Creating a database for Kaspersky Container Security
To create a database for Kaspersky Container Security:
In ClickHouse on your workstation, run the following command:
    CREATE DATABASE IF NOT EXISTS kcs
where kcs is the name of the database for Kaspersky Container Security.
To configure the settings of the created database for Kaspersky Container Security:
- Add users and define their authorization method. To do this, you must do the following:
  - Add the following users:
    - A user with rights to read data received by the Kaspersky Container Security core (reader).
      <roles>
        <kcs_reader_role>
          <grants>
            <query>GRANT SELECT ON kcs.*</query>
          </grants>
        </kcs_reader_role>
      </roles>
    - A user with rights to write data from external agent requests (writer).
      <roles>
        <kcs_writer_role>
          <grants>
            <query>GRANT CREATE TABLE, INSERT, ALTER, UPDATE ON kcs.*</query>
            <query>GRANT SELECT (source_ip, source_port, source_alias, dest_ip, dest_port, dest_alias, protocol, severity, action, event_time, count, type) ON kcs.node_agent_events</query>
          </grants>
        </kcs_writer_role>
      </roles>
  - Specify the user authorization method: with a password or with a certificate.
Example of configuring users with password authentication
<clickhouse>
  ...
  <kcsuser-write>
    <password>*********</password>
    <networks>
      <ip>::/0</ip>
    </networks>
    ...
    <grants>
      <query>GRANT kcs_writer_role</query>
    </grants>
  </kcsuser-write>
  <kcsuser-read>
    <password>*********</password>
    <networks>
      <ip>::/0</ip>
    </networks>
    ...
    <grants>
      <query>GRANT kcs_reader_role</query>
    </grants>
  </kcsuser-read>
  ...
  <roles>
    <kcs_reader_role>
      <grants>
        <query>GRANT SELECT ON kcs.*</query>
      </grants>
    </kcs_reader_role>
    <kcs_writer_role>
      <grants>
        <query>GRANT CREATE TABLE, INSERT, ALTER, UPDATE ON kcs.*</query>
        <query>GRANT SELECT (source_ip, source_port, source_alias, dest_ip, dest_port, dest_alias, protocol, severity, action, event_time, count, type) ON kcs.node_agent_events</query>
      </grants>
    </kcs_writer_role>
    ...
  </roles>
  ...
</clickhouse>
Example of configuring users with certificate authentication
<clickhouse>
  ...
  <kcsuser-write>
    <ssl_certificates>
      <common_name>kcsuser-write</common_name>
    </ssl_certificates>
    <networks>
      <ip>::/0</ip>
    </networks>
    ...
    <grants>
      <query>GRANT kcs_writer_role</query>
    </grants>
  </kcsuser-write>
  <kcsuser-read>
    <ssl_certificates>
      <common_name>kcsuser-read</common_name>
    </ssl_certificates>
    <networks>
      <ip>::/0</ip>
    </networks>
    ...
    <grants>
      <query>GRANT kcs_reader_role</query>
    </grants>
  </kcsuser-read>
  ...
  <roles>
    <kcs_reader_role>
      <grants>
        <query>GRANT SELECT ON kcs.*</query>
      </grants>
    </kcs_reader_role>
    <kcs_writer_role>
      <grants>
        <query>GRANT CREATE TABLE, INSERT, ALTER, UPDATE ON kcs.*</query>
        <query>GRANT SELECT (source_ip, source_port, source_alias, dest_ip, dest_port, dest_alias, protocol, severity, action, event_time, count, type) ON kcs.node_agent_events</query>
      </grants>
    </kcs_writer_role>
    ...
  </roles>
  ...
</clickhouse>
- Specify disks for short-term and long-term data storage. When working with ClickHouse, Kaspersky Container Security can store large amounts of data with various retention periods. By default, most events are stored for a maximum of 30 minutes, whereas information about incidents is stored for up to 90 days. Since event recording requires considerable resources to ensure high recording speed and sufficient disk space, it is recommended to use different disks for short-term and long-term data storage.
Example of configuring data storage settings
<clickhouse>
  ...
  <storage_configuration>
    <disks>
      <kcs_disk_hot>
        <path>/etc/clickhouse/hot/</path>
      </kcs_disk_hot>
      <kcs_disk_cold>
        <path>/etc/clickhouse/cold/</path>
      </kcs_disk_cold>
    </disks>
    <policies>
      <kcs_default>
        <volumes>
          <default>
            <disk>kcs_disk_hot</disk>
          </default>
          <cold>
            <disk>kcs_disk_cold</disk>
          </cold>
        </volumes>
      </kcs_default>
    </policies>
  </storage_configuration>
  ...
</clickhouse>
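
An added example (not part of the Kaspersky documentation) that audits a ClickHouse user configuration shaped like the user examples above for three settings worth checking before deployment: a plaintext `<password>`, a `<networks>` entry such as `::/0` that admits any address, and a granted role that is not defined under `<roles>`. The sample configuration is constructed; the `<users>` wrapper, the 10.20.0.0/16 subnet, the placeholder hash value and the function name `audit_users` are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's password-authentication example.
# Assumptions: the <users> wrapper, the 10.20.0.0/16 subnet, the hash value.
SAMPLE = """<clickhouse>
  <users>
    <kcsuser-write>
      <password>example-only</password>
      <networks><ip>::/0</ip></networks>
      <grants><query>GRANT kcs_writer_role</query></grants>
    </kcsuser-write>
    <kcsuser-read>
      <password_sha256_hex>CONSTRUCTED_PLACEHOLDER</password_sha256_hex>
      <networks><ip>10.20.0.0/16</ip></networks>
      <grants><query>GRANT kcs_reader_role</query></grants>
    </kcsuser-read>
  </users>
  <roles>
    <kcs_reader_role>
      <grants><query>GRANT SELECT ON kcs.*</query></grants>
    </kcs_reader_role>
  </roles>
</clickhouse>"""


def audit_users(config_xml):
    """Return sorted (user, finding) pairs for risky account settings."""
    root = ET.fromstring(config_xml)
    roles = {role.tag for role in root.findall("./roles/*")}
    findings = []
    for user in root.findall("./users/*"):
        if user.find("password") is not None:
            findings.append((user.tag, "plaintext password"))
        for ip in user.findall("./networks/ip"):
            try:
                net = ipaddress.ip_network((ip.text or "").strip(), strict=False)
            except ValueError:
                continue  # host names and other forms are not evaluated here
            if net.prefixlen == 0:
                findings.append((user.tag, "open to any address"))
        for query in user.findall("./grants/query"):
            words = (query.text or "").split()
            # "GRANT <role>" has exactly two words; privilege grants have more.
            if len(words) == 2 and words[1] not in roles:
                findings.append((user.tag, "undefined role " + words[1]))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE):
        print(user, "->", finding)
```
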