Halo Container Secure Features

Container Security Features: All the security controls you need to automate container security, built on a unified cloud security and compliance platform.

Container Registries

Container Registry Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of the server workload hosting your container registry, and the registry application, based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes – and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems. These policy templates allow rapid compliance with a number of standards, while allowing customization for the individual environment. Custom policies can also be created from scratch by the user to target the registry application.

Policies can be stacked so that all the right policies apply to each server workload. For example, a global OS policy can be applied to all Linux workloads, while an additional policy could be added for DTR or jFrog registries. At workload boot time, the Halo microagent runs applicable policy checks and reports findings to the Halo Cloud.

The Halo Cloud analyzes the findings against the policy and provides a report of the results. The report includes the pass/fail results for each policy rule. For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Server Secure can be used for self-hosted registries such as private Docker registries and jFrog, while Cloud Secure can be used for IaaS registry services such as ECR.

Policies Used

  • CIS Benchmark for Amazon Linux
  • CIS Benchmark for CentOS
  • CIS Benchmark for Debian
  • CIS Benchmark for Windows Server 2008 R2 through 2019
  • CIS Benchmark for Oracle Linux
  • CIS Benchmark for Red Hat Enterprise Linux
  • CIS Benchmark for Ubuntu
  • CloudPassage AWS ECR Best Practices
  • Custom policies to evaluate the configuration of self-hosted registry software

Container Registry Software Vulnerability Assessment

Key use cases

Obtain a software vulnerability assessment of the server workload hosting your container registry, and the registry application, that is based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Prioritize the most critical issues for remediation.

Find any workloads with a specific software/version installed, those having a specific CVE, or missing a specific Windows KB (patch).

Continuously monitor and assess for software vulnerabilities over the lifetime of the server workload.

How it works

At workload boot time, the Halo microagent inventories the operating system to discover its installed applications and provides this data to the Halo Cloud. In turn, the Halo Cloud evaluates the reported operating system and applications for CVEs according to the NVD, and provides a report of the results.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE.

For each software package with one or more CVEs, Halo logs an event, alerts the right user, and creates an issue to track the problem until it is remediated. Exceptions can be created for those CVEs that the user cannot fix.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo detects added and removed software, reassesses for applicable CVEs, and updates existing issues with the latest findings; if existing CVEs have been remediated, their corresponding issues are marked as resolved.

Related Features

Requires Server Secure.

Policies Used

No policies required.

Container Registry Integrity Monitoring

Key use cases

Confirm the integrity of the server workload hosting your container registry, the registry itself, and new workloads against their source image, and detect unauthorized changes made to workload applications by checking for changes to important files and registry keys.

How it works

Policy templates are provided for Windows and Linux applications that specify critical files and registry keys to monitor in order to detect unauthorized changes. These policy templates allow you to quickly configure integrity monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user. For each policy, baselines can be created based on the source image. As workloads are deployed, the Halo microagent creates SHA-256 cryptographic hashes of the files and registry keys specified by the policy, in addition to permissions for each object, and sends the information to Halo. These are compared to baselines and a report is provided with the results.

The report includes the pass/fail results for each object in the scan. Files whose permissions or data have been modified, or that have been added or removed as compared to the baseline, generate failed findings. For each failed finding, Halo optionally alerts the right user and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • Core Registry Keys (Windows Server 2008 R2 through 2019)
  • Core System Files (Amazon Linux)
  • Core System Files (CentOS)
  • Core System Files (Debian)
  • Core System Files (Oracle Linux)
  • Core System Files (Red Hat)
  • Core System Files (Ubuntu)
  • Linux Privilege Escalation Detection
  • Custom policies to monitor the integrity of the registry and artifacts

Container Registry Event Monitoring

Key use cases

Automatically monitor and collect significant security-related events from server workloads hosting your container registry, and the registry itself, that could indicate misuse, misconfiguration, or compromise.

Detect unwanted behavior such as modification of application-level objects, changes to audit policies, errors, and cross-site scripting (XSS) attacks.

Integrate event monitoring with your Security Information and Event Management (SIEM) tools for long-term storage and correlation with events from other devices.

Comply with PCI and other regulations and standards which require continuous monitoring of system logs.

How it works

Policies can be created for applications that specify log files and events to collect in order to detect and alert on unwanted activity. These policies allow you to quickly configure server event monitoring for compliance and intrusion detection initiatives.

When the workload is active, the Halo microagent scans the specified logs for events matching the policy every 5 minutes. Events matching the policy are collected and sent to the Halo Cloud where they are enriched with other information collected about the server including facts and IaaS metadata.

The Halo Portal optionally alerts the user and creates an issue indicating that the event should be investigated. Users can view and obtain a history of significant server events using the Event viewer in the Portal, or through the REST API.

Related Features

Not applicable.

Policies Used

  • Core System (Amazon Linux)
  • Core System (CentOS)
  • Core System (Debian)
  • Core System (Red Hat)
  • Core System (Ubuntu)
  • Core System (Windows Server 2008 R2 through 2019)
  • Auditd – Integrity policy
  • Auditd – Abnormal behavior policy
  • Auditd – Access policy
  • Auditd – Configuration policy
  • Auditd – Cryptographic policy
  • Auditd – Daemon policy
  • Auditd – Storage policy
  • Auditd – System policy
  • Auditd – Malicious Activity policy
  • Custom policies to monitor events from the registry software

Container Registry Inventory

Key use cases

Gain visibility into container image repositories, tags, and images in your registries.

Continuously monitor your registries for new repositories and images to maintain a complete inventory.

Understand the inventory of container images across the environment. View inventory by repository, registry, images in use by live containers, and query to find images by tag, base operating system, and other attributes.

Combine with runtime container inspection to identify those images which are actually in use.

How it works

The Halo registry connector connects to your container registries to discover and inventory repositories, tags, and images and provides this information to the Halo Cloud.

The Halo Portal provides a report of the repositories for each registry, repository tags, and how many container images are included in each repository. Users can specify repositories to proactively monitor images within those repositories.

When the Halo microagent is configured for Docker inspection, running containers are correlated to their source image so that users can understand which images are in use and whether any vulnerable images are in use by running containers.

Related Features

Not applicable.

Policies Used

No policies required.

Container Software

Container Software Inventory

Key use cases

Obtain a software vulnerability assessment for each container that is based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Identify vulnerable containers and prioritize containers with the most critical issues for remediation.

View software package inventories for any container.

How it works

For each container, a software inventory and vulnerability assessment is performed by locating the source image in the Halo container image inventory and correlating the information about the container with its source image; a report of the results is then provided.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE.

Related Features

Correlating containers to their source image requires use of the Container registry inventory feature.

Policies Used

No policies required.

Container Software Vulnerability Assessment

Key use cases

Obtain a software vulnerability assessment for each container that is based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Identify vulnerable containers and prioritize containers with the most critical issues for remediation.

View software package inventories for any container.

How it works

For each container, a software vulnerability assessment is performed by locating the source image in the Halo container image inventory and correlating the information about the container with its source image; a report of the results is then provided.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE.

Related Features

Not applicable.

Policies Used

Correlating containers to their source image requires use of the Container registry inventory feature.

Container Hosts

Container Host Inventory

Key use cases

Gain visibility into container hosts such as Docker servers and Kubernetes nodes residing in IaaS and other data center environments, consolidated in a single view.

Maintain an up-to-date inventory as servers are deployed and decommissioned.

Query the inventory to report on servers by 40+ data attributes such as operating system, operating system version, IaaS account, availability zone, region, and tags, no matter where they are hosted. These 40+ data attributes can be combined into inventory views that can be saved for repeated use. Includes server metadata and user-defined tags for AWS, Azure, GCP, and OpenStack.

See summarizations of servers and server components (architecture, kernel, operating system distribution, installed packages, running processes, local user accounts and privileges, network services, network traffic patterns, local firewall policies, IaaS platform metadata, user-defined IaaS tags, and more) across cloud and data center environments.

How it works

The Halo microagent is deployed on each container host, either as software or containerized.

The Halo microagent continuously monitors the container host and its internal components. Facts about the container host’s operating system and operating system version, kernel version, architecture, configured interfaces, IP addresses, and cloud provider metadata are collected hourly and transmitted to the Halo Cloud.

Related Features

Requires Cloud Secure to query by tags and to identify server workloads deployed without a Halo microagent.

Policies Used

No policies required.

Container Host Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of container hosts such as Docker servers and Kubernetes nodes based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice. Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

Secure the Docker and Kubernetes master and worker node files to prevent tampering and compromise.

How it works

Policy templates are provided for different versions of Linux operating systems and for container orchestration tools such as Docker and Kubernetes. These policy templates allow rapid compliance with a number of standards while allowing customization for the individual environment.

Custom policies can also be created from scratch by the user.

Policies can be stacked so that all the right policies apply to each server workload. For example, a global OS policy can be applied to all Linux workloads, while an additional policy could be added for servers in the PCI cardholder data environment.

Deployed to the container host as either software or a container, the Halo microagent runs applicable policy checks and reports findings to the Halo Cloud. The Halo Cloud analyzes the findings against the policy and provides a report of the results.

The report includes the pass/fail results for each policy rule. For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CIS Benchmark for Amazon Linux
  • CIS Benchmark for CentOS
  • CIS Benchmark for Debian
  • CIS Benchmark for Red Hat Enterprise Linux
  • CIS Benchmark for Ubuntu
  • CIS Benchmark for CoreOS
  • CIS Benchmark for Docker
  • CIS Benchmark for Kubernetes

Container Host Software Inventory

Key use cases

Obtain a software vulnerability assessment of Docker servers and Kubernetes nodes that is based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Prioritize the most critical issues for remediation.

View software package inventories across all servers or for a single server.

Find any workloads with a specific software/version installed, those having a specific CVE, or missing a specific Windows KB (patch).

Continuously monitor and assess for software vulnerabilities over the lifetime of the server workload.

How it works

Deployed to the container host as either software or a container, the Halo microagent inventories the operating system and its installed applications, and provides this data to the Halo Cloud.

In turn, the Halo Cloud evaluates the reported operating system and applications for CVEs according to the NVD and provides a report of the results.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE. For each software package with one or more CVEs, Halo logs an event, alerts the right user, and creates an issue to track the problem until it is remediated.

Exceptions can be created for those CVEs that the user cannot fix.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo detects added and removed software, reassesses for applicable CVEs, and updates existing issues with the latest findings; if existing CVEs have been remediated, their corresponding issues are marked as resolved.

Related Features

Not applicable.

Policies Used

No policies required.

Container Host Software Vulnerability Assessment

Key use cases

Obtain a software vulnerability assessment of Docker servers and Kubernetes nodes that is based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Prioritize the most critical issues for remediation.

View software package inventories across all servers or for a single server. Find any workloads with a specific software/version installed, those having a specific CVE, or missing a specific Windows KB (patch).

Continuously monitor and assess for software vulnerabilities over the lifetime of the server workload.

How it works

Deployed to the container host as either software or a container, the Halo microagent inventories the operating system and its installed applications, and provides this data to the Halo Cloud.

In turn, the Halo Cloud evaluates the reported operating system and applications for CVEs according to the NVD, and provides a report of the results.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE. For each software package with one or more CVEs, Halo logs an event, alerts the right user, and creates an issue to track the problem until it is remediated.

Exceptions can be created for those CVEs that the user cannot fix.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo detects added and removed software, reassesses for applicable CVEs, and updates existing issues with the latest findings; if existing CVEs have been remediated, their corresponding issues are marked as resolved.

Related Features

Not applicable.

Policies Used

No policies required.

Container Host File Integrity Monitoring

Key use cases

Confirm the integrity of Docker servers and Kubernetes nodes against their source image, and detect unauthorized changes made to a running workload by checking for changes to important system files and registry keys.

How it works

Policy templates are provided for different versions of Linux operating systems and for container orchestration tools such as Docker and Kubernetes that specify critical system files to monitor in order to detect unauthorized changes. These policy templates allow you to quickly configure integrity monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

For each policy, baselines can be created based on the source image. As workloads are deployed, the Halo microagent creates SHA-256 cryptographic hashes of the files and registry keys specified by the policy, in addition to permissions for each object, and sends the information to the Halo Cloud. These are compared to baselines and a report is provided with the results.

The report includes the pass/fail results for each object in the scan. Files that have had permissions or data modified, have been added, or have been removed as compared to the baseline will generate failed findings.
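A minimal version of the baseline-and-compare check described here and in the Container Registry Integrity Monitoring section above, as an added Python example that is not CloudPassage's or Halo's own code: it records a SHA-256 digest and the permission bits of each object named by a policy, then classifies added, removed, data-modified and permissions-modified files. The policy file names and their contents are constructed for the demonstration and are written to a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ObjectState:
    sha256: str   # hex digest of the file contents
    mode: int     # permission bits only (stat.S_IMODE); ownership omitted for brevity


def file_state(path: str) -> ObjectState:
    """Hash the file in chunks (large binaries stay cheap) and record its permission bits."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return ObjectState(digest.hexdigest(), stat.S_IMODE(os.stat(path).st_mode))


def scan(policy_paths: List[str]) -> Dict[str, ObjectState]:
    """Collect the state of every policy object that exists on disk right now."""
    return {p: file_state(p) for p in policy_paths if os.path.isfile(p)}


def compare(baseline: Dict[str, ObjectState],
            current: Dict[str, ObjectState]) -> List[Tuple[str, str]]:
    """Failed findings as (path, reason). A file whose data and mode both changed is
    reported once, as a data change, because the content hash is the stronger signal."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed"))
        elif path not in baseline:
            findings.append((path, "added"))
        elif baseline[path].sha256 != current[path].sha256:
            findings.append((path, "data modified"))
        elif baseline[path].mode != current[path].mode:
            findings.append((path, "permissions modified"))
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: baseline four policy objects in a temp dir, then introduce drift."""
    with tempfile.TemporaryDirectory() as root:
        names = ["passwd", "sshd_config", "sudoers", "cron.allow", "rc.local"]
        policy = [os.path.join(root, n) for n in names]
        for path in policy[:4]:            # rc.local is absent when the baseline is taken
            with open(path, "w") as fh:
                fh.write(f"# constructed content of {os.path.basename(path)}\n")
            os.chmod(path, 0o644)
        baseline = scan(policy)
        with open(policy[0], "a") as fh:   # content drift
            fh.write("# line appended after the baseline\n")
        os.chmod(policy[1], 0o666)         # permission drift: config became world-writable
        os.remove(policy[2])               # protected object deleted
        with open(policy[4], "w") as fh:   # object that was never baselined
            fh.write("# created after the baseline\n")
        findings = compare(baseline, scan(policy))
    return {os.path.basename(p): reason for p, reason in findings}
```

`demo()` returns one reason per drifted object; the unchanged `cron.allow` produces no finding, which is the "pass" case that lets an open issue be marked resolved on a later scan.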

For each failed finding, Halo optionally alerts the right user and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • Core System Files (Amazon Linux)
  • Core System Files (CentOS)
  • Core System Files (Red Hat)
  • Core System Files (Ubuntu)
  • Kubernetes Master and Worker Node

Container Host Event Monitoring

Key use cases

Automatically monitor and collect significant security-related events from container hosts such as Docker servers and Kubernetes nodes that could indicate misuse, misconfiguration, or compromise.

Detect unwanted behavior such as attempted logins to immutable systems, logins as specific users such as “root” or “administrator,” privileged changes, addition/deletion/modification of user accounts, changes to audit policies, and installation/uninstallation of software.

Collect and alert on events related to the Kubernetes API server.

Integrate event monitoring with your Security Information and Event Management (SIEM) tools for long-term storage and correlation with events from other devices.

Comply with PCI and other regulations and standards which require continuous monitoring of system logs.

How it works

Policy templates are provided for different versions of Linux operating systems and for container orchestration tools such as Docker and Kubernetes that specify log files and events to collect in order to detect and alert on unwanted activity. These policies allow you to quickly configure server event monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

Deployed to the container host as either software or a container, the Halo microagent scans the specified logs for events matching the policy every 5 minutes. Events matching the policy are collected and sent to the Halo Cloud where they are enriched with other information collected about the server including facts and IaaS metadata.
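The collection loop described here and in the Container Registry Event Monitoring section above, as an added Python example that is not Halo's own code: a constructed policy of three rules (root logins, user account additions, audit policy changes) is applied to the new lines of a constructed auth.log on each interval, and every hit is enriched with hypothetical host facts and IaaS metadata. The reader remembers how far it got, and holds back a line that is still being written so it is matched whole on the next interval rather than split.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    severity: str


# Constructed policy covering three of the use cases listed above; patterns are illustrative.
POLICY = [
    Rule("root-login", re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (?P<src>\S+)"), "critical"),
    Rule("user-account-added", re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)"), "high"),
    Rule("audit-policy-change", re.compile(r"COMMAND=\S*/auditctl\b"), "critical"),
]

SYSLOG_HOST = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) ")


@dataclass
class Event:
    rule: str
    severity: str
    host: str
    fields: Dict[str, str]      # values captured by the rule's named groups
    metadata: Dict[str, str]    # host facts / IaaS metadata joined at collection time
    line: str


class IncrementalReader:
    """Tracks the byte offset reached on the previous interval and returns only complete new lines."""

    def __init__(self, path: str) -> None:
        self.path, self.offset = path, 0

    def new_lines(self) -> List[str]:
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        end = data.rfind(b"\n")
        if end < 0:                      # nothing complete yet; keep the partial line for next time
            return []
        self.offset += end + 1
        return data[:end].decode("utf-8", "replace").splitlines()


def match_lines(lines: List[str], policy: List[Rule],
                facts: Dict[str, Dict[str, str]]) -> List[Event]:
    """Apply every policy rule to every line; enrich each hit with the host's facts."""
    events = []
    for line in lines:
        m = SYSLOG_HOST.match(line)
        host = m.group("host") if m else "unknown"
        for rule in policy:
            hit = rule.pattern.search(line)
            if hit:
                events.append(Event(rule.name, rule.severity, host, hit.groupdict(),
                                    facts.get(host, {}), line))
    return events


def demo() -> List[List[Event]]:
    """Three collection intervals over a constructed auth.log written to a temp dir."""
    facts = {"node-1": {"iaas": "aws", "region": "us-east-1", "instance": "i-EXAMPLE (constructed)"}}
    interval_1 = [
        "Mar  3 10:02:11 node-1 sshd[2211]: Accepted password for root from 10.0.0.5 port 51022 ssh2",
        "Mar  3 10:03:05 node-1 sshd[2260]: Accepted publickey for deploy from 10.0.0.9 port 51030 ssh2",
        "Mar  3 10:03:30 node-1 auditd[412]: Audit daemon rotating log files",
    ]
    interval_2 = [
        "Mar  3 10:06:40 node-1 useradd[2250]: new user: name=svc-deploy, UID=1005, GID=1005, home=/home/svc-deploy, shell=/bin/bash",
        "Mar  3 10:07:00 node-1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/auditctl -D",
    ]
    partial = "Mar  3 10:11:58 node-1 sshd[2300]: Accepted password for root"   # still being written
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "w") as fh:
            fh.write("\n".join(interval_1) + "\n")
        reader = IncrementalReader(path)
        results.append(match_lines(reader.new_lines(), POLICY, facts))
        with open(path, "a") as fh:
            fh.write("\n".join(interval_2) + "\n" + partial)
        results.append(match_lines(reader.new_lines(), POLICY, facts))
        with open(path, "a") as fh:
            fh.write(" from 10.0.0.7 port 51044 ssh2\n")
        results.append(match_lines(reader.new_lines(), POLICY, facts))
    return results
```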

The Halo Portal optionally alerts the user and creates an issue indicating that the event should be investigated. Users can view and obtain a history of significant server events using the Event viewer in the Portal, or through the REST API.

Related Features

Not applicable.

Policies Used

  • Core System (Amazon Linux)
  • Core System (CentOS)
  • Core System (Red Hat)
  • Core System (Ubuntu)
  • Kubernetes kube-apiserver audit log policy

Container Host Traffic Inventory

Key use cases

Obtain an inventory of network traffic to and from container hosts such as Docker servers and Kubernetes nodes.

Obtain an inventory of network traffic for a group of workloads that are part of the same application.

How it works

Deployed to the container host as either software or a container, the Halo microagent begins to periodically sample the network traffic to and from the container host and keeps a history of all TCP and UDP traffic flows observed for 30 days.

The Halo Portal provides a report of the traffic observed, including the responsible user, process, local and destination ports, local and destination IP addresses, and IP address geolocations.

Users can query this information across the environment to find server workloads using unauthorized ports or communicating with unauthorized IP addresses.

Subsequent scans occur periodically every 15 minutes.

Related Features

Not applicable.

Policies Used

No policies required.

Container Host Traffic Visualization

Key use cases

Obtain an inventory of network traffic to and from container hosts such as Docker servers and Kubernetes nodes.

Visualize the inventory of network traffic for a group of workloads that are part of the same application.

Identify anomalous traffic per workload or across a group of workloads.

How it works

Deployed to the container host as either software or a container, the Halo microagent begins to periodically sample the network traffic to and from the container host and keeps a history of all TCP and UDP traffic flows observed for 30 days.

The Halo Portal provides a report of the traffic observed, including the responsible user, process, local and destination ports, local and destination IP addresses, and IP address geolocations. This information can be visualized in a graph to see common or anomalous patterns either per-workload or across a group of workloads.

Users can query this information across the environment to find server workloads using unauthorized ports or communicating with unauthorized IP addresses.

Subsequent scans occur periodically every 15 minutes.

Related Features

Not applicable.

Policies Used

No policies required.

Images and Inventory

Automated Container Inventory

Key use cases

Gain visibility into Linux container workloads residing in IaaS and other data center environments, consolidated in a single view.

Maintain an up-to-date inventory as containers are deployed and decommissioned.

Query the inventory to report on containers by data attributes such as tags, source image, and container host.

Find containers launched as privileged or writable.

Use the container inventory to determine which container images are actually in use, whether containers are based on the current repository image, and whether they are “rogue”, meaning they came from an unknown image.

See summarizations of containers across the environment and drill down for details.

See details and history of any container including software, processes, ports, and Docker inspect.

How it works

The Halo microagent is deployed on each container host, either as software or containerized.

With container inspection enabled, the Halo microagent continuously monitors the container runtime (Docker) for container events and transmits this information to the Halo Cloud where it is correlated with information about the container based on its source registry and image.

Related Features

Correlating containers to their source image requires use of the Container registry inventory feature.

Policies Used

No policies required.

Container Image Software Inventory

Key use cases

Obtain a software vulnerability assessment for each container image that is based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Prioritize the most critical issues for remediation.

View software package inventories for a single image or across all images, and search for specific packages across all images.

How it works

For each container image discovered by the Halo registry connector, a software vulnerability assessment is performed. The image is instantiated on the registry connector machine with a Halo microagent inserted; the microagent inventories the image and any software packages, and provides this data to the Halo Cloud.

In turn, the Halo Cloud evaluates the reported packages for CVEs according to the NVD and provides a report of the results. The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE.

For each software package with one or more CVEs, Halo logs an event, alerts the right user, and creates an issue to track the problem until it is remediated.

Related Features

Not applicable.

Policies Used

No policies required.