
Installing Sophos Linux Sensor on CRI-O and Containerd

Configuration

The CRI sensor configuration values reside in the Sophos Linux Sensor (SLS) configuration file - (/etc/sophos/runtimedetections-rules.yaml).

There are three CRI-specific configuration values:

| Value | Meaning | Default | Example |
| --- | --- | --- | --- |
| enabled | Boolean indicating whether SLS is enabled | false | crisensor.enabled: true |
| addr | String path to the CRI container runtime API | "" | crisensor.addr: unix://var/run/crio/crio.sock |
| poll_interval | Duration indicating how often the CRI interface is checked for changes to container state | 250ms | crisensor.poll_interval: 150ms |

The addr value must be prefixed with unix://; SLS reports an error if it is not.

For example, to connect to the CRI-O unix socket, specify addr: unix://var/run/crio/crio.sock

In YAML, this takes the following form:

crisensor:
    enabled: true
    addr: unix://var/run/crio/crio.sock
    poll_interval: 250ms

Default Unix socket paths for supported runtimes

The default paths for supported runtimes are shown in the following table:

| Runtime | Socket Path | Example Config Option |
| --- | --- | --- |
| CRI-O | /var/run/crio/crio.sock | crisensor.addr: unix://var/run/crio/crio.sock |
| Containerd | /var/run/containerd/containerd.sock | crisensor.addr: unix://var/run/containerd/containerd.sock |

Container deployment

If you are deploying the SLS in a container, the path specified in crisensor.addr must match the path of the unix socket as mounted into the container.

If you are using CRI-O as your container runtime, you will need to set the environment variable GRPC_GO_REQUIRE_HANDSHAKE to off when running SLS. This can be added to the env section of your Kubernetes daemonset manifests, as shown below:

env:
  - name: GRPC_GO_REQUIRE_HANDSHAKE
    value: "off"

This environment variable is required because of a gRPC protocol change between version 1.17 and newer releases. Many versions of CRI-O are built with the older version of gRPC and require the environment variable for compatibility.

If you don't set the GRPC_GO_REQUIRE_HANDSHAKE environment variable, you may encounter the following error when SLS is unable to connect to the CRI socket:

ERRO[0004] crisensor: connection error context deadline exceeded

This indicates that SLS was unable to connect to the CRI-compatible container runtime's unix socket.

Setting the environment variable solves the issue.
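The pre-flight check below, an added example rather than code from Sophos or SLS itself, ties together the configuration rules above (the mandatory unix:// prefix, the socket path mapping from the runtime table, the Go-style poll_interval duration) and the CRI-O deployment requirement for GRPC_GO_REQUIRE_HANDSHAKE=off. The function names are mine; treating a socket path containing "crio" as CRI-O is an assumption, as is reading the path after unix:// as the host path with a leading slash, which matches the table's pairing of /var/run/crio/crio.sock with unix://var/run/crio/crio.sock.

```python
import os
import re
from typing import Callable, Dict, List, Optional

# Go-style duration strings as used by poll_interval and event_reorder_window (e.g. "250ms").
_DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)$")
_UNIT_MS = {"ns": 1e-6, "us": 1e-3, "ms": 1.0, "s": 1000.0, "m": 60000.0, "h": 3600000.0}


def parse_duration_ms(text: str) -> Optional[float]:
    """Return the duration in milliseconds, or None if the string is not a valid duration."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        return None
    return float(m.group(1)) * _UNIT_MS[m.group(2)]


def socket_path_from_addr(addr: str) -> str:
    """Map unix://var/run/crio/crio.sock to /var/run/crio/crio.sock (assumed host path mapping)."""
    return "/" + addr[len("unix://"):].lstrip("/")


def check_crisensor(cfg: Dict[str, object], env: Dict[str, str],
                    exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return a list of problems with the crisensor section; an empty list means it looks usable."""
    problems: List[str] = []
    if not cfg.get("enabled", False):
        return problems  # sensor disabled: the other values are not consulted
    addr = str(cfg.get("addr", ""))
    if not addr.startswith("unix://"):
        problems.append(f"addr {addr!r} must be prefixed with unix://")
    else:
        path = socket_path_from_addr(addr)
        if not exists(path):
            problems.append(f"socket {path} not found (check the mount into the SLS container)")
        # Assumption: a socket path containing 'crio' means the runtime is CRI-O.
        if "crio" in path and env.get("GRPC_GO_REQUIRE_HANDSHAKE") != "off":
            problems.append("CRI-O runtime: set GRPC_GO_REQUIRE_HANDSHAKE=off, otherwise expect "
                            "'crisensor: connection error context deadline exceeded'")
    interval = str(cfg.get("poll_interval", "250ms"))
    if parse_duration_ms(interval) is None:
        problems.append(f"poll_interval {interval!r} is not a duration such as 250ms")
    return problems


if __name__ == "__main__":
    # Constructed sample matching the CRI-O example on this page.
    sample = {"enabled": True, "addr": "unix://var/run/crio/crio.sock", "poll_interval": "150ms"}
    for problem in check_crisensor(sample, dict(os.environ)):
        print("crisensor:", problem)
```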

Limitations

The CRI-based sensor is polling by design and not event-driven. As a result of this, it's possible that container events or state transitions may occur between polls, resulting in reduced visibility of events. This is due to limitations of the CRI API as of 2019-08-30, as the API doesn't provide any mechanisms to notify a caller when a state transition occurs.

To partially work around the above limitation, SLS will issue synthetic events when it notices that it has missed a state transition. For example, if a container has exited and is not present at the next poll, SLS will forge a container exit event and a container destroyed event.

This issue can be reduced by setting the event_reorder_window value to a longer duration (default is 25ms) in the runtimedetections-rules.yaml config. The example below shows an event_reorder_window of 270ms, which will improve the ability of the analytics engine to appropriately enrich events with correct container data.

/etc/sophos/runtimedetections-rules.yaml

event_reorder_window: 270ms

Note

Increasing the reorder window will also have the effect of making response actions slower.
