After you enabled cluster protection, the CGS shield will be installed as a daemonset to monitor container status on cluster nodes, report alarms on abnormal events, and to provide solutions.
CGS can detect escapes, high-risk system calls, abnormal processes, abnormal files; and can check the container environment.
Check Frequency
CGS monitors containers running in the container cluster in real time. You can view container exception details at any time.
Prerequisites
Cluster Protection Status is Enabled.
Detection Mechanisms
Table 1 Runtime vulnerability detection
|
Check Item |
Mechanism |
|
Escapes |
- Escape vulnerability attack
CGS reports an alarm if it detects container process behavior that matches the behavior of known vulnerabilities (such as Dirty COW, brute-force attack, runC, and shocker).
- Escape file access
CGS reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms.
|
|
High-risk system calls |
CGS reports an alarm if it detects a high-risk call, such as open_by_handle_at, ptrace, setns, or reboot. |
|
Abnormal processes |
- Malicious container program
CGS monitors container process behavior and process file fingerprints. It reports an alarm if it detects a process whose behavior characteristics match those of a predefined malicious program.
- Abnormal processes
To allow only specific processes to run in a container, you can add the processes to the whitelist of a policy, and associate the policy with the container.
CGS reports an alarm if it detects that a process not in the whitelist is running in the container.
|
|
Abnormal files |
CGS monitors the container image files associated with file protection policies, and reports an alarm if the files are modified. |
|
Container environment |
CGS monitors container startups and reports an alarm if it detects that a container with too many permissions is started. This alarm does not indicate an actual attack. Attacks exploiting this risk will trigger other CGS alarms.
Container environment check items include:
- Privileged container startup (privileged:true)
CGS reports an alarm if it detects a container started with the maximum permissions. Settings that can trigger such alarms include the –privileged=true parameter in the docker run command, and privileged: true in the securityContext of the container in a Kubernetes pod.
The details of such alarms contain privileged:true.
- Too many container capabilities (capability:[xxx])
Linux system permissions are divided into groups before assigned to containers. A container only has a limited number of permissions, and the impact scope of this container is limited in the case of an incident. However, malicious users can grant all the system permissions to a container by modifying its startup configurations.
CGS reports an alarm containing capabilities:[xxx] if it detects a container started with too many capabilities.
- Seccomp not enabled (seccomp=unconfined)
Secure computing mode (seccomp) is a Linux kernel feature. It can restrict system calls invoked by processes to reduce the attack surface of the kernel. If seccomp=unconfined is configured when a container is started, system calls will not be restricted for the container.
CGS reports an alarm containing seccomp=unconfined if it detects a container started without enabling seccomp.
 NOTE:
If seccomp is enabled, permissions will be verified for every system call. The verifications will probably affect services if system calls are frequent. Before you decide whether to enable seccomp, you are advised to test-enable it and analyze the impact on your services.
- Container privilege escalation (no-new-privileges:false)
CGS reports an alarm if it detects that a process attempts to escalate permissions by running the sudo command and using the SUID or SGID bit.
If –no-new-privileges=false is specified when a container is started, the container can escalate privileges.
Such alarms contain no-new-privileges:false, indicating that privileges are not restricted for the alarmed containers.
- High-risk directory mapping (mounts:[...])
For convenience purposes, when a container is started on a server, the directories of the server can be mapped to the container. In this way, services in the container can directly read and write resources on the server. However, this mapping incurs security risks. If any critical directory in the server OS is mapped to the container, improper operations in the container will probably damage the server OS.
CGS reports an alarm if it detects that a critical server path (/boot, /dev, /etc, /sys, /var/run) is mounted during container startup.
Such alarms contain mounts:[{"source":"xxx","destination":"yyy"...].
NOTE:
Alarms will not be triggered for the files that need to be frequently accessed by Docker containers, such as /etc/hosts and /etc/resolv.conf.
|
Procedure
- Log in to the management console.
- In the upper part of the page, select a region, click
, and choose Security & Compliance > Container Guard Service.
- In the navigation pane on the left, choose Runtime Security.
- Click a tab (Escapes, High-risk System Calls, Abnormal Programs, Abnormal Files, or Container Environment) to check the container security trends and exceptions.
Figure 1 Container exception trend
Figure 2 Abnormal container event list
- The container exception chart displays the exceptions in the past 30 days.
- In the exception list, you can view the exceptions in the past one day, three days, or seven days, and handle them based on the solution provided.
