# Default Policies in Alauda Container Security
Alauda Container Security offers a set of default policies to help you prevent high-risk deployments and respond to runtime incidents in your Kubernetes environment. These policies are designed to identify security issues and enforce best practices across your clusters.
## Overview
Default policies cover the entire container lifecycle: build, deploy, and runtime. You can view default policies and clone them in the Alauda Container Security portal, and the cloned copies can be edited. The default policies themselves cannot be deleted or directly modified.
## Viewing Policies
- Go to Platform Configuration > Policy Management in the portal.
- The Policies view lists all default and custom policies, including their status, severity, and lifecycle stage.
## Policy Table Structure
- Policy: Policy name
- Description: What the policy detects or enforces
- Status: Enabled or Disabled
- Severity: Critical, High, Medium, or Low
- Lifecycle: Build, Deploy, or Runtime
## Critical Severity Policies
| Lifecycle Stage | Policy Name | Description | Status |
|---|---|---|---|
| Build/Deploy | Apache Struts: CVE-2017-5638 | Alerts on images with the CVE-2017-5638 Apache Struts vulnerability. | Enabled |
| Build/Deploy | Log4Shell: log4j Remote Code Execution | Alerts on images with CVE-2021-44228 and CVE-2021-45046 vulnerabilities. | Enabled |
| Build/Deploy | Spring4Shell & Spring Cloud Function | Alerts on images with CVE-2022-22965 (Spring MVC) or CVE-2022-22963 (Spring Cloud). | Enabled |
| Runtime | Iptables Executed in Privileged Container | Alerts when privileged pods run iptables. | Enabled |
## High Severity Policies
| Lifecycle Stage | Policy Name | Description | Status |
|---|---|---|---|
| Build/Deploy | Fixable CVSS >= 7 | Alerts on fixable vulnerabilities with CVSS ≥ 7. | Disabled |
| Build/Deploy | Fixable Severity at least Important | Alerts on fixable vulnerabilities rated Important or higher. | Enabled |
| Build/Deploy | Rapid Reset: HTTP/2 DoS Vulnerability | Alerts on images susceptible to HTTP/2 Rapid Reset DoS. | Disabled |
| Build/Deploy | Secure Shell (ssh) Port Exposed in Image | Alerts when port 22 is exposed in images. | Enabled |
| Deploy | Emergency Deployment Annotation | Alerts on deployments using emergency annotations to bypass admission checks. | Enabled |
| Deploy | Environment Variable Contains Secret | Alerts when environment variables contain 'SECRET'. | Enabled |
| Deploy | Fixable CVSS >= 6 and Privileged | Alerts on privileged deployments with fixable CVSS ≥ 6 vulnerabilities. | Disabled |
| Deploy | Privileged Containers with Important and Critical Fixable CVEs | Alerts on privileged containers with important/critical fixable vulnerabilities. | Enabled |
| Deploy | Secret Mounted as Environment Variable | Alerts when secrets are mounted as environment variables. | Disabled |
| Deploy | Secure Shell (ssh) Port Exposed | Alerts when port 22 is exposed in deployments. | Enabled |
| Runtime | Cryptocurrency Mining Process Execution | Detects crypto-currency mining processes. | Enabled |
| Runtime | iptables Execution | Detects iptables usage in containers. | Enabled |
| Runtime | Kubernetes Actions: Exec into Pod | Alerts on exec commands run in containers via Kubernetes API. | Enabled |
| Runtime | Linux Group Add Execution | Detects groupadd/addgroup usage. | Enabled |
| Runtime | Linux User Add Execution | Detects useradd/adduser usage. | Enabled |
| Runtime | Login Binaries | Detects login attempts. | Disabled |
| Runtime | Network Management Execution | Detects network configuration commands. | Enabled |
| Runtime | nmap Execution | Alerts on nmap process execution. | Enabled |
| Runtime | OpenShift: Kubeadmin Secret Accessed | Alerts on kubeadmin secret access. | Enabled |
| Runtime | Password Binaries | Detects password change attempts. | Disabled |
| Runtime | Process Targeting Cluster Kubelet Endpoint | Detects misuse of kubelet/heapster endpoints. | Enabled |
| Runtime | Process Targeting Cluster Kubernetes Docker Stats Endpoint | Detects misuse of docker stats endpoint. | Enabled |
| Runtime | Process Targeting Kubernetes Service Endpoint | Detects misuse of Kubernetes Service API endpoint. | Enabled |
| Runtime | Process with UID 0 | Alerts on processes running as UID 0. | Disabled |
| Runtime | Secure Shell Server (sshd) Execution | Detects SSH daemon execution in containers. | Enabled |
| Runtime | SetUID Processes | Detects setuid binary usage. | Disabled |
| Runtime | Shadow File Modification | Detects shadow file modifications. | Disabled |
| Runtime | Shell Spawned by Java Application | Detects shell spawned as a subprocess of Java apps. | Enabled |
| Runtime | Unauthorized Network Flow | Alerts on anomalous network flows. | Enabled |
| Runtime | Unauthorized Process Execution | Alerts on unauthorized process execution in locked baselines. | Enabled |
## Medium Severity Policies
| Lifecycle Stage | Policy Name | Description | Status |
|---|---|---|---|
| Build | Docker CIS 4.4: Ensure images are scanned and rebuilt | Alerts if images are not scanned and rebuilt with security patches. | Disabled |
| Deploy | 30-Day Scan Age | Alerts if a deployment hasn't been scanned in 30 days. | Enabled |
| Deploy | CAP_SYS_ADMIN capability added | Alerts if containers escalate with CAP_SYS_ADMIN. | Enabled |
| Deploy | Container using read-write root filesystem | Alerts if containers have read-write root filesystems. | Disabled |
| Deploy | Container with privilege escalation allowed | Alerts if containers allow privilege escalation. | Enabled |
| Deploy | Deployments should have at least one Ingress Network Policy | Alerts if deployments lack an Ingress Network Policy. | Disabled |
| Deploy | Deployments with externally exposed endpoints | Alerts if deployments have externally exposed services. | Disabled |
| Deploy | Docker CIS 5.1: AppArmor profile enabled | Alerts if AppArmor is not enabled. | Enabled |
| Deploy | Docker CIS 5.15: Host's process namespace not shared | Alerts if host's process namespace is shared. | Enabled |
| Deploy | Docker CIS 5.16: Host's IPC namespace not shared | Alerts if host's IPC namespace is shared. | Enabled |
| Deploy | Docker CIS 5.19: Mount propagation mode not enabled | Alerts if mount propagation mode is enabled. | Enabled |
| Deploy | Docker CIS 5.21: Default seccomp profile not disabled | Alerts if seccomp profile is disabled. | Disabled |
| Deploy | Docker CIS 5.7: Privileged ports mapped within containers | Alerts if privileged ports (<1024) are mapped. | Enabled |
| Deploy | Docker CIS 5.9/5.20: Host's network namespace not shared | Alerts if host's network namespace is shared. | Enabled |
| Deploy | Images with no scans | Alerts if images in deployments are not scanned. | Disabled |
| Runtime | Kubernetes Actions: Port Forward to Pod | Alerts on port forward requests via Kubernetes API. | Enabled |
| Deploy | Mount Container Runtime Socket | Alerts if container runtime socket is mounted. | Enabled |
| Deploy | Mounting Sensitive Host Directories | Alerts if sensitive host directories are mounted. | Enabled |
| Deploy | No resource requests or limits specified | Alerts if containers lack resource requests/limits. | Enabled |
| Deploy | Pod Service Account Token Automatically Mounted | Alerts if default service account token is mounted unnecessarily. | Enabled |
| Deploy | Privileged Container | Alerts if containers run in privileged mode. | Enabled |
| Runtime | crontab Execution | Detects crontab usage. | Enabled |
| Runtime | Netcat Execution Detected | Detects netcat usage. | Enabled |
| Runtime | OpenShift: Central Admin Secret Accessed | Alerts on access to Central Admin secret. | Enabled |
| Runtime | OpenShift: Secret Accessed by Impersonated User | Alerts on secret access by impersonated users. | Enabled |
| Runtime | Remote File Copy Binary Execution | Alerts on remote file copy tool execution. | Enabled |
## Low Severity Policies
| Lifecycle Stage | Policy Name | Description | Status |
|---|---|---|---|
| Build/Deploy | 90-Day Image Age | Alerts if a deployment hasn't been updated in 90 days. | Enabled |
| Build/Deploy | ADD Command used instead of COPY | Alerts if ADD command is used in Dockerfile. | Disabled |
| Build/Deploy | Alpine Linux Package Manager (apk) in Image | Alerts if apk is present in images. | Enabled |
| Build/Deploy | Curl in Image | Alerts if curl is present in images. | Disabled |
| Build/Deploy | Docker CIS 4.1: User for the Container Created | Ensures containers run as non-root users. | Enabled |
| Build/Deploy | Docker CIS 4.7: Alert on Update Instruction | Ensures update instructions are not used alone in Dockerfile. | Enabled |
| Build/Deploy | Insecure specified in CMD | Alerts if 'insecure' is used in command. | Enabled |
| Build/Deploy | Latest tag | Alerts if images use the 'latest' tag. | Enabled |
| Build/Deploy | Red Hat Package Manager in Image | Alerts if Red Hat, Fedora, or CentOS package managers are present. | Enabled |
| Build/Deploy | Required Image Label | Alerts if images are missing required labels. | Disabled |
| Build/Deploy | Ubuntu Package Manager Execution | Detects Ubuntu package manager usage. | Enabled |
| Build/Deploy | Ubuntu Package Manager in Image | Alerts if Debian/Ubuntu package managers are present in images. | Enabled |
| Build/Deploy | Wget in Image | Alerts if wget is present in images. | Disabled |
| Deploy | Drop All Capabilities | Alerts if deployments do not drop all capabilities. | Disabled |
| Deploy | Improper Usage of Orchestrator Secrets Volume | Alerts if Dockerfile uses 'VOLUME /run/secrets'. | Enabled |
| Deploy | Kubernetes Dashboard Deployed | Alerts if a Kubernetes dashboard service is detected. | Enabled |
| Deploy | Required Annotation: Email | Alerts if 'email' annotation is missing. | Disabled |
| Deploy | Required Annotation: Owner/Team | Alerts if 'owner' or 'team' annotation is missing. | Disabled |
| Deploy | Required Label: Owner/Team | Alerts if 'owner' or 'team' label is missing. | Disabled |
| Runtime | Alpine Linux Package Manager Execution | Alerts if apk is run at runtime. | Enabled |
| Runtime | chkconfig Execution | Detects chkconfig usage. | Enabled |
| Runtime | Compiler Tool Execution | Alerts if compiler binaries are run at runtime. | Enabled |
| Runtime | Red Hat Package Manager Execution | Alerts if Red Hat, Fedora, or CentOS package managers are run at runtime. | Enabled |
| Runtime | Shell Management | Alerts on shell add/remove commands. | Disabled |
| Runtime | systemctl Execution | Detects systemctl usage. | Enabled |
| Runtime | systemd Execution | Detects systemd usage. | Enabled |
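As an added illustration (not Alauda Container Security code, and not how the product evaluates policies internally), the following Python approximates several Deploy-stage checks from the tables above against a constructed Pod manifest. The policy names are taken from the tables; the matching rules, the Kubernetes defaults assumed for unset fields, and the container runtime socket paths are assumptions.

```python
# Added example, not Alauda Container Security code: an approximation of several
# Deploy-stage default policies from the tables above, evaluated over a Pod spec.
# Policy names come from the tables; the matching rules and defaults are assumed.
HOST_NS = {"hostPID": "Docker CIS 5.15: Host's process namespace not shared",
           "hostIPC": "Docker CIS 5.16: Host's IPC namespace not shared",
           "hostNetwork": "Docker CIS 5.9/5.20: Host's network namespace not shared"}
RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/containerd/containerd.sock",
                   "/var/run/crio/crio.sock"}  # assumed paths for the socket check

def evaluate_pod(pod: dict) -> list[tuple[str, str, str]]:
    """Return (severity, policy name, scope) for each deploy policy the Pod violates."""
    spec, hits = pod.get("spec", {}), []
    for key, name in HOST_NS.items():
        if spec.get(key):
            hits.append(("Medium", name, "pod"))
    if spec.get("automountServiceAccountToken", True):  # unset means mounted
        hits.append(("Medium", "Pod Service Account Token Automatically Mounted", "pod"))
    for v in spec.get("volumes", []):
        if v.get("hostPath", {}).get("path") in RUNTIME_SOCKETS:
            hits.append(("Medium", "Mount Container Runtime Socket", v["name"]))
    for c in spec.get("containers", []):
        n, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            hits.append(("Medium", "Privileged Container", n))
        caps = {x.upper().removeprefix("CAP_") for x in sc.get("capabilities", {}).get("add", [])}
        if "SYS_ADMIN" in caps:
            hits.append(("Medium", "CAP_SYS_ADMIN capability added", n))
        if sc.get("allowPrivilegeEscalation", True):  # unset defaults to allowed
            hits.append(("Medium", "Container with privilege escalation allowed", n))
        if not sc.get("readOnlyRootFilesystem"):
            hits.append(("Medium", "Container using read-write root filesystem", n))
        if any(p.get("containerPort") == 22 for p in c.get("ports", [])):
            hits.append(("High", "Secure Shell (ssh) Port Exposed", n))
        for e in c.get("env", []):
            if "SECRET" in e["name"].upper():  # case-insensitive match on the name
                hits.append(("High", "Environment Variable Contains Secret", n))
            if "secretKeyRef" in e.get("valueFrom", {}):
                hits.append(("High", "Secret Mounted as Environment Variable", n))
    return hits

# Constructed sample: a debugging pod that trips most of the checks above.
SAMPLE_POD = {"spec": {"hostPID": True, "containers": [{
    "name": "debug", "image": "registry.example/tools/debug:1.0",
    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
    "ports": [{"containerPort": 22}],
    "env": [{"name": "DB_SECRET", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}]}],
    "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]}}

for sev, policy, scope in sorted(evaluate_pod(SAMPLE_POD)):
    print(f"{sev:6} {policy} ({scope})")
```

The sample pod produces ten findings (three High, seven Medium); a pod that sets `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `automountServiceAccountToken: false` with no host namespaces, secrets or port 22 produces none.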
## Managing Default Policies
- Default policies provide broad security coverage.
- You can view, clone, and edit cloned default policies in the portal.
- Default policies cannot be deleted or directly modified.
Note: Default policies are not supported with the policies-as-code feature.