configuring settings.

11. Create task definition

Review the provided information, and then click Create to create the Service. Once created, it should get listed under Services. Verify that the service status is Active. In the tasks tab, verify that tasks are running on all ECS containers.


12. Final Qualys Container Security module

Now you will see all the sensor details in the Qualys Container Security module.

Conclusion

In Part 3, “QUALYS - Deploying sensor in AWS ECS Cluster”, of our blog series, we showed how to deploy the Qualys Container Sensor in an AWS ECS cluster, with detailed screenshots for each step so you can deploy your own sensor easily.
