Defend for Containers

Elastic Defend for Containers (BETA) provides cloud-native runtime protections for containerized environments.

Version
1.2.6 (View all)
Compatible Kibana version(s)
8.11.0 or higher
Supported Serverless project types

Security
Subscription level
Enterprise
Level of support
Elastic

CWP is powered by a lightweight integration (Defend for Containers BETA) that is bundled and configured by the Elastic Agent. The agent is installed as a daemonset on supported Kubernetes clusters and the integration uses eBPF LSM and tracepoint probes to produce system events. Events are evaluated against eBPF LSM hook points, enabling a configured policy to be evaluated before system activity is allowed to proceed.

The policy determines which system behaviors (for example, process executions, file creations or deletions, etc) will result in an action. Actions are simple: logging the behavior to Elasticsearch, creating an alert in Elasticsearch, or blocking the behavior.

Threat Detection

The system ships with a default policy configured featuring two selectors and responses. The first selector is designed to stream process telemetry events to the user’s Elasticsearch cluster. The policy uses the selector allProcesses which specifies fork and exec operations. This selector is mapped to the allProcesses response, which specifies a log action.

The resulting telemetry data is transformed into an ECS document and streamed back to the user’s Elasticsearch cluster, where the Elastic Security SIEM evaluates the data to detect malicious behavior.

Drift Detection & Prevention

The second selector is written to detect the modification of existing executables or the creation of new executables within a container (This is how Elastic detects “container drift”). The policy selector is named executableChanges and is mapped to a response section called executableChanges which specifies an alert action.

This policy is configured with an alert response, meaning that when drift conditions are detected, the matching event(s) are collected and written as an alert to the user’s Elasticsearch cluster. A prebuilt rule “escalation rule” in the SIEM watches for these alert documents and raises an alert in the SIEM when drift is detected. This policy can also be modified to block drift operations by changing the response action to block.

Policies

Users that want to use the full strength of CWP will benefit to understand the system’s policy syntax, which enables fine-grained policies to be constructed. Policies can be built to precisely match expected container behaviors– disallowing any unexpected behaviors– and thereby substantially hardening the security posture of container workloads.

Policies are composed of selectors and responses. A given policy must contain at least one selector and one response. Currently, the system supports two types of selectors and responses, file and process. Selectors tell the service what system operations to match and have a number of conditions that can be grouped together (using a logical AND operation) to provide precise control. Responses instruct the system on what actions to take when system operations match selectors.

Deployment

The service can be deployed in two ways: declaratively using Elastic Agent in standalone mode, or as a managed D4C integration through Fleet. With the former, teams have the flexibility to integrate their policies into Git for an infrastructure-as-code (IoC) approach, streamlining the deployment process and enabling easier management.

Note: You will need to include the following capabilities under securityContext in your k8s yaml in order for the service to work.

securityContext:
    runAsUser: 0
    # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
    # If you are using this integration, please uncomment these lines before applying.
    capabilities:
      add:
        - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
        - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
        - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'

Policy example

A given policy must contain at least one selector (file or process) and one response.

  process:
    selectors:
      - name: allProcesses
        operation: [fork, exec]
      - name: interactiveProcesses
        operation: [fork, exec]
        sessionLeaderInteractive: true
    responses:
      - match: [allProcesses]
        actions: [log]
      - match: [interactiveProcesses]
        actions: [alert]
  file:
    selectors:
      - name: executableChanges
        operation: [createExecutable, modifyExecutable]
    responses:
      - match: [executableChanges]
        actions: [alert]

Due to the fact that file and process operations happen asynchronously, their selectors and responses must be managed as separate entities. A file selector cannot be used to trigger a process response and vice versa.

Selectors

A selector tells the service what system operations to match on and has a number of conditions that can be grouped together (using a logical AND operation) to provide precise control.

  - name: exampleFileSelector
    operation: [createExecutable, modifyExecutable]
    containerImageName: [nginx]
    containerImageTag: [latest]
    targetFilePath: [/usr/bin/**]
    kubernetesClusterId: [cluster1]
    kubernetesClusterName: [stagingCluster]
    kubernetesNamespace: [default]
    kubernetesPodLabel: [‘production:*’]
    kubernetesPodName: [‘nginx-pod-*’]
    ignoreVolumeMounts: true

A selector MUST contain a name and at least one of the following conditions.

Common conditions (available for both file and process selectors)

NameDescription
containerImageFullName
A list of container full image names to match on. e.g. "docker.io/nginx".
containerImageName
A list of container image names to match on. e.g. nginx
containerImageTag
A list of container image tags to match on. e.g. latest
kubernetesClusterId
A list of kubernetes cluster IDs to match on. For consistency with KSPM, the 'kube-system' namespace uid is used as a cluster ID.
kubernetesClusterName
A list of kubernetes cluster names to match on.
kubernetesNamespace
A list of kubernetes namespaces to match on.
kubernetesPodName
A list of kubernetes pod names to match on. Trailing wildcards supported.
kubernetesPodLabel
A list of resource labels. Trailing wildcards supported (value only). e.g. key1:val*

 

For example, the following selector will match attempts to create executables on any portion of a file system, in any container as long as its Pod has the label environment:production or service:auth*

- name:
  operation: [createExecutable]
  kubernetesPodLabel: [environment:production, service:auth*]

File Specific Conditions

NameDescription
operation
The list of system operations to match on. Options include createExecutable, modifyExecutable, createFile, modifyFile, deleteFile.
ignoreVolumeMounts
If set, ignores file operations on ALL volume mounts.
ignoreVolumeFiles
If set, ignores operations on file mounts only. e.g. mounted files, configMaps, secrets etc...
targetFilePath
A list of file paths to include. Paths are absolute and wildcards are supported.

 

Consider the following selector example:

- name:
  targetFilePath: [/usr/bin/echo, /usr/sbin/*, /usr/local/**]

In this example,

  • /usr/bin/echo will match on the echo binary, and only this binary
  • /usr/local/** will match on everything recursively under /usr/local/ including /usr/local/bin/something
  • /usr/sbin/* includes everything that’s a direct child of /usr/sbin

Process Specific Conditions

NameDescription
operation
The list of system operations to match on. Options include fork and exec.
processExecutable
A list of executables (full path included) to match on. e.g. /usr/bin/cat. Wildcard support is same as targetFilePath above.
processName
A list of process names (executable basename) to match on. e.g. 'bash', 'vi', 'cat' etc...
sessionLeaderInteractive
If set to true, will only match on interactive sessions (i.e. sessions with a controlling TTY)

Responses

Responses instruct the system on what actions to take when system operations match selectors.

A policy can contain one or more responses. Each response is comprised of the following:

responses:
  - match: [allProcesses]
    exclude: [excludeSystemDServices]
    actions: [log]
  - match: [nefariousActivity]
    actions: [alert, block]
Response FieldDescription
match
An array of one or more selectors of the same type (file or process).
exclude
An optional array of one or more selectors to use as exclusions to everything in 'match'
actions
An array of actions to perform (if at least one match and none of the exclude selectors match). Options include log, alert and block.

 

ActionDescription
log
Sends events to the logs-cloud_defend.file-* data stream for file responses, and the logs-cloud_defend.process-* data stream for process responses.
alert
Writes events (file or process) to the logs-cloud_defend.alerts-* data stream.
block
Prevents the system operation from proceeding. This blocking action happens prior to the execution of the event. It is required that the alert action be set if block is enabled.

Example

Consider the following yaml.

file:
  selectors:
    - name: binDirExeMods
      operation:
        - createExecutable
        - modifyExecutable
      targetFilePath:
        - /usr/bin/**
    - name: etcFileChanges
      operation:
        - createFile
        - modifyFile
        - deleteFile
      targetFilePath:
        - /etc/**
    - name: nginx
      containerImageName:
        - nginx

  responses:
    - match:
        - binDirExeMods
        - etcFileChanges
      exclude:
        - nginx
      actions:
        - alert
        - block

We have three file selectors. Two are used to match (logically OR'd), and one to exclude.

This could be read as: If an executable is created or modified under /usr/bin or a file is created, modified or deleted under /etc, block and create an alert as long as it's not an nginx container.

e.g.

IF (binDirExeMods OR etcFileChanges) AND NOT nginx = RUN ACTIONS alert and block

Process Events

The following fields are populated for all events where event.category: process

FieldExamples
'2023-03-20T16:03:59.520Z'
'7829f26d-c2d1-4eaf-a1ac-cd9cb9e12f75'
'cloud-defend'
'8.8.0'
'1234567abc'
'elastic-dev'
us-east-1c
'webapp-node'
'123456abc'
'staging'
aws
'us-east-1'
cloud_defend.matched_selectors
['interactiveSessions']
cloud_defend.package_policy_id
'4c9cbba0-c812-11ed-a8dd-91ec403e4f03'
cloud_defend.package_policy_revision
2
cloud_defend.hook_point
['tracepoint__sched_process_fork','tracepoint__sched_process_exec', 'kprobe__taskstats_exit']
nginx_1
nginx
latest
'cloud_defend.process'
'default'
'logs'
8.7.0
'fork', 'exec', 'end'
'verified'
'process'
'2023-03-20T16:03:59.520Z'
'cloud_defend.process'
'3ee85eee-72d9-4e9d-934f-3787952ca830'
'2023-03-20T16:04:12Z'
'event', 'alert'
'cloud_defend'
'start', 'end', 'denied'
'0'
'amd64'
'815a760f-8153-49e1-9d0b-da0d3b2a468c'
'1bb9e6a948dfb1c3cd38d1fdc8de4481'
['127.0.0.1', '172.20.0.2', '172.18.0.6']
'kibana-node'
['32:a9:cc:26:4c:e5', '7a:ec:f0:3e:29:ee']
'kibana-node.myapp.co'
'ubuntu'
'Ubuntu 20.04.5'
'5.10.161+ #1 SMP Thu Jan 5 22:49:42 UTC 2023'
'Linux
'ubuntu'
'linux'
'20.04.5'
4026531836
'12345'
'website'
default
'172.18.0.6'
orchestrator.resource.annotation
['note:testing']
orchestrator.resource.label
['service:webapp']
webapp-proxy
'DaemonSet', 'ReplicaSet' etc...
pod
['ls', '--color=auto']
'2023-03-20T16:04:12Z'
'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ=='
['bash']
'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ=='
'container'
'/bin/bash'
'0'
true
'bash'
1915529
false
'2023-03-20T16:03:59.520Z'
'0'
'/usr/share/elastic-agent'
'/usr/bin/ls'
['ls', '--color=auto']
'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ=='
'/usr/bin/ls'
'0'
true
'ls'
1915529
true
'2023-03-20T16:03:59.520Z'
'0'
'/usr/share/elastic-agent'
true
'ls'
['bash']
'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ=='
'/bin/bash'
'0'
true
'bash'
1915529
false
'2023-03-20T16:03:59.520Z'
'0'
'/usr/share/elastic-agent'
1916234
[{ args: ['bash'], executable: '/bin/bash'}]
['bash']
'/bin/bash'
['bash']
'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ=='
'/bin/bash'
'0'
true
'bash'
1915529
false
'2023-03-20T16:03:59.520Z'
'0'
'/usr/share/elastic-agent'
'2023-03-20T16:03:59.520Z'
'/usr/share/elastic-agent'
'0'

File Events

The following fields are populated for all events where event.category: file

FieldExamples
'2023-03-20T16:03:59.520Z'
'7829f26d-c2d1-4eaf-a1ac-cd9cb9e12f75'
'cloud-defend'
'8.8.0'
'1234567abc'
'elastic-dev'
us-east-1c
'123456abc'
'staging'
aws
'us-east-1'
cloud_defend.matched_selectors
['binModifications']
cloud_defend.package_policy_id
4c9cbba0-c812-11ed-a8dd-91ec403e4f03
cloud_defend.package_policy_revision
2
cloud_defend.hook_point
One of: lsm__path_chmod, lsm__path_mknod, lsm__file_open, lsm__path_truncate, lsm__path_rename, lsm__path_link, lsm__path_unlink
nginx_1
nginx
latest
'cloud_defend.process'
'default'
'logs'
8.7.0
One of: 'creation', 'modification', 'deletion', 'rename', 'link', 'open'
'verified'
'process'
'2023-03-20T16:03:59.520Z'
'cloud_defend.process'
'3ee85eee-72d9-4e9d-934f-3787952ca830'
'2023-03-20T16:04:12Z'
One of: 'event', 'alert'
'cloud_defend'
One of: 'start', 'end', 'denied'
ts
script.ts
/home/workspace/project/script.ts
'0'
'amd64'
'815a760f-8153-49e1-9d0b-da0d3b2a468c'
'1bb9e6a948dfb1c3cd38d1fdc8de4481'
['127.0.0.1', '172.20.0.2', '172.18.0.6']
'kibana-node'
['32:a9:cc:26:4c:e5', '7a:ec:f0:3e:29:ee']
'kibana-node.myapp.co'
'ubuntu'
'Ubuntu 20.04.5'
'5.10.161+ #1 SMP Thu Jan 5 22:49:42 UTC 2023'
'Linux
'ubuntu'
'linux'
'20.04.5'
4026531836
'12345'
'website'
default
'172.18.0.6'
orchestrator.resource.annotation
['note:testing']
orchestrator.resource.label
['service:webapp']
webapp-proxy
...
pod
'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ=='
'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ=='
'/usr/bin/vi'
'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ=='
true
'vi'
'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ=='
1916234
'NzgyOWYyNmQtYzJkMS00ZWFmLWExYWMtY2Q5Y2I5ZTEyZjc1LTE5MTU1MzUtMTY3OTMyODIzOQ=='
'0'
'0'

Support matrix

 EKS 1.24-1.27 (AL2022)GKE 1.24-1.27 (COS)
Process event exports
File event exports
Drift prevention
Mount point awareness
Process blocking
Network event exports
Coming soon
Coming soon
Network blocking
Coming soon
Coming soon

Changelog

VersionDetailsKibana version(s)

1.2.6

Bug fix View pull request
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.11.0 or higher

1.2.5

Enhancement View pull request
Update integration support matrix

8.11.0 or higher

1.2.4

Enhancement View pull request
Fix integration subscription tier

8.11.0 or higher

1.2.3

Enhancement View pull request
Changed owners

8.11.0 or higher

1.2.2

Enhancement View pull request
Add security capability

8.11.0 or higher

1.2.1

Enhancement View pull request
Update ECS reference

8.11.0 or higher

1.2.1-preview2

Enhancement View pull request
Updates manifest format version to 3.0.0. lifecycle.yml files added.

1.2.1-preview

Enhancement View pull request
Adds metrics-cloud_defend.heartbeat index

1.2.0

Enhancement View pull request
Release - Updates documentation to allow for new 'process blocking' feature.

8.8.0 or higher

1.2.0-preview

Enhancement View pull request
Updates documentation to allow for new 'process blocking' feature.

1.1.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

8.8.0 or higher

1.0.7

Enhancement View pull request
Documentation fix.

8.8.0 or higher

1.0.6

Enhancement View pull request
Documentation updates. Removed kubernetesPodId.

8.8.0 or higher

1.0.5

Enhancement View pull request
Documentation updates.

8.8.0 or higher

1.0.4

Enhancement View pull request
Updated orchestrator.resource.label and annotation to use keyword type.

1.0.3

Enhancement View pull request
Added kubernetes as a category. Renamed trace_point to hook_point

1.0.2

Enhancement View pull request
Added mapping for cloud_defend.trace_point. Fixed host.name and host.hostname examples, and added cloud.instance.name to field list in README.

1.0.1

Enhancement View pull request
Default policy updated to include new file/process selector schema.

1.0.0

Enhancement View pull request
Adds process and file datastreams to track telemetry.

0.1.1

Enhancement View pull request
This version now works e2e with the cloud-defend service.

0.1.0

Enhancement View pull request
Initial draft of the package