The container file protection feature can monitor directories and files in containers in real time, and generate alerts or intercept tampering operations when the directories or files are tampered with. This prevents your applications from being inserted with illegal information or malicious code and ensures the security of the container environment. This topic describes how to use the container file protection feature.
Background information
To make illegal profits or launch business attacks, attackers exploit vulnerabilities in the container environment to tamper with files by inserting malicious code or hidden links. Files that are tampered with may affect normal business operations in containers and cause serious economic loss, damage to brand reputation, and political risks.
You can configure rules for the container file protection feature in the Security Center console to defend against file tampering for your cluster assets. This helps improve the security of the container environment.
Limits
Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.
Only clusters that are connected to Security Center can be protected. If you want to use Security Center to protect a self-managed cluster, you must connect the cluster to Security Center. For more information, see Connect a self-managed Kubernetes cluster to Security Center.
The operating systems and kernel versions of the servers on which your cluster is deployed must be supported by the container file protection feature. For more information about the operating systems and kernel versions that are supported by the container file protection feature, see Supported operating systems and kernel versions.
The number of protected directories to which a pod label is added in a cluster cannot exceed 10. Only the protected directories for which rules are enabled are counted. If the number of protected directories exceeds 10, the container file protection feature becomes unavailable for the cluster.
The number of pod labels that are specified in all enabled rules in a cluster cannot exceed 10 after deduplication. If the number of pod labels exceeds 10, the container file protection feature becomes unavailable for the cluster.
For example, Cluster01 is created and contains Pod01. Only Label01 is added to Pod01. In addition, 12 rules are created for Cluster01. The rules range from Rule01 to Rule12.
In Rule01, Label01 of Cluster01 is specified as the pod label.
In Rule02, Label02 of Cluster01 is specified as the pod label. You can use Label02 regardless of whether it is added to a pod in Cluster01.
……
In Rule09, Label09 of Cluster01 is specified as the pod label.
In Rule10, Label10 of Cluster01 is specified as the pod label.
In Rule11. Label10 of Cluster01 is specified as the pod label.
In Rule12, Label10 of Cluster01 is specified as the pod label.
A total of 12 pod labels are specified for Cluster01. After deduplication, the number becomes 10. In this case, the container file protection feature can take effect for the cluster as expected.
If you create Rule13 by specifying Label10 and Label11 for Cluster01, the total number of pod labels after deduplication is 11. In this case, the container file protection feature becomes unavailable for Cluster01.
Prerequisites
The Security Center agent is installed on the servers on which your cluster is deployed. For more information, see Install the Security Center agent.
Create a rule
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the Container File Protection page, click New rule.
In the New rule panel, configure the parameters and click Next.
Parameter
Description
Example
Rule Name
Enter a name for the rule. The name must be 6 to 50 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.
Cluster01
Rule Configuration
Protected File Directory
Enter the directory that you want to protect. When you configure this parameter, take note of the following items:
The directory must start with a forward slash (/). You can enter only one directory.
The length of a directory must be less than 500 characters.
You can enter only one directory each time. To protect multiple directories, click Add in the Actions column.
You can specify up to 10 directories in a rule.
/home/app/label
Whitelist
Enter the processes that are allowed to modify the directory. If a process is added to the whitelist, no alert is generated or the process is not blocked when the process modifies the directory. When you configure this parameter, take note of the following items:
You can enter only the processes that run in your container.
The length of a process cannot exceed 50 characters.
You must separate multiple processes with semicolons (;).
You can add up to 10 processes to the whitelist of a directory.
/bin/cp;/usr/bin/mv;/bin/vi
Action
Select the action that you want Security Center to perform when a tampering operation is detected. Valid values:
Alert: When Security Center detects tampering operations on files in the directory, Security Center only generates alerts.
Intercept: When Security Center detects tampering operations on files in the directory, Security Center generates alerts and intercepts the tampering processes.
NoteWe recommend that you first set the Action parameter to Alert. After you confirm that no false alerts are generated, change the Action parameter to Intercept. This prevents normal processes from being intercepted. If an intercepted process is required in your workloads, you can add the process to the whitelist.
Alert
Select the cluster on which you want the rule to take effect in the Cluster status column and select a pod label in the Pod Tag column. Then, click Determine.
We recommend that you select a pod label that starts with
app
. In Kubernetes, labels are key-value pairs and are used to label and classify Kubernetes resources, such as pods, Deployments, and services. You can add custom labels to Kubernetes resources based on scenarios, features, or purposes to better manage the resources. Labels that start withapp
are used to organize resources by application. For more information about labels, see Recommended labels.If no labels are displayed in the drop-down list, you must enter a label. If you want the rule to take effect on multiple clusters or multiple pod labels in a cluster, you can click Add in the Actions column to specify multiple clusters or pod labels.
Manage a rule
After you create a rule, you can perform the following operations on the Container File Protection page:
Enable or disable the rule
Find the rule and turn on or turn off the switch in the Enable column to enable or disable the rule.
Modify the rule
Find the rule and click Edit in the Actions column to modify the name, configurations, and scope of the rule.
Delete the rule
ImportantAfter a rule is deleted, it cannot be restored. Make sure that you no longer need a rule before you delete it.
Find the rule and click Delete in the Actions column. In the message that appears, click Determine.
View alerting results
After you create and enable a rule, go to the Detection and Response > Alerts page, click the Container tab, and then set Alert Type to Container Active Defense. In the alert list, you can view the alerts that are generated by the container file protection feature. The names of the alerts start with File Defense. Alert states vary based on the action specified in the rule that triggers the alerts.
If an alert is triggered by a rule whose Action is Alert, the alert is in the Unhandled state. We recommend that you handle this type of alert at the earliest opportunity. For more information, see View and handle alerts.
If an alert is triggered by a rule whose Action is Intercept, the alert is in the Successful Interception state. This type of alert is automatically handled by Security Center. You can view this type of alert in the list of handled alerts.
Supported operating systems and kernel versions
Operating system | Kernel version |
CentOS (64-bit) |
|
Alibaba Cloud Linux (64-bit) |
|
Ubuntu (64-bit) |
|
Anolis OS (64-bit) |
|
Red Hat Enterprise Linux (RHEL) (64-bit) |
|