Security Center:Container file protection

Limitations

• Edition requirement: Only the Ultimate edition of Security Center supports this feature. For more information, see Purchase Security Center and Upgrade and downgrade Security Center.

• Cluster connectivity: Only clusters connected to Security Center are protected. To protect a self-managed Kubernetes cluster, connect it to Security Center first. For more information, see Connect a self-managed Kubernetes cluster to Security Center.

• OS and kernel support: The servers hosting your cluster must run a supported operating system and kernel version. For the full compatibility list, see Supported operating systems and kernel versions.

• Protected directories per cluster: The number of protected directories to which a pod label is added in a cluster cannot exceed 10 (counting only enabled rules). Exceeding this limit disables the feature for the entire cluster.

• Unique pod labels per cluster: All enabled rules in a cluster can reference at most 10 unique pod labels (after deduplication). Exceeding this limit disables the feature for the entire cluster.

Example: Cluster01 has 12 rules (Rule01–Rule12). Rule01 references Label01, Rule02 references Label02, and so on through Rule10 (Label10). Rule11 and Rule12 both reference Label10. After deduplication, that is 10 unique labels, so the feature works normally. If you add Rule13 that references Label10 and Label11, the deduplicated count becomes 11, and the feature becomes unavailable for Cluster01.

A pod label can be referenced in a rule even if no pod in the cluster carries that label.

Prerequisites

Before you begin, ensure that you have:

• The Security Center agent installed on all servers that host your cluster. For more information, see Install the Security Center agent

Create a rule

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset you want to protect: China or Outside China.Log on to the Security Center console.

2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container File Protection.

3. On the Container File Protection page, click Create Rule.

4. In the Create Rule panel, configure the following parameters, then click Next. For Whitelist and Excluded File Path: each entry must be no longer than 50 characters; separate multiple entries with semicolons (;); specify up to 10 whitelist processes and 10 excluded file paths per protected directory. How path matching works Rules use wildcard-based, prefix-aware matching. The following examples use /dir1/test to illustrate the behavior. How each parameter applies matching: When configuring Whitelist and Excluded File Path, follow the principle of least privilege: specify only what is required for normal container workloads, and avoid broad wildcard patterns.

   • Protected File Directory /dir1/test (exact): Only the /dir1/test directory itself is protected. If it is deleted or renamed, an alert is generated or the process is blocked. Subdirectories and files inside are not covered.

   • Whitelist /dir1/test (exact): Processes spawned by the executable /dir1/test can modify the protected directory without triggering an alert. Processes spawned by /dir1/test/1.html are still subject to the rule.

   • Protected File Directory /dir1/* with Excluded File Path /dir1/test: The /dir1/test directory is excluded. Deleting or renaming /dir1/test does not trigger the rule, but modifying content inside /dir1/test/1.html still does.

   Start with Alert to verify no false positives are generated, then switch to Block. If a blocked process is required for normal workloads, add it to the Whitelist.

   Parameter	Description
   Rule Name	Enter a name for the rule. The name must be 6–50 characters long, contain only letters, digits, underscores (_), or hyphens (-), and start with a letter.
   Protected File Directory	Enter the directory to protect. Each entry must start with / and be no longer than 500 characters. Click Add in the Actions column to add up to 10 directories per rule.
   Whitelist	Enter the processes that are allowed to modify the protected directory, or enter the directories that can be modified. When a whitelisted process modifies the directory, no alert is generated and the process is not blocked.
   Excluded File Path	Enter subdirectories or files within the protected directory that are exempt from protection. Modifications to excluded paths do not trigger alerts or blocking.
   Action	Select what Security Center does when tampering is detected: Alert (generate an alert only, no process is blocked) or Block (generate an alert and block the tampering process).

   Pattern	What it matches	What it does not match
   /dir1/test (exact)	/dir1/test only	/dir1/test/1.html, /dir1/test/dir1/2.html
   /dir1/test* (wildcard)	/dir1/test, /dir1/test/1.html, /dir1/test1/1.html	/dir1/tes
   /dir1/test/*.html	/dir1/test/index.html, /test/dir1/index.html	/dir1/test/file.css

5. In the cluster list, select the cluster in the Cluster Name column. In the Pod Tag column, select a pod label, then click OK. Use pod labels that start with app. In Kubernetes, labels are key-value pairs used to organize resources such as pods, Deployments, and Services. Labels prefixed with app group resources by application, making scope management more predictable. For more information, see Recommended labels. If no labels appear in the dropdown, type the label directly. To apply the rule to multiple clusters or multiple pod labels, click Add in the Actions column.

Manage rules

On the Container File Protection page, you can perform the following operations on existing rules.

Enable or disable a rule

Find the rule and toggle the switch in the Enable column.

Edit a rule

Find the rule and click Edit in the Actions column to modify its name, configuration, or scope.

Delete a rule

Find the rule and click Delete in the Actions column. Click OK in the confirmation dialog.

View alerting results

After creating and enabling a rule, go to Detection and Response > Alerts, click the tab, and then set Alert Type to Container Active Defense. Alerts generated by container file protection all start with File Defense.

Alert states vary based on the action configured in the triggering rule:

• Alert action: The alert state is Container. Handle these alerts promptly. For more information, see View and handle security alerts.

• Block action: The alert state is Blocked. Security Center handles these alerts automatically. View them in the list of handled alerts.

Supported operating systems and kernel versions