Security Center:Use the feature of proactive defense for containers

Rule description

The following table describes the rule types that you can select based on your business requirements.

Limits

Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

At-risk image blocking

Supported ACK clusters

The feature of proactive defense for containers supports the following Container Service for Kubernetes (ACK) clusters.

Principles

After you create a rule of the at-risk image blocking type for a cluster, a request is sent to Security Center to detect image risks when you use an image to create resources such as pods in the cluster. Security Center detects risks on the image based on the rule. The risks include vulnerabilities, baseline risks, and malicious samples. If the image hits the rule, Security Center handles the image based on the action that is specified in the rule, and an alert event is generated for the risk detection result. The action can be Alert, Block, or Allow.

Prerequisites

Before you create a rule, make sure that the components required for policy management are installed in the ACK console. The required components are gatekeeper, policy-template-controller, and logtail-ds. For more information, see Install policy-template-controller.

Create a rule

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.

2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.

3. On the Proactive Defense for Containers page, click New rule.

   If you created a rule for the cluster, find the rule and click Copy in the Actions column. In the Copy Rule panel, you can modify the parameters of the rule based on your business requirements and click OK.

4. In the New rule panel, configure the following parameters and click Next.

   Parameter	Description
   Rule Name	Select a rule template from the drop-down list and enter a name for the rule. You can select Blank template to create a rule based on your business requirements. You can also select an existing template with preconfigured risk detection settings.
   Rule description	Enter a description for the rule.
   Unscanned Image	Specify whether to allow the images that are not scanned by container image scan to start. Note If you turn on the switch, the images that you specify in the rule are scanned. If you turn on the switch, we recommend that you set Action to Alert. If you have high requirements for security performance, you can change the action to Block. Before you change the action, we recommend that you observe the alert events that are generated based on the current rule and check whether your business is affected. If your business is not affected, you can change the action of the rule.
   Malicious Internet Image	Specify whether to block the startup of malicious images that are spread over the Internet. Malicious images include malicious images that are downloaded from public image repositories and the images that are pulled from Docker Hub repositories and contain malicious programs such as webshells and trojans.
   Alert Policy	Configure the alert rule for the following types of risks: Baseline Vulnerability Malicious Sample You can configure alert rules for baseline risks, vulnerabilities, and malicious samples based on your business requirements. Important If an alert rule that is configured for a type of risk is matched, Security Center immediately handles the risks based on the action that is specified in the rule. The remaining alert rules are no longer matched. Alert rules are matched against the following types of risks in sequence: malicious Internet images, unscanned images, malicious samples, baseline risks, and vulnerabilities. The conditions of an alert rule are evaluated by using a logical OR. If you set Risk Level to High and configure CVE ID when you configure an alert rule for vulnerabilities, the alert rule is hit if the images that are started in the cluster contain high-risk vulnerabilities or if the images contain vulnerabilities with the specified CVE IDs.
   Action	Specify the action that you want Security Center to perform when a rule is hit. Valid values: Alert: If an image is started and hits the rule, an alert event whose Action is Alert is generated. Block: If an image is being started and hits the rule, the image is blocked, and an alert event whose Action is Block is generated. Allow: If an image is started and hits the rule, the image is allowed, and an alert event whose Action is Allow is generated.
   Add to Whitelist	Click Create Rule and enter the name of the image that you want to add to the whitelist. You can add up to 20 images to the whitelist. Fuzzy match is supported by using keywords. For example, if you want to add the image whose address is yundun-example-registry.cn-hangzhou.aliyuncs.com/yundun-example/yun-repo:test to the whitelist, you can enter one of the following keywords: yun-repo test yun-repo:test repo:test Important After you add an image to the whitelist, Security Center does not detect risks on the image when the image is started. Proceed with caution.

5. Configure the protection scope and click OK.

   Click the Cluster, Image, or Tag tab to select the assets that you want to protect.

View the alert events that are generated

After you create and enable a rule of the at-risk image blocking type, you can perform the following operations to view the details of alert events that are generated and handle the alert events: Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts. On the Alerts page, select Risk Image Blocking for Alert Type. Find the alert event that you want to manage and click Details in the Actions column. On the Details tab of the details panel that appears, you can handle the alert event based on Disposal recommendations.

Manage a rule

After you create a rule of the at-risk image blocking type, you can perform the following operations:

• View the protection scope of the rule

  Find the rule and click the number in the Protection Scope column of the rule. In the Protection scope panel, you can view the clusters, images, and tags that are protected by the rule.

• Modify the rule

  Find the rule and click Edit in the Actions column. In the Edit panel, modify the parameters and protection scope.

• Copy the rule

  Find the rule and click Copy in the Actions column. In the Copy Rule panel, modify the parameters and protection scope of the rule to create another rule.

• Delete the rule

  Important

  After you delete a rule, the assets that are protected by the rule are no longer protected, and the rule cannot be restored. Proceed with caution.

  Find the rule and click Delete in the Actions column. In the message that appears, click OK.

Untrusted process defense

In a container environment, basic software is included in the image of a container. You do not need to install or modify software when the container is running. The startup of a program that is not included in the image during the running of the container is considered an abnormal behavior. The behavior may be caused by malicious software such as trojans that are inserted by attackers. To ensure the runtime security of the container, you can enable the untrusted process defense feature and configure rules.

Create a rule

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.

2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.

3. In the Rule type section, click Untrusted Process Defense.

4. Click New rule.

5. In the New rule panel, configure the parameters and click Next.

   Parameter	Required	Description
   Rule name	Yes	The name of the rule.
   Rule description	Yes	The description of the rule.
   Status	No	The switch that is used to enable or disable the rule. Valid values: On: If you turn on the switch, the rule is enabled after it is created and is automatically applied to protect the clusters within the protection scope. Off: If you turn off the switch, the rule is disabled and does not take effect after it is created.
   Defense Action	Yes	The action that is performed after the rule is triggered. Valid values: Alert: If an untrusted process is detected, Security Center generates an alert event. Intercept: If an untrusted process is detected, Security Center generates an alert event and blocks the process. Note We recommend that you first set the Defense Action parameter to Alert. If no executable programs that are not included in container images are installed and started during the running of your container, change the value of the Defense Action parameter to Intercept. This helps prevent false positives.
   Add to Whitelist	No	The directories of files that do not require detection. Separate multiple directories with line breaks. Example: /user/name1.

6. Select the clusters to which you want to apply the rule and click OK.

   You can select clusters that are connected to Security Center. You can configure only one rule for a cluster. If a rule is already configured for a cluster, you cannot select the cluster in this step.

View the alert events that are generated

After you create and enable a rule of the untrusted process defense type, you can perform the following operations to view the alert events that are generated: Go to the Alerts page of the Security Center console. Select Container Active Defense for Alert Type. The names of the alert events are Non mirror native program startup The alert events that are generated based on the untrusted process defense feature are divided into the following types based on the value of the Defense Action parameter in the rule:

• If the Defense Action parameter is set to Alert in the rule, an alert event in the Unhandled state is generated when the rule is triggered. We recommend that you handle the alert event at the earliest opportunity. For more information, see View and handle alert events.

• If the Defense Action parameter is set to Intercept in the rule, an alert event in the Target process does not exist or End process successful state is generated when the rule is triggered. You can view the alert event of this type in the handled alert event list. The following list describes the Target process does not exist state and the End process successful state:

  • Target process does not exist: The process exists for a short period of time and is stopped before Security Center handles the process. You do not need to handle the alert event.

  • End process successful: Security Center blocks the process. You do not need to handle the alert event.

Manage a rule

After you create a rule of the untrusted process defense type, you can perform the following operations in the rule list:

• View the protection scope of the rule

  Find the rule and click the number in the Protection Scope column. In the Protection scope panel, you can view the clusters that are protected by the rule.

• Enable or disable the rule

  Find the rule and click the switch in the Enable column to enable or disable the rule.

• Modify the rule

  Find the rule and click Edit in the Actions column to modify the name, description, status, action, whitelist settings, and protection scope of the rule.

• Delete the rule

  Important

  After a rule is deleted, it cannot be restored. Before you delete a rule, make sure that you no longer need it.

  Find the rule and click Delete in the Actions column. In the message that appears, click OK.

Container escape prevention

A container, except for a security container, that resides on a host uses the kernel of the operating system that runs on the host. In this case, attackers can exploit the vulnerabilities in the container to implement privilege escalation and control the operating system of the host or the other containers that reside on the host. Security Center provides the feature of container escape prevention that blocks container escapes to ensure the runtime security of containers. You must configure rules to use the feature.

Prerequisites

• The switch for Malicious Behavior Defense or Webshell Protection is turned on. For more information, see Proactive Defense.

• The switch for Container Escape Prevention is turned on. For more information, see Container Escape Prevention.

Create a rule

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.

2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.

3. In the Rule type section, click Container Escape Prevention.

4. Click New rule.

5. In the New rule panel, configure the parameters and click Next.

   Parameter	Description
   Rule name	Enter a name for the rule.
   Rule type	Select a rule type from the drop-down list. You can select a rule type based on your security requirements. After you select a type, all check items that are supported for the type are selected. If you do not require specific check items, you can clear the check items. You can view the supported rule types and check items in the Security Center console.
   Defense Action	Specify a defense action. Valid values: Alert: Security Center only generates alert events when it detects risks specified in the rule. Intercept: Security Center generates alert events and blocks the related processes or operations when it detects risks specified in the rule. Important A rule may be triggered in some normal business scenarios. When you configure a rule, we recommend that you set the Defense Action parameter to Alert and check whether false positive alert events are generated within a period of time. If no false positive alert events are generated, change the Defense Action parameter to Intercept.

6. Select the clusters that you want to protect and click Determine.

   You can select only clusters that are connected to Security Center. If you want Security Center to protect a self-managed Kubernetes cluster, you must connect the cluster to Security Center. For more information, see Connect a self-managed Kubernetes cluster to Security Center.

View the alert events that are generated

After you create and enable a rule of the container escape prevention type, you can perform the following operations to view the alert events that are generated: Go to the Alerts page of the Security Center console. Select Container Escape Prevention for Alert Type. Security Center generates alert events in different states based on the value of the Defense Action parameter.

• If the Defense Action parameter is set to Alert in a rule, an alert event in the Unhandled state is generated when the rule is triggered. We recommend that you handle the alert event at the earliest opportunity. For more information, see View and handle alert events.

• If the Defense Action parameter is set to Intercept in a rule, an alert event in the Successful Interception state is generated when the rule is triggered. This indicates that Security Center blocked container escapes. You do not need to handle the alert events.

Manage a rule

• View the protection scope of the rule

  Find the rule and click the number in the Protection Scope column. In the Protection scope panel, you can view the clusters that are protected by the rule.

• Enable or disable the rule

  Find the rule and click the switch in the Enable column to enable or disable the rule.

• Modify the rule

  Find the rule and click Edit in the Actions column to modify the name, type, status, action, and protection scope of the rule.

• Delete the rule

  Important

  After a rule is deleted, it cannot be restored. Before you delete a rule, make sure that you no longer need it.

  Find the rule and click Delete in the Actions column. In the message that appears, click OK.

References

• View and handle alert events

• View security information about containers