1. Overview

When the effect of a runtime rule is set to Prevent, Prisma Cloud actively defends a container's file system: a write to a directory that is not part of the container's runtime model is denied and an audit is generated. Under some conditions, however, file system protection does not prevent the write at all, and nothing is recorded. This article describes the symptoms, how to confirm whether Prevent is actually being enforced, and what to check when it is not.

2. Symptoms

  1. You can create a new file in a directory that is outside the container's active runtime model. The write succeeds instead of failing with "Operation not permitted".

  2. No audit or incident is generated for the write.

3. Steps to confirm whether Prevent is enforced

  1. On a host where a Defender is deployed, open a shell in a running container. This example assumes a container named alpine is already running:

    $ docker exec -it alpine sh
  2. Change to a directory that is not part of the container's runtime model and simulate a file system attack by creating a new file. When Prevent is working, the write is denied:

    # echo "an attack" >> attack.sh
    sh: can't create attack.sh: Operation not permitted
    If the issue described above is present, the file is created and no error is returned.
  3. Review the audit in Monitor > Events > Container Audits. When Prevent is working, an audit for the denied write is listed there; if the issue is present, no audit is recorded.

    (Screenshot: runtime defense prevent alert in Container Audits)

4. Troubleshooting steps

  • The runtime model must be Active for the running container. While the model is still in learning mode, anomalous writes are not prevented and no audits are generated. Check the model's state in Console under Monitor > Runtime before testing.

  • You must be using a supported storage driver. Prevent is supported for the overlay2 and devicemapper storage drivers. It is not supported for aufs. Check which driver the Docker daemon on the host is using; if it is not overlay2 or devicemapper, set effect to Alert or Block instead. Note the difference: Alert only records an audit and lets the write through, and Block stops the whole container on a violation. Neither denies the individual write the way Prevent does.
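The following script is an added example and is not part of the original article or of any Prisma Cloud tooling. It ties together the write test from section 3 and the storage driver check from section 4: it reports the Docker storage driver of the local daemon, says whether that driver supports Prevent (assuming, as the article states, that only overlay2 and devicemapper do, with Alert as the fallback effect), and then repeats the simulated write in a directory you name. The file name check_prevent.sh and the function names are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original article or a Prisma Cloud tool).
# Reports whether the host's Docker storage driver supports the Prevent effect
# and repeats the article's simulated write test in a chosen directory.
# Assumption from the article: only overlay2 and devicemapper support Prevent.

# Return 0 when the given storage driver name supports the Prevent effect.
prevent_supported() {
    case "$1" in
        overlay2|devicemapper) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the effect to configure for the given driver: Prevent when supported,
# otherwise Alert (Block is the other option the article allows; it stops the
# whole container rather than denying a single write).
recommended_effect() {
    if prevent_supported "$1"; then
        echo "Prevent"
    else
        echo "Alert"
    fi
}

# Simulate the article's file system attack in directory $1. Prints
# "prevented" when the write is denied (the expected result under an enforced
# Prevent rule) and "written" when it succeeds; a successful test file is
# removed again so the container is left as it was.
simulate_write() {
    target="$1/attack.sh"
    if ( echo "an attack" >> "$target" ) 2>/dev/null; then
        rm -f "$target"
        echo "written"
    else
        echo "prevented"
    fi
}

# Ask the local Docker daemon for its storage driver; "unknown" when the
# docker client is missing or the daemon is unreachable (e.g. inside a container).
host_storage_driver() {
    docker info --format '{{.Driver}}' 2>/dev/null || echo "unknown"
}

# Run the checks only when a target directory is given, so the functions can
# also be sourced. Example: sh check_prevent.sh /tmp/not-in-model
if [ $# -eq 1 ]; then
    driver=$(host_storage_driver)
    echo "storage driver: $driver (recommended effect: $(recommended_effect "$driver"))"
    echo "write to $1: $(simulate_write "$1")"
else
    echo "usage: $0 <directory-outside-the-runtime-model>" >&2
fi
```

Run it once on the host (for example against /tmp) to learn the storage driver and the effect it supports, then copy it into the container from section 3 and run it against a directory that is not in the runtime model. Inside the container the driver shows as "unknown" because docker is not reachable there, but the write result is the part that matters: "prevented" means Prevent is enforced; "written" with no entry in Container Audits is the issue this article describes.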