How Container Workload Protection Works
editHow Container Workload Protection Works
editVersion |
1.2.6 (View all) |
Compatible Kibana version(s) |
8.11.0 or higher |
Supported Serverless project types |
Security |
Subscription level |
Enterprise |
Level of support |
Elastic |
CWP is powered by a lightweight integration (Defend for Containers BETA) that is bundled and configured by the Elastic Agent. The agent is installed as a daemonset on supported Kubernetes clusters and the integration uses eBPF LSM and tracepoint probes to produce system events. Events are evaluated against eBPF LSM hook points, enabling a configured policy to be evaluated before system activity is allowed to proceed.
The policy determines which system behaviors (for example, process executions, file creations or deletions, etc) will result in an action. Actions are simple: logging the behavior to Elasticsearch, creating an alert in Elasticsearch, or blocking the behavior.
Threat Detection
editThe system ships with a default policy configured featuring two selectors and responses. The first selector is designed to stream process telemetry events to the user’s Elasticsearch cluster. The policy uses the selector allProcesses which specifies fork and exec operations. This selector is mapped to the allProcesses response, which specifies a log action.
The resulting telemetry data is transformed into an ECS document and streamed back to the user’s Elasticsearch cluster, where the Elastic Security SIEM evaluates the data to detect malicious behavior.
Drift Detection & Prevention
editThe second selector is written to detect the modification of existing executables or the creation of new executables within a container (This is how Elastic detects “container drift”). The policy selector is named executableChanges and is mapped to a response section called executableChanges which specifies an alert action.
This policy is configured with an alert response, meaning that when drift conditions are detected, the matching event(s) are collected and written as an alert to the user’s Elasticsearch cluster. A prebuilt rule “escalation rule” in the SIEM watches for these alert documents and raises an alert in the SIEM when drift is detected. This policy can also be modified to block drift operations by changing the response action to block.
Policies
editUsers that want to use the full strength of CWP will benefit to understand the system’s policy syntax, which enables fine-grained policies to be constructed. Policies can be built to precisely match expected container behaviors– disallowing any unexpected behaviors– and thereby substantially hardening the security posture of container workloads.
Policies are composed of selectors and responses. A given policy must contain at least one selector and one response. Currently, the system supports two types of selectors and responses, file and process. Selectors tell the service what system operations to match and have a number of conditions that can be grouped together (using a logical AND operation) to provide precise control. Responses instruct the system on what actions to take when system operations match selectors.
Deployment
editThe service can be deployed in two ways: declaratively using Elastic Agent in standalone mode, or as a managed D4C integration through Fleet. With the former, teams have the flexibility to integrate their policies into Git for an infrastructure-as-code (IoC) approach, streamlining the deployment process and enabling easier management.
You will need to include the following capabilities
under securityContext
in your k8s yaml in order for the service to work.
securityContext: runAsUser: 0 # The following capabilities are needed for 'Defend for containers' integration (cloud-defend) # If you are using this integration, please uncomment these lines before applying. capabilities: add: - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps. - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations. - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
Policy example
editA given policy must contain at least one selector
(file or process) and one response
.
process: selectors: - name: allProcesses operation: [fork, exec] - name: interactiveProcesses operation: [fork, exec] sessionLeaderInteractive: true responses: - match: [allProcesses] actions: [log] - match: [interactiveProcesses] actions: [alert] file: selectors: - name: executableChanges operation: [createExecutable, modifyExecutable] responses: - match: [executableChanges] actions: [alert]
Due to the fact that
file
andprocess
operations happen asynchronously, theirselectors
andresponses
must be managed as separate entities. A file selector cannot be used to trigger a process response and vice versa.
Selectors
editA selector tells the service what system operations to match on and has a number of conditions that can be grouped together (using a logical AND operation) to provide precise control.
- name: exampleFileSelector operation: [createExecutable, modifyExecutable] containerImageName: [nginx] containerImageTag: [latest] targetFilePath: [/usr/bin/**] kubernetesClusterId: [cluster1] kubernetesClusterName: [stagingCluster] kubernetesNamespace: [default] kubernetesPodLabel: [‘production:*’] kubernetesPodName: [‘nginx-pod-*’] ignoreVolumeMounts: true
A selector MUST contain a name and at least one of the following conditions.
Common conditions (available for both file and process selectors)
editName | Description |
---|---|
containerImageFullName |
A list of container full image names to match on. e.g. "docker.io/nginx". |
containerImageName |
A list of container image names to match on. e.g. nginx |
containerImageTag |
A list of container image tags to match on. e.g. latest |
kubernetesClusterId |
A list of kubernetes cluster IDs to match on. For consistency with KSPM, the kube-system namespace uid is used as a cluster ID. |
kubernetesClusterName |
A list of kubernetes cluster names to match on. |
kubernetesNamespace |
A list of kubernetes namespaces to match on. |
kubernetesPodName |
A list of kubernetes pod names to match on. Trailing wildcards supported. |
kubernetesPodLabel |
A list of resource labels. Trailing wildcards supported (value only). e.g. |
For example, the following selector will match attempts to create executables on any portion of a file system, in any container as long as its Pod has the label
environment:production
orservice:auth*
- name: operation: [createExecutable] kubernetesPodLabel: [environment:production, service:auth*]
File Specific Conditions
editName | Description |
---|---|
operation |
The list of system operations to match on. Options include |
ignoreVolumeMounts |
If set, ignores file operations on ALL volume mounts. |
ignoreVolumeFiles |
If set, ignores operations on file mounts only. e.g. mounted files, configMaps, secrets etc… |
targetFilePath |
A list of file paths to include. Paths are absolute and wildcards are supported. |
Consider the following selector example:
- name: targetFilePath: [/usr/bin/echo, /usr/sbin/*, /usr/local/**]
In this example,
-
/usr/bin/echo
will match on theecho
binary, and only this binary -
/usr/local/**
will match on everything recursively under/usr/local/
including/usr/local/bin/something
-
/usr/sbin/*
includes everything that’s a direct child of/usr/sbin
Process Specific Conditions
editName | Description |
---|---|
operation |
The list of system operations to match on. Options include |
processExecutable |
A list of executables (full path included) to match on. e.g. |
processName |
A list of process names (executable basename) to match on. e.g. bash, vi, cat etc… |
sessionLeaderInteractive |
If set to true, will only match on interactive sessions (i.e. sessions with a controlling TTY) |
Responses
editResponses instruct the system on what actions
to take when system operations match selectors
.
A policy can contain one or more responses. Each response is comprised of the following:
responses: - match: [allProcesses] exclude: [excludeSystemDServices] actions: [log] - match: [nefariousActivity] actions: [alert, block]
Response Field | Description |
---|---|
match |
An array of one or more selectors of the same type ( |
exclude |
An optional array of one or more selectors to use as exclusions to everything in match |
actions |
An array of actions to perform (if at least one |
Action | Description |
---|---|
|
Sends events to the |
|
Writes events (file or process) to the |
|
Prevents the system operation from proceeding. This blocking action happens prior to the execution of the event. It is required that the |
Example
editConsider the following yaml.
file: selectors: - name: binDirExeMods operation: - createExecutable - modifyExecutable targetFilePath: - /usr/bin/** - name: etcFileChanges operation: - createFile - modifyFile - deleteFile targetFilePath: - /etc/** - name: nginx containerImageName: - nginx responses: - match: - binDirExeMods - etcFileChanges exclude: - nginx actions: - alert - block
We have three file
selectors. Two are used to match (logically OR’d), and one to exclude.
This could be read as: If an executable is created or modified under /usr/bin or a file is created, modified or deleted under /etc, block and create an alert as long as it’s not an nginx container.
e.g.
IF (binDirExeMods
OR etcFileChanges
) AND NOT nginx
= RUN ACTIONS alert
and block
Process Events
editThe following fields are populated for all events where event.category: process
Field | Examples |
---|---|
2023-03-20T16:03:59.520Z |
|
7829f26d-c2d1-4eaf-a1ac-cd9cb9e12f75 |
|
cloud-defend |
|
8.8.0 |
|
1234567abc |
|
elastic-dev |
|
us-east-1c |
|
webapp-node |
|
123456abc |
|
staging |
|
aws |
|
us-east-1 |
|
cloud_defend.matched_selectors |
[interactiveSessions] |
cloud_defend.package_policy_id |
4c9cbba0-c812-11ed-a8dd-91ec403e4f03 |
cloud_defend.package_policy_revision |
2 |
cloud_defend.hook_point |
[tracepointsched_process_fork,tracepointsched_process_exec, kprobe__taskstats_exit] |
nginx_1 |
|
nginx |
|
latest |
|
cloud_defend.process |
|
default |
|
logs |
|
8.7.0 |
|
fork, exec, end |
|
verified |
|
process |
|
2023-03-20T16:03:59.520Z |
|
cloud_defend.process |
|
3ee85eee-72d9-4e9d-934f-3787952ca830 |
|
2023-03-20T16:04:12Z |
|
event, alert |
|
cloud_defend |
|
start, end, denied |
|
0 |
|
amd64 |
|
815a760f-8153-49e1-9d0b-da0d3b2a468c |
|
1bb9e6a948dfb1c3cd38d1fdc8de4481 |
|
[127.0.0.1, 172.20.0.2, 172.18.0.6] |
|
kibana-node |
|
[32:a9:cc:26:4c:e5, 7a:ec:f0:3e:29:ee] |
|
kibana-node.myapp.co |
|
ubuntu |
|
Ubuntu 20.04.5 |
|
5.10.161+ #1 SMP Thu Jan 5 22:49:42 UTC 2023 |
|
'Linux |
|
ubuntu |
|
linux |
|
20.04.5 |
|
4026531836 |
|
12345 |
|
website |
|
default |
|
172.18.0.6 |
|
orchestrator.resource.annotation |
[note:testing] |
orchestrator.resource.label |
[service:webapp] |
webapp-proxy |
|
DaemonSet, ReplicaSet etc… |
|
pod |
|
[ls, --color=auto] |
|
2023-03-20T16:04:12Z |
|
NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ== |
|
[bash] |
|
NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ== |
|
container |
|
/bin/bash |
|
0 |
|
true |
|
bash |
|
1915529 |
|
false |
|
2023-03-20T16:03:59.520Z |
|
0 |
|
/usr/share/elastic-agent |
|
/usr/bin/ls |
|
[ls, --color=auto] |
|
NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ== |
|
/usr/bin/ls |
|
0 |
|
true |
|
ls |
|
1915529 |
|
true |
|
2023-03-20T16:03:59.520Z |
|
0 |
|
/usr/share/elastic-agent |
|
true |
|
ls |
|
[bash] |
|
NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ== |
|
/bin/bash |
|
0 |
|
true |
|
bash |
|
1915529 |
|
false |
|
2023-03-20T16:03:59.520Z |
|
0 |
|
/usr/share/elastic-agent |
|
1916234 |
|
[{ args: [bash], executable: /bin/bash}] |
|
[bash] |
|
/bin/bash |
|
[bash] |
|
NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ== |
|
/bin/bash |
|
0 |
|
true |
|
bash |
|
1915529 |
|
false |
|
2023-03-20T16:03:59.520Z |
|
0 |
|
/usr/share/elastic-agent |
|
2023-03-20T16:03:59.520Z |
|
/usr/share/elastic-agent |
|
0 |
File Events
editThe following fields are populated for all events where event.category: file
Field | Examples |
---|---|
2023-03-20T16:03:59.520Z |
|
7829f26d-c2d1-4eaf-a1ac-cd9cb9e12f75 |
|
cloud-defend |
|
8.8.0 |
|
1234567abc |
|
elastic-dev |
|
us-east-1c |
|
123456abc |
|
staging |
|
aws |
|
us-east-1 |
|
cloud_defend.matched_selectors |
[binModifications] |
cloud_defend.package_policy_id |
4c9cbba0-c812-11ed-a8dd-91ec403e4f03 |
cloud_defend.package_policy_revision |
2 |
cloud_defend.hook_point |
One of: lsmpath_chmod, lsmpath_mknod, lsmfile_open, lsmpath_truncate, lsmpath_rename, lsmpath_link, lsm__path_unlink |
nginx_1 |
|
nginx |
|
latest |
|
cloud_defend.process |
|
default |
|
logs |
|
8.7.0 |
|
One of: creation, modification, deletion, rename, link, open |
|
verified |
|
process |
|
2023-03-20T16:03:59.520Z |
|
cloud_defend.process |
|
3ee85eee-72d9-4e9d-934f-3787952ca830 |
|
2023-03-20T16:04:12Z |
|
One of: event, alert |
|
cloud_defend |
|
One of: start, end, denied |
|
ts |
|
script.ts |
|
/home/workspace/project/script.ts |
|
0 |
|
amd64 |
|
815a760f-8153-49e1-9d0b-da0d3b2a468c |
|
1bb9e6a948dfb1c3cd38d1fdc8de4481 |
|
[127.0.0.1, 172.20.0.2, 172.18.0.6] |
|
kibana-node |
|
[32:a9:cc:26:4c:e5, 7a:ec:f0:3e:29:ee] |
|
kibana-node.myapp.co |
|
ubuntu |
|
Ubuntu 20.04.5 |
|
5.10.161+ #1 SMP Thu Jan 5 22:49:42 UTC 2023 |
|
'Linux |
|
ubuntu |
|
linux |
|
20.04.5 |
|
4026531836 |
|
12345 |
|
website |
|
default |
|
172.18.0.6 |
|
orchestrator.resource.annotation |
[note:testing] |
orchestrator.resource.label |
[service:webapp] |
webapp-proxy |
|
… |
|
pod |
|
NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ== |
|
NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ== |
|
/usr/bin/vi |
|
NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ== |
|
true |
|
vi |
|
NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ== |
|
1916234 |
|
NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ== |
|
0 |
|
0 |
Support matrix
editEKS 1.24-1.27 (AL2022) | GKE 1.24-1.27 (COS) | |
---|---|---|
Process event exports |
✅ |
✅ |
File event exports |
✅ |
✅ |
Drift prevention |
✅ |
✅ |
Mount point awareness |
✅ |
✅ |
Process blocking |
✅ |
✅ |
Network event exports |
Coming soon |
Coming soon |
Network blocking |
Coming soon |
Coming soon |
Changelog
editChangelog
Version | Details | Kibana version(s) |
---|---|---|
1.2.6 |
Bug fix (View pull request) |
8.11.0 or higher |
1.2.5 |
Enhancement (View pull request) |
8.11.0 or higher |
1.2.4 |
Enhancement (View pull request) |
8.11.0 or higher |
1.2.3 |
Enhancement (View pull request) |
8.11.0 or higher |
1.2.2 |
Enhancement (View pull request) |
8.11.0 or higher |
1.2.1 |
Enhancement (View pull request) |
8.11.0 or higher |
1.2.1-preview2 |
Enhancement (View pull request) |
— |
1.2.1-preview |
Enhancement (View pull request) |
— |
1.2.0 |
Enhancement (View pull request) |
8.8.0 or higher |
1.2.0-preview |
Enhancement (View pull request) |
— |
1.1.0 |
Enhancement (View pull request) |
8.8.0 or higher |
1.0.7 |
Enhancement (View pull request) |
8.8.0 or higher |
1.0.6 |
Enhancement (View pull request) |
8.8.0 or higher |
1.0.5 |
Enhancement (View pull request) |
8.8.0 or higher |
1.0.4 |
Enhancement (View pull request) |
— |
1.0.3 |
Enhancement (View pull request) |
— |
1.0.2 |
Enhancement (View pull request) |
— |
1.0.1 |
Enhancement (View pull request) |
— |
1.0.0 |
Enhancement (View pull request) |
— |
0.1.1 |
Enhancement (View pull request) |
— |
0.1.0 |
Enhancement (View pull request) |
— |