Sophos Linux Sensor container runtimes visibility
Sophos Linux Sensor (SLS) has different levels of visibility into the events and containers on a host. This includes deployments in environments that run container technologies, and virtualization technologies that use containers. SLS gathers most events at the kernel level and so has visibility into container technologies that the kernel isolates with cgroups and namespaces.
The events SLS can see depend on the container runtimes being used.
Docker
SLS gathers container metadata events, such as container and image names, from the Docker Engine daemon. SLS has visibility of events inside the container, and of container events and metadata such as the creation of a privileged container. SLS can tell which process is in which container.
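The kernel-level view that lets a sensor tie a process to a container is the cgroup path recorded in /proc/<pid>/cgroup. The script below is an added illustration of that mechanism; it is not Sophos Linux Sensor code, and the cgroup layouts it recognises (Docker cgroupfs, the systemd cgroup driver for Docker, CRI-O and containerd, and the kubepods cgroupfs hierarchy) are common layouts assumed for the example, as are the sample cgroup files and container IDs, which are constructed.

```python
"""Map a Linux process to its container from /proc/<pid>/cgroup.

Added illustration of the cgroup-based view described on the page; this is
not Sophos Linux Sensor code. The cgroup layouts matched below are common
layouts assumed for the example, and the sample files are constructed.
"""
import os
import re
from typing import Optional

# Cgroup path shapes produced by Docker, CRI-O/containerd (via runc) and
# kubelet's cgroupfs driver. The 64-hex-character segment is the container ID.
_ID_PATTERNS = [
    re.compile(r"/docker/([0-9a-f]{64})$"),                 # Docker, cgroupfs driver
    re.compile(r"/docker-([0-9a-f]{64})\.scope$"),          # Docker, systemd driver
    re.compile(r"/crio-([0-9a-f]{64})\.scope$"),            # CRI-O, systemd driver
    re.compile(r"/cri-containerd-([0-9a-f]{64})\.scope$"),  # containerd, systemd driver
    re.compile(r"/kubepods(?:/[^/]+)*/([0-9a-f]{64})$"),    # kubelet, cgroupfs driver
]


def container_id_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Return the container ID named in a /proc/<pid>/cgroup file, or None for a host process."""
    for line in cgroup_text.splitlines():
        # Each line is hierarchy-ID:controller-list:cgroup-path; cgroup v2 uses "0::/path".
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        path = parts[2]
        for pattern in _ID_PATTERNS:
            match = pattern.search(path)
            if match:
                return match.group(1)
    return None


def container_for_pid(pid: int) -> Optional[str]:
    """Read /proc/<pid>/cgroup on the live host; None if the process is gone or runs on the host."""
    try:
        with open(f"/proc/{pid}/cgroup", encoding="utf-8") as handle:
            return container_id_from_cgroup(handle.read())
    except OSError:
        return None


# Constructed sample data: two made-up 64-hex container IDs and three cgroup files.
ID_A = "0123456789abcdef" * 4
ID_B = "fedcba9876543210" * 4
SAMPLE_DOCKER_CGROUPFS = (
    f"12:pids:/docker/{ID_A}\n"
    f"11:memory:/docker/{ID_A}\n"
    f"1:name=systemd:/docker/{ID_A}\n"
)
SAMPLE_CRIO_SYSTEMD = (
    "0::/kubepods.slice/kubepods-burstable.slice/"
    f"kubepods-burstable-pod11112222.slice/crio-{ID_B}.scope\n"
)
SAMPLE_KUBEPODS_CGROUPFS = (
    f"0::/kubepods/burstable/pod33334444-5555-6666-7777-888899990000/{ID_A}\n"
)
SAMPLE_HOST_PROCESS = "0::/user.slice/user-1000.slice/session-3.scope\n"

if __name__ == "__main__":
    for label, sample in [
        ("docker cgroupfs", SAMPLE_DOCKER_CGROUPFS),
        ("crio systemd", SAMPLE_CRIO_SYSTEMD),
        ("kubepods cgroupfs", SAMPLE_KUBEPODS_CGROUPFS),
        ("host process", SAMPLE_HOST_PROCESS),
    ]:
        print(f"{label:18} -> {container_id_from_cgroup(sample)}")
    # Classify this script's own process on the running host.
    print(f"this process       -> {container_for_pid(os.getpid())}")
```

Run on a container host, the script reports the container ID for any PID whose cgroup path matches one of the layouts; a process that shows None is either a host process or uses a cgroup layout the patterns do not cover, which is worth checking against the runtime in use before relying on such a mapping.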
CRI-O and containerd
SLS supports gathering metadata using the Kubernetes Container Runtime Interface (CRI). By default, SLS searches the following CRI sockets:
- /var/run/containerd/containerd.sock
- /var/run/crio/crio.sock
- /var/run/cri-dockerd.sock
- /var/run/dockershim.sock
SLS has visibility of events inside the container if runc is the underlying Open Container Initiative (OCI) runtime. It has visibility into container events and metadata only for containers created via the CRI interfaces, such as Kubernetes.
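Before deploying on a CRI-O or containerd host, it is useful to know which of the default CRI sockets actually exists there. The script below is an added example, not part of the Sophos documentation or the SLS software: it walks the default socket list from this page in the order given and reports whether each path is a Unix socket, a plain file, or absent. The `root` parameter is an assumption introduced so the check can also be run against a test directory tree.

```python
"""Report which of the default CRI sockets are present on this host.

Added example, not Sophos Linux Sensor code. The socket list is the default
search list from the documentation; the `root` parameter is an assumption
added so the check can be exercised against a test directory tree.
"""
import os
import stat
from typing import List, Optional, Tuple

# Default CRI socket paths, in the order the documentation lists them.
DEFAULT_CRI_SOCKETS = [
    "/var/run/containerd/containerd.sock",
    "/var/run/crio/crio.sock",
    "/var/run/cri-dockerd.sock",
    "/var/run/dockershim.sock",
]


def classify_socket_path(path: str) -> str:
    """Return 'socket', 'not-a-socket', 'missing' or 'unreadable' for one filesystem path."""
    try:
        info = os.stat(path)  # follows symlinks, as a connecting client would
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "unreadable"
    return "socket" if stat.S_ISSOCK(info.st_mode) else "not-a-socket"


def find_cri_sockets(candidates: List[str] = DEFAULT_CRI_SOCKETS,
                     root: str = "/") -> List[Tuple[str, str]]:
    """Classify every candidate path, resolved under `root`, keeping the search order."""
    results = []
    for candidate in candidates:
        full_path = os.path.join(root, candidate.lstrip("/"))
        results.append((candidate, classify_socket_path(full_path)))
    return results


def first_usable_socket(results: List[Tuple[str, str]]) -> Optional[str]:
    """The first candidate that is a real socket, i.e. the one a default search would pick."""
    for candidate, status in results:
        if status == "socket":
            return candidate
    return None


if __name__ == "__main__":
    findings = find_cri_sockets()
    for candidate, status in findings:
        print(f"{status:13} {candidate}")
    chosen = first_usable_socket(findings)
    print("first usable CRI socket:", chosen or "none found")
```

A result of "not-a-socket" for one of these paths (a stale regular file or directory left behind by an earlier runtime) is worth cleaning up before installation, since a client connecting to that path would fail rather than fall through to the next candidate.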
For more information on installing SLS with CRI-O and containerd, see Install SLS with CRI-O and containerd.
Virtualization technologies
Virtualization technologies include solutions that support Virtual Machines (VMs) and hybrid solutions that support deploying both VMs and Linux Containers (LXCs) on the same host. While these solutions provide flexibility for deploying and maintaining applications, there are factors you must consider when deploying SLS to gain full visibility into events on the host, the VMs, and the LXCs.
For example, when deploying VMs, each VM is, by design, an isolated instance with full OS functionality and its own kernel. This is true for both dedicated VM solutions and hybrid solutions running VMs and LXCs. LXCs share the kernel with the host, but some hybrid solutions limit the options for LXCs to run in privileged mode.
We recommend the following deployment strategies for virtualization technologies:
- Dedicated VM solutions: Deploy SLS on the host to have visibility into events running on the host. Given the isolation of each VM from the host, you must also deploy SLS on each VM running on the host to gain visibility into the events on the VM.
- Hybrid solutions: Deploy SLS on the host to have visibility into events running on the host. This also provides visibility into any containers running on the host. In most hybrid solutions, deploying SLS as a container image provides visibility into events on the host but not into events within containers. You must deploy SLS on each VM running on the host to provide visibility into the events on each VM.