- Service Overview
- User Guide
- Best Practices
-
FAQs
-
Technologies
- How Do I Enable Cluster Protection?
- How Do I Disable Cluster Protection?
- What Should I Do If the Shield on a Node Is Offline?
- What Should I Do If I Have No Service Authorization Permissions or Fail to Create an Agency as an IAM User?
- How Often Are CGS Vulnerability Libraries Updated?
- When Does CGS Update and Back Up Logs?
- Where Can I Find My CGS Logs?
- Does the Shield Plug-in of CGS Affect My Services?
- Product Consultation
- Pricing
- Regions and AZs
- Change History
-
Technologies
- General Reference
Copied.
Functions
CGS provides container image security, security policies, and runtime security functions.
Container Image Security
CGS scans your images that are running or displayed in your image list, and provides suggestions on how to fix detected vulnerabilities and malicious files.
NOTICE:
CGS can scan Linux images.
|
Item |
Description |
Check Frequency |
|---|---|---|
|
Private image security |
Scans private images in SWR for vulnerabilities, unsafe settings, and malicious code. The following items are checked: |
|
|
Local image vulnerabilities |
Checks whether there are CVE or other vulnerabilities in the images running in CCE containers. |
Real-time check |
|
Official image vulnerabilities |
Periodically scans official Docker images for vulnerabilities. |
- |
Container Security Policies
You can configure security policies, whitelist container processes, and set protected files to minimize the permissions required for containers to run, improving system and application security.
|
Item |
Description |
Check Frequency |
|---|---|---|
|
Process whitelist |
Alarms will be triggered if processes not whitelisted are started, preventing abnormal processes, privilege escalation attacks, and violations. |
Real-time check |
|
File protection |
Read-only permissions should be configured for critical application directories (such as bin, lib, and usr directories) in the container to prevent hackers from tampering and attacking. If you set these directories to be read-only, CGS will protect them from security incidents such as file tampering. |
Real-time check |
Container Runtime Security
CGS scans running containers for malicious programs including miners and ransomware, detects non-compliant security policies, file tampering, and container escape, and provide suggestions.
|
Item |
Description |
Check Frequency |
|---|---|---|
|
Container escape detection |
Uses rules and machine learning technologies to accurately detect escape behaviors on servers, including shocker attacks, process privilege escalation, Dirty COW, and brute-force attacks. |
Real-time check |
|
High-risk system calls |
Detects Linux system calls that were made within containers and could pose security risks. |
Real-time check |
|
Abnormal program detection |
Detects the startup of processes that violate security policies and malicious programs such as miners, ransomware, viruses, and Trojans. |
Real-time check |
|
Abnormal files |
Detects file access that violates security policies. Security O&M personnel can check whether hackers are intruding and tampering with sensitive files. |
Real-time check |
|
Container environment |
Checks for abnormal container runtime, including abnormal startup and improper configurations. |
Real-time check |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
