Topics on this page
Configure runtime security
Runtime security provides visibility into container activity that violates a customizable set of rules. Currently, runtime security includes a set of pre-defined rules that provide visibility into MITRE ATT&CK framework tactics for containers, as well as container drift detection. Container Security can automatically mitigate problems detected by the runtime security feature. If a pod violates any rule during runtime, the issue is mitigated by terminating or isolating the pod based on the ruleset assigned to its Container Security policy.
This feature is compatible with Kubernetes and supports Amazon EKS, Microsoft Azure AKS, Google GKE, and OpenShift. It is currently supported with default and the most recent Linux kernels.
Create a runtime ruleset
After you have access to the runtime security preview, create one or more runtime rulesets. Choose from several managed rules provided by Trend Micro to define a set of rules that you want to enforce.
- Open the Trend Micro Cloud One console and select Container Security.
- Go to the
Runtime Rulesets page. -
Do one of the following:
-
If this is your first ruleset, click + New runtime rulesets.
-
If this is not your first ruleset, select + New.
-
-
Provide the following information:
- Name: a unique name for the ruleset that will help you to identify it. You cannot change this name after the ruleset is created.
- Description: an optional description of the ruleset
-
By default, the ruleset is applied to all pods in a cluster. If you want to limit the ruleset to certain applications, add one or more labels that match against the Kubernetes labels applied to your applications. Container Security will enforce the rules for applications that match the labels you specify:
- Click Add Label.
-
Enter the label key and value to be matched.
For example, adding a label of
app:phpwill apply the ruleset only to Kubernetes pods labeled withapp:php.
-
Click Add Rule. A dialog box appears, where you select the rules that you want to enforce with this ruleset. After selecting the rules, click Apply.
To select all rules, select the checkbox in the table heading.
To get more information about the attack technique that a rule is designed to prevent, search for the MITRE ID (for example
T1021.004) on the MITRE site. -
The rules you selected appear in your ruleset. For each rule, use the Mitigation dropdown list to select the action that Container Security will take if a running pod violates the rule: log an event and allow the pod to keep running, isolate the pod's network traffic, or terminate the pod.
-
Click Create to finalize your new ruleset.
Add a ruleset to a policy
Next, create a policy and use the Runtime tab to add one or more rulesets to it. You can also add rulesets to an existing policy. For instructions, see Create a policy.
You will also need to assign the policy to the cluster that you want to protect. This applies the ruleset to the cluster.
Enable runtime security for a cluster
If you haven't yet registered a cluster to Container Security, follow the instructions in Add a cluster.
If you've already registered a cluster to Container Security but didn't enable runtime security, follow the instructions below:
-
Add
runtimeSecurity.enabled=trueto your overrides file (usuallyoverrides.yaml):cloudOne: apiKey: <API_KEY> endpoint: <ENDPOINT> runtimeSecurity: enabled: true -
Use the following command to upgrade Container Security:
helm upgrade \ trendmicro \ --namespace trendmicro-system --create-namespace \ --values overrides.yaml \ https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz
View runtime events
When a runtime rule is triggered, it generates an event that you can see on the Events page. See Monitor events.
Disable runtime security
If you want to disable runtime security in a cluster but keep the other aspects of Container Security:
-
Set
runtimeSecurity.enabled=falsein your overrides file (usuallyoverrides.yaml).cloudOne: apiKey: <API_KEY> endpoint: <ENDPOINT> runtimeSecurity: enabled: false -
Use the following command to upgrade the Container Security cluster:
helm upgrade \ trendmicro \ --namespace trendmicro-system \ --values overrides.yaml \ https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz
Taints and tolerations
Taints are a Kubernetes concept that allows nodes to repel a set of pods. See Kubernetes documentation for details. If you are using taints, you can use tolerations to ensure that runtime security is applied to tainted nodes. This is done by adding tolerations to your overrides file in the following format:
tolerations:
scout:
- key: "key1"
operator: "Equal"
value: "value1"
effect: "NoSchedule"To add tolerations for all taints (applying runtime security to all nodes, regardless of taints), add the following to your overrides file:
tolerations:
scout:
- key: ""
operator: ExistsSupported Linux kernels major/minor versions
Container Security supports the following kernel version flavors. New kernel releases for these streams will be supported as soon as possible.
| Platform | Major minor version | Flavor |
|---|---|---|
| Amazon Linux 2 | 4.14.x | |
| Amazon Linux 2 | 5.4.x | |
| Amazon Linux 2 | 5.10.x | |
| Amazon Linux 2 | 5.15.x | |
| Red Hat Enterprise Linux CoreOS (RHCOS) | 4.18.x | |
| Ubuntu | 4.15.x | generic |
| Ubuntu | 5.4.x | generic |
| Ubuntu | 5.4.x | azure |
| Ubuntu | 5.4.x | aws |
| Ubuntu | 5.4.x | gke |
| Ubuntu | 5.11.x | generic |
| Ubuntu | 5.11.x | azure |
| Ubuntu | 5.11.x | aws |
| Google Container-Optimized OS (COS) | 5.4.x | |
| Google Container-Optimized OS (COS) | 5.10.x | |
| Debian 11 | 5.10.x | generic |
| Bottlerocket | 5.10.x |