Without secure hosts, you cannot run secure containers. In Twistlock 2.4, we extend our host protection to defend hosts against unexpected behavior in both known and new services.
Twistlock will define each service by the capabilities that the service requires. For new services, these capabilities are determined by machine learning the first time the service is run on a host protected by Twistlock. For example, here are the capabilities for dockerd, the underlying daemon for Docker:
Capabilities define the expected system and administrative actions that the service will take.
When a service requests a capability that isn’t in its model, Twistlock will generate an audit:
In this case, an HTTP server executed the useradd command, which is included in the USERS_ADMIN capability. This is out of the model for the http-server service (obviously, I hope).
We can also create rules that prevent this behavior:
With this rule in place, further attempts to exploit http-server are blocked:
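To make the learn-then-enforce flow concrete, here is an added Python sketch of a per-service capability model that learns on first run, audits out-of-model requests, and blocks them once a prevent rule exists. This is illustrative code written for this post, not Twistlock's implementation; the command-to-capability mapping and the service names are constructed assumptions, with only USERS_ADMIN and useradd taken from the example above.

```python
from dataclasses import dataclass, field

# Constructed mapping from executed command names to the capability that
# covers them. Commands not listed get a per-command EXEC capability so
# that an unexpected binary is still visible as a deviation from the model.
COMMAND_CAPABILITY = {
    "useradd": "USERS_ADMIN",   # from the post: user administration
    "usermod": "USERS_ADMIN",
    "iptables": "NET_ADMIN",    # assumed name for this example
    "mount": "MOUNT_ADMIN",     # assumed name for this example
}


def capability_of(command):
    return COMMAND_CAPABILITY.get(command, "EXEC:" + command)


@dataclass
class ServiceModel:
    name: str
    capabilities: set = field(default_factory=set)
    learning: bool = True   # True while the model is still being built
    block: bool = False     # True once a prevent rule covers this service

    def observe(self, command):
        """Record a command in learning mode; otherwise classify it."""
        cap = capability_of(command)
        if self.learning:
            self.capabilities.add(cap)
            return "learned"
        if cap in self.capabilities:
            return "allowed"
        # Out-of-model request: audit only, or block if a rule exists.
        return "blocked" if self.block else "audit"


def learn_model(name, observed_commands):
    """Build a service model from the commands seen on first run."""
    model = ServiceModel(name)
    for cmd in observed_commands:
        model.observe(cmd)
    model.learning = False
    return model


def process_events(model, commands):
    """Return (command, verdict) pairs for a stream of executions."""
    return [(cmd, model.observe(cmd)) for cmd in commands]
```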
Improvements to host protection allow Twistlock to more precisely model the actual activity of background services, resulting in more comprehensive preventive runtime defense while also demonstrating lower false positive rates.