Container Intrusion Response
Container Guard Service (CGS) detects container escapes, high-risk system calls, abnormal processes, and abnormal files, and checks the container environment. After you enable alarm notification, CGS sends you alarm notification emails and SMS messages when it detects an abnormal event.
This document describes the emergency response measures during and after a container intrusion.
Context
An increasing number of enterprises are adopting cloud-native technologies and deploying their applications in containers. However, many containers are exposed to attacks. Containers share resources such as the OS kernel and storage, so if attackers compromise a container, they can exploit vulnerabilities to escape from it and attack the host OS, steal data, or take over servers. Therefore, you need to take countermeasures immediately when a container intrusion is detected.
Prerequisites
You have confirmed that the CGS intrusion alarm is genuine and not a false positive.
Handling a Container Intrusion Emergency
- Log in to the management console.
- In the upper part of the page, select a region, click , and choose Security & Compliance > Container Guard Service.
- In the navigation pane, choose Runtime Security.
- Obtain the container instance name and node name of the intrusion program.
Click a tab (Escapes, High-risk System Calls, Abnormal Programs, Abnormal Files, or Container Environment) according to the alarm information and check the container instance name and node.
Figure 1 Abnormal event list
- Disconnect the container from the Internet.
For example, use Elastic Load Balance (ELB) to configure an access control policy that allows only specific IP addresses to access the container.
- Click and choose Network > Elastic Load Balance.
- Find the ELB instance used by the container.
- Click the instance name. Click the Listeners tab.
- In the Basic Information area, click Configure Access Control.
Figure 2 Configuring access control
- In the Configure Access Control dialog box, add IP addresses to the whitelist.
- Set Access Policy to Whitelist.
- Select an IP address group.
- Enable Access Control.
Figure 3 Configuring the IP address whitelist
- Click OK.
- Stop the container.
For example, remotely log in to the intruded node on the ECS console and stop the container.
- In the navigation pane, choose Elastic Cloud Server.
- In the Operation column of the intruded node, click Remote Login.
If the login fails, rectify the fault by referring to What Should I Do If I Cannot Log In to My Linux ECS?
Figure 4 Remote login
- Run the following command to obtain the ID of the container:
- Run the following command to suspend the container:
- Retain intrusion traces.
- Analyze the attack source.
- On another node, import the image that was exported from 7.a. Run the following command:
docker load -i Image_file.tar
- Use the imported image to start the new container.
docker run -d -it --name Container_name Image_ID /bin/bash
- Contact technical support to query system logs and search for malicious files to locate the intrusion cause and decide emergency response measures.
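The containment and evidence steps above (resolve the container ID, suspend the container rather than kill it, keep intrusion traces, and export an image that another node can import with docker load -i), as an added shell example that is not part of the CGS documentation. It assumes the Docker CLI is installed on the intruded node; DOCKER and EVIDENCE_DIR are assumed knobs so the script can be dry-run against a stub.

```shell
#!/bin/sh
# Containment and evidence-preservation helper for a CGS container alarm.
# Added example, not CGS or Docker code. Assumes the Docker CLI on the node.
# DOCKER and EVIDENCE_DIR are assumed knobs (DOCKER may point at a stub).
set -eu

DOCKER="${DOCKER:-docker}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/cgs-evidence}"

# Resolve the container name shown in the CGS alarm to its full container ID.
container_id() {
    "$DOCKER" inspect --format '{{.Id}}' "$1"
}

# Suspend rather than kill: pause freezes every process in the container, so
# in-memory state and the writable layer stay intact for later analysis.
suspend_container() {
    "$DOCKER" pause "$1" >/dev/null
}

# Snapshot the paused container's filesystem into an image, export it as a tar
# archive that another node can import with "docker load -i", and record its
# SHA-256 so the evidence can later be shown to be unmodified.
preserve_evidence() {
    id="$1"
    short=$(printf '%s' "$id" | cut -c1-12)
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    tag="cgs-evidence:${short}-${ts}"
    archive="$EVIDENCE_DIR/container-${short}-${ts}.tar"
    mkdir -p "$EVIDENCE_DIR"
    "$DOCKER" commit --pause=true "$id" "$tag" >/dev/null
    "$DOCKER" save -o "$archive" "$tag"
    sha256sum "$archive" > "$archive.sha256"
    printf '%s\n' "$archive"
}

# Full on-node response for one container name; prints the evidence archive
# path. Internet isolation (the ELB whitelist step) is done in the console.
respond() {
    id=$(container_id "$1")
    suspend_container "$id"
    preserve_evidence "$id"
}
```

Run as `respond Container_name` on the intruded node, then copy the printed archive and its .sha256 file to the analysis node and verify the hash before loading the image.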