Prisma Cloud Compute: Runtime for File System Prevent is not working

Created On 11/18/19 18:37 PM - Last Modified 04/21/22 19:37 PM


Symptom


With effect set to Prevent in your runtime rule, Twistlock actively defends a container's file system. There is a scenario in which the runtime file system protection will not prevent writes; the information below describes it.

Error messages
  • You are able to write a new file to a directory outside the active model.
  • You do not receive an audit/incident for this write.


Environment


  • SaaS
  • Self-Hosted 19.11 or later


Cause


Steps to confirm the issue
  1. On a host where a Defender is deployed, get a shell in a running container. For this example, assume a container named alpine is already running:
       $ docker exec -it alpine sh
  2. Navigate to a folder not in the runtime model and run a simulated file system attack. When Prevent is working, the write is blocked:
       # echo "an attack" >> attack.sh
       sh: can't create attack.sh: Operation not permitted
  3. Review the audit in Monitor > Events > Container Audits.
     [Screenshot: runtime defense prevent alert]


Resolution


  • The runtime model must be Active for the running container.
  • You must be using a supported storage driver. Prevent is supported for the overlay2 and devicemapper storage drivers. It is not supported for aufs. If you aren’t using overlay2 or devicemapper, set effect to Alert or Block.
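The storage driver check above can be scripted on each Defender host. The following is an added example, not part of this article or of the Prisma Cloud Compute product: it classifies a Docker storage driver name against the supported set stated in this Resolution (overlay2 and devicemapper supported, aufs not), recommends the rule effect accordingly, and, when invoked with the argument `host`, reads the live driver with `docker info --format '{{.Driver}}'`. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Palo Alto article): decide whether runtime
# file system Prevent is usable on this host, based on the Docker storage driver.
# Supported set per the article's Resolution: overlay2 and devicemapper.
# Any other driver (e.g. aufs) is treated as unsupported.

# prevent_supported DRIVER
#   prints "supported" or "unsupported"; exit status 0 if supported, 1 otherwise
prevent_supported() {
    case "$1" in
        overlay2|devicemapper)
            echo "supported"
            return 0
            ;;
        *)
            echo "unsupported"
            return 1
            ;;
    esac
}

# recommend_effect DRIVER
#   prints the runtime rule effect the article recommends for this driver
recommend_effect() {
    if prevent_supported "$1" >/dev/null; then
        echo "Prevent"
    else
        echo "Alert or Block"
    fi
}

# check_host
#   queries the local Docker daemon (if the CLI is present) and reports the result;
#   exit status 2 means the check could not be performed
check_host() {
    if ! command -v docker >/dev/null 2>&1; then
        echo "docker CLI not found; skipping host check" >&2
        return 2
    fi
    driver=$(docker info --format '{{.Driver}}' 2>/dev/null)
    if [ -z "$driver" ]; then
        echo "cannot reach the Docker daemon; skipping host check" >&2
        return 2
    fi
    echo "storage driver: $driver -> Prevent $(prevent_supported "$driver"); set effect to: $(recommend_effect "$driver")"
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "host" ]; then
    check_host
fi
```

Run it as `sh check_prevent.sh host` on the Defender host; a result of "unsupported" means the Prevent effect in the runtime rule will silently not block writes, and the rule should use Alert or Block instead.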

