Proactively defend against risks in container runtime - Security Center

The feature of proactive defense for containers proactively detects risks when your containers start or run from the following dimensions: image security, runtime security, and running environment security. You can configure rules to block the running of at-risk images, stop untrusted processes, and block container escapes. This helps improve the runtime security of your containers. This topic describes how to configure rules of the at-risk image blocking, non-image program defense, and container escape prevention types.

Rule description

The following table describes the rule types that you can select based on your business requirements.

Rule type	Description
At-risk Image Blocking	After you create a rule of the At-risk Image Blocking type, Security Center detects risks on images based on the rule when you use the images to create resources in the clusters that are specified in the rule. If an image hits the rule, Security Center performs the action that is specified in the rule on the image, and generates an alert event for the risk detection result. The action can be Alert, Block, or Allow. This ensures that only images that meet your security requirements can be started in your clusters.
Non-image Program Defense	After you create a rule of the Non-image Program Defense type, Security Center detects and blocks the startup of programs that are not included in the images of specified clusters in the rule. This helps defend against malicious software intrusion and known and unknown attacks.
Container Escape Prevention	After you create a rule of the Container Escape Prevention type, Security Center detects risky operations from multiple dimensions, such as processes, files, and system calls, and establishes protection barriers between containers and hosts. This helps block escape behavior and ensure the runtime security of containers in an efficient manner. You can also use this type of rule to block attacks that are launched by exploiting container vulnerabilities to take control over hosts. This helps improve the security of operating systems.

Limits

Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

At-risk image blocking

Supported cluster types

The At-risk Image Blocking feature supports only Container Registry clusters. The following table describes the support for ACK clusters.

ACK cluster	Supported
Managed Kubernetes cluster	Yes
Dedicated Kubernetes cluster	Yes
Serverless Kubernetes cluster	No
Managed edge Kubernetes cluster	No
Registered cluster	No

Principles

After you create a rule of the At-risk Image Blocking type for a cluster, a request is sent to Security Center to detect image risks when you use an image specified in the rule to create resources such as pods in the cluster. Security Center checks whether the image contains risks that you select in the rule. If the image hits the rule, Security Center handles the image based on the action that is specified in the rule, and generates an alert event for the risk detection result. The action can be Alert, Block, or Allow.

If multiple rules are created for a cluster, all rules take effect. If an image hits multiple rules, Security Center handles the image based on the actions that are specified in the rules, and generates multiple alert events.

If multiple alert policies are configured in a rule and an alert policy is hit, Security Center immediately handles the risks based on the action that is specified in the rule. Security Center no longer matches the image against other alert policies. Security Center detects the following types of risks on an image in sequence: malicious Internet images, unscanned images, malicious samples, baseline risks, and vulnerabilities. The following figure shows the order by which Security Center detects risks.

Prerequisites

Before you create a rule, make sure that the components that are required for policy management are installed in the ACK console. The required components are gatekeeper, policy-template-controller, and logtail-ds. For more information, see Install policy-template-controller.

Create a rule

Note

You can create up to 40 rules for each cluster.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.
Select At-risk Image Blocking for Rule type. Then, click New rule.
If you created a rule for the cluster, find the rule and click Copy in the Actions column. In the Copy Rule panel, you can modify the parameters of the rule based on your business requirements and click OK.

In the New rule panel, configure the following parameters and click Next.

Parameter	Description
Rule Name	Select a rule template from the drop-down list and enter a name for the rule. You can select Blank template to create a rule based on your business requirements. You can also select an existing template with preconfigured risk detection settings.
Rule description	Enter a description for the rule.
Unscanned Image	Specify whether to detect the startups of images that are not scanned by container image scan. If you turn on the switch, the detection is enabled. If you turn off the switch, the detection is disabled. If you turn on the switch, Security Center generates an alert event when Security Center detects that an unscanned image is started, and handles the image based on the action that is specified in the rule. Note If you turn on the switch, we recommend that you set Action to Alert. If you have high requirements for security management, you can change the action to Block. Before you change the action, we recommend that you observe the alert events that are generated based on the existing settings for a period of time and check whether your business is affected. If your business is not affected, you can change the action of the rule.
Malicious Internet Image	Specify whether to detect the startups of malicious images. If you turn on the switch, the detection is enabled. If you turn off the switch, the detection is disabled. If you turn on the switch, Security Center can detect the startups of images that are marked as malicious on the Internet, such as the malicious images that are downloaded from public image repositories and the images that are pulled from Docker Hub repositories and contain malicious programs such as webshells and trojans. If Security Center detects that a malicious image is started, Security Center generates an alert event and handles the image based on the action that is specified in the rule.
Alert Policy	Select the risks that you want to detect on images. Security Center checks whether the specified risks exist on images. If Security Center detects the specified risks on an image, Security Center immediately generates an alert. The following types of risks are supported: Baseline Vulnerability Malicious Sample You can configure alert rules for baseline risks, vulnerabilities, and malicious samples based on your business requirements. Important The conditions of an alert rule are evaluated by using a logical OR. If you set Risk Level to High Risk and configure CVE ID when you configure an alert policy for vulnerabilities, the alert policy is hit if a started image contains high-risk vulnerabilities or vulnerabilities that use specified CVE IDs.
Action	Specify the action that you want Security Center to perform when Security Center detects the startup of an unscanned image or a malicious Internet image and when the rule is hit. Valid values: Alert: If an image is started and hits the rule, an alert event whose Action is Alert is generated on the Alerts page. Block: If an image is started and hits the rule, the image is blocked, and an alert event whose Action is Block is generated on the Alerts page. Allow: If an image is started and hits the rule, the image is allowed, and an alert event whose Action is Allow is generated on the Alerts page.
Add to Whitelist	Click Create Rule and enter the tag of the image that you want to add to the whitelist. You can add up to 20 images to the whitelist. After you add an image to the whitelist, Security Center no longer detects risks on the image when the image is started. Fuzzy match is supported by using keywords. For example, if you want to add the image whose address is yundun-example-registry.cn-hangzhou.aliyuncs.com/yundun-example/yun-repo:test to the whitelist, you can enter one of the following keywords: yun-repo test yun-repo:test repo:test

Configure the protection scope and click OK.
Click the Cluster, Image, or Tag tab to select the assets that you want to protect.

View the alert events that are generated

After you create and enable a rule of the at-risk image blocking type, you can perform the following operations to view the details of alert events that are generated and handle the alert events: Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts. On the Alerts page, select Risk Image Blocking for Alert Type. Find the alert event that you want to manage and click Details in the Actions column. On the Details tab of the details panel that appears, you can handle the alert event based on Disposal recommendations.

风险镜像阻断告警

Manage a rule

After you create a rule of the at-risk image blocking type, you can perform the following operations:

View the protection scope of the rule
Find the rule whose protection scope you want to view and click the number in the Protection Scope column of the rule. In the Protection scope panel, you can view the clusters, images, and tags that are protected by the rule.
Modify the rule
Find the rule that you want to modify and click Edit in the Actions column. In the Edit panel, modify the parameters and protection scope.
Copy the rule
Find the rule that you want to copy and click Copy in the Actions column. In the Copy Rule panel, modify the parameters and protection scope of the rule to create another rule.
Delete the rule
Important
After you delete a rule, the assets that are protected by the rule are no longer protected, and the rule cannot be restored. Proceed with caution.
Find the rule that you want to delete and click Delete in the Actions column. In the message that appears, click OK.

Non-image program defense

In a container environment, basic software is included in the image of a container. You do not need to install or modify software when the container is running. The startup of a program that is not included in the image during the running of the container is considered an abnormal behavior. The behavior may be caused by malicious software such as trojans that are inserted by attackers. The non-image program defense feature can detect and block such behavior, which helps ensure the runtime security of containers.

Manage a system rule

By default, Security Center provides a system rule for non-image program defense. The system rule is automatically enabled for users who do not configure custom rules for non-image program defense. The system rule generates alerts for the startups of non-image programs in all clusters that are added to Security Center. You can perform the following operations to view the system rule: Log on to the Security Center console, go to the Proactive Defense for Containers page, click Non-image Program Defense in the Rule type section, and then click the System Rules tab.

The action that is specified in the system rule is Alert. When the startup of a non-image program is detected, Security Center generates an alert event and does not block the startup of the non-image program. You can enable or disable the system rule, and modify the clusters on which the system rule takes effect. If the clusters are changed or new clusters are added, the system automatically adds the new clusters to the protection scope.

The first time you use the non-image program defense feature, we recommend that you check whether false positive alerts are generated by the system rule. You cannot configure whitelists for system rules or block the risky behavior detected by system rules. If you want to configure a whitelist or block risky behavior, you can create custom rules. After you create a custom rule, the system rule is automatically disabled and cannot be re-enabled. If you want to enable the system rule, you must delete all custom rules.

Create a custom rule

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.
In the Rule type section, click Non-image Program Defense.
On the Custom Rules tab, click New rule.

In the New rule panel, configure the parameters and click Next.

Parameter	Description
Rule Name	Enter a name for the rule.
Rule description	The description of the rule.
Status	The switch that is used to enable or disable the rule. Valid values: On: If you turn on the switch, the rule is enabled after it is created and is automatically applied to protect the clusters within the protection scope. Off: If you turn off the switch, the rule is disabled and does not take effect after it is created.
Defense Action	The action that is performed after the rule is triggered. Valid values: Alert: If an untrusted process is detected, Security Center generates an alert event. Intercept: If an untrusted process is detected, Security Center generates an alert event and blocks the process. Note We recommend that you first set the Defense Action parameter to Alert. If no executable programs that are not included in container images are installed and started during the running of your container, change the value of the Defense Action parameter to Intercept. This helps prevent false positives.
Create File Directory Whitelist	The directories of files that you want to add to the whitelist. Separate multiple directories with line breaks. Example: `/user/name1`.
Create Image Whitelist	The names of images that you want to add to the whitelist. For example, if you want to add the image whose address is yundun-example-registry.cn-hangzhou.aliyuncs.com/yundun-example/yun-repo:test to the whitelist, you can enter one of the following keywords: yun-repo test yun-repo:test repo:test

Select the clusters to which you want to apply the rule and click OK.
You can select clusters that are connected to Security Center. You can configure only one rule for a cluster. If a rule is already configured for a cluster, you cannot select the cluster in this step.

View the alert events that are generated

After you create and enable a rule of the non-image program defense type, you can perform the following operations to view the alert events that are generated: Go to the Detection and Response > Alerts page of the Security Center console. Select Container Active Defense for Alert Type. The names of the alert events are Non mirror native program startup. The alert events that are generated based on the non-image program defense feature are divided into the following types based on the value of the Defense Action parameter in the rule:

If the Defense Action parameter is set to Alert in a rule, an alert event in the Unhandled state is generated when the rule is triggered. We recommend that you handle the alert event at the earliest opportunity. For more information, see View and handle security alerts.
If the Defense Action parameter is set to Intercept in the rule, an alert event in the Target process does not exist or End process successful state is generated when the rule is triggered. You can view the alert event of this type in the handled alert event list. The following list describes the Target process does not exist state and the End process successful state:
- Target process does not exist: The process exists for a short period of time and is stopped before Security Center handles the process. You do not need to handle the alert event.
- End process successful: Security Center blocks the process. You do not need to handle the alert event.

Manage a rule

After you create a rule of the non-image program defense type, you can perform the following operations in the rule list:

View the protection scope of the rule
Find the rule whose protection scope you want to view and click the number in the Protection Scope column. In the Protection scope panel, you can view the clusters that are protected by the rule.
Enable or disable the rule
Find the rule that you want to manage and click the switch in the Enable column to enable or disable the rule.
Modify the rule
Find the rule that you want to modify and click Edit in the Actions column to modify the name, description, status, action, whitelist settings, and protection scope of the rule.
Delete the rule
Important
- Default rules cannot be deleted.
- After a rule is deleted, the rule cannot be restored. Before you delete a rule, make sure that you no longer require the rule.
Find the rule that you want to delete and click Delete in the Actions column. In the message that appears, click OK.

Container escape prevention

A container, except for a security container, that resides on a host uses the kernel of the operating system that runs on the host. In this case, attackers can exploit the vulnerabilities in the container to implement privilege escalation and control the operating system of the host or the other containers that reside on the host. Security Center provides the feature of container escape prevention that blocks container escapes to ensure the runtime security of containers. You must configure rules to use the feature.