Intrusion Detection Policy
Container intrusion detection mainly monitors command execution, file reading and writing, network activity, host exceptions, and other event types.
The platform supports multiple types of detection rules to detect and protect against attack behavior. A policy can also be preset to pause the intrusion behavior of the container immediately when the event occurs. Pausing the pod where the container is located is also supported.
Default Policy
The platform's built-in default policy is Enabled by default. The default policy can be viewed and edited, but cannot be deleted.
When editing the default policy, you can select the objects the policy applies to, customize rules, and perform other operations.
For details about the detection rules contained in the default policy, see System Built-in Rules.
Adding a Policy
1. Log in to the CSG Console.
2. Select Container security > Policy Management on the left navigation bar to go to the Policy Management page.
3. On the Intrusion detection policy tab, click "New policy" to go to the new policy page.
4. Configure basic information.
5. Select the object to which the policy applies.
6. Configure policy rules, including the rules in use and the handling method configured for each rule.
Under each intrusion behavior, the relevant behavior description and enabling suggestion are listed for reference.
Only the system built-in policy can be configured with the host exception rule.
7. When the parameters are configured, click "save".
Replicating a Policy
By replicating a policy, you can quickly add a policy that is similar to an existing policy.
1. Log in to the CSG Console.
2. Select Container security > Policy Management on the left navigation bar to go to the Policy Management page.
3. On the Intrusion detection policy tab, click "Copy" in the operation column of the existing policy to go to the copying page.
4. For a detailed description of policy configuration, see Adding a Policy.
Editing a Policy
1. Log in to the CSG Console.
2. Select Container security > Policy Management on the left navigation bar to go to the Policy Management page.
3. On the Intrusion detection policy tab, click "Edit" in the operation column of the existing policy to go to the editing page.
4. On the editing page, you can modify the policy name, the objects the policy applies to, and the handling method configured for each detection rule. For a detailed description of policy configuration, see Adding a Policy.
Managing Policies in Batches
You can manage policies in batches, including enabling, disabling, and deleting them.
1. Log in to the CSG Console.
2. Select Container security > Policy Management on the left navigation bar to go to the Policy Management page.
3. On the Intrusion detection policy tab, select the check box before the name of the intrusion behavior to select the policies you want to operate on.
4. Click the batch button above the selection list to conduct the batch operation.
5. Select the operation to perform based on your needs, such as batch enabling, disabling, and deleting.
Intrusion Detection Rules
The system has rich built-in detection rules. You can also customize detection rules as needed.
The built-in rules of the system can only be viewed, and cannot be copied, edited, or deleted.
You can add, edit, or delete the custom rules.
Adding a Custom Rule
1. Log in to the CSG Console.
2. On the left navigation bar, select Container security > Policy Management to go to the Policy Management page.
3. Select the Intrusion detection rules tab.
4. Click "New rule" to go to the adding page.
5. Enter the rule name (mandatory) and rule description (optional) on the Intrusion detection rules page and select whether to enable the rule or not. Enter the alarm information, select the rule type (command execution, network activity, file read and write, and file content), ATT&CK tactics, ATT&CK technology, risk level, rule content (DSL), repair suggestion, and enabling suggestion.
6. Click "save" to generate a new rule.
System Built-in Rules
Type | Test Item | Description |
Command Execution | Starting privileged containers | Starting a container in privileged mode is equivalent to having administrator privileges on the server, allowing users to operate any resource on the server and execute any command. |
Command Execution | Using the NCAT tool in the container | This type of tool is often used by attackers for downloading tools, detecting information, further infiltration, etc. It is rarely used by service processes. |
Command Execution | Using specific network tools in the container | This type of tool is often used by attackers for downloading tools, detecting information, further infiltration, etc. It is rarely used by service processes. |
Command Execution | Executing sensitive commands | This kind of behavior is usually an attempt by an attacker to obtain high privileges by exploiting setuid after obtaining a low-privilege shell. |
Command Execution | Searching private key behaviors | The attacker searches for an exploitable private key to log in and hack the corresponding server. |
Command Execution | Suspected containerd escape | A suspected process is found. It is suspected that the hacker exploits CVE-2020-15257 for escape. Please check whether it is a hacking behavior. |
Command Execution | Suspected modification namespace escape | A suspected process is found. It is suspected that the hacker achieves container escape by changing the container namespace to the host namespace after obtaining the host privileges. Please check whether it is a hacking behavior. |
Command Execution | Executing the remote file transfer command | Attackers often exploit this command to download backdoors or upload sensitive information. |
Command Execution | Creating a soft connection to a sensitive file | This command is often exploited by attackers to escalate privileges. It is rarely exploited by service processes. |
Command Execution | Escalating privileges by using Dirty COW | Exploit the race condition vulnerability of the Linux system during Copy On Write to escalate privileges. Attackers can exploit this vulnerability to escalate to administrator privileges and control the server. |
Command Execution | Exploiting the sudo vulnerability in the container | Exploit CVE-2019-14287 to escalate privileges. |
Command Execution | Exploiting the kubectl cp vulnerability | Exploit CVE-2019-1002101, a kubectl cp vulnerability. |
Command Execution | Java memory horse | The attacker exploits a Java defect to dynamically change the code segment in the memory of a Java program and inject a remote control backdoor program to realize remote control. This behavior is concealed and nothing is written to disk. |
Command Execution | Starting the mining program | Attackers implant the mining program on the server, occupying a large amount of computing resources on the server for mining. This may cause risks such as slow service processes and jamming. |
Command Execution | Starting a remote Trojan | The attacker leaves a remote control backdoor after a successful intrusion to facilitate continuous infiltration. |
Command Execution | Executing the command with setuid bit | This kind of behavior is usually an attempt by an attacker to obtain high privileges by exploiting setuid after obtaining a low-privilege shell. |
Command Execution | Camouflaging k8s containers | This kind of behavior is usually related to a malicious container disguised by attackers. |
Command Execution | Starting container mount directory | When the container is mounted with some risk directories, some key files in the host can be modified in the container, resulting in a risk of escaping or escalating privileges. |
Command Execution | Starting the container with sensitive privileges | This kind of behavior is likely to increase the risk of escape. |
Command Execution | Utilizing tunnels | This method is often used by attackers for downloading data, probing information, etc. |
Command Execution | Suspected exploiting of the CVE-2021-3156 vulnerability | Exploit CVE-2021-3156 to escalate privileges. |
Command Execution | Suspected exploiting of the CVE-2021-25741 vulnerability | Exploiting CVE-2021-25741, the attacker can mount a directory with a specified subPath configuration in a container through a symbolic link to escape to a host-sensitive directory. |
Command Execution | Suspected exploiting of the CVE-2022-0492 vulnerability | Exploiting CVE-2022-0492, the attacker can bypass the namespace isolation and result in container escape. |
Command Execution | Executing malicious scripts | Malicious script execution is found in the container. Please check whether it is a hacking behavior. |
Command Execution | Executing malicious memory codes | Malicious memory code execution is found in the container. Please check whether it is a hacking behavior. |
Command Execution | Suspected webshell execution command | A suspected webshell execution command is found in the container. |
Command Execution | Executing malicious scripts by crond | Executing malicious scripts by crond is found in the container. Please check whether it is a hacking behavior. |
Command Execution | Suspected exploiting of the DIND (docker-in-docker) escape vulnerability | When a container is mounted with docker.sock or its root directory and if docker is installed in the container, the attacker can exploit docker to contact docker.sock and create a container and mount the host-sensitive directory to achieve container escape. |
Command Execution | Suspected CVE-2018-15664 escape | A suspected process is found. It is suspected that the hacker exploits docker cp to escape. Please check whether it is a hacking behavior. |
Command Execution | Suspected escape by using a privileged container to mount device | A suspected process is found. It is suspected that the hacker exploits a privileged container to mount the device to escape. Please check whether it is a hacking behavior. |
Command Execution | Suspected container escape | It is found that the files in the container are executed by the host process, resulting in the risk of container escape. Please confirm whether it is a hacking behavior. |
Command Execution | Removing large volume data from the disk | This kind of behavior is usually an attacker's operation of destroying data or clearing traces, or it may be log cleaning by a service process. Please conduct further confirmation according to the details. |
Command Execution | Executing malicious scripts | Malicious script execution is found in the container. Please check whether it is a hacking behavior. |
Command Execution | Executing malicious scripts by crond | Executing malicious scripts by crond is found in the container. Please check whether it is a hacking behavior. |
Command Execution | Mounting the proc directory in the container | It is found that the /proc directory inside the container is mounted. Check whether the container is started by a hacker. |
Command Execution | Adding setuid privileges | Add setuid privileges to the file. |
Reading and Writing Files | Exploiting the runc escape vulnerability | It is suspected that the runc escape vulnerability CVE-2019-5736 is utilized. |
Reading and Writing Files | Malicious files found in a container | This kind of behavior is usually about viruses, Trojan horses, and other files with destructive behavior. |
Reading and Writing Files | Tampering with scheduled tasks | This kind of behavior is usually a malicious operation by an attacker. |
Reading and Writing Files | Exploiting the docker-cp vulnerability | Exploiting CVE-2019-14271, a privilege escalation vulnerability in docker cp. |
Reading and Writing Files | Suspected exploitation of the CVE-2021-4034 vulnerability | Exploit CVE-2021-4034 to escalate privileges. |
Reading and Writing Files | Operating sensitive files | This kind of behavior can modify executable files into destructive files. |
Reading and Writing Files | Tampering with executable files in the container | This kind of behavior can modify executable files into destructive files. |
Reading and Writing Files | Suspected mount-procfs container escape | The /proc/sys/kernel/core_pattern file is used for the memory data dump when the process crashes. When the first character is a pipe character, the subsequent part will be parsed and run as a command line. |
Reading and Writing Files | Suspected rewriting of the devices.allow escape | A suspected process is found. It is suspected that the hacker rewrites devices.allow to escape. Please check whether it is a hacking behavior. |
Network Activities | Bounce shell operation | This command is often exploited by attackers to bypass firewall rules and remotely control the server. |
Network Activities | Brute force cracking of container | This kind of behavior is typically an attempt by an attacker to obtain privileges on the targeted service. |
File Content | - | You can customize the file content to detect. |
Host Exception | Entering the pod via docker exec | Enter the pod via kubectl exec, which is not allowed in some cases. |
Host Exception | Entering the container via docker_exec | Enter the pod via docker exec, which is not allowed in some cases. |
Host Exception | Bounce shell operation | This command is often exploited by attackers to bypass firewall rules and remotely control the server. |
Host Exception | Tampering with runc | This kind of behavior may be an escape behavior. |
Host Exception | High-risk system calling | This behavior may cause an attack exploitation. |
Host Exception | Using specific network tools on the host | This type of tool is often used by attackers for downloading tools, detecting information, further infiltration, etc. It is rarely used by service processes. |
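
Several Command Execution rows above (privileged containers, sensitive privileges, risky mount directories, docker.sock, /proc) describe conditions that are already visible in a workload's configuration before it runs. The following is an added example, not CSG code or its rule DSL: a Python check over a Kubernetes pod spec that reports those conditions under the table's test item names. The capability set, the host path list and the sample pod are assumptions constructed for illustration.

```python
import posixpath

# Assumed values: the page does not list which capabilities or paths CSG treats as risky.
SENSITIVE_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
DIND = "Suspected exploiting of the DIND (docker-in-docker) escape vulnerability"
RISKY_HOST_PATHS = {
    "/": "Starting container mount directory",
    "/var/run/docker.sock": DIND,
    "/run/docker.sock": DIND,
    "/proc": "Mounting the proc directory in the container",
}

def audit_pod_spec(spec):
    """Return (container, table test item, detail) findings for a pod spec dict."""
    # Map volume name -> normalized host path, so "/proc/" and "/proc" compare equal.
    host_paths = {v["name"]: posixpath.normpath(v["hostPath"]["path"])
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append((c["name"], "Starting privileged containers", "privileged: true"))
        added = (sc.get("capabilities") or {}).get("add") or []
        for cap in sorted({a.upper().replace("CAP_", "", 1) for a in added} & SENSITIVE_CAPS):
            findings.append((c["name"], "Starting the container with sensitive privileges",
                             "capability " + cap))
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])  # None for non-hostPath volumes
            if path in RISKY_HOST_PATHS:
                findings.append((c["name"], RISKY_HOST_PATHS[path],
                                 "hostPath %s mounted at %s" % (path, m["mountPath"])))
    return findings

# Constructed sample pod spec (not taken from the page).
SAMPLE_POD = {
    "volumes": [
        {"name": "cache", "emptyDir": {}},
        {"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}},
        {"name": "hostproc", "hostPath": {"path": "/proc/"}},
    ],
    "containers": [
        {"name": "web", "volumeMounts": [{"name": "cache", "mountPath": "/cache"}]},
        {"name": "builder",
         "securityContext": {"privileged": True,
                             "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}},
         "volumeMounts": [{"name": "sock", "mountPath": "/var/run/docker.sock"},
                          {"name": "hostproc", "mountPath": "/host/proc"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_pod_spec(SAMPLE_POD):
        print(" | ".join(finding))
```

A clean result here only covers what the spec declares; the runtime rules in the table still apply to what the container does after it starts.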