Alauda Container Security

Default Policies in Alauda Container Security

Alauda Container Security offers a set of default policies to help you prevent high-risk deployments and respond to runtime incidents in your Kubernetes environment. These policies are designed to identify security issues and enforce best practices across your clusters.

TOC

OverviewViewing PoliciesPolicy Table StructureCritical Severity PoliciesHigh Severity PoliciesMedium Severity PoliciesLow Severity PoliciesManaging Default Policies

Overview

Default policies cover the entire container lifecycle: build, deploy, and runtime. You can view, clone, and edit these policies in the Alauda Container Security portal. Default policies cannot be deleted or directly modified.

Viewing Policies

  1. Go to Platform Configuration > Policy Management in the portal.
  2. The Policies view lists all default and custom policies, including their status, severity, and lifecycle stage.

Policy Table Structure

  • Policy: Policy name
  • Description: What the policy detects or enforces
  • Status: Enabled or Disabled
  • Severity: Critical, High, Medium, or Low
  • Lifecycle: Build, Deploy, or Runtime

Critical Severity Policies

Lifecycle StagePolicy NameDescriptionStatus
Build/DeployApache Struts: CVE-2017-5638Alerts on images with the CVE-2017-5638 Apache Struts vulnerability.Enabled
Build/DeployLog4Shell: log4j Remote Code ExecutionAlerts on images with CVE-2021-44228 and CVE-2021-45046 vulnerabilities.Enabled
Build/DeploySpring4Shell & Spring Cloud FunctionAlerts on images with CVE-2022-22965 (Spring MVC) or CVE-2022-22963 (Spring Cloud).Enabled
RuntimeIptables Executed in Privileged ContainerAlerts when privileged pods run iptables.Enabled

High Severity Policies

Lifecycle StagePolicy NameDescriptionStatus
Build/DeployFixable CVSS >= 7Alerts on fixable vulnerabilities with CVSS ≥ 7.Disabled
Build/DeployFixable Severity at least ImportantAlerts on fixable vulnerabilities rated Important or higher.Enabled
Build/DeployRapid Reset: HTTP/2 DoS VulnerabilityAlerts on images susceptible to HTTP/2 Rapid Reset DoS.Disabled
Build/DeploySecure Shell (ssh) Port Exposed in ImageAlerts when port 22 is exposed in images.Enabled
DeployEmergency Deployment AnnotationAlerts on deployments using emergency annotations to bypass admission checks.Enabled
DeployEnvironment Variable Contains SecretAlerts when environment variables contain 'SECRET'.Enabled
DeployFixable CVSS >= 6 and PrivilegedAlerts on privileged deployments with fixable CVSS ≥ 6 vulnerabilities.Disabled
DeployPrivileged Containers with Important and Critical Fixable CVEsAlerts on privileged containers with important/critical fixable vulnerabilities.Enabled
DeploySecret Mounted as Environment VariableAlerts when secrets are mounted as environment variables.Disabled
DeploySecure Shell (ssh) Port ExposedAlerts when port 22 is exposed in deployments.Enabled
RuntimeCryptocurrency Mining Process ExecutionDetects crypto-currency mining processes.Enabled
Runtimeiptables ExecutionDetects iptables usage in containers.Enabled
RuntimeKubernetes Actions: Exec into PodAlerts on exec commands run in containers via Kubernetes API.Enabled
RuntimeLinux Group Add ExecutionDetects groupadd/addgroup usage.Enabled
RuntimeLinux User Add ExecutionDetects useradd/adduser usage.Enabled
RuntimeLogin BinariesDetects login attempts.Disabled
RuntimeNetwork Management ExecutionDetects network configuration commands.Enabled
Runtimenmap ExecutionAlerts on nmap process execution.Enabled
RuntimeOpenShift: Kubeadmin Secret AccessedAlerts on kubeadmin secret access.Enabled
RuntimePassword BinariesDetects password change attempts.Disabled
RuntimeProcess Targeting Cluster Kubelet EndpointDetects misuse of kubelet/heapster endpoints.Enabled
RuntimeProcess Targeting Cluster Kubernetes Docker Stats EndpointDetects misuse of docker stats endpoint.Enabled
RuntimeProcess Targeting Kubernetes Service EndpointDetects misuse of Kubernetes Service API endpoint.Enabled
RuntimeProcess with UID 0Alerts on processes running as UID 0.Disabled
RuntimeSecure Shell Server (sshd) ExecutionDetects SSH daemon execution in containers.Enabled
RuntimeSetUID ProcessesDetects setuid binary usage.Disabled
RuntimeShadow File ModificationDetects shadow file modifications.Disabled
RuntimeShell Spawned by Java ApplicationDetects shell spawned as a subprocess of Java apps.Enabled
RuntimeUnauthorized Network FlowAlerts on anomalous network flows.Enabled
RuntimeUnauthorized Processed ExecutionAlerts on unauthorized process execution in locked baselines.Enabled

Medium Severity Policies

Lifecycle StagePolicy NameDescriptionStatus
BuildDocker CIS 4.4: Ensure images are scanned and rebuiltAlerts if images are not scanned and rebuilt with security patches.Disabled
Deploy30-Day Scan AgeAlerts if a deployment hasn't been scanned in 30 days.Enabled
DeployCAP_SYS_ADMIN capability addedAlerts if containers escalate with CAP_SYS_ADMIN.Enabled
DeployContainer using read-write root filesystemAlerts if containers have read-write root filesystems.Disabled
DeployContainer with privilege escalation allowedAlerts if containers allow privilege escalation.Enabled
DeployDeployments should have at least one Ingress Network PolicyAlerts if deployments lack an Ingress Network Policy.Disabled
DeployDeployments with externally exposed endpointsAlerts if deployments have externally exposed services.Disabled
DeployDocker CIS 5.1: AppArmor profile enabledAlerts if AppArmor is not enabled.Enabled
DeployDocker CIS 5.15: Host's process namespace not sharedAlerts if host's process namespace is shared.Enabled
DeployDocker CIS 5.16: Host's IPC namespace not sharedAlerts if host's IPC namespace is shared.Enabled
DeployDocker CIS 5.19: Mount propagation mode not enabledAlerts if mount propagation mode is enabled.Enabled
DeployDocker CIS 5.21: Default seccomp profile not disabledAlerts if seccomp profile is disabled.Disabled
DeployDocker CIS 5.7: Privileged ports mapped within containersAlerts if privileged ports (<1024) are mapped.Enabled
DeployDocker CIS 5.9/5.20: Host's network namespace not sharedAlerts if host's network namespace is shared.Enabled
DeployImages with no scansAlerts if images in deployments are not scanned.Disabled
RuntimeKubernetes Actions: Port Forward to PodAlerts on port forward requests via Kubernetes API.Enabled
DeployMount Container Runtime SocketAlerts if container runtime socket is mounted.Enabled
DeployMounting Sensitive Host DirectoriesAlerts if sensitive host directories are mounted.Enabled
DeployNo resource requests or limits specifiedAlerts if containers lack resource requests/limits.Enabled
DeployPod Service Account Token Automatically MountedAlerts if default service account token is mounted unnecessarily.Enabled
DeployPrivileged ContainerAlerts if containers run in privileged mode.Enabled
Runtimecrontab ExecutionDetects crontab usage.Enabled
RuntimeNetcat Execution DetectedDetects netcat usage.Enabled
RuntimeOpenShift: Central Admin Secret AccessedAlerts on access to Central Admin secret.Enabled
RuntimeOpenShift: Secret Accessed by Impersonated UserAlerts on secret access by impersonated users.Enabled
RuntimeRemote File Copy Binary ExecutionAlerts on remote file copy tool execution.Enabled

Low Severity Policies

Lifecycle StagePolicy NameDescriptionStatus
Build/Deploy90-Day Image AgeAlerts if a deployment hasn't been updated in 90 days.Enabled
Build/DeployADD Command used instead of COPYAlerts if ADD command is used in Dockerfile.Disabled
Build/DeployAlpine Linux Package Manager (apk) in ImageAlerts if apk is present in images.Enabled
Build/DeployCurl in ImageAlerts if curl is present in images.Disabled
Build/DeployDocker CIS 4.1: User for the Container CreatedEnsures containers run as non-root users.Enabled
Build/DeployDocker CIS 4.7: Alert on Update InstructionEnsures update instructions are not used alone in Dockerfile.Enabled
Build/DeployInsecure specified in CMDAlerts if 'insecure' is used in command.Enabled
Build/DeployLatest tagAlerts if images use the 'latest' tag.Enabled
Build/DeployRed Hat Package Manager in ImageAlerts if Red Hat, Fedora, or CentOS package managers are present.Enabled
Build/DeployRequired Image LabelAlerts if images are missing required labels.Disabled
Build/DeployUbuntu Package Manager ExecutionDetects Ubuntu package manager usage.Enabled
Build/DeployUbuntu Package Manager in ImageAlerts if Debian/Ubuntu package managers are present in images.Enabled
Build/DeployWget in ImageAlerts if wget is present in images.Disabled
DeployDrop All CapabilitiesAlerts if deployments do not drop all capabilities.Disabled
DeployImproper Usage of Orchestrator Secrets VolumeAlerts if Dockerfile uses 'VOLUME /run/secrets'.Enabled
DeployKubernetes Dashboard DeployedAlerts if a Kubernetes dashboard service is detected.Enabled
DeployRequired Annotation: EmailAlerts if 'email' annotation is missing.Disabled
DeployRequired Annotation: Owner/TeamAlerts if 'owner' or 'team' annotation is missing.Disabled
DeployRequired Label: Owner/TeamAlerts if 'owner' or 'team' label is missing.Disabled
RuntimeAlpine Linux Package Manager ExecutionAlerts if apk is run at runtime.Enabled
Runtimechkconfig ExecutionDetects chkconfig usage.Enabled
RuntimeCompiler Tool ExecutionAlerts if compiler binaries are run at runtime.Enabled
RuntimeRed Hat Package Manager ExecutionAlerts if Red Hat, Fedora, or CentOS package managers are run at runtime.Enabled
RuntimeShell ManagementAlerts on shell add/remove commands.Disabled
Runtimesystemctl ExecutionDetects systemctl usage.Enabled
Runtimesystemd ExecutionDetects systemd usage.Enabled

Managing Default Policies

  • Default policies provide broad security coverage.
  • You can view, clone, and edit cloned default policies in the portal.
  • Default policies cannot be deleted or directly modified.

Note: Default policies are not supported with the policies-as-code feature.