Security Center:Use the feature of proactive defense for containers

Last Updated:Jun 01, 2023

The feature of proactive defense for containers allows you to create the following types of rules: at-risk image blocking, untrusted process defense, and container escape prevention. You can use the rules to block the running of at-risk images, stop untrusted processes, and block container escapes. This helps improve the runtime security of your containers. This topic describes how to configure rules of the at-risk image blocking, untrusted process defense, and container escape prevention types.

Rule description

The following table describes the rule types that you can select based on your business requirements.

Rule type

Description

At-risk image blocking

After you create a rule of the at-risk image blocking type, Security Center detects risks on images based on the rule when you use images to create resources in the clusters that are specified in the rule. If an image hits the rule, Security Center performs the action that is specified in the rule on the image, and generates an alert event for the risk detection result. The action can be Alert, Block, or Allow. This ensures that only images that meet your security requirements can be started in your clusters.

Untrusted process defense

After you create a rule of the untrusted process defense type, Security Center detects and blocks the startup of programs that are not included in the images of clusters specified in the rule. This helps defend against malicious software intrusion and known and unknown attacks.

Container escape prevention

After you create a rule of the container escape prevention type, Security Center detects risky operations from multiple dimensions, such as processes, files, and system calls, and establishes protection barriers between containers and hosts. This effectively blocks escape behavior and ensures the runtime security of containers. You can also block attacks that are launched by exploiting container vulnerabilities to take control over hosts. This helps improve the security of operating systems.

Limits

Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

At-risk image blocking

Supported ACK clusters

The feature of proactive defense for containers supports the following Container Service for Kubernetes (ACK) clusters.

ACK cluster                        Supported
Managed Kubernetes cluster         Yes
Dedicated Kubernetes cluster       Yes
Serverless Kubernetes cluster      No
Managed edge Kubernetes cluster    No
Registered cluster                 No

Principles

After you create a rule of the at-risk image blocking type for a cluster, a request is sent to Security Center to detect image risks when you use an image to create resources such as pods in the cluster. Security Center detects risks on the image based on the rule. The risks include vulnerabilities, baseline risks, and malicious samples. If the image hits the rule, Security Center handles the image based on the action that is specified in the rule, and an alert event is generated for the risk detection result. The action can be Alert, Block, or Allow.

Prerequisites

Before you create a rule, make sure that the components required for policy management are installed in the ACK console. The required components are gatekeeper, policy-template-controller, and logtail-ds. For more information, see Install policy-template-controller.

Create a rule

Note

You can create up to 40 rules for each cluster.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.

  3. On the Proactive Defense for Containers page, click New rule.

    If you have already created a rule for the cluster, you can instead find the rule and click Copy in the Actions column. In the Copy Rule panel, modify the parameters of the rule based on your business requirements and click OK.

  4. In the New rule panel, configure the following parameters and click Next.

    Parameter

    Description

    Rule Name

    Select a rule template from the drop-down list and enter a name for the rule. You can select Blank template to create a rule based on your business requirements. You can also select an existing template with preconfigured risk detection settings.

    Rule description

    Enter a description for the rule.

    Unscanned Image

    Specify whether to allow the images that are not scanned by container image scan to start.

    Note

    If you turn on the switch, the images that are specified in the rule are checked, and we recommend that you set Action to Alert. If you have high security requirements, you can change the action to Block. Before you change the action, observe the alert events that are generated based on the current rule and check whether your business is affected. If your business is not affected, change the action of the rule.

    Malicious Internet Image

    Specify whether to block the startup of malicious images that are spread over the Internet. Malicious images include malicious images that are downloaded from public image repositories and the images that are pulled from Docker Hub repositories and contain malicious programs such as webshells and trojans.

    Alert Policy

    Configure the alert rule for the following types of risks:

    • Baseline

    • Vulnerability

    • Malicious Sample

    You can configure alert rules for baseline risks, vulnerabilities, and malicious samples based on your business requirements.

    Important
    • If an alert rule that is configured for a type of risk is matched, Security Center immediately handles the risks based on the action that is specified in the rule. The remaining alert rules are no longer matched. Alert rules are matched against the following types of risks in sequence: malicious Internet images, unscanned images, malicious samples, baseline risks, and vulnerabilities.

    • The conditions of an alert rule are evaluated by using a logical OR. If you set Risk Level to High and configure CVE ID when you configure an alert rule for vulnerabilities, the alert rule is hit if the images that are started in the cluster contain high-risk vulnerabilities or if the images contain vulnerabilities with the specified CVE IDs.

    Action

    Specify the action that you want Security Center to perform when a rule is hit. Valid values:

    • Alert: If an image is started and hits the rule, an alert event whose Action is Alert is generated.

    • Block: If an image is being started and hits the rule, the image is blocked, and an alert event whose Action is Block is generated.

    • Allow: If an image is started and hits the rule, the image is allowed, and an alert event whose Action is Allow is generated.

    Add to Whitelist

    Click Create Rule and enter the name of the image that you want to add to the whitelist. You can add up to 20 images to the whitelist.

    Fuzzy match is supported by using keywords. For example, if you want to add the image whose address is yundun-example-registry.cn-hangzhou.aliyuncs.com/yundun-example/yun-repo:test to the whitelist, you can enter one of the following keywords:

    • yun-repo

    • test

    • yun-repo:test

    • repo:test

    Important

    After you add an image to the whitelist, Security Center does not detect risks on the image when the image is started. Proceed with caution.

  5. Configure the protection scope and click OK.

    Click the Cluster, Image, or Tag tab to select the assets that you want to protect.
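The following example, added here and not Security Center's own code, models how an at-risk image blocking rule is evaluated when an image is started: whitelist keywords are fuzzy-matched against the image address, alert rules are matched in the sequence given above (first hit wins), the conditions inside the vulnerability alert rule are OR-ed, and only the Block action stops the image. The scan records, the CVE-0000-0001 placeholder, and the assumption that turning on Unscanned Image makes unscanned images hit the rule are all constructed for the example.

```python
from dataclasses import dataclass, field

# Matching sequence stated on the page: the first alert rule that matches
# decides the action; the remaining alert rules are not evaluated.
MATCH_ORDER = ("malicious_internet_image", "unscanned_image",
               "malicious_sample", "baseline", "vulnerability")

@dataclass
class ImageScan:  # constructed scan result for one image
    address: str
    scanned: bool = True
    malicious_internet: bool = False
    malicious_samples: int = 0
    baseline_levels: set = field(default_factory=set)  # e.g. {"High"}
    vuln_levels: set = field(default_factory=set)
    cve_ids: set = field(default_factory=set)

@dataclass
class Rule:  # an at-risk image blocking rule as set in the New rule panel
    action: str = "Alert"          # Alert | Block | Allow
    unscanned_image: bool = False  # assumption: on = unscanned images hit the rule
    malicious_internet_image: bool = False
    malicious_sample: bool = False
    baseline_levels: set = field(default_factory=set)
    vuln_levels: set = field(default_factory=set)
    vuln_cve_ids: set = field(default_factory=set)
    whitelist: tuple = ()          # keywords, fuzzy (substring) match

def is_whitelisted(rule, image):
    """Whitelist keywords match any part of the image address (fuzzy match)."""
    return any(keyword in image.address for keyword in rule.whitelist)

def first_hit(rule, image):
    """Return the first matched alert rule type in MATCH_ORDER, or None."""
    checks = {
        "malicious_internet_image": rule.malicious_internet_image
                                    and image.malicious_internet,
        "unscanned_image": rule.unscanned_image and not image.scanned,
        "malicious_sample": rule.malicious_sample and image.malicious_samples > 0,
        "baseline": bool(rule.baseline_levels & image.baseline_levels),
        # Conditions inside one alert rule are OR-ed: risk level OR listed CVE ID.
        "vulnerability": bool(rule.vuln_levels & image.vuln_levels)
                         or bool(rule.vuln_cve_ids & image.cve_ids),
    }
    for name in MATCH_ORDER:
        if checks[name]:
            return name
    return None

def evaluate(rule, image):
    """Return (may_start, alert_event); whitelisted images skip detection entirely."""
    if is_whitelisted(rule, image):
        return True, None
    hit = first_hit(rule, image)
    if hit is None:
        return True, None
    # A hit always produces an alert event; only Block stops the image.
    event = {"image": image.address, "matched": hit, "action": rule.action}
    return rule.action != "Block", event
```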

View the alert events that are generated

After you create and enable a rule of the at-risk image blocking type, you can perform the following operations to view the details of alert events that are generated and handle the alert events: Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts. On the Alerts page, select Risk Image Blocking for Alert Type. Find the alert event that you want to manage and click Details in the Actions column. On the Details tab of the details panel that appears, you can handle the alert event based on Disposal recommendations.


Manage a rule

After you create a rule of the at-risk image blocking type, you can perform the following operations:

  • View the protection scope of the rule

    Find the rule and click the number in the Protection Scope column of the rule. In the Protection scope panel, you can view the clusters, images, and tags that are protected by the rule.

  • Modify the rule

    Find the rule and click Edit in the Actions column. In the Edit panel, modify the parameters and protection scope.

  • Copy the rule

    Find the rule and click Copy in the Actions column. In the Copy Rule panel, modify the parameters and protection scope of the rule to create another rule.

  • Delete the rule

    Important

    After you delete a rule, the assets that are protected by the rule are no longer protected, and the rule cannot be restored. Proceed with caution.

    Find the rule and click Delete in the Actions column. In the message that appears, click OK.

Untrusted process defense

In a container environment, basic software is included in the image of a container. You do not need to install or modify software when the container is running. The startup of a program that is not included in the image during the running of the container is considered an abnormal behavior. The behavior may be caused by malicious software such as trojans that are inserted by attackers. To ensure the runtime security of the container, you can enable the untrusted process defense feature and configure rules.

Create a rule

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.

  3. In the Rule type section, click Untrusted Process Defense.

  4. Click New rule.

  5. In the New rule panel, configure the parameters and click Next.

    Parameter

    Required

    Description

    Rule name

    Yes

    The name of the rule.

    Rule description

    Yes

    The description of the rule.

    Status

    No

    The switch that is used to enable or disable the rule. Valid values:

    • On: If you turn on the switch, the rule is enabled after it is created and is automatically applied to protect the clusters within the protection scope.

    • Off: If you turn off the switch, the rule is disabled and does not take effect after it is created.

    Defense Action

    Yes

    The action that is performed after the rule is triggered. Valid values:

    • Alert: If an untrusted process is detected, Security Center generates an alert event.

    • Intercept: If an untrusted process is detected, Security Center generates an alert event and blocks the process.

      Note

      We recommend that you first set the Defense Action parameter to Alert. If no executable programs that are not included in container images are installed and started during the running of your container, change the value of the Defense Action parameter to Intercept. This helps prevent false positives.

    Add to Whitelist

    No

    The directories of files that do not require detection. Separate multiple directories with line breaks. Example: /user/name1.

  6. Select the clusters to which you want to apply the rule and click OK.

    You can select clusters that are connected to Security Center. You can configure only one rule for a cluster. If a rule is already configured for a cluster, you cannot select the cluster in this step.

View the alert events that are generated

After you create and enable a rule of the untrusted process defense type, you can view the alert events that are generated: Go to the Alerts page of the Security Center console and select Container Active Defense for Alert Type. The alert events are named Non mirror native program startup. The alert events that are generated by the untrusted process defense feature are divided into the following types based on the value of the Defense Action parameter in the rule:

  • If the Defense Action parameter is set to Alert in the rule, an alert event in the Unhandled state is generated when the rule is triggered. We recommend that you handle the alert event at the earliest opportunity. For more information, see View and handle alert events.

  • If the Defense Action parameter is set to Intercept in the rule, an alert event in the Target process does not exist or End process successful state is generated when the rule is triggered. You can view the alert event of this type in the handled alert event list. The following list describes the Target process does not exist state and the End process successful state:

    • Target process does not exist: The process exists for a short period of time and is stopped before Security Center handles the process. You do not need to handle the alert event.

    • End process successful: Security Center blocks the process. You do not need to handle the alert event.


Manage a rule

After you create a rule of the untrusted process defense type, you can perform the following operations in the rule list:

  • View the protection scope of the rule

    Find the rule and click the number in the Protection Scope column. In the Protection scope panel, you can view the clusters that are protected by the rule.

  • Enable or disable the rule

    Find the rule and click the switch in the Enable column to enable or disable the rule.

  • Modify the rule

    Find the rule and click Edit in the Actions column to modify the name, description, status, action, whitelist settings, and protection scope of the rule.

  • Delete the rule

    Important

    After a rule is deleted, it cannot be restored. Before you delete a rule, make sure that you no longer need it.

    Find the rule and click Delete in the Actions column. In the message that appears, click OK.

Container escape prevention

Except for security containers, a container that resides on a host shares the kernel of the operating system that runs on the host. As a result, attackers can exploit vulnerabilities in the container to escalate privileges and take control of the host operating system or of other containers on the host. Security Center provides the container escape prevention feature, which blocks container escapes to ensure the runtime security of containers. You must configure rules to use the feature.

Prerequisites

  • The switch for Malicious Behavior Defense or Webshell Protection is turned on. For more information, see Proactive Defense.

  • The switch for Container Escape Prevention is turned on. For more information, see Container Escape Prevention.

Create a rule

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.

  3. In the Rule type section, click Container Escape Prevention.

  4. Click New rule.

  5. In the New rule panel, configure the parameters and click Next.

    Parameter

    Description

    Rule name

    Enter a name for the rule.

    Rule type

    Select a rule type from the drop-down list.

    You can select a rule type based on your security requirements. After you select a type, all check items that are supported for the type are selected. If you do not require specific check items, you can clear the check items. You can view the supported rule types and check items in the Security Center console.

    Defense Action

    Specify a defense action. Valid values:

    • Alert: Security Center only generates alert events when it detects risks specified in the rule.

    • Intercept: Security Center generates alert events and blocks the related processes or operations when it detects risks specified in the rule.

    Important

    A rule may be triggered in some normal business scenarios. When you configure a rule, we recommend that you set the Defense Action parameter to Alert and check whether false positive alert events are generated within a period of time. If no false positive alert events are generated, change the Defense Action parameter to Intercept.

  6. Select the clusters that you want to protect and click OK.

    You can select only clusters that are connected to Security Center. If you want Security Center to protect a self-managed Kubernetes cluster, you must connect the cluster to Security Center. For more information, see Connect a self-managed Kubernetes cluster to Security Center.

View the alert events that are generated

After you create and enable a rule of the container escape prevention type, you can perform the following operations to view the alert events that are generated: Go to the Alerts page of the Security Center console. Select Container Escape Prevention for Alert Type. Security Center generates alert events in different states based on the value of the Defense Action parameter.

  • If the Defense Action parameter is set to Alert in a rule, an alert event in the Unhandled state is generated when the rule is triggered. We recommend that you handle the alert event at the earliest opportunity. For more information, see View and handle alert events.

  • If the Defense Action parameter is set to Intercept in a rule, an alert event in the Successful Interception state is generated when the rule is triggered. This indicates that Security Center blocked the container escape. You do not need to handle the alert events.

Manage a rule

  • View the protection scope of the rule

    Find the rule and click the number in the Protection Scope column. In the Protection scope panel, you can view the clusters that are protected by the rule.

  • Enable or disable the rule

    Find the rule and click the switch in the Enable column to enable or disable the rule.

  • Modify the rule

    Find the rule and click Edit in the Actions column to modify the name, type, status, action, and protection scope of the rule.

  • Delete the rule

    Important

    After a rule is deleted, it cannot be restored. Before you delete a rule, make sure that you no longer need it.

    Find the rule and click Delete in the Actions column. In the message that appears, click OK.