Configure runtime security

Runtime security provides visibility into container activity that violates a customizable set of rules. Currently, runtime security includes a set of pre-defined rules that provide visibility into MITRE ATT&CK framework tactics for containers, as well as container drift detection. Container Security can automatically mitigate problems detected by the runtime security feature. If a pod violates any rule during runtime, the issue is mitigated by terminating or isolating the pod based on the ruleset assigned to its Container Security policy.

This feature is compatible with Kubernetes and supports Amazon EKS, Microsoft Azure AKS, Google GKE, and OpenShift. It is currently supported on the default and most recent Linux kernels of those platforms; the supported kernel streams are listed at the end of this page.

Create a runtime ruleset

After you have access to the runtime security preview, create one or more runtime rulesets. Choose from several managed rules provided by Trend Micro to define a set of rules that you want to enforce.

  1. Open the Trend Micro Cloud One console and select Container Security.
  2. Go to the Runtime Rulesets page.
  3. Do one of the following:

    • If this is your first ruleset, click + New runtime rulesets.

      A screen displayed if there are no existing runtime rulesets

    • If this is not your first ruleset, select + New.

      A screen displayed if at least one runtime ruleset exists

  4. Provide the following information:

    • Name: a unique name for the ruleset that will help you to identify it. You cannot change this name after the ruleset is created.
    • Description: an optional description of the ruleset

    Page to enter data to create a runtime ruleset

  5. By default, the ruleset is applied to all pods in a cluster. If you want to limit the ruleset to certain applications, add one or more labels that match against the Kubernetes labels applied to your applications. Container Security will enforce the rules for applications that match the labels you specify:

    1. Click Add Label.
    2. Enter the label key and value to be matched.

      For example, adding a label of app:php will apply the ruleset only to Kubernetes pods labeled with app:php.

  6. Click Add Rule. A dialog box appears, where you select the rules that you want to enforce with this ruleset. After selecting the rules, click Apply.

    To select all rules, select the checkbox in the table heading.

    To get more information about the attack technique that a rule is designed to prevent, search for the MITRE ID (for example T1021.004) on the MITRE site.

  7. The rules you selected appear in your ruleset. For each rule, use the Mitigation dropdown list to select the action that Container Security will take if a running pod violates the rule: log an event and allow the pod to keep running, isolate the pod's network traffic, or terminate the pod.

  8. Click Create to finalize your new ruleset.

Add a ruleset to a policy

Next, create a policy and use the Runtime tab to add one or more rulesets to it. You can also add rulesets to an existing policy. For instructions, see Create a policy.

You will also need to assign the policy to the cluster that you want to protect. This applies the ruleset to the cluster.

Enable runtime security for a cluster

If you haven't yet registered a cluster to Container Security, follow the instructions in Add a cluster.

If you've already registered a cluster to Container Security but didn't enable runtime security, follow the instructions below:

  1. Add runtimeSecurity.enabled=true to your overrides file (usually overrides.yaml):

    cloudOne:
        apiKey: <API_KEY>
        endpoint: <ENDPOINT>
        runtimeSecurity:
            enabled: true
  2. Use the following command to upgrade Container Security:

    helm upgrade \
        trendmicro \
        --namespace trendmicro-system --create-namespace \
        --values overrides.yaml \
        https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz

View runtime events

When a runtime rule is triggered, it generates an event that you can see on the Events page. See Monitor events.

Disable runtime security

If you want to disable runtime security in a cluster but keep the other aspects of Container Security:

  1. Set runtimeSecurity.enabled=false in your overrides file (usually overrides.yaml):

    cloudOne:
        apiKey: <API_KEY>
        endpoint: <ENDPOINT>
        runtimeSecurity:
            enabled: false
  2. Use the following command to upgrade the Container Security cluster:

    helm upgrade \
        trendmicro \
        --namespace trendmicro-system \
        --values overrides.yaml \
        https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz

Taints and tolerations

Taints are a Kubernetes concept that allows nodes to repel a set of pods. See Kubernetes documentation for details. If you are using taints, you can use tolerations to ensure that runtime security is applied to tainted nodes. This is done by adding tolerations to your overrides file in the following format:

tolerations:
  scout:
  - key: "key1"
    operator: "Equal"
    value: "value1"
    effect: "NoSchedule"

To add tolerations for all taints (applying runtime security to all nodes, regardless of taints), add the following to your overrides file:

tolerations:
  scout:
  - key: ""
    operator: Exists

Supported Linux kernels major/minor versions

Container Security supports the following kernel version flavors. New kernel releases for these streams will be supported as soon as possible.

Platform                                  Major/minor version   Flavor
Amazon Linux 2                            4.14.x
Amazon Linux 2                            5.4.x
Amazon Linux 2                            5.10.x
Amazon Linux 2                            5.15.x
Red Hat Enterprise Linux CoreOS (RHCOS)   4.18.x
Ubuntu                                    4.15.x                generic
Ubuntu                                    5.4.x                 generic
Ubuntu                                    5.4.x                 azure
Ubuntu                                    5.4.x                 aws
Ubuntu                                    5.4.x                 gke
Ubuntu                                    5.11.x                generic
Ubuntu                                    5.11.x                azure
Ubuntu                                    5.11.x                aws
Google Container-Optimized OS (COS)       5.4.x
Google Container-Optimized OS (COS)       5.10.x
Debian 11                                 5.10.x                generic
Bottlerocket                              5.10.x
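As a pre-flight check before enabling runtime security, the following POSIX shell script (an added example, not part of Trend Micro's Helm chart or documentation) compares each node's osImage and kernel release, as kubelet reports them, with the kernel streams in the table above. The node inventory embedded in it is constructed, and the osImage prefixes it matches on are assumptions about the strings kubelet reports for each platform.

```shell
# Pre-flight check before setting runtimeSecurity.enabled=true: compare each node's
# osImage and kernel release (as kubelet reports them) with the supported kernel
# streams from the table above. Added example; not part of Trend Micro's Helm chart.

# Returns 0 when the (osImage, kernelVersion) pair is in the supported table.
# The osImage prefixes are assumptions about what kubelet reports per platform.
kernel_supported() {
    os=$1 release=$2
    # "5.4.0-1063-azure" -> "5.4"; "5.10.118-111.515.amzn2.x86_64" -> "5.10"
    mm=$(printf '%s\n' "$release" | sed -n 's/^\([0-9]*\.[0-9]*\)\..*/\1/p')
    flavor=${release##*-}          # Ubuntu encodes the flavor as the last suffix
    case $os in
        "Amazon Linux 2"*)          case $mm in 4.14|5.4|5.10|5.15) return 0 ;; esac ;;
        "Red Hat Enterprise Linux CoreOS"*) [ "$mm" = 4.18 ] && return 0 ;;
        Ubuntu*)
            case "$mm/$flavor" in
                4.15/generic|5.4/generic|5.4/azure|5.4/aws|5.4/gke) return 0 ;;
                5.11/generic|5.11/azure|5.11/aws) return 0 ;;
            esac ;;
        "Container-Optimized OS"*)  case $mm in 5.4|5.10) return 0 ;; esac ;;
        "Debian GNU/Linux 11"*)     [ "$mm" = 5.10 ] && return 0 ;;
        Bottlerocket*)              [ "$mm" = 5.10 ] && return 0 ;;
    esac
    return 1
}

# Reads "name|osImage|kernelVersion" lines on stdin; prints one verdict per node.
check_nodes() {
    while IFS='|' read -r name os kernel; do
        if kernel_supported "$os" "$kernel"; then verdict=supported; else verdict=UNSUPPORTED; fi
        printf '%s\t%s\t%s\t%s\n' "$name" "$verdict" "$os" "$kernel"
    done
}

# Constructed node inventory (not from a real cluster) in the shape the kubectl
# jsonpath below emits; the Ubuntu 22.04 node runs a 5.15 kernel the table lacks.
SAMPLE_NODES='ip-10-0-1-10|Amazon Linux 2|5.10.118-111.515.amzn2.x86_64
aks-np1-vmss000000|Ubuntu 18.04.6 LTS|5.4.0-1089-azure
gke-pool-1-abc|Container-Optimized OS from Google|5.10.107+
ip-10-0-2-20|Ubuntu 22.04.1 LTS|5.15.0-1019-aws'

# Against a live cluster, replace the last line with:
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"|"}{.status.nodeInfo.osImage}{"|"}{.status.nodeInfo.kernelVersion}{"\n"}{end}' | check_nodes
printf '%s\n' "$SAMPLE_NODES" | check_nodes
```

Any node reported as UNSUPPORTED will not get runtime security coverage after the Helm upgrade, so fix its node pool (or scope the ruleset with labels) before relying on the feature there.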