Runtime defense for file systems
Prisma Cloud’s runtime defense for container file systems continuously monitors and protects containers from suspicious file system activities and malware.
File system integrity
Prisma Cloud monitors and protects against the following types of suspicious file system activity:
- Changes to binaries or certificates anywhere in the container.
- Changes to SSH administrative account configuration files anywhere in the container.
- Presence of malware anywhere in the container.
Defender monitors container file systems for malicious certs and binaries using data from the Prisma Cloud Intelligence Stream. Console receives the Prisma Cloud feed, and then distributes it to all deployed Defenders. You can optionally supplement the Prisma Cloud feed with your own custom data.
When a file is written to the container file system, Defender compares the MD5 hash of the file to the MD5 hash of known malware. If there is a match, Defender takes the action specified in your rules. Defender also looks for attributes that make files suspicious, including signs they’ve been rigged for anti-analysis.
By default, Defender monitors both the container root file system and any data volumes. Container root file systems reside on the host file system. In this diagram, the running container also has a data volume. It mounts the db/ directory from the host file system into its own root file system. Both locations are monitored by Defender.
The following diagram shows how Prisma Cloud protects containers from malicious files:
File system integrity monitoring
Prisma Cloud ships with a default rule that monitors container file system integrity. You can see this rule under
Defend > Runtime > Container Policy > Default - alert on suspicious runtime behavior. The default rule configures Prisma Cloud to continuously monitor and alert on suspicious file system activities in all running containers in your entire environment or cluster. When a rule is triggered, and the effect is alert, an audit is generated. You can view audits under
Monitor > Events > Container Audits.
File system integrity defense
Create new runtime rules to augment the default rule. Runtime rules enable not only the detection, but also the prevention, of file system integrity violations so that your running containers can be actively defended.
The following procedure shows you how to create a custom rule to ensure file system integrity.
- Go to toDefend > Runtime > Container Policy.
- ClickAdd Rule.
- Enter a name for your rule. Spaces are permitted.
- Specify a scope.For this example, use an image name for one of your running containers and leave wildcards in all the other fields. For example, alpine:latest.
- LeavePrisma Cloud Advanced Threat Protectionenabled. For more information, see TATP.
- Optionally selectKubernetes Attacks. For more information, see Kubernetes attacks.
- Click theFile Systemtab.
- To ensure broad file system protection, setFile system monitoringtoEnabled.
- UnderDenied & Fallback, set the effect when this rule is triggered.
- Alert— Generates an audit and raises an alert when an file system integrity violation is detected. Container continues to run.
- Block— Stops the container when an attempt to violate the file system integrity is detected.Audits are generated and alerts are sent (email, Slack, etc) when the effect isAlert,Prevent, orBlock.
- UnderDenied & Fallback, leave bothChanges to binaries and certificatesandChanges to SSH and admin account configuration filesset toEnabled.
- Rules can augment learned models by explicitly denying folders in the model or explicitly allowing folders that aren’t in the model. The fields for denying or allowing folders are optional. Enter one or more paths. Do not use asterisks. By default, folders in the learned model are allowed, and all other folders are denied.
Recommended For You
Recommended videos not found.