Creating a runtime profile

To add a container runtime profile:

1. Under Policies → Runtime policies → Container runtime profiles, click the Add profile button.

   The profile settings input window opens.

2. Enter a name for the runtime profile and, if necessary, a description.
3. In the Scopes drop-down list, select one or more scopes.

   Scopes in runtime profiles allow profiles to be used correctly in runtime policies.

4. Under Restrict events, specify the following settings:
   1. Container processes: use the Disabled / Enabled toggle switch to restrict executable files in accordance with rules. In the list, select the blocking option that guarantees optimal container performance:
      • Block process from all executable files - application blocks all executable files from starting while the container is running.
      • Block specified executable files - application blocks the executable files that you select in the Block the specified executable files field. You can block all executable files or a list of specific executable files. You must specify the full direct path to the executable file (for example, /bin/php). However, you can specify a directory using a * mask, for example, /bin/*, which lets you apply the rule to the entire directory and its subdirectories and allow all executable files in subdirectories of the /bin directory.

        You can fine-tune the list of allowed and blocked executable files by specifying exclusions for blocking rules. For example, you can specifically exclude the path /bin/cat for a rule applied to /bin/*. In this case, all executable files from the directory /bin/ will be blocked from running except the /bin/cat application.

        You can specify executable files so that fast processes are synchronously blocked in containers.

        When working with the busybox binary that is delivered with many basic container images (such as alpine), you must take into account that busybox contains a set of commands to fetch applications without an explicit specification of such applications. For example, the ls command is used to fetch the /bin/ls executable file, which in turn is a symbolic link to /bin/busybox. In this case, you must specify the path to the executable file as follows: /bin/busybox/ls (that is, you must concatenate the original path of the /bin/busybox executable file and its ls command with the / symbol).

        If you select the Allow exclusions check box, the application will block all executable files except those specified in the Allow exclusions field when a container is started and running.

        All rules and exceptions specified for this group of parameters are regular expressions (regexp). The solution uses the specified patterns and indicators to find all files that match a specific regular expression.

        If Cilium CNI is used, you must specify the Cilium CNI rules in rules and exceptions, in addition to the CIDR and FQDN. This allows the solution to process Cilium service information and distinguish it from CIDRs, FQDNs, and other labels in the single input field.

   2. Ingress container connections: use the Disabled / Enabled toggle switch to activate the ability to restrict ingress connections of a container. When this restriction is active, Kaspersky Container Security will block all sources of inbound connections except those that you specified as exclusions.

      Enabled ingress network connection settings are not applied if the profile is specified in an Audit runtime policy that has been started for a Cilium CNI cluster.

      If you select the Allow exclusions check box, you can specify the parameters of one or more allowed sources of inbound network connections. To define exclusions, you must specify at least one of the following parameters:

      • Sources. In the Sources field, enter an IP address or a range of IP addresses for the inbound connection source in CIDR4 or CIDR6 notation.
      • In the TCP ports field and in the UDP ports field, enter a specific port or range of ports for the connection.

        If you do not specify a value for the ports, the application will allow a connection over all ports.

      • Reputation. Use the buttons to select the reputation statuses of the ingress connection. Reputation can be assigned based on the local reputation list of Kaspersky Container Security or your user-defined reputation list.
   3. Egress container connections: use the Disabled / Enabled toggle switch to activate the ability to restrict egress connections for the specified destinations.

      Enabled egress network connection settings are not applied if the profile is specified in an Audit runtime policy that has been started for a Cilium CNI cluster.

      If you select the Allow exclusions check box, you can specify the parameters of one or more allowed destinations for outbound network connections. To define exclusions, you must specify at least one of the following parameters:

      • Destinations. In the Destinations field, enter an IP address or a range of IP addresses for an outbound connection destination in CIDR4 or CIDR6 notation, or the web address (URL) of a destination.
      • In the TCP ports field and in the UDP ports field, enter a specific port or range of ports for the connection.

        If you do not specify a value for the ports, the application will allow a connection over all ports.

      • Reputation. Use the buttons to select the reputation statuses of the egress connection. Reputation can be assigned based on the local reputation list of Kaspersky Container Security or your user-defined reputation list.
   4. Threats identified with File Threat Protection: use the Disabled / Enabled toggle switch to activate the File Threat Protection component. It is used to find and analyze potential file threats, and provides security for containerized objects, such as archives and email files.

      When a runtime profile is applied with the File Threat Protection component enabled, Kaspersky Container Security activates real-time file threat protection on all nodes within the scopes defined for that policy. The configuration of the deployed agents depends on the settings that you specify for File Threat Protection. You can configure the File Threat Protection settings by clicking the File Threat Protection settings button on the Container runtime profiles tab in the Policies → Runtime section.

   5. File operations: use the Disabled / Enabled toggle switch to enable the ability to monitor file operations in the container. To do this, specify values for the following settings:
      • Path. Paths to files or folders can be specified with or without a forward slash (/) at the end of the path. You can allow access to all subdirectories by placing an asterisk (*) after the forward slash (/) at the end of the path.

        When specifying paths to files, only enter full paths that begin with a forward slash.

      • If necessary, in the Exclusions field, you can specify paths to files for which file operations will not be monitored.
      • Operation type. You can specify the file operations that the solution monitors when the runtime policy is applied. To do this, use the check box to select one or more of the following operation types:
        • Open - the solution logs all file opening operations.
        • Create — The solution logs all file creation operations in the specified directories.
        • Read — The solution logs file read operations.
        • Write — The solution logs information about changes saved in files.
        • Rename or move — The solution logs operations that change the name of files or move files to other folders.
        • Delete — The solution logs information about the deletion of files or folders from the specified directories.
        • Change access permissions — The solution logs information about changes in the rights to access files and directories.
        • Change ownership — The solution monitors operations that change the owner of a file or folder in the specified directory.

      If necessary, add rules for monitoring file operations using the Add rule button. The solution will apply multiple file operation monitoring rules within a single runtime policy.

      For file operations, only Audit mode is supported. If the Enforce mode is specified in the applicable runtime policy, file operations are performed in Audit mode.

   6. Listening on ports: use the Disabled / Enabled toggle switch to enable the ability to monitor the ports of the container being opened. The solution detects the binding of an IP address to a port and records these events in the list of container forensics for analysis. To do this, select one of the following options:
      • Listen on specified ports. If you select this option, in the Ports field, you need to specify one or more ports which you want to be monitored.

        This option is selected by default.

      • Listen on all ports except specified. If you select this option, in the Ports field, you need to specify one or more ports which you do not want to be monitored.
      • Listen on all ports. The solution monitors the opening of all ports in the container.

      Only the Audit mode is supported for port monitoring. If the Enforce mode is specified in the applicable runtime policy, file operations are performed in Audit mode.

   By default, the Disabled / Enabled toggle switches for all options are disabled.

5. Click the Add button.

The added runtime profile is displayed in the Policies → Runtime policies → Container runtime profiles section.

Page top