Container Alarm Events
After node protection is enabled, an agent is deployed on each container host to monitor the running status of containers in real time. The agents support escape detection, high-risk system calls, abnormal processes, abnormal files, and container environment detection. You can learn alarm events comprehensively on the Container Alarms page, and eliminate security risks in your assets in a timely manner.
Constraints
- Only the HSS container edition supports container security alarms. For details about how to purchase and upgrade HSS, see Purchasing HSS and Upgrading Quota.
- The container security alarm function supports intrusion detection and alarm reporting for the following Linux container runtime components:
- Containerd
- Docker
Container Alarm Types
Event Type |
Alarm Name |
Mechanism |
---|---|---|
Malware |
Unclassified malware |
Check malware, such as web shells, Trojan horses, mining software, worms, and other viruses and variants. The malware is found and removed by analysis on program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing. |
Ransomware |
Check for ransomware in web pages, software, emails, and storage media. Ransomware can encrypt and control your data assets, such as documents, emails, databases, source code, images, and compressed files, to leverage victim extortion. |
|
Web shells |
Check whether the files (often PHP and JSP files) in the web directories on containers are web shells. |
|
Hacker tools |
Report alarms on the malicious behaviors that exploit vulnerabilities or are performed using hacker tools. |
|
Vulnerability Exploits |
Vulnerability escapes |
HSS reports an alarm if it detects container process behavior that matches the behavior of known vulnerabilities (such as Dirty COW, brute-force attack, runC, and shocker). |
File escapes |
HSS reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms.
NOTE:
UOS 1050u2e does not support file escape detection. |
|
Abnormal System Behaviors |
Reverse shells |
Monitor user process behaviors in real time to report alarms on and block reverse shells caused by invalid connections. Reverse shells can be detected for protocols including TCP, UDP, and ICMP. You can configure the reverse shell detection rule and automatic blocking in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands. You can also configure automatic blocking of reverse shells in the HIPS Detection rule on the Policies page. |
File privilege escalation |
Report alarms on root privilege escalations exploiting SUID and SGID program vulnerabilities. |
|
Process privilege escalations |
After hackers intrude containers, they will try exploiting vulnerabilities to grant themselves the root permissions or add permissions for files. In this way, they can illegally create system accounts, modify account permissions, and tamper with files. HSS can detect the following abnormal privilege escalation operations:
|
|
Important file changes |
Monitor important system files (such as ls, ps, login, and top) in real time and generate alarms if these files are modified. For more information, see Monitored important file paths. HSS reports all the changes on important files, regardless of whether the changes are performed manually or by processes. |
|
Abnormal process behaviors |
Check the processes on servers, including their IDs, command lines, process paths, and behavior. Send alarms on unauthorized process operations and intrusions. The following abnormal process behavior can be detected:
|
|
High-risk system calls |
CGS reports an alarm if it detects a high-risk call, such as open_by_handle_at, ptrace, setns, and reboot. |
|
High-risk command executions |
Check executed commands in containers and generate alarms if high-risk commands are detected. |
|
Abnormal container processes |
|
|
Sensitive file access |
HSS monitors the container image files associated with file protection policies, and reports an alarm if the files are modified. |
|
Abnormal container startups |
HSS monitors container startups and reports an alarm if it detects that a container with too many permissions is started. This alarm does not indicate an actual attack. Attacks exploiting this risk will trigger other HSS container alarms. HSS container check items include:
|
|
Container Image blocking |
If a container contains insecure images specified in the Suspicious Image Behaviors, before the container is started, an alarm will be generated for the insecure images.
NOTE:
You need to install the Docker plug-in. |
|
Suspicious command executions |
|
|
Abnormal User Behaviors |
Invalid accounts |
Hackers can probably crack unsafe accounts on your containers and control the containers. HSS checks suspicious hidden accounts and cloned accounts and generates alarms on them. |
Brute-force attacks |
Detect and report alarms for brute-force attack behaviors, such as brute-force attack attempts and successful brute-force attacks, on containers. Detect SSH, web, and Enumdb brute-force attacks on containers.
NOTE:
|
|
Password thefts |
Report alarms on user key theft. |
|
Abnormal Network Access |
Abnormal outbound connections |
Report alarms on suspicious IP addresses that initiate outbound connections. |
Port forwarding |
Report alarms on port forwarding using suspicious tools. |
|
Abnormal Cluster Behaviors |
Abnormal pod behaviors |
Detect abnormal operations such as creating privileged pods, static pods, and sensitive pods in a cluster and abnormal operations performed on existing pods and report alarms. |
User information enumerations |
Detect the operations of enumerating the permissions and executable operation list of cluster users and report alarms. |
|
Binding cluster roles |
Detect operations such as binding or creating a high-privilege cluster role or service account and report alarms. |
|
Kubernetes event deletions |
Detect the deletion of Kubernetes events and report alarms. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.