
Sensor Deployment

The CBOM Sensor is a standalone Java CLI application that runs near your infrastructure, executes cryptographic discovery scans, and pushes results to the API.


Build the sensor from the repository checkout:

    cd cbom/sensor
    mvn package -DskipTests
    # The JAR is at target/cbom-sensor-*.jar

Run it against a config file:

    java -jar cbom-sensor.jar --config=path/to/config.yml

Each config file defines:

  1. Scanner type — What kind of scan to perform
  2. API connection — Where to push results
  3. Scanner config — Type-specific settings (endpoints, paths, credentials)

Omit apiUrl from the config to run in dry-run mode. The sensor will scan and print results to stdout without pushing to the API.


Every sensor config follows this structure:

    scanner: <scanner-type>

    # API connection (omit for dry-run)
    apiUrl: http://your-api-host:9090
    apiKey: your-api-key-here

    # Scanner-specific settings
    config:
      # ... varies by scanner type

HTTPS Endpoint Scanner

Connects to TLS endpoints and extracts certificate chains, cipher suites, and protocol versions.

    scanner: https-endpoint
    apiUrl: http://localhost:9090
    apiKey: your-api-key-here
    config:
      endpoints:
        - api.example.com:443
        - internal-service.corp.local:8443
      timeoutMs: 10000

Discovers: Certificates (full chain), algorithms, key sizes, cipher suites, TLS protocol version.


Filesystem Scanner

Scans directories for cryptographic material files.

    scanner: filesystem
    apiUrl: http://localhost:9090
    apiKey: your-api-key-here
    config:
      paths:
        - /etc/ssl/certs
        - /etc/pki
        - /opt/app/keystores
      # password: changeit   # Optional: for PKCS#12/JKS files

Supported formats: .pem, .crt, .cer, .key, .der, .p12, .pfx, .jks, .jceks, .p7b, .csr, .crl

Discovers: Certificates, private keys, public keys, keystore contents.
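To make concrete what "discovering" cryptographic material on a filesystem involves, here is an added Python example (not the sensor's own code) that classifies a file by the extensions listed above, recognizes PEM blocks by their labels, falls back to the ASN.1 SEQUENCE tag for DER, and flags keystores that need the optional password. The DER category-by-extension mapping and the sample inputs are constructed for this example.

```python
import os
import re
from pathlib import Path

# Extensions the filesystem scanner lists as supported.
SUPPORTED_EXTENSIONS = {
    ".pem", ".crt", ".cer", ".key", ".der", ".p12", ".pfx",
    ".jks", ".jceks", ".p7b", ".csr", ".crl",
}
# Keystore containers that need the optional `password` setting to open.
PASSWORD_PROTECTED = {".p12", ".pfx", ".jks", ".jceks"}

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <same LABEL>-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# PEM labels mapped to the categories reported.
LABEL_CATEGORY = {
    "CERTIFICATE": "certificate",
    "TRUSTED CERTIFICATE": "certificate",
    "X509 CRL": "crl",
    "CERTIFICATE REQUEST": "csr",
    "NEW CERTIFICATE REQUEST": "csr",
    "PUBLIC KEY": "public-key",
    "PKCS7": "pkcs7",
}
# DER files carry no label, so the extension decides (an assumption of this example).
DER_CATEGORY_BY_EXT = {".crl": "crl", ".csr": "csr", ".key": "private-key"}


def classify_pem_label(label: str) -> str:
    if label in LABEL_CATEGORY:
        return LABEL_CATEGORY[label]
    if label.endswith("PRIVATE KEY"):      # RSA/EC/DSA/OPENSSH/ENCRYPTED PRIVATE KEY
        return "private-key"
    return "unknown"


def classify_material(name: str, data: bytes) -> dict:
    """Describe what one file holds: encoding (pem/der/keystore) and a list of findings."""
    ext = Path(name).suffix.lower()
    result = {
        "file": name, "extension": ext, "supported": ext in SUPPORTED_EXTENSIONS,
        "encoding": None, "needs_password": ext in PASSWORD_PROTECTED, "findings": [],
    }
    if ext in PASSWORD_PROTECTED:
        result["encoding"] = "keystore"   # contents only readable with the password
        return result
    text = data.decode("ascii", errors="ignore")
    blocks = PEM_BLOCK.findall(text)
    if blocks:
        result["encoding"] = "pem"
        for label, body in blocks:
            category = classify_pem_label(label)
            finding = {"label": label, "category": category}
            if category == "private-key":
                # PKCS#8 encrypted keys say so in the label; traditional OpenSSL
                # keys carry a "Proc-Type: 4,ENCRYPTED" header inside the block.
                finding["encrypted"] = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
            result["findings"].append(finding)
    elif data[:1] == b"\x30":
        # DER starts with an ASN.1 SEQUENCE tag (0x30); no label, so use the extension.
        result["encoding"] = "der"
        result["findings"].append({"label": None, "category": DER_CATEGORY_BY_EXT.get(ext, "certificate")})
    return result


def scan_paths(paths):
    """Walk the configured paths and classify every file with a supported extension."""
    for root in paths:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if Path(fn).suffix.lower() in SUPPORTED_EXTENSIONS:
                    full = os.path.join(dirpath, fn)
                    with open(full, "rb") as fh:
                        yield classify_material(full, fh.read())


# Constructed samples: PEM framing around filler text, not real key material.
SAMPLE_CERT = b"""-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUConstructedSampleNotARealCertificate00000=
-----END CERTIFICATE-----
"""
SAMPLE_ENC_KEY = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

ConstructedFillerNotARealKey000000000000000000000000000000000=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"\x00" * 8   # ASN.1 SEQUENCE header, truncated

if __name__ == "__main__":
    for name, blob in [("server.crt", SAMPLE_CERT), ("server.key", SAMPLE_ENC_KEY),
                       ("bundle.pem", SAMPLE_CERT + SAMPLE_ENC_KEY), ("ca.der", SAMPLE_DER)]:
        print(classify_material(name, blob))
```

A bundle file yields one finding per PEM block, so a certificate followed by its private key in the same `.pem` is reported as both; whether a private key is encrypted is worth recording separately, since an unencrypted key under a world-readable path is the finding an inventory is usually looking for.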


Keystore Scanner

Included in the filesystem scanner. Handles JKS and PKCS#12 keystores with password-based access (the optional password setting in the filesystem scanner config).


SSH Key Scanner

Scans common SSH key locations for private and public keys.

    scanner: ssh-keys
    apiUrl: http://localhost:9090
    apiKey: your-api-key-here
    config:
      # paths:              # Defaults to ~/.ssh and /etc/ssh if not specified
      #   - /home/user/.ssh
      #   - /etc/ssh

Discovers: SSH private keys, public keys, key algorithms (RSA, ECDSA, Ed25519), key sizes.


Windows Certificate Store Scanner

Scans Windows certificate stores using certutil.

    scanner: windows-certstore
    apiUrl: http://localhost:9090
    apiKey: your-api-key-here
    config:
      storeLocation: LocalMachine   # or CurrentUser
      stores:
        - My      # Personal certificates
        - Root    # Trusted Root CAs
        - CA      # Intermediate CAs
        - Trust   # Enterprise Trust

Requires: Windows OS with certutil available.


Source Code Scanner

Scans source code for cryptographic API calls, hardcoded keys, and crypto library imports.

    scanner: source-code
    apiUrl: http://localhost:9090
    apiKey: your-api-key-here
    config:
      paths:
        - /home/user/repo/src
      excludePaths:
        - node_modules
        - target
        - .git
        - build
        - dist
      cryptoApiCalls: true    # Detect crypto API usage
      hardcodedKeys: true     # Detect hardcoded keys/secrets
      importStatements: true  # Detect crypto library imports

Discovers: Algorithm usage, hardcoded keys, crypto library dependencies.
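The three detection toggles map naturally onto three families of patterns. The following Python example, added here and not taken from the sensor, shows a pattern-based scanner of that shape: imports of crypto libraries, API calls whose argument names the algorithm (normalized so that `AES/GCM/NoPadding` and `aes_256_gcm` both count as AES, and MD5/SHA-1/DES/RC4 are flagged as weak), and hardcoded-secret heuristics that report the variable name rather than the value. It also applies the `excludePaths` rule by path component. The pattern lists, the algorithm table and the sample sources are constructed for this example and are narrower than a real scanner's.

```python
import re
from pathlib import PurePath

# Crypto library imports, keyed by the module name that identifies the library.
IMPORT_PATTERNS = [
    re.compile(r"^\s*import\s+(?P<mod>javax\.crypto|java\.security|org\.bouncycastle)[\w.]*"),
    re.compile(r"^\s*(?:from|import)\s+(?P<mod>cryptography|Crypto|hashlib|hmac|nacl|OpenSSL)\b"),
    re.compile(r"require\(\s*[\"'](?P<mod>crypto|node-forge|jsrsasign)[\"']"),
    re.compile(r"^\s*#include\s*<(?P<mod>openssl|mbedtls|wolfssl|sodium)[/.]"),
]
# Crypto API calls whose first argument names the algorithm.
API_CALL_PATTERNS = [
    re.compile(r"\b(?:Cipher|MessageDigest|Mac|Signature|KeyGenerator|KeyPairGenerator)"
               r"\.getInstance\(\s*\"(?P<alg>[^\"]+)\""),
    re.compile(r"\bhashlib\.(?P<alg>md5|sha1|sha224|sha256|sha384|sha512|blake2b|blake2s)\s*\("),
    re.compile(r"\bcrypto\.create(?:Cipheriv|Decipheriv|Hash|Hmac)\(\s*[\"'](?P<alg>[^\"']+)[\"']"),
    re.compile(r"\bEVP_(?P<alg>[a-z0-9_]+)\s*\("),
]
# Hardcoded secrets: a suspicious variable name assigned a literal, a PEM private
# key header, or an AWS access key id. Only the variable name is reported, never the value.
HARDCODED_PATTERNS = [
    re.compile(r"(?i)\b(?P<name>(?:secret|api[_-]?key|password|passwd|token|private[_-]?key)\w*)"
               r"\s*[:=]\s*[\"'][^\"']{8,}[\"']"),
    re.compile(r"(?P<name>-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
    re.compile(r"\b(?P<name>AKIA)[0-9A-Z]{16}\b"),
]
# Longest names first so "HMACSHA256" -> HMAC and "SHA3256" -> SHA3.
KNOWN_ALGORITHMS = ["HMAC", "AES", "RSA", "ECDSA", "ECDH", "CHACHA20", "SHA512", "SHA384",
                    "SHA256", "SHA224", "SHA3", "SHA1", "SHA", "MD5", "MD4", "DESEDE", "3DES",
                    "DES", "RC4", "RC2", "BLOWFISH"]
WEAK_ALGORITHMS = {"MD5", "MD4", "SHA1", "SHA", "DES", "RC4", "RC2"}   # "SHA" alone is SHA-1 in the JCA


def normalize_algorithm(raw: str) -> str:
    """'AES/GCM/NoPadding' -> 'AES', 'sha1' -> 'SHA1', 'aes_256_gcm' -> 'AES'."""
    key = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return next((a for a in KNOWN_ALGORITHMS if key.startswith(a)), key)


def should_skip(path: str, exclude_paths) -> bool:
    """True when any path component is listed in excludePaths (node_modules, .git, ...)."""
    return any(part in exclude_paths for part in PurePath(path).parts)


def scan_source(text: str, crypto_api_calls=True, hardcoded_keys=True, import_statements=True):
    """Scan one file's text; the flags mirror cryptoApiCalls/hardcodedKeys/importStatements."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if import_statements:
            for pat in IMPORT_PATTERNS:
                m = pat.search(line)
                if m:
                    findings.append({"line": lineno, "kind": "import", "value": m.group("mod")})
                    break
        if crypto_api_calls:
            for pat in API_CALL_PATTERNS:
                m = pat.search(line)
                if m:
                    alg = normalize_algorithm(m.group("alg"))
                    findings.append({"line": lineno, "kind": "api-call", "value": m.group(0),
                                     "algorithm": alg, "weak": alg in WEAK_ALGORITHMS})
                    break
        if hardcoded_keys:
            for pat in HARDCODED_PATTERNS:
                m = pat.search(line)
                if m:
                    findings.append({"line": lineno, "kind": "hardcoded-key", "value": m.group("name")})
                    break
    return findings


# Constructed sample inputs (not from any real project).
SAMPLE_JAVA = """\
import javax.crypto.Cipher;
import java.security.MessageDigest;

public class Token {
    private static final String API_KEY = "sk_live_constructed_example_0123456789";
    byte[] digest(byte[] in) throws Exception {
        return MessageDigest.getInstance("MD5").digest(in);
    }
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
}
"""
SAMPLE_PY = """\
import hashlib
from cryptography.hazmat.primitives.ciphers import Cipher
def fingerprint(data):
    return hashlib.sha1(data).hexdigest()
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA) + scan_source(SAMPLE_PY):
        print(f)
```

Reporting only the variable name for hardcoded-secret hits matters because scan results are pushed to an API and stored; a scanner that copies the literal into its findings turns the inventory itself into a secret store.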


Binary Scanner

Scans compiled binaries for cryptographic usage — linked crypto libraries, function symbols, embedded PEM data, algorithm references, and crypto constants (e.g., AES S-box).

    scanner: binary
    apiUrl: http://localhost:9090
    apiKey: your-api-key-here
    config:
      paths:
        - /usr/local/bin
        - /opt/app/lib
      extensions:
        - dll
        - exe
        - so
        - jar
      maxFileSize: 50MB   # Default: 100MB

Supported file types: DLL, EXE, SO, dylib, JAR, WAR, EAR, class, .o, .a, .lib, .sys, .node
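The five indicator classes the description lists can all be found without disassembling anything. This added Python example (not the sensor's code) does so on raw bytes: it extracts printable strings and matches library names and exported symbol names, looks for PEM headers, and searches for byte patterns of known constants (the first 16 bytes of the AES S-box, and the SHA-256 and MD5/SHA-1 initial hash words in both byte orders, since an x86 build stores them little-endian). It also applies the `extensions` and `maxFileSize` settings; reading `MB` as a binary multiple is an assumption, and the sample "binary" is a constructed byte string, not a real ELF file.

```python
import re

# Byte patterns of well-known crypto constants. The AES S-box starts with the same
# 16 bytes in every correct implementation; hash IVs are 32-bit words, so both
# byte orders are searched (an x86 build stores them little-endian).
AES_SBOX_PREFIX = bytes([0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                         0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76])
SHA256_IV = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a)
MD5_SHA1_IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)   # shared by MD5 and SHA-1


def _words(words, order):
    return b"".join(w.to_bytes(4, order) for w in words)


CONSTANT_SIGNATURES = [
    ("aes-sbox", "n/a", AES_SBOX_PREFIX),
    ("sha256-iv", "big", _words(SHA256_IV, "big")),
    ("sha256-iv", "little", _words(SHA256_IV, "little")),
    ("md5-or-sha1-iv", "big", _words(MD5_SHA1_IV, "big")),
    ("md5-or-sha1-iv", "little", _words(MD5_SHA1_IV, "little")),
]
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")          # printable runs, like strings(1)
LIBRARY_RE = re.compile(rb"(libssl|libcrypto|libgcrypt|libsodium|libmbedtls|libwolfssl|"
                        rb"bcrypt\.dll|bcryptprimitives\.dll|ncrypt\.dll|crypt32\.dll)", re.I)
SYMBOL_RE = re.compile(rb"\b(EVP_\w+|SSL_CTX_\w+|RSA_\w+|AES_\w+|EC_KEY_\w+|HMAC_\w+|"
                       rb"BCrypt[A-Z]\w+|NCrypt[A-Z]\w+|Crypt(?:Encrypt|Decrypt|AcquireContext\w*|ImportKey)|"
                       rb"gcry_\w+|sodium_\w+)\b")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----")
SIZE_UNITS = {"": 1, "B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(value) -> int:
    """'50MB' -> 52428800. Units are taken as binary multiples (an assumption of this example)."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?B)?\s*", str(value).upper())
    if not m:
        raise ValueError(f"bad size: {value!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2) or ""]


def wanted_extension(name: str, extensions) -> bool:
    """Match the `extensions` list (given without dots, case-insensitively)."""
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return suffix in {e.lower().lstrip(".") for e in extensions}


def scan_binary(name: str, data: bytes, max_file_size="100MB"):
    """Return crypto indicators found in one binary, or None if it exceeds maxFileSize."""
    if len(data) > parse_size(max_file_size):
        return None
    findings, seen = [], set()

    def add(kind, value, **extra):
        key = (kind, value, tuple(sorted(extra.items())))
        if key not in seen:                      # report each indicator once per file
            seen.add(key)
            findings.append({"file": name, "kind": kind, "value": value, **extra})

    for s in STRING_RE.findall(data):
        for m in LIBRARY_RE.finditer(s):
            add("library", m.group(1).decode().lower())
        for m in SYMBOL_RE.finditer(s):
            add("symbol", m.group(1).decode())
    for m in PEM_RE.finditer(data):
        add("pem", m.group(1).decode())
    for cname, order, sig in CONSTANT_SIGNATURES:
        if sig in data:
            add("constant", cname, byte_order=order)
    return findings


# Constructed sample: a fake ELF header followed by the kinds of content a crypto-using
# shared object contains. Not a real binary.
SAMPLE_SO = (
    b"\x7fELF" + b"\x00" * 12
    + b"libcrypto.so.3\x00EVP_EncryptInit_ex\x00SSL_CTX_new\x00"
    + AES_SBOX_PREFIX
    + _words(SHA256_IV, "little")
    + b"-----BEGIN CERTIFICATE-----\nconstructed filler\n"
)

if __name__ == "__main__":
    for f in scan_binary("libsample.so", SAMPLE_SO, max_file_size="50MB"):
        print(f)
```

A constant hit tells you an algorithm is implemented inside the binary itself (statically linked or hand-rolled), whereas a library-name hit only says it is linked dynamically; the two deserve different follow-up, since an embedded implementation will not be fixed by updating the system's OpenSSL.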


AWS Scanner

Scans AWS services for certificates and cryptographic keys.

    scanner: aws
    apiUrl: http://localhost:9090
    apiKey: your-api-key-here
    config:
      region: us-east-1
      services:
        - acm   # AWS Certificate Manager
        - kms   # Key Management Service
        - iam   # IAM server certificates
      # Credentials (optional — uses default credential chain if omitted)
      accessKeyId: AKIAXXXXXXXXXXXXXXXX
      secretAccessKey: your-secret-access-key

Credential resolution order: Config file → Environment variables → ~/.aws/credentials → Instance profile.


Active Directory Scanner

Scans Active Directory Certificate Services (ADCS) for issued certificates, CA certificates, and certificate templates.

    scanner: active-directory
    apiUrl: http://localhost:9090
    apiKey: your-api-key-here
    config:
      scan_name: Production AD Scan
      page_size: 500
      connect_timeout_seconds: 10
      search_timeout_seconds: 30
      retry_attempts: 3
      retry_delay_seconds: 5
      forests:
        - name: corp.example.com
          auth_type: simple   # simple, ntlm, or gssapi (Kerberos)
          username: CN=svc_scanner,OU=ServiceAccounts,DC=corp,DC=example,DC=com
          password: your-password
          domain: CORP
          use_ssl: true
          verify_ssl: true
          domains:
            - server: dc01.corp.example.com
              base_dn: DC=corp,DC=example,DC=com

Authentication types: Simple bind, NTLM, GSSAPI (Kerberos).
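Because every config shares the `scanner` / `apiUrl` / `apiKey` / `config` layout and each scanner type has its own required settings, a config check before scheduling a sensor is cheap to write. The following Python linter is an added example and not part of the sensor; it takes a config as a parsed mapping (what a YAML loader would return), reports the dry-run case when `apiUrl` is absent, checks the per-scanner keys shown in the sections above, and flags the settings that deserve a second look: a plain-http `apiUrl` to a remote host, AWS static credentials or a keystore password kept in the file, and an Active Directory simple bind without `use_ssl`. The required-key table and severity levels are this example's own choices; the sample configs are constructed.

```python
from urllib.parse import urlparse

# Scanner types documented above and the config keys each one's example shows as essential.
REQUIRED_KEYS = {
    "https-endpoint": ["endpoints"],
    "filesystem": ["paths"],
    "ssh-keys": [],                       # paths default to ~/.ssh and /etc/ssh
    "windows-certstore": ["storeLocation", "stores"],
    "source-code": ["paths"],
    "binary": ["paths"],
    "aws": ["region", "services"],
    "active-directory": ["forests"],
}
AWS_SERVICES = {"acm", "kms", "iam"}
AD_AUTH_TYPES = {"simple", "ntlm", "gssapi"}
STORE_LOCATIONS = {"LocalMachine", "CurrentUser"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_dry_run(cfg: dict) -> bool:
    """No apiUrl means the sensor prints results instead of pushing them."""
    return "apiUrl" not in cfg


def lint_sensor_config(cfg: dict):
    """Return a list of (level, message) tuples; an empty list means the config is clean."""
    issues = []

    def error(msg): issues.append(("error", msg))
    def warning(msg): issues.append(("warning", msg))

    scanner = cfg.get("scanner")
    if scanner not in REQUIRED_KEYS:
        error(f"unknown scanner type {scanner!r}; expected one of {sorted(REQUIRED_KEYS)}")
        return issues
    # API connection: dry-run is legitimate, a half-configured connection is not.
    if is_dry_run(cfg):
        if "apiKey" in cfg:
            warning("apiKey is set but apiUrl is missing: this runs in dry-run mode and pushes nothing")
    else:
        if "apiKey" not in cfg:
            error("apiUrl is set but apiKey is missing")
        url = urlparse(str(cfg["apiUrl"]))
        if url.scheme == "http" and url.hostname not in LOCAL_HOSTS:
            warning(f"apiUrl {cfg['apiUrl']} is plain http to a remote host: results and the API key travel unencrypted")
    sc = cfg.get("config") or {}
    if not isinstance(sc, dict):
        error("config must be a mapping")
        return issues
    for key in REQUIRED_KEYS[scanner]:
        if not sc.get(key):
            error(f"{scanner}: config.{key} is required")
    if scanner == "https-endpoint":
        for ep in sc.get("endpoints") or []:
            _host, sep, port = str(ep).rpartition(":")
            if not sep or not port.isdigit():
                error(f"endpoint {ep!r} must be host:port")
    elif scanner == "windows-certstore":
        if sc.get("storeLocation") not in STORE_LOCATIONS:
            error(f"storeLocation must be one of {sorted(STORE_LOCATIONS)}")
    elif scanner == "aws":
        unknown = set(sc.get("services") or []) - AWS_SERVICES
        if unknown:
            error(f"aws: unsupported services {sorted(unknown)}")
        if "accessKeyId" in sc or "secretAccessKey" in sc:
            warning("aws: static credentials in the config file; prefer the default credential chain")
    elif scanner == "filesystem" and "password" in sc:
        warning("filesystem: keystore password stored in the config file; restrict its permissions")
    elif scanner == "active-directory":
        for forest in sc.get("forests") or []:
            name = forest.get("name", "<unnamed>")
            auth = forest.get("auth_type", "simple")
            if auth not in AD_AUTH_TYPES:
                error(f"forest {name}: auth_type must be one of {sorted(AD_AUTH_TYPES)}")
            if auth == "simple" and not forest.get("use_ssl"):
                error(f"forest {name}: simple bind without use_ssl sends the password in clear text")
            if forest.get("use_ssl") and forest.get("verify_ssl") is False:
                warning(f"forest {name}: verify_ssl is false, so the LDAPS server certificate is not checked")
            for dom in forest.get("domains") or []:
                for k in ("server", "base_dn"):
                    if k not in dom:
                        error(f"forest {name}: domain entry is missing {k}")
    return issues


# Constructed configs, as they would look after YAML parsing.
GOOD_HTTPS = {"scanner": "https-endpoint", "apiUrl": "http://localhost:9090", "apiKey": "your-api-key-here",
              "config": {"endpoints": ["api.example.com:443"], "timeoutMs": 10000}}
AWS_STATIC_CREDS = {"scanner": "aws", "apiUrl": "http://cbom-api.internal:9090", "apiKey": "your-api-key-here",
                    "config": {"region": "us-east-1", "services": ["acm", "kms"],
                               "accessKeyId": "AKIAXXXXXXXXXXXXXXXX", "secretAccessKey": "placeholder"}}
AD_PLAINTEXT_BIND = {"scanner": "active-directory", "apiUrl": "http://localhost:9090", "apiKey": "your-api-key-here",
                     "config": {"forests": [{"name": "corp.example.com", "auth_type": "simple", "use_ssl": False,
                                             "domains": [{"server": "dc01.corp.example.com",
                                                          "base_dn": "DC=corp,DC=example,DC=com"}]}]}}

if __name__ == "__main__":
    for label, cfg in [("good", GOOD_HTTPS), ("aws", AWS_STATIC_CREDS), ("ad", AD_PLAINTEXT_BIND)]:
        print(label, lint_sensor_config(cfg))
```

Run it over every config under /etc/cbom (or wherever the nightly cron entries point) before enabling them; the AD and AWS warnings are the ones that tend to survive from a dry-run config copied into production.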


Running and Scheduling Scans

Run a sensor manually for initial discovery:

    java -jar cbom-sensor.jar --config=scan-production-endpoints.yml

Schedule recurring scans with cron, for example in /etc/cron.d/cbom-sensor (files in /etc/cron.d take a user field between the schedule and the command, unlike a per-user crontab):

    0 2 * * * root java -jar /opt/cbom/cbom-sensor.jar --config=/etc/cbom/nightly-scan.yml

Run multiple configs in sequence or in parallel:

    java -jar cbom-sensor.jar --config=https-endpoints.yml
    java -jar cbom-sensor.jar --config=filesystem.yml
    java -jar cbom-sensor.jar --config=aws.yml

Register sensors in the UI and assign scanner configurations. The API tracks scan runs and results per sensor.

[Screenshot: Sensor Management UI]