Use process baselining

Identify and address abnormal process executions in your deployments.

In the StackRox Kubernetes Security Platform, you can minimize your risks by using process baselining. It’s a proactive approach to keep your infrastructure secure. The StackRox Kubernetes Security Platform first discovers existing processes and creates a baseline. Then, it operates in the default deny-all mode and only allows processes listed in the baseline to run.

Process baselines

When you install the StackRox Kubernetes Security Platform, there is no default process baseline. As StackRox discovers deployments, it creates a process baseline for every container type in a deployment and adds each process it discovers in a container to that container's baseline.

Process baseline states

During the process discovery phase, all baselines are in an unlocked state.

In an unlocked state:

  • When StackRox discovers a new process, it adds that process to the process baseline.
  • Processes don’t show up as risks and don’t trigger any violations.

One hour after StackRox receives the first process indicator from a container in a deployment, it finishes the process discovery phase for that container. At this point:

  • StackRox stops adding processes to the process baselines.
  • New processes (which aren’t in the process baseline) show up as risks but they don’t trigger any violations.

To generate violations, you must manually lock the process baseline. See Lock and unlock process baselines for more details.

In a locked state:

  • StackRox stops adding processes to the process baselines.
  • New processes (which aren’t in the process baseline) trigger violations.

Independent of the locked or unlocked baseline state, you can always add or remove processes from the baseline.

For a deployment whose pods run multiple containers, StackRox creates a separate process baseline for each container type. If some of those baselines are locked and others are unlocked, the baseline status for the deployment shows up as Mixed.
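The lifecycle described above (unlocked and discovering, unlocked with discovery finished, locked) is easiest to reason about as a small state machine. The Python below is an added example written for this page, not StackRox code: the class and method names (ContainerBaseline, observe, deployment_status) are invented, the sample deployment and process paths are constructed, and the one-hour discovery window is the only value taken from the text. It walks a two-container deployment through discovery, a post-discovery risk, a manual removal, and a locked-state violation, ending in the Mixed status.

```python
"""Simulation of the process-baseline states described above.

Added illustrative example, not StackRox code. Names are invented to mirror
the documented behaviour: a one-hour discovery window per container, an
unlocked/locked flag per baseline, and a per-deployment Mixed status.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DISCOVERY_WINDOW_SECONDS = 3600  # the one-hour discovery phase from the text


@dataclass
class ContainerBaseline:
    """Baseline for one container type (one per container in the pod spec)."""
    container: str
    processes: Set[str] = field(default_factory=set)
    first_seen: Optional[float] = None  # time of the first process indicator
    locked: bool = False

    def discovering(self, now: float) -> bool:
        """True while the one-hour discovery phase is still running."""
        if self.first_seen is None:
            return True
        return now - self.first_seen < DISCOVERY_WINDOW_SECONDS

    def observe(self, process: str, now: float) -> str:
        """Feed one process indicator; return 'ok', 'added', 'risk' or 'violation'."""
        if self.first_seen is None:
            self.first_seen = now
        if process in self.processes:
            return "ok"                  # baselined process: nothing to report
        if self.locked:
            return "violation"           # locked: unknown process is a violation
        if self.discovering(now):
            self.processes.add(process)  # unlocked + discovering: learned silently
            return "added"
        return "risk"                    # unlocked, discovery over: risk only

    # Manual edits are allowed regardless of the lock state.
    def add(self, process: str) -> None:
        self.processes.add(process)

    def remove(self, process: str) -> None:
        self.processes.discard(process)


def deployment_status(baselines: List[ContainerBaseline]) -> str:
    """'Locked', 'Unlocked' or 'Mixed', as shown for the whole deployment."""
    states = {b.locked for b in baselines}
    if states == {True}:
        return "Locked"
    if states == {False}:
        return "Unlocked"
    return "Mixed"


def demo() -> Dict[str, object]:
    """Walk a constructed two-container deployment through the lifecycle."""
    app = ContainerBaseline("app")
    sidecar = ContainerBaseline("log-sidecar")
    events = []
    # t=0: discovery starts, the expected processes are learned
    events.append(app.observe("/usr/bin/python3", now=0))
    events.append(sidecar.observe("/usr/bin/fluent-bit", now=0))
    # t=30 min: still discovering, so a shell in the app container is learned too
    events.append(app.observe("/bin/sh", now=1800))
    # t=2 h: discovery is over; a new binary is a risk but not a violation
    events.append(app.observe("/usr/bin/curl", now=7200))
    # An operator removes the shell learned during discovery and locks the baseline
    app.remove("/bin/sh")
    app.locked = True
    # The same shell now triggers a violation; the sidecar baseline stays unlocked
    events.append(app.observe("/bin/sh", now=7300))
    return {
        "events": events,
        "app_processes": set(app.processes),
        "status": deployment_status([app, sidecar]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the simulation makes is the one the text states: a process learned during the discovery window is silent, a process seen after the window is only a risk until the baseline is locked, and the Mixed status appears as soon as one container's baseline is locked while another's is not.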

View process baselines

  1. In the StackRox portal, select Risk from the left-hand navigation menu.
  2. Select a deployment from the list of deployments in the default Risk view. Deployment details open in a panel on the right.
  3. In the Deployment details panel, select the Process Discovery tab.
  4. The process baselines are visible under the Spec Container Baselines section.

Add process to baseline

To add a process to the baseline:

  1. In the StackRox portal, select Risk from the left-hand navigation menu.
  2. Select a deployment from the list of deployments in the default Risk view. Deployment details open in a panel on the right.
  3. In the Deployment details panel, select the Process Discovery tab.
  4. Under the Running Processes section, select the Add icon for the process you want to add to the process baseline.

The Add icon is available only for the processes that aren’t in the process baseline.

Remove process from baseline

To remove a process from the baseline:

  1. In the StackRox portal, select Risk from the left-hand navigation menu.
  2. Select a deployment from the list of deployments in the default Risk view. Deployment details open in a panel on the right.
  3. In the Deployment details panel, select the Process Discovery tab.
  4. Under the Spec Container baselines section, select the Remove icon for the process you want to remove from the process baseline.

Lock and unlock process baselines

Lock a baseline to trigger violations for all processes not listed in it, and unlock the baseline to stop triggering those violations.

  1. In the StackRox portal, select Risk from the left-hand navigation menu.

  2. Select a deployment from the list of deployments in the default Risk view. Deployment details open in a panel on the right.

  3. In the Deployment details panel, select the Process Discovery tab.

  4. Under the Spec Container baselines section:

    • Click the Lock icon to trigger violations for processes that aren’t in the baseline.
    • Or click the Unlock icon to stop triggering violations for processes that aren’t in the baseline.


© 2021 StackRox Inc. All rights reserved.