Container Alarm Events¶
After node protection is enabled, an agent is deployed on each container host to monitor the running status of containers in real time. The agents support escape detection, high-risk system calls, abnormal processes, abnormal files, and container environment detection. You can learn alarm events comprehensively on the Container Alarms page, and eliminate security risks in your assets in a timely manner.
Constraints¶
Only the HSS container edition supports container security alarms.
Container Security Alarms¶
Event Type | Alarm Name | Mechanism |
---|---|---|
Malware | Unclassified malware | Check malware, such as web shells, Trojan horses, mining software, worms, and other viruses and variants. The malware is found and removed by analysis on program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing. |
Ransomware | Check for ransomware in web pages, software, emails, and storage media. Ransomware can encrypt and control your data assets, such as documents, emails, databases, source code, images, and compressed files, to leverage victim extortion. | |
Web shells | Check whether the files (often PHP and JSP files) in the web directories on containers are web shells. | |
Hacker tools | Report alarms on the malicious behaviors that exploit vulnerabilities or are performed using hacker tools. | |
Vulnerability Exploits | Vulnerability escapes | HSS reports an alarm if it detects container process behavior that matches the behavior of known vulnerabilities (such as Dirty COW, brute-force attack, runC, and shocker). |
File escapes | HSS reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms. | |
Abnormal System Behaviors | Reverse shells | Reverse shells can be detected for protocols including TCP, UDP, and ICMP. You can configure the reverse shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands. |
File privilege escalation | Report alarms on root privilege escalations exploiting SUID and SGID program vulnerabilities. | |
Process privilege escalations | After hackers intrude containers, they will try exploiting vulnerabilities to grant themselves the root permissions or add permissions for files. In this way, they can illegally create system accounts, modify account permissions, and tamper with files. HSS can detect the following abnormal privilege escalation operations:
| |
Important file changes | Monitor important system files (such as ls, ps, login, and top) in real time and generate alarms if these files are modified. For more information, see Monitored important file paths. HSS reports all the changes on important files, regardless of whether the changes are performed manually or by processes. | |
Abnormal process behaviors | Check the processes on servers, including their IDs, command lines, process paths, and behavior. Send alarms on unauthorized process operations and intrusions. The following abnormal process behavior can be detected:
| |
High-risk system calls | CGS reports an alarm if it detects a high-risk call, such as open_by_handle_at, ptrace, setns, and reboot. | |
High-risk command executions | Check executed commands in containers and generate alarms if high-risk commands are detected. | |
Abnormal container processes |
| |
Sensitive file access | HSS monitors the container image files associated with file protection policies, and reports an alarm if the files are modified. | |
Abnormal container startups | HSS monitors container startups and reports an alarm if it detects that a container with too many permissions is started. This alarm does not indicate an actual attack. Attacks exploiting this risk will trigger other HSS container alarms. HSS container check items include:
| |
Container Image blocking | If a container contains insecure images specified in the , before the container is started, an alarm will be generated for the insecure images. Note You need to . | |
Suspicious command executions |
| |
Abnormal User Behaviors | Invalid accounts | Hackers can probably crack unsafe accounts on your containers and control the containers. HSS checks suspicious hidden accounts and cloned accounts and generates alarms on them. |
Brute-force attacks | Detect and report alarms for brute-force attack behaviors, such as brute-force attack attempts and successful brute-force attacks, on containers. Detect SSH, web, and Enumdb brute-force attacks on containers. Note
| |
Password thefts | Report alarms on user key theft. | |
Abnormal Network Access | Abnormal outbound connections | Report alarms on suspicious IP addresses that initiate outbound connections. |
Port forwarding | Report alarms on port forwarding using suspicious tools. | |
Abnormal Cluster Behaviors | Abnormal pod behaviors | Detect abnormal operations such as creating privileged pods, static pods, and sensitive pods in a cluster and abnormal operations performed on existing pods and report alarms. |
User information enumerations | Detect the operations of enumerating the permissions and executable operation list of cluster users and report alarms. | |
Binding cluster roles | Detect operations such as binding or creating a high-privilege cluster role or service account and report alarms. | |
Kubernetes event deletions | Detect the deletion of Kubernetes events and report alarms. |
Security Alarm Severities¶
HSS alarm severities indicate alarm impact on service systems. It can be Critical, High, Medium, or Low. For details, see Table 1.
Alarm Severity | Description |
---|---|
Critical | A critical alarm indicates that the system is severely attacked, which may cause data loss, system breakdown, or long service interruption. For example, such alarms are generated if ransomware encryption behaviors or malicious programs are detected. You are advised to handle the alarms immediately to avoid severe system damage. |
High | A high-risk alarm indicates that the system may be under an attack that has not caused serious damage. For example, such alarms are generated if unauthorized login attempts are detected or unsafe commands (for deleting critical system files or modifying system settings) are executed. You are advised to investigate and take measures in a timely manner to prevent attacks from spreading. |
Medium | A medium-risk alarm indicates that the system has potential security threats, but there are no obvious signs of being attacked. For example, if abnormal modifications of a file or directory are detected, there may be potential attack paths or configuration errors in the system. You are advised to further analyze and take proper preventive measures to enhance system security. |
Low | A low-risk alarm indicates that a minor security threat exists in the system but does not have significant impact on your system. For example, such alarms are generated if port scans are detected, indicating that there may be attackers trying to find system vulnerabilities. These alarms do not require immediate emergency measures. If you have high requirements on asset security, pay attention to the security alarms of this level. |
Monitored important file paths¶
Type | Linux |
---|---|
bin | /bin/ls /bin/ps /bin/bash /bin/login |
usr | /usr/bin/ls /usr/bin/ps /usr/bin/bash /usr/bin/login /usr/bin/passwd /usr/bin/top /usr/bin/killall /usr/bin/ssh /usr/bin/wget /usr/bin/curl |