The Container Protection Settings tab in the Security Center console displays container-related features such as threat detection on Kubernetes containers and container escape prevention. You can enable the features to ensure the runtime security of your containers. This topic describes the features that you can enable on the Container Protection Settings tab. This topic also describes how to enable the features.

K8s Threat Detection

The feature of threat detection on Kubernetes containers checks the security status of running container clusters in real time to detect security threats and attacks at the earliest opportunity. After you enable the feature of threat detection on Kubernetes containers, Security Center automatically detects threats that trigger alerts of the K8s Abnormal Behavior type. For more information about the threats that can be detected by Security Center, see Threats that can be detected.

Limits

Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Enable threat detection on Kubernetes containers

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China. In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. On the Container Protection Settings tab of the Settings tab, turn on Threat Detection in the K8s Threat Detection section.
    If Security Center detects threats in your Kubernetes clusters after you turn on the switch, alerts are triggered and displayed on the Alerts page. We recommend that you view and handle the alerts at the earliest opportunity. For more information, see View and handle alert events.

Threats that can be detected

Type: K8s abnormal behavior
  Suspicious instruction run on a Kubernetes API server
  Mounting of suspicious directories to a pod
  Lateral movement among Kubernetes service accounts
  Startup of a pod that contains a malicious image
Type: Unusual network connection
  Outbound connection of reverse shells
  Suspicious outbound network connection
  Suspicious lateral movement in internal networks
Type: Malicious process
  DDoS trojan
  Suspicious connection from mining machines
  Suspicious program
  Suspicious tool initiating brute-force attacks on ports
  Suspicious attack program
  Backdoor program
  Malicious vulnerability detection tool
  Malicious program
  Mining program
  Trojan
  Self-mutating trojan
  Worm
Type: Webshell
  WebShell
Type: Suspicious process
  Suspicious command run by Apache CouchDB
  Suspicious command run by FTP applications
  Suspicious command run by Hadoop
  Suspicious command run by Java applications
  Suspicious command run by Jenkins
  Suspicious account creation in Linux
  Suspicious command run by scheduled tasks in Linux
  Suspicious command run by MySQL
  Suspicious command run by Oracle
  Suspicious command run by PostgreSQL applications
  Suspicious command run by Python applications
  Suspicious execution of non-interactive SSH commands that contain only one line targeting remote machines
  Webshell running suspicious probe commands
  Modification of Windows RDP configurations for port 3389
  Suspicious execution of download commands in Windows
  Suspicious account creation in Windows
  Malicious code injection in crontab jobs
  Suspicious command sequence in Linux
  Execution of suspicious commands in Linux
  Dynamic injection of suspicious scripts
  Reverse shell
  Reverse shell command
  Potential data breach by using HTTP tunnels
  Suspicious SSH tunneling
  Suspicious webshell injection
  Suspicious starting of a privileged container
  Suspicious port listening
  Malicious container startup
  Remote API debugging in Docker that may pose security risks
  Suspicious command
  Privilege escalation in containers or container escapes
  Malicious container startup
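To make two of the items above concrete ("Suspicious starting of a privileged container" and "Mounting of suspicious directories to a pod"), the following added example (not Security Center's own detection logic) inspects a pod manifest the way an admission webhook or an audit-log consumer would. The list of sensitive host paths and the sample pod manifests are constructed assumptions for this example.

```python
# Illustrative check for a privileged container and for hostPath mounts of
# sensitive host directories in a Kubernetes pod manifest. Added example only;
# it does not reproduce Security Center's detection rules.

# Assumed set of host paths whose mount into a pod commonly gives a process
# control of the host (tune for your environment).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/var/lib/kubelet")


def _is_sensitive(path):
    """True if path equals or lies under one of SENSITIVE_HOST_PATHS."""
    norm = "/" + path.strip("/")          # "/etc/" -> "/etc", "/" -> "/"
    for p in SENSITIVE_HOST_PATHS:
        if p == "/":
            if norm == "/":
                return True
        elif norm == p or norm.startswith(p + "/"):
            return True
    return False


def check_pod(pod):
    """Return (container_name, finding) tuples for a pod manifest dict."""
    spec = pod.get("spec", {})
    # Resolve hostPath volumes by name so each container mount can be checked.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append((c["name"], "privileged container"))
        for m in c.get("volumeMounts", []):
            hp = host_paths.get(m["name"])
            if hp is not None and _is_sensitive(hp):
                findings.append((c["name"],
                                 f"sensitive host directory {hp} mounted at {m['mountPath']}"))
    return findings


# Constructed sample manifests: one benign, one that should raise both findings.
BENIGN_POD = {"spec": {"containers": [{"name": "web", "image": "nginx",
                                       "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
                       "volumes": [{"name": "data", "emptyDir": {}}]}}
SUSPICIOUS_POD = {"spec": {"containers": [{"name": "app", "image": "busybox",
                                           "securityContext": {"privileged": True},
                                           "volumeMounts": [{"name": "dock", "mountPath": "/sock"}]}],
                           "volumes": [{"name": "dock",
                                        "hostPath": {"path": "/var/run/docker.sock"}}]}}

if __name__ == "__main__":
    for name, pod in (("benign", BENIGN_POD), ("suspicious", SUSPICIOUS_POD)):
        print(name, check_pod(pod))
```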

Container Escape Prevention

The feature of container escape prevention detects high-risk behavior in processes, files, and system calls. The feature establishes a protective barrier between containers and hosts and effectively intercepts escapes to ensure the security of the container runtime. The feature also defends against known and unknown attack modes, and intercepts attacks that are initiated on hosts after attackers exploit container vulnerabilities.

Prerequisites

The switch for Malicious Behavior Defense or Webshell Protection is turned on. For more information, see Proactive Defense.

Enable container escape prevention

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China. In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. On the Container Protection Settings tab of the Settings tab, turn on the switch in the Container Escape Prevention section.

What to do next

After you turn on the switch in the Container Escape Prevention section, you must create a defense rule against container escapes to allow the feature of container escape prevention to take effect. For more information, see Use container escape prevention.

If Security Center detects security risks in Kubernetes container clusters after the feature takes effect, alert events are generated for the risks and displayed on the Alerts page. We recommend that you check and handle the risks at the earliest opportunity. For more information, see View and handle alert events.