Runtime for File System Prevent is not working
With the effect set to Prevent in your runtime rule, Prisma Cloud actively defends a container's file system. There is, however, a scenario in which runtime file system protection does not prevent the write; the information below describes it.
You would be able to write a new file to a directory outside the active model.
You would not receive an audit or incident for this.
On a host where a Defender is deployed, get a shell in a running container. For this example, assume a container named alpine is already running:
$ docker exec -it alpine sh
Navigate to a folder not in the runtime model and run a simulated file system attack.
# echo "an attack" >> attack.sh
sh: can't create attack.sh: Operation not permitted
Review the audit in Monitor > Events > Container Audits.
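To repeat the probe above in a consistent way and record which of the two outcomes occurred (write blocked, or write allowed without an audit), here is an added shell script. It is not part of this page and not Prisma Cloud's own tooling. It assumes Docker on the host, a running container named alpine, and a probe directory of /tmp/fs-prevent-check that is not in the container's runtime model; the container name and directory are overridable through the CONTAINER and PROBE_DIR environment variables, and the function names classify_write_result and attempt_write and the file name fs-prevent-check.sh are the script's own.

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own tooling: repeat the write probe from
# the page against a running container and classify the outcome.
# Assumptions: Docker is on the host, the container is named "alpine", and
# /tmp/fs-prevent-check is a directory that is NOT in the runtime model.

CONTAINER="${CONTAINER:-alpine}"                 # assumed container name
PROBE_DIR="${PROBE_DIR:-/tmp/fs-prevent-check}"  # assumed path outside the model

# classify_write_result STATUS STDERR
# Prints "prevented" when the write was denied with "Operation not permitted"
# (the error shown on the page), "allowed" when the write succeeded, and
# "error" for anything else (container missing, docker not installed, ...).
classify_write_result() {
    _status="$1"
    _stderr="$2"
    if [ "$_status" -eq 0 ]; then
        echo allowed
    elif printf '%s' "$_stderr" | grep -qi 'Operation not permitted'; then
        echo prevented
    else
        echo error
    fi
}

# attempt_write: run the simulated attack inside the container, capturing
# only stderr, then print the classification and what to check next.
attempt_write() {
    _probe="mkdir -p '$PROBE_DIR' && cd '$PROBE_DIR' && echo 'an attack' >> attack.sh"
    # "2>&1 >/dev/null" keeps stderr in $_err and discards stdout;
    # docker exec returns the exit status of the command run in the container.
    _err=$(docker exec "$CONTAINER" sh -c "$_probe" 2>&1 >/dev/null) && _rc=0 || _rc=$?
    _result=$(classify_write_result "$_rc" "$_err")
    echo "result: $_result"
    case "$_result" in
        prevented)
            echo "Defender blocked the write; confirm the matching entry in Monitor > Events > Container Audits." ;;
        allowed)
            echo "Write succeeded outside the model; this is the scenario described above, and no audit or incident is expected for it."
            # remove the probe file so it does not linger in the container
            docker exec "$CONTAINER" rm -f "$PROBE_DIR/attack.sh" >/dev/null 2>&1 || true ;;
        error)
            echo "Probe could not run: $_err" ;;
    esac
    return 0
}

# The probe only runs when invoked as: sh fs-prevent-check.sh run
case "${1:-}" in
    run) attempt_write ;;
esac
```

Run it as `sh fs-prevent-check.sh run` on the host where the Defender is deployed. A "prevented" result corresponds to the `Operation not permitted` error on this page and should have a matching container audit; an "allowed" result is the unaudited write the page describes, so compare it against the runtime model before assuming Prevent has failed.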