Creating a runtime profile

To add a container runtime profile:

1. Under Policies → Runtime policies → Container runtime profiles, click the Add profile button.

   The profile settings input window opens.

2. Enter a name for the runtime profile and, if necessary, a description.
3. In the Scopes drop-down list, select one or more scopes.

   Scopes in runtime profiles allow profiles to be used correctly in runtime policies.

4. Under File Threat Protection, use the Disabled / Enabled toggle to activate File Threat Protection. It is used to find and analyze potential file threats, and provides security for containerized objects, such as archives and email files.

   When a runtime profile is applied with the File Threat Protection component enabled, Kaspersky Container Security activates real-time file threat protection on all nodes within the scopes defined for that policy. The configuration of the deployed agents depends on the settings that you specify for File Threat Protection. You can configure the File Threat Protection settings by clicking the File Threat Protection settings button on the Container runtime profiles tab in the Policies → Runtime section.

5. In the Restrict container executable files section, use the Disabled / Enabled toggle switch to restrict executable files according to rules. In the list, select the blocking option that guarantees optimal container performance:
   • Block process from all executable files - application blocks all executable files from starting while the container is running.
   • Block specified executable files - application blocks the executable files that you select in the Block the specified executable files field. You can block all executable files or a list of specific executable files. You must specify the full original path to the executable file (for example, /bin/php). You can also use an * mask (for example, /bin/*) to apply a rule to an entire directory and its subdirectories.

     You can fine-tune the list of allowed and blocked executable files by specifying exclusions for blocking rules. For example, you can specifically exclude the path /bin/cat for a rule applied to /bin/*. In this case, all executable files from the directory /bin/ will be blocked from running except the /bin/cat application.

     Example path to executable files

     Specifying the direct path to executable binary files:

     /bin/bash

     Specifying a directory using a * mask:

     /bin/*

     In this example, all executable files from subdirectories of the /bin/ directory are allowed to run.

     When working with the busybox binary that is delivered with many basic container images (such as alpine), you must take into account that busybox contains a set of commands to fetch applications without an explicit specification of such applications. For example, the ls command is used to fetch the /bin/ls executable file, which in turn is a symbolic link to /bin/busybox. In this case, you must specify the path to the executable file as follows: /bin/busybox/ls (that is, you must concatenate the original path of the /bin/busybox executable file and its ls command with the / symbol).

     If you select the Allow exclusions check box, the application will block all executable files except those specified in the Allow exclusions field when a container is started and running.

     All rules and exceptions specified for this group of parameters are regular expressions (regexp). The solution uses the specified patterns and indicators to find all files that match a specific regular expression.

6. In the Restrict ingress container connections section, use the Disabled / Enabled toggle switch to activate the capability to restrict inbound connections of a container. When this restriction is active, Kaspersky Container Security will block all sources of inbound connections except those that you specified as exclusions.

   If you select the Allow exclusions check box, you can specify the parameters of one or more allowed sources of inbound network connections. To define exclusions, you must specify at least one of the following parameters:

   • Sources. In the Sources field, enter an IP address or a range of IP addresses for the inbound connection source in CIDR4 or CIDR6 notation.
   • In the TCP ports field and in the UDP ports field, enter a specific port or range of ports for the connection.

     If you need to specify multiple ports, use a comma, e.g. 8080, 8082.

     If you do not specify a value for the ports, the application will allow a connection over all ports.

7. In the Restrict egress container connections section, use the Disabled / Enabled toggle switch to activate the capability to restrict outbound connections for defined destinations.

   If you select the Allow exclusions check box, you can specify the parameters of one or more allowed destinations for outbound network connections. To define exclusions, you must specify at least one of the following parameters:

   • Destinations. In the Destinations field, enter an IP address or a range of IP addresses for an outbound connection destination in CIDR4 or CIDR6 notation, or the web address (URL) of a destination.
   • In the TCP ports field and in the UDP ports field, enter a specific port or range of ports for the connection.

     If you need to specify multiple ports, use a comma, e.g. 8080, 8082.

     If you do not specify a value for the ports, the application will allow a connection over all ports.

8. In the File operations sections, use the Disabled / Enabled switch to enable the ability to monitor file operations in the container. To do this, specify values for the following settings:
   • Path. Paths to files or folders can be specified with or without a forward slash (/) at the end of the path. You can allow access to all subdirectories by placing an asterisk (*) after the forward slash (/) at the end of the path.

     When specifying paths to files, only enter full paths that begin with a forward slash.

   • If necessary, in the Exclusions field, you can specify paths to files for which file operations will not be monitored.
   • Operation type. You can specify the file operations that the solution monitors when the runtime policy is applied. To do this, use the check box to select one or more of the following operation types:
     • Create — The solution logs all file creation operations in the specified directories.
     • Open - the solution logs all file opening operations.
     • Read — The solution logs file read operations.
     • Write — The solution logs information about changes saved in files.
     • Rename or move — The solution logs operations that change the name of files or move files to other folders.
     • Delete — The solution logs information about the deletion of files or folders from the specified directories.
     • Change access permissions — The solution logs information about changes in the rights to access files and directories.
     • Change ownership — The solution monitors operations that change the owner of a file or folder in the specified directory.

   If necessary, add rules for monitoring file operations using the Add rule button. The solution will apply multiple file operation monitoring rules within a single runtime policy.

   For file operations, only Audit mode is supported. If the Enforce mode is specified in the applicable runtime policy, file operations are performed in Audit mode.

9. Click the Add button.

The added runtime profile is displayed in the Policies → Runtime policies → Container runtime profiles section.

Page top