Container Alarm Events¶
After node protection is enabled, an agent is deployed on each container host to monitor the running status of containers in real time. The agents support escape detection, high-risk system calls, abnormal processes, abnormal files, and container environment detection. You can learn alarm events comprehensively on the Container Alarms page, and eliminate security risks in your assets in a timely manner.
Container Alarm Types¶
Event Type | Alarm Name | Mechanism |
---|---|---|
Malware | Unclassified malware | Check malware, such as web shells, Trojan horses, mining software, worms, and other viruses and variants. The malware is found and removed by analysis on program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing. |
Ransomware | Check for ransomware in web pages, software, emails, and storage media. Ransomware can encrypt and control your data assets, such as documents, emails, databases, source code, images, and compressed files, to leverage victim extortion. | |
Web shells | Check whether the files (often PHP and JSP files) in the web directories on containers are web shells. | |
Vulnerability Exploits | Vulnerability escapes | HSS reports an alarm if it detects container process behavior that matches the behavior of known vulnerabilities (such as Dirty COW, brute-force attack, runC, and shocker). |
File escapes | HSS reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms. | |
Abnormal System Behaviors | Reverse shells | Monitor user process behaviors in real time to detect reverse shells caused by invalid connections. Reverse shells can be detected for protocols including TCP, UDP, and ICMP. You can configure the reverse shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands. |
Process privilege escalations | After hackers intrude containers, they will try exploiting vulnerabilities to grant themselves the root permissions or add permissions for files. In this way, they can illegally create system accounts, modify account permissions, and tamper with files. HSS can detect the following abnormal privilege escalation operations:
| |
High-risk system calls | Users can run tasks in kernels by Linux system calls. CGS reports an alarm if it detects a high-risk call, such as open_by_handle_at, ptrace, setns, and reboot. | |
High-risk command executions | Check executed commands in containers and generate alarms if high-risk commands are detected. | |
Abnormal container processes |
| |
Sensitive file access | HSS monitors the container image files associated with file protection policies, and reports an alarm if the files are modified. | |
Abnormal container startups | HSS monitors container startups and reports an alarm if it detects that a container with too many permissions is started. This alarm does not indicate an actual attack. Attacks exploiting this risk will trigger other HSS container alarms. HSS container check items include:
| |
Container Image blocking | If a container contains insecure images specified in the Suspicious Image Behaviors, before the container is started, an alarm will be generated for the insecure images. Note You need to . | |
Abnormal User Behavior | Invalid accounts | Hackers can probably crack unsafe accounts on your containers and control the containers. HSS checks suspicious hidden accounts and cloned accounts and generates alarms on them. |
Brute-force attacks | Detect and report alarms for brute-force attack behaviors, such as brute-force attack attempts and successful brute-force attacks, on containers. Detect SSH, web, and Enumdb brute-force attacks on containers. Note Currently, brute-force attacks can be detected only in the Docker runtime. | |
Abnormal Cluster Behaviors | Abnormal pod behaviors | Detect abnormal operations such as creating privileged pods, static pods, and sensitive pods in a cluster and abnormal operations performed on existing pods and report alarms. |
User information enumerations | Detect the operations of enumerating the permissions and executable operation list of cluster users and report alarms. | |
Binding cluster roles | Detect operations such as binding or creating a high-privilege cluster role or service account and report alarms. | |
Kubernetes event deletions | Detect the deletion of Kubernetes events and report alarms. |