Run-time policies

Understand how to identify and stop malicious containers.

Use the examples in this section to understand how run-time policies meet requirements for threat detection and prevention, and for incident investigation and response.

1. Block containers that use package managers

Package managers install or modify the software installed on a Linux host. Using a package manager such as apt (Ubuntu), apk (Alpine), or yum (Red Hat) to modify a running container violates the principle that containers are immutable.

You can use the StackRox Kubernetes Security Platform policies to detect and eliminate such run-time violations. These policies use kernel instrumentation to detect running processes and instruct Kubernetes to terminate the pod for enforcement. Replacing the affected pod keeps attackers from gaining a foothold in your environment while making sure Kubernetes accurately reflects the state of your applications.

Using Kubernetes to enforce run-time policy is preferable to enforcing rules directly within containers or in the container engine because it avoids the disconnect between the state that Kubernetes is maintaining and the state in which the container is operating. Since a run-time policy may detect only part of an attacker’s activity inside a container, removing the container eliminates the attack itself.

  1. Navigate to Platform Configuration > System Policies.
  2. In the Policies view, enter Ubuntu in the filter box and press Enter.
  3. Select the Ubuntu Package Manager Execution policy.
  4. In the policy information panel header, select Edit.
  5. Turn on the Enable Policy toggle and review other policy attributes.
  6. Select Next in the panel header to review the policy.
  7. Select Next again to review the enforcement options.
  8. Select On for runtime enforcement behavior.
  9. Select Save.

To test the policy, run the following commands:

  1. Start a container from an image that includes a package manager:

    kubectl run tmp-shell --labels="app=tmp-shell" --rm -i --tty --image ubuntu:18.04 -- /bin/bash
  2. After the container starts and you get a running shell, try to run the package manager:

    root@tmp-shell-65c98c7766-66fpw:/# apt update

    When you run this command, the StackRox Kubernetes Security Platform evaluates the run-time policy and terminates the container.

  3. The session ends with the following output:

    root@tmp-shell-65c98c7766-vf8wv:/# Session ended, resume using 'kubectl attach tmp-shell-65c98c7766-vf8wv -c tmp-shell -i -t' command when the pod is running
    deployment.apps "tmp-shell" deleted
  4. While the container is terminating, you can check its details by using the following command:

    kubectl describe pod -l app=tmp-shell
    
    Events:
      Type    Reason     Age   From                                              Message
      ----    ------     ----  ----                                              -------
      Normal  Scheduled  88s   default-scheduler                                 Successfully assigned default/tmp-shell-7b59d58854-kvkd7 to gke-cluster1-default-pool-13528726-ml91
      Normal  Pulled     87s   kubelet, gke-cluster1-default-pool-13528726-ml91  Container image "ubuntu:18.04" already present on machine
      Normal  Created    87s   kubelet, gke-cluster1-default-pool-13528726-ml91  Created container
      Normal  Started    87s   kubelet, gke-cluster1-default-pool-13528726-ml91  Started container
      Normal  Killing    2s    kubelet, gke-cluster1-default-pool-13528726-ml91  Killing container with id docker://tmp-shell:Need to kill Pod
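As an added example that is not part of the original page, the following POSIX shell script checks a saved `kubectl describe pod` Events table for the Started and Killing sequence that run-time enforcement leaves behind, and reports how many seconds the container ran before the pod was killed. It assumes the five-column Events layout shown above and embeds an abbreviated, constructed copy of that output as its sample input.

```shell
#!/bin/sh
# Added example, not StackRox's own code: inspect the Events table printed by
# `kubectl describe pod` for the Started -> Killing sequence that run-time
# enforcement leaves behind, and report how long the container lived.

# Constructed sample, abbreviated from the output shown on this page.
SAMPLE_EVENTS='Events:
  Type    Reason     Age   From                                              Message
  ----    ------     ----  ----                                              -------
  Normal  Scheduled  88s   default-scheduler                                 Successfully assigned default/tmp-shell-7b59d58854-kvkd7 to gke-cluster1-default-pool-13528726-ml91
  Normal  Started    87s   kubelet, gke-cluster1-default-pool-13528726-ml91  Started container
  Normal  Killing    2s    kubelet, gke-cluster1-default-pool-13528726-ml91  Killing container with id docker://tmp-shell:Need to kill Pod'

# Print "Reason Age" for each event row read on stdin; the header and
# separator rows are skipped because their first column is not Normal/Warning.
event_reasons() {
  awk '/^Events:/ { inev = 1; next }
       inev && $1 ~ /^(Normal|Warning)$/ { print $2, $3 }'
}

# Convert a single-unit kubectl age (88s, 2m, 1h, 3d) to whole seconds.
age_seconds() {
  case "$1" in
    *s) printf '%s\n' "${1%s}" ;;
    *m) printf '%s\n' "$(( ${1%m} * 60 ))" ;;
    *h) printf '%s\n' "$(( ${1%h} * 3600 ))" ;;
    *d) printf '%s\n' "$(( ${1%d} * 86400 ))" ;;
    *)  printf '%s\n' "$1" ;;
  esac
}

# Read "Reason Age" lines; when both Started and Killing are present, print
# the container lifetime in seconds and return 0, otherwise return 1.
enforcement_seen() {
  started=""; killed=""
  while read -r reason age; do
    case "$reason" in
      Started) started=$(age_seconds "$age") ;;
      Killing) killed=$(age_seconds "$age") ;;
    esac
  done
  [ -n "$started" ] && [ -n "$killed" ] || return 1
  echo $(( started - killed ))
}

# Run against the embedded sample; pipe `kubectl describe pod -l app=tmp-shell`
# into event_reasons instead to check a live cluster.
printf '%s\n' "$SAMPLE_EVENTS" | event_reasons | enforcement_seen
```

A non-zero exit from enforcement_seen means no Killing event followed the Started event, so the policy either did not fire or enforcement is still off.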

To view violation details in the StackRox Portal:

  1. Select Violations from the left-hand navigation menu.
  2. Enter tmp-shell in the filter box and press Enter.
  3. Select the tmp-shell violation.
  4. Review violation details in the information panel.

If you have integrated StackRox with other tools such as PagerDuty, Jira, Splunk, or a generic webhook, the StackRox Kubernetes Security Platform also sends these violation alerts to them. You can also access them by using the API.

After you address this violation, you can remove it from the violation list by marking it as resolved: hover over the violation row and select the checkmark icon in the pop-up actions.

© 2021 StackRox Inc. All rights reserved.