Kaspersky Container Security

Managing container runtime profiles

When implementing runtime policies, Kaspersky Container Security can apply user-defined rules for monitoring processes and the network. To do so, add runtime profiles to the appropriate runtime policies. Runtime profiles are essentially lists of restrictions for containers. Image profiles define the settings for secure image deployment and for the safe operation of an application deployed from an image. The actions assigned in profiles can significantly reduce what an attacker who gains a foothold in the infrastructure is able to do, and improve security while containers are running.

The following settings specify restrictions in an image profile:

  • Executable files that should be blocked.
  • Network restrictions for inbound and outbound connections.

The list of configured profiles is displayed as a table on the Container runtime profiles tab under Policies → Runtime policies. In this section, you can also do the following:

  • Creating a runtime profile
  • Examples of configured runtime profiles
  • Changing runtime profile settings
  • Deleting a runtime profile


Creating a runtime profile

To add a container runtime profile:

  1. Under Policies → Runtime policies → Container runtime profiles, click the Add profile button.

    The profile settings input window opens.

  2. Enter a name for the runtime profile and, if necessary, a description.
  3. In the Restrict container executable files section, use the Disabled / Enabled toggle switch to restrict executable files according to rules. In the list, select the blocking option appropriate for the container:
    • Block process from all executable files - the application blocks all executable files from starting while the container is running.
    • Block specified executable files - the application blocks the executable files that you select in the Block the specified executable files field. You can block all executable files or a list of specific executable files. You can also use a * mask (for example, /bin/*) to apply a rule to an entire directory and its subdirectories.

      You can fine-tune the list of allowed and blocked executable files by specifying exclusions for blocking rules. For example, you can specifically exclude the path /bin/cat for a rule applied to /bin/*. In this case, all executable files from the directory /bin/ will be blocked from running except the /bin/cat application.

      Example paths to executable files:

      • A direct path to an executable binary file: /bin/bash
      • A directory specified using a * mask: /bin/*

      In the second example, all executable files from subdirectories of the /bin/ directory are allowed to run.

      If you select the Allow exclusions check box, the application will block all executable files except those specified in the Allow exclusions field when a container is started and running.

      All rules and exclusions specified for this group of settings are regular expressions (regexp). The solution uses the specified patterns to find every file whose path matches the regular expression.

  4. In the Restrict ingress container connections section, use the Disabled / Enabled toggle switch to activate the capability to restrict inbound connections of a container. When this restriction is active, Kaspersky Container Security will block all sources of inbound connections except those that you specified as exclusions.

    If you select the Allow exclusions check box, you can specify the parameters of one or more allowed sources of inbound network connections. To define exclusions, you must specify at least one of the following parameters:

    • In the Sources field, enter an IP address or a range of IP addresses of the inbound connection source in CIDR4 or CIDR6 notation.
    • In the TCP ports field and in the UDP ports field, enter a specific port or a range of ports for the connection.

      If you need to specify multiple ports, separate them with a comma, for example 8080, 8082.

      If you do not specify a value for the ports, the application allows connections over all ports.

  5. In the Restrict egress container connections section, use the Disabled / Enabled toggle switch to activate the capability to restrict outbound connections for defined destinations.

    If you select the Allow exclusions check box, you can specify the parameters of one or more allowed destinations for outbound network connections. To define exclusions, you must specify at least one of the following parameters:

    • In the Destinations field, enter an IP address or a range of IP addresses of the outbound connection destination in CIDR4 or CIDR6 notation, or the web address (URL) of the destination.
    • In the TCP ports field and in the UDP ports field, enter a specific port or a range of ports for the connection.

      If you need to specify multiple ports, separate them with a comma, for example 8080, 8082.

      If you do not specify a value for the ports, the application allows connections over all ports.

  6. Click Save.

The added runtime profile is displayed in the Policies → Runtime policies → Container runtime profiles section.
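The following Python script is an added illustration of the profile semantics described in steps 3 to 5 above; it is not Kaspersky Container Security code and does not call the product. It models a profile as data (blocking rules, the Allow exclusions list, and ingress/egress exceptions keyed by CIDR address and TCP/UDP port fields) and evaluates sample executable paths and connections against it, so you can see how a /bin/* rule with a /bin/cat exclusion resolves and how an enabled restriction with no exceptions blocks everything. How matching is done here (a * mask expanding to "any characters", anchored whole-path matching, a "low-high" port range syntax, an empty CIDR meaning any address, and URL destinations not being modelled) is this example's assumption; the help text does not specify those details, and the product's own matching engine may differ.

```python
"""Evaluate a container runtime profile as the help text describes it: blocking
rules plus an allow-list of exclusions for executables, and ingress/egress
restrictions whose exceptions are keyed by CIDR address and TCP/UDP ports.

Added illustration, not Kaspersky Container Security code. Mask expansion,
anchored path matching, the port-range syntax, and "empty CIDR = any address"
are assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


def mask_to_regex(rule: str) -> "re.Pattern[str]":
    """ASSUMPTION: a rule is a path mask in which '*' matches any characters
    (so '/bin/*' covers /bin/ and every subdirectory); all other characters are
    taken literally and the match is anchored to the whole path."""
    return re.compile("^" + ".*".join(re.escape(seg) for seg in rule.split("*")) + "$")


def parse_ports(spec: str) -> Optional[Set[int]]:
    """'8080, 8082' -> {8080, 8082}; '8000-8002' -> {8000, 8001, 8002}.
    An empty field returns None, meaning every port is allowed (as the help says).
    ASSUMPTION: a range is written 'low-high'; the help does not show the syntax."""
    spec = spec.strip()
    if not spec:
        return None
    ports: Set[int] = set()
    for part in (p.strip() for p in spec.split(",")):
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            ports.update(range(low, high + 1))
        elif part:
            ports.add(int(part))
    return ports


@dataclass
class NetworkException:
    """One allowed source (ingress) or destination (egress)."""
    cidr: str = ""        # CIDR4 or CIDR6; ASSUMPTION: empty means any address
    tcp_ports: str = ""   # contents of the TCP ports field
    udp_ports: str = ""   # contents of the UDP ports field

    def allows(self, peer_ip: str, proto: str, port: int) -> bool:
        if self.cidr and ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(self.cidr, strict=False):
            return False
        allowed = parse_ports(self.tcp_ports if proto == "tcp" else self.udp_ports)
        return allowed is None or port in allowed


@dataclass
class RuntimeProfile:
    name: str
    block_all_executables: bool = False                              # "Block process from all executable files"
    blocked_executables: List[str] = field(default_factory=list)     # "Block specified executable files"
    allow_exclusions: List[str] = field(default_factory=list)        # "Allow exclusions" field
    restrict_ingress: bool = False
    ingress_exceptions: List[NetworkException] = field(default_factory=list)
    restrict_egress: bool = False
    egress_exceptions: List[NetworkException] = field(default_factory=list)

    def exec_allowed(self, path: str) -> bool:
        """Exclusions win over blocking rules: /bin/cat stays runnable under a /bin/* rule."""
        if any(mask_to_regex(r).match(path) for r in self.allow_exclusions):
            return True
        if self.block_all_executables:
            return False
        return not any(mask_to_regex(r).match(path) for r in self.blocked_executables)

    def connection_allowed(self, direction: str, peer_ip: str, proto: str, port: int) -> bool:
        """With a restriction enabled and no exceptions, every connection in that direction is blocked."""
        if direction == "ingress":
            restricted, exceptions = self.restrict_ingress, self.ingress_exceptions
        else:
            restricted, exceptions = self.restrict_egress, self.egress_exceptions
        return (not restricted) or any(e.allows(peer_ip, proto, port) for e in exceptions)


def example_profile() -> RuntimeProfile:
    """Constructed sample: the help's /bin/* rule with a /bin/cat exclusion, an ingress
    allow-list for one private range on two TCP ports, and egress fully blocked."""
    return RuntimeProfile(
        name="web-frontend (constructed example)",
        blocked_executables=["/bin/*"],
        allow_exclusions=["/bin/cat"],
        restrict_ingress=True,
        ingress_exceptions=[NetworkException(cidr="10.0.0.0/8", tcp_ports="8080, 8082")],
        restrict_egress=True,
        egress_exceptions=[],
    )


if __name__ == "__main__":
    p = example_profile()
    for path in ("/bin/cat", "/bin/bash", "/bin/sub/tool", "/usr/sbin/nginx"):
        print(f"exec {path:18} -> {'allowed' if p.exec_allowed(path) else 'BLOCKED'}")
    for direction, ip, proto, port in (("ingress", "10.1.2.3", "tcp", 8080),
                                       ("ingress", "10.1.2.3", "tcp", 443),
                                       ("ingress", "192.168.1.1", "tcp", 8080),
                                       ("egress", "203.0.113.7", "tcp", 443)):
        verdict = p.connection_allowed(direction, ip, proto, port)
        print(f"{direction:7} {ip}:{port}/{proto} -> {'allowed' if verdict else 'BLOCKED'}")
```

Two details worth noticing when you build real profiles from this model: an empty port field is treated as "all ports" per protocol, so a source with only TCP ports filled in still admits any UDP port from that range under the literal reading of the help text; and an enabled egress restriction with an empty exception list is exactly the "Block outbound connections" setting used in the example profiles further down this page.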


Examples of configured runtime profiles

The table below presents a few of the images most frequently used with the application and the restriction settings configured for them in runtime profiles. For each image, the executable files listed are the allowed ones (all other executable files in the container are blocked), followed by the network connection setting.

Images and their configured settings

Nginx
  • Restrict container executable modules: allowed executable file /usr/sbin/nginx
  • Restrict network connections: block outbound connections

Mysql
  • Restrict container executable modules: allowed executable files /usr/bin/awk, /bin/sleep, /usr/bin/mawk, /bin/mkdir, /usr/bin/mysql, /bin/chown, /usr/bin/mysql_tzinfo_to_sql, /bin/bash, /bin/sed, /usr/sbin/mysqld
  • Restrict network connections: block outbound connections

Wordpress
  • Restrict container executable modules: allowed executable files /bin/dash, /usr/bin/mawk, /usr/bin/cut, /bin/bash, /usr/local/bin/php, /usr/bin/head, /usr/bin/sha1sum, /bin/tar, /bin/sed, /bin/rm, /usr/bin/awk, /bin/sh, /usr/sbin/apache2, /bin/chown, /usr/local/bin/apache2-foreground, /bin/ls, /bin/cat
  • Restrict network connections: not restricted

Node
  • Restrict container executable modules: allowed executable file /usr/local/bin/node
  • Restrict network connections: block outbound connections

MongoDB
  • Restrict container executable modules: allowed executable files /bin/chown, /usr/local/bin/gosu, /usr/bin/mongod, /usr/bin/mongos, /usr/bin/mongo, /usr/bin/id, /bin/bash, /usr/bin/numactl, /bin/dash, /bin/sh
  • Restrict network connections: not restricted

HAProxy
  • Restrict container executable modules: allowed executable files /bin/dash, /usr/bin/which, /usr/local/sbin/haproxy, /bin/busybox, /usr/local/sbin/haproxy-systemd-wrapper
  • Restrict network connections: not restricted

Hipache
  • Restrict container executable modules: allowed executable files /usr/bin/python2.7, /usr/bin/nodejs, /usr/bin/redis-server, /bin/dash, /usr/local/bin/hipache
  • Restrict network connections: not restricted

Drupal
  • Restrict container executable modules: allowed executable files /bin/bash, /bin/rm, /usr/sbin/apache2
  • Restrict network connections: not restricted

Redis
  • Restrict container executable modules: allowed executable files /bin/bash, /bin/chown, /usr/local/bin/gosu, /usr/bin/id, /usr/local/bin/redis-server, /bin/sh, /bin/dash, /sbin/redis-cli, /bin/redis-cli, /usr/sbin/redis-cli, /usr/bin/redis-cli, /usr/local/sbin/redis-cli, /usr/local/bin/redis-cli, /bin/busybox
  • Restrict network connections: block outbound connections

Tomcat
  • Restrict container executable modules: allowed executable files /usr/bin/tty, /bin/uname, /usr/bin/dirname, /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java, /bin/dash, /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
  • Restrict network connections: block outbound connections

Celery
  • Restrict container executable modules: allowed executable files /bin/dash, /sbin/ldconfig, /bin/uname, /usr/local/bin/python3.4, /bin/sh
  • Restrict network connections: not restricted


Changing runtime profile settings

To change container runtime profile settings:

  1. Under Policies → Runtime policies → Container runtime profiles, click the name of the profile in the list of existing container runtime profiles.
  2. In the window that opens, change the values of one or more of the following settings:
    • Name of the runtime profile.
    • Description of the runtime profile.
    • Restrict container executable files.
    • Restrict inbound network connections.
    • Restrict outbound network connections.
  3. Click Save.

Changes made to runtime profile settings are immediately applied to the running container and affect its operation.


Deleting a runtime profile

To delete a container runtime profile:

  1. In the table of configured runtime profiles under Policies → Runtime policies → Image profiles, click the delete icon in the row containing the name of the profile that you want to delete.
  2. In the window that opens, confirm the action.