Installation Guide for Qualys Sensor in AWS ECS Cluster

Docker Security Guide Blog Series [Part 3]

NOTE: This is the third part of a blog series.

Part 1: - Introduction to Docker, Security Best Practices and scans

Part 2: - Docker Vulnerability Scan Tools

Part 3: - QUALYS - Deploying sensor in AWS ECS Cluster

Overview

In Part 1 and Part 2 of this blog series, we have talked about Docker Technology, Docker Security best practices, and Docker Vulnerability Tools in detail. In Part 3, we will talk about how to deploy Qualys Container Sensor in AWS ECS Cluster. We will go through each step of deploying the sensor. After completing these steps, we will be able to see all details in the Qualys Container Security module.

Index

Part 1: Introduction to Docker, Security Best Practices and scans

1. Docker Technology: An Overview
2. Docker Security: A Tricky Way
3. Docker Security Best Practices
4. Docker-Vulnerability Scan (Docker Bench for Security, AWS ECR, Trivy Overview)

Part 2: Docker Vulnerability Scanning

 

Deploying sensor in AWS ECS Cluster

To start with, please prepare the CS connector in Qualys:

1. Login to the Qualys

Login to Qualys. Go to Container Security and select the Configurations tab.

2. Download the QualysContainerSensor.tar.xz

Download the QualysContainerSensor.tar.xz file from Qualys Cloud Portal on a computer. Download General (Host) .tar.xz file.

3. Download the container sensor

Download the container sensor. A tar file containing the sensor docker image and the install script will be downloaded. The sensor is pre-configured to connect to the Qualys Cloud Platform.

Prerequisites: AWS ECS Cluster should be up and running.

4. Sensor package operations

Untar the sensor package: tar -xvf QualysContainerSensor.tar.xz

5. Push the Qualys sensor image to an AWS ECR repository

Use the following commands to push the Qualys sensor image to an ECR repository:

5.1. Load image to the local docker

5.2. Go to the AWS account and create ECR Repository

 

5.3. Check connection to AWS ECR

For example:

aws ecr get-login-password --region us-east-1 --profile xxxxxxx | docker login --username xxxx - password-stdin

xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com 

5.4. Tag the image

If the connection is successful, in this step we need to tag the image. For example:

 docker tag xxxxxxxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxx-qualys-registery:latest 

5.5 Push the image to ECR

docker push xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxxx-qualys-registery:latest 

Note: Do not use the examples as they are. Replace the registry/image path with your own.

6. Modifying the cssensor AWS ECS JSON file

6.1 Modify the cssensor-aws-ecs.json file

Modify the cssensor-aws-ecs.json file (extracted from QualysContainerSensor.tar.xz) to provide values for the following parameters. For the JSON file to work properly, ensure that you do not remove/comment on the respective sections mentioned below. Note that you can download the JSON file directly from here.
Activation ID and Customer ID are required. You can find your Activation ID and Customer ID in your Qualys subscription:

Modify with your Image information, ActivationID and CustomerID:

6.2 Replace the image attribute

"image": 
"xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxx-qualyssensor:latest"

6.3 Specify appropriate values for cpu (no. of vcpu) and memory (size in MB)

6.4 Remove proxy settings from JSON file

You need to delete the foloowing parts:

a. Delete this part from environment:

"name": "qualys_https_proxy", "value": 

"proxy.qualys.com:3128" 

b. Delete this part from mountPoints:

"sourceVolume": "proxy-cert-path", 

"containerPath": "/etc/qualys/qpa/cert/custom-ca.crt" 

c. Delete this part from Volumes:

"name": "proxy-certpath", "host": { 
"sourcePath": "/root/cert/proxy-certificate.crt" 
} 

7. Import the JSON file

7.1. Import the JSON file into Amazon ECS UI to complete the sensor deployment.

7.2. On the Amazon ECS UI, under Task Definitions, click Create New Task Definition.

7.3. Select the launch type compatibility as EC2 (Fargate is not supported).

7.4. Provide the Task Definition name, and then provide Task Role, Network Mode, and Task Execution Role if applicable:

8. Task execution IAM role configurations

8.1. Scroll to the bottom of the page and select Configure via JSON option.

8.2. Remove any existing content and then copy-paste the entire contents of the cssensor-aws-ecs.json file.

8.3. Click Create to create the Task Definition. Once created, it should get listed under Task Definitions.

8.4. Confirm if the task definition is created successfully

9. Select the AWS Cluster

Now go to Clusters and click the cluster name on which you want to deploy the sensor. Under the Services tab, click Create. Select the launch type as EC2.

10. Select the task definition

Select the Task Definition you created above and its revision, and then select a cluster. Provide the Service name, Service type as “DAEMON”, and then configure Network, Load Balancing, and Auto Scaling if applicable.

11. Create task definition

Review the provided information, and then click Create to create the Service. Once created, it should get listed under Services. Verify that the service status is Active. In the tasks tab, verify that tasks are running on all ECS containers.

12. Final Qualys Container Security module

Now, you will see all details in the Qualys Container Security module:

Conclusion

In Part 3, “QUALYS - Deploying sensor in AWS ECS Cluster”, of our blog series, we have talked about how to deploy your Qualys Container Sensor in AWS ECS Cluster. We have shown the steps with detailed screenshots for you to easily deploy your sensor.