All Products
Search
Document Center

Security Center:Enable features on the Container Protection Settings tab

Last Updated:Jan 08, 2024

The Container Protection Settings tab in the Security Center console displays container-related features such as threat detection on Kubernetes containers and container escape prevention. You can enable the features to ensure the runtime security of your containers. This topic describes the features that you can enable on the Container Protection Settings tab. This topic also describes how to enable the features.

K8s Threat Detection

The feature of threat detection on Kubernetes containers checks the security status of running container clusters in real time to detect security threats and attacks at the earliest opportunity. After you enable the feature of threat detection on Kubernetes containers, Security Center automatically detects threats that trigger alerts of the K8s Abnormal Behavior type. For more information about the threats that can be detected by Security Center, see Threats that can be detected.

Limits

Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Enable threat detection on Kubernetes containers

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.In the left-side navigation pane, choose System Configuration > Feature Settings.

  2. On the Container Protection Settings tab of the Settings tab, turn on Threat Detection in the K8s Threat Detection section.

    If Security Center detects threats in your Kubernetes clusters after you turn on the switch, alerts are triggered and displayed on the Alerts page. We recommend that you view and handle the alerts at the earliest opportunity. For information, see View and handle security alerts.

Threats that can be detected

Type

Item

K8s abnormal behavior

Suspicious instruction run on a Kubernetes API server

Mounting of suspicious directories to a pod

Lateral movement among Kubernetes service accounts

Startup of a pod that contains a malicious image

Unusual network connection

Outbound connection of reverse shells

Suspicious outbound network connection

Suspicious lateral movement in internal networks

Malicious process

DDoS trojan

Suspicious connection from mining machines

Suspicious program

Suspicious tool initiating brute-force attacks on ports

Suspicious attack program

Backdoor program

Malicious vulnerability detection tool

Malicious program

Mining program

Trojan

Self-mutating trojan

Worm

Webshell

WebShell

Suspicious process

Suspicious command run by Apache CouchDB

Suspicious command run by FTP applications

Suspicious command run by Hadoop

Suspicious command run by Java applications

Suspicious command run by Jenkins

Suspicious account creation in Linux

Suspicious command run by scheduled tasks in Linux

Suspicious command run by MySQL

Suspicious command run by Oracle

Suspicious command run by PostgreSQL applications

Suspicious command run by Python applications

Suspicious execution of non-interactive SSH commands that contain only one line targeting remote machines

Webshell running suspicious probe commands

Modification of Windows RDP configurations for port 3389

Suspicious execution of download commands in Windows

Suspicious account creation in Windows

Malicious code injection in crontab jobs

Suspicious command sequence in Linux

Execution of suspicious commands in Linux

Dynamic injection of suspicious scripts

Reverse shell

Reverse shell command

Potential data breach by using HTTP tunnels

Suspicious SSH tunneling

Suspicious webshell injection

Suspicious starting of a privileged container

Suspicious port listening

Malicious container startup

Remote API debugging in Docker that may pose security risks

Suspicious command

Privilege escalation in containers or container escapes

Malicious container startup

Container Escape Prevention

The feature of container escape prevention detects high-risk behavior in processes, files, and system calls. The feature establishes a protective barrier between containers and hosts and effectively intercepts escapes to ensure the security of the container runtime. The feature also defends against known and unknown attack modes, and intercepts attacks that are initiated on hosts after attackers exploit container vulnerabilities.

Prerequisites

The switch for Malicious Host Behavior Prevention or Webshell Protection is turned on. For more information, see Proactive Defense.

Enable container escape prevention

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.In the left-side navigation pane, choose System Configuration > Feature Settings.

  2. On the Container Protection Settings tab of the Settings tab, turn on the switch in the Container Escape Prevention section.

What to do next

After you turn on the switch in the Container Escape Prevention section, you must create a defense rule against container escapes to allow the feature of container escape prevention to take effect.

if Security Center detects security risks in Kubernetes container clusters after the feature takes effect, alert events are generated for the risks, and the events are displayed on the Alerts page. We recommend that you check and handle the risks at the earliest opportunity. For more information, see View and handle security alerts.