Editing runtime autoprofile settings
To edit autoprofile parameters:
- In Policies → Runtime policies → Autoprofiles section, click the name of the autoprofile in the list of created container runtime autoprofiles.
- If necessary, in the displayed sidebar, on the General information tab, edit the values of one, multiple, or all of the following parameters:
  - Autoprofile status. Use the Verified/Not verified toggle switch to change the autoprofile status to Verified or Not verified.
  - Name of the runtime autoprofile. You can specify a custom autoprofile name to replace the name automatically generated by the solution.
  - Description of the runtime autoprofile. By default, no description is added when autoprofiling.
- Under Parameters, edit the network status monitoring parameters as follows:
  - File threat protection. If necessary, use the Disabled/Enabled toggle switch to enable or disable File Threat Protection. By default, the settings under File Threat Protection are disabled.
  - Restrict container executable files. You can specify file names and paths to block, as well as exceptions.
    If processes are running inside containers in the relevant build, the solution performs the following actions:
    - When events are detected in processes in Audit and Enforce mode, the solution activates the Block specified executable files setting and all unique paths are indicated in the Executables or path field.
    - If there are no events in processes in Audit and Enforce mode, the solution applies the Block all executable files setting.
    - If it detects events other than the above, the solution activates the Allow exclusions setting and specifies all unique path values in the Executables or path field.
  - Restrict inbound network connections. If necessary, you can use the Disabled/Enabled toggle switch to disable the ability to restrict inbound connections of the container.
    If inbound traffic is observed in containers in the relevant build, the solution performs the following actions:
    - When events related to inbound connections are detected in Audit and Enforce mode, the solution activates the Restrict inbound network connections setting.
    - If there are no events related to inbound traffic in Audit and Enforce mode, or if other events are detected, the solution activates the Allow exclusions option. The Sources, TCP ports and UDP ports fields contain all the unique recipients of inbound connections.
  - Restrict outbound network connections. If necessary, you can use the Disabled/Enabled toggle switch to disable the ability to restrict outbound connections of the container.
    If outbound traffic is observed in containers in the relevant build, the solution performs the following actions:
    - When events related to outbound connections are detected in Audit and Enforce mode, the solution activates the Restrict outbound network connections setting.
    - If there are no events related to inbound traffic in Audit and Enforce mode, or if other events are detected, the solution activates the Allow exclusions option. The Sources, TCP ports and UDP ports fields specify all unique outbound connection sources.
  - File operations. You can edit the settings for monitoring file operations in the container.
    If actions are observed inside the containers in the relevant build, upon detection of file management events in Audit and Enforce mode, the solution activates the File operations setting. In this case, all unique paths are indicated in the Path field, and the check boxes of all detected operation types are selected in the Operation type field.
    You can also click Add rule to add rules to be applied when monitoring file operations.

  If a setting is enabled in the Settings section, the solution determines the specific build of the image and scans all containers deployed from that build.
- Save changes to the autoprofile by doing one of the following:
  - To save without changing the autoprofile status to Verified, click Save.
  - To save and change the status of the autoprofile to Verified, click Save and verify.