Runtime defense for file systems
Prisma Cloud’s runtime defense for container file systems continuously monitors and protects containers from suspicious file system activities and malware.
File system integrity
Prisma Cloud monitors and protects against the following types of suspicious file system activity:
- Changes to any file in folders not in the runtime model.
- Changes to binaries or certificates anywhere in the container.
- Changes to SSH administrative account configuration files anywhere in the container.
- Presence of malware anywhere in the container.
Malware protection
Defender monitors container file systems for malicious certs and binaries using data from the Prisma Cloud Intelligence Stream.
Console receives the Prisma Cloud feed, and then distributes it to all deployed Defenders.
You can optionally supplement the Prisma Cloud feed with your own custom data.
When a file is written to the container file system, Defender compares the MD5 hash of the file to the MD5 hash of known malware.
If there is a match, Defender takes the action specified in your rules.
By default, Defender monitors both the container root file system and any data volumes.
Container root file systems reside on the host file system.
In this diagram, the running container also has a data volume.
It mounts the db/ directory from the host file system into its own root file system.
Both locations are monitored by Defender.
The following diagram shows how Prisma Cloud protects containers from malicious files:
File system integrity monitoring
Prisma Cloud ships with a default rule that monitors container file system integrity.
You can see this rule under
Defend > Runtime > Container Policy > Default - alert on suspicious runtime behavior
.
The default rule configures Prisma Cloud to continuously monitor and alert on suspicious file system activities in all running containers in your entire environment or cluster.
When a rule is triggered, and the effect is alert, an audit is generated.
You can view audits under Monitor > Events > Container Audits
.File system integrity defense
Create new runtime rules to augment the default rule.
Runtime rules enable not only the detection, but also the prevention, of file system integrity violations so that your running containers can be actively defended.
Rule order and pattern matching are critical when designing policy.
The following procedure shows you how to create a custom rule to ensure file system integrity.
- Go to toDefend > Runtime > Container Policy.
- ClickAdd Rule.
- Enter a name for your rule. Spaces are permitted.
- Specify a filter. For this example, just use an image name for one of your running containers and leave all the other fields as '*'. For my example, I am using a running container based on alpine:latest image.
- LeavePrisma Cloud Advanced Threat Protectionenabled. For more information, see TATP.
- Optionally selectDetect Kubernetes Attacks. For more information, see Kubernetes attacks.
- Click theFile Systemtab.
- To ensure broad file system protection, leave bothMonitor all changes to binaries and certificatesandMonitor all SSH administrative account configuration filesenabled.
- Set the effect when this rule is triggered. For this example, selectPrevent.
- Disable— Defender does not provide any protection for file system.
- Alert— Generates an audit and raises an alert when an file system integrity violation is detected. Container continues to run.
- Prevent— Prevents any attempt to violate file system integrity. Container continues to run. For more information, see discrete blocking.
- Block— Stops the container when an attempt to violate the file system integrity is detected.Audits are generated and alerts are sent (email, Slack, etc) when the effect isAlert,Prevent, orBlock.Rules can augment learned models by blacklisting folders in the model or whitelisting folders that aren’t in the model. The fields for blacklisting or whitelisting folders are optional. Enter one or more paths. Do not use asterisks. By default, folders in the learned model are whitelisted, and all other folders are blacklisted.
