Sophos Linux Sensor container runtime visibility

Sophos Linux Sensor (SLS) has different levels of visibility on the host, including when you deploy SLS on a host running container technologies. SLS gathers most events at the kernel level and so has visibility into container technologies that the kernel isolates, for example with cgroups and namespaces.

The events SLS can see depend on the container runtimes being used.

Docker

SLS gathers container metadata events, such as container and image names, from the Docker Engine daemon. SLS has visibility of events inside the container as well as container events and metadata, such as a privileged container being created. SLS can tell which process is in which container.

CRI-O and containerd

SLS supports gathering metadata using the Kubernetes Container Runtime Interface (CRI). By default, SLS searches the following CRI sockets:

  • /var/run/containerd/containerd.sock
  • /var/run/crio/crio.sock
  • /var/run/cri-dockerd.sock
  • /var/run/dockershim.sock

SLS has visibility of events inside the container only if runc is the underlying Open Container Initiative (OCI) runtime. It has visibility into container events and metadata only for containers created through CRI, for example by Kubernetes.
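The following pre-deployment check is an added example, not part of this page or of SLS itself. It looks for the default CRI sockets listed above (plus the standard Docker Engine socket, which the page does not list), reports the visibility the page describes for each, and applies a constructed heuristic for whether runc is the OCI runtime by grepping the containerd and CRI-O configuration files; the ROOT argument exists only so the check can be pointed at another filesystem root.

```shell
#!/bin/sh
# Constructed example: which runtime sockets would SLS find on this host?
# Usage: runtime_check [ROOT]   (ROOT defaults to "/")

# Default CRI sockets SLS searches (from the page).
CRI_SOCKETS="/var/run/containerd/containerd.sock /var/run/crio/crio.sock /var/run/cri-dockerd.sock /var/run/dockershim.sock"
# Standard Docker Engine socket; an assumption, not stated on the page.
DOCKER_SOCKET="/var/run/docker.sock"

# Print each socket path that exists under ROOT, one per line.
# On a live host prefer [ -S ]; -e is used so a placeholder file also counts.
find_runtime_sockets() {
  root="${1:-/}"
  for s in $DOCKER_SOCKET $CRI_SOCKETS; do
    p="${root%/}$s"
    [ -e "$p" ] && printf '%s\n' "$s"
  done
  return 0
}

# Visibility the page describes for the runtime behind a socket.
visibility_for() {
  case "$1" in
    */docker.sock)
      echo "docker: in-container events, container events and metadata" ;;
    */containerd.sock|*/crio.sock|*/cri-dockerd.sock|*/dockershim.sock)
      echo "cri: in-container events only if OCI runtime is runc; metadata only for CRI-created containers" ;;
    *) echo "unknown: $1" ;;
  esac
}

# Heuristic (assumption): containerd and CRI-O declare their OCI runtime in
# these files; report "runc" if either names it, else "unknown".
oci_runtime_hint() {
  root="${1:-/}"
  for f in /etc/containerd/config.toml /etc/crio/crio.conf; do
    p="${root%/}$f"
    [ -f "$p" ] && grep -q runc "$p" && { echo runc; return 0; }
  done
  echo unknown
}

runtime_check() {
  root="${1:-/}"
  echo "OCI runtime hint: $(oci_runtime_hint "$root")"
  find_runtime_sockets "$root" | while read -r s; do
    echo "$s -> $(visibility_for "$s")"
  done
}
```

Run it as `sh runtime_check.sh` on the host before installing SLS, or pass a mounted image root as ROOT to inspect it offline.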

For more information on installing SLS with CRI-O and containerd, see Install SLS with CRI-O and containerd.

Virtualization

Container technologies that use virtualization prevent SLS from gathering events within those containers. In these environments, SLS will have visibility of container events and metadata but not activity occurring within the container itself.