Enable Runtime Security, Runtime Vulnerability Scanning, and Runtime Malware Scanning on Kubernetes clusters.

The following table describes the runtime security and scanning features available for Kubernetes clusters.

Feature: Runtime Security
Description: Provides visibility into any activity of your running containers that violates a customizable set of rules.

Feature: Runtime Vulnerability Scanning
Description: Provides visibility into operating system and open source code vulnerabilities in the containers running in your clusters.
Important:
  • Runtime Vulnerability Scanning supports clusters with pure ARM64 CPU nodes or pure x86_64 CPU nodes. Mixed CPU modes are not supported.
  • A vulnerability scan occurs for each newly deployed image, and the image is then rescanned every 24 hours.
  • Cluster worker nodes require at least 2 vCPU and 8 GiB of memory. For more details on the specifications and default limits for these components, check the resources section in the Helm chart.

Feature: Runtime Malware Scanning
Description: Provides detection of malware in your running containers, enabling you to identify and respond to malware threats introduced after deployment.

Procedure

  1. To enable runtime security and scanning features, set the following parameters under cloudOne in your overrides YAML file (usually named 'overrides.yaml').
    • runtimeSecurity.enabled: true
    • vulnerabilityScanning.enabled: true
    • malwareScanning.enabled: true
    Example:
    cloudOne:
        apiKey: <API_KEY>
        endpoint: <ENDPOINT>
        runtimeSecurity:
            enabled: true
        vulnerabilityScanning:
            enabled: true
        malwareScanning:
            enabled: true

  2. To hide sensitive fields in runtime security events, add scout.falco.sanitizer_output to the overrides file.
    The scout.falco.sanitizer_output.patterns field takes key-value pairs in which the key is a Falco event field and the value is a regular expression. (See the fields supported by Falco for more information.) Any part of the field's value that matches the regular expression is hidden in the event output. The redaction applies to both output and output_fields in a Falco event.
    Example:
    scout:
        falco:
            sanitizer_output:
                enabled: true
                patterns:
                    proc.pcmdline: (?<=--process\s)\s?(\S+)|(?<=--root\s)\s?(\S+)
                    fd.sip: (?<=169\.254\.)(\S+)
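    To see what the two patterns above actually redact, the following added example (not part of this documentation and not Container Security's own sanitizer code) applies them to a constructed Falco-style event in the way the step describes: each pattern is matched against its field in output_fields and against the rendered output string, and every match is replaced with a placeholder. The event values, the rule name and the <REDACTED> marker are assumptions made for the illustration.

```python
import json
import re

# Patterns in the shape of scout.falco.sanitizer_output.patterns:
# Falco field name -> regular expression; every match is redacted.
# These are the two patterns from the overrides example above.
SANITIZER_PATTERNS = {
    "proc.pcmdline": r"(?<=--process\s)\s?(\S+)|(?<=--root\s)\s?(\S+)",
    "fd.sip": r"(?<=169\.254\.)(\S+)",
}

# Placeholder written in place of each match (an assumption for this example,
# not the marker the product itself emits).
REDACTED = "<REDACTED>"

# Constructed Falco-style event (not a real capture). The rendered `output`
# string and the structured `output_fields` carry the same values.
SAMPLE_EVENT = {
    "rule": "Example Agent Activity",
    "priority": "Notice",
    "output": ("Notice agent started pcmdline=some-agent --process 4242 "
               "--root /var/lib/agent sip=169.254.10.20"),
    "output_fields": {
        "proc.pcmdline": "some-agent --process 4242 --root /var/lib/agent",
        "fd.sip": "169.254.10.20",
        "container.id": "0123456789ab",
    },
}


def compile_patterns(patterns: dict) -> dict:
    """Compile each pattern once so a malformed regular expression fails
    loudly before any event is processed (e.g. a variable-width lookbehind)."""
    compiled = {}
    for field, expr in patterns.items():
        try:
            compiled[field] = re.compile(expr)
        except re.error as exc:
            raise ValueError(f"invalid pattern for field {field!r}: {exc}") from exc
    return compiled


def sanitize_event(event: dict, patterns: dict) -> dict:
    """Return a deep copy of `event` in which every match of every pattern is
    replaced by REDACTED, both in output_fields[<field>] and in the rendered
    output string. The input event is left untouched."""
    compiled = compile_patterns(patterns)
    sanitized = json.loads(json.dumps(event))  # deep copy via JSON round trip
    fields = sanitized.setdefault("output_fields", {})
    for field, regex in compiled.items():
        value = fields.get(field)
        if isinstance(value, str):
            fields[field] = regex.sub(REDACTED, value)
        # The same value is embedded in the rendered message, so redact it there too.
        if isinstance(sanitized.get("output"), str):
            sanitized["output"] = regex.sub(REDACTED, sanitized["output"])
    return sanitized


if __name__ == "__main__":
    print(json.dumps(sanitize_event(SAMPLE_EVENT, SANITIZER_PATTERNS), indent=2))
```

    Two points worth checking when writing your own patterns: the lookbehinds in the example are fixed-width, which is what most regex engines require, and `\S+` is greedy, so it consumes everything up to the next whitespace (here the whole host part after 169.254. and the whole path after --root), which is usually the intent for a redaction but can swallow more than a single token when values are not space-separated.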
  3. Upgrade Container Security with the following command so that the new values in overrides.yaml take effect.
    helm upgrade \
        trendmicro \
        --namespace trendmicro-system --create-namespace \
        --values overrides.yaml \
        https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz