Alauda Security Service
  • English

    • Default Policies in Alauda Security Service

    Alauda Security Service provides built-in system policies to help you prevent high-risk deployments and respond to runtime incidents in Kubernetes environments. These policies cover common vulnerability, configuration, runtime, and supply chain checks and provide the baseline for day-to-day policy management.

    TOC

    OverviewViewing PoliciesPolicy Table StructureCritical Severity PoliciesHigh Severity PoliciesMedium Severity PoliciesLow Severity PoliciesManaging Default Policies

    Overview

    Default policies cover the full container lifecycle: build, deploy, and runtime. You can review them from Platform Configuration > Policy Management, clone them, and then tailor the cloned copies for your own environment. Default policies cannot be deleted or edited in place.

    The exact policy inventory can vary by release, enabled integrations, and imported content. The tables below summarize the default policies commonly present in supported deployments.

    Viewing Policies

    1. Go to Platform Configuration > Policy Management in the portal.
    2. Review the Policies table and use filters, search, or categories to narrow the list.
    3. Use the row actions or policy details page to view policy logic or clone a default policy.

    Policy Table Structure

    • Policy: Policy name
    • Description: What the policy detects or enforces
    • Status: Enabled or Disabled
    • Severity: Critical, High, Medium, or Low
    • Lifecycle: Build, Deploy, or Runtime

    Critical Severity Policies

    Lifecycle StagePolicy NameDescriptionStatus
    Build/DeployApache Struts: CVE-2017-5638Alerts on images with the CVE-2017-5638 Apache Struts vulnerability.Enabled
    Build/DeployLog4Shell: log4j Remote Code ExecutionAlerts on images with CVE-2021-44228 and CVE-2021-45046 vulnerabilities.Enabled
    Build/DeploySpring4Shell & Spring Cloud FunctionAlerts on images with CVE-2022-22965 (Spring MVC) or CVE-2022-22963 (Spring Cloud).Enabled
    RuntimeIptables Executed in Privileged ContainerAlerts when privileged pods run iptables.Enabled

    High Severity Policies

    Lifecycle StagePolicy NameDescriptionStatus
    Build/DeployFixable CVSS >= 7Alerts on fixable vulnerabilities with CVSS ≥ 7.Disabled
    Build/DeployFixable Severity at least ImportantAlerts on fixable vulnerabilities rated Important or higher.Enabled
    Build/DeployRapid Reset: HTTP/2 DoS VulnerabilityAlerts on images susceptible to HTTP/2 Rapid Reset DoS.Disabled
    Build/DeploySecure Shell (ssh) Port Exposed in ImageAlerts when port 22 is exposed in images.Enabled
    DeployEmergency Deployment AnnotationAlerts on deployments using emergency annotations to bypass admission checks.Enabled
    DeployEnvironment Variable Contains SecretAlerts when environment variables contain 'SECRET'.Enabled
    DeployFixable CVSS >= 6 and PrivilegedAlerts on privileged deployments with fixable CVSS ≥ 6 vulnerabilities.Disabled
    DeployPrivileged Containers with Important and Critical Fixable CVEsAlerts on privileged containers with important/critical fixable vulnerabilities.Enabled
    DeploySecret Mounted as Environment VariableAlerts when secrets are mounted as environment variables.Disabled
    DeploySecure Shell (ssh) Port ExposedAlerts when port 22 is exposed in deployments.Enabled
    RuntimeCryptocurrency Mining Process ExecutionDetects crypto-currency mining processes.Enabled
    Runtimeiptables ExecutionDetects iptables usage in containers.Enabled
    RuntimeKubernetes Actions: Exec into PodAlerts on exec commands run in containers via Kubernetes API.Enabled
    RuntimeLinux Group Add ExecutionDetects groupadd/addgroup usage.Enabled
    RuntimeLinux User Add ExecutionDetects useradd/adduser usage.Enabled
    RuntimeLogin BinariesDetects login attempts.Disabled
    RuntimeNetwork Management ExecutionDetects network configuration commands.Enabled
    Runtimenmap ExecutionAlerts on nmap process execution.Enabled
    RuntimeOpenShift: Kubeadmin Secret AccessedAlerts on kubeadmin secret access.Enabled
    RuntimePassword BinariesDetects password change attempts.Disabled
    RuntimeProcess Targeting Cluster Kubelet EndpointDetects misuse of kubelet/heapster endpoints.Enabled
    RuntimeProcess Targeting Cluster Kubernetes Docker Stats EndpointDetects misuse of docker stats endpoint.Enabled
    RuntimeProcess Targeting Kubernetes Service EndpointDetects misuse of Kubernetes Service API endpoint.Enabled
    RuntimeProcess with UID 0Alerts on processes running as UID 0.Disabled
    RuntimeSecure Shell Server (sshd) ExecutionDetects SSH daemon execution in containers.Enabled
    RuntimeSetUID ProcessesDetects setuid binary usage.Disabled
    RuntimeShadow File ModificationDetects shadow file modifications.Disabled
    RuntimeShell Spawned by Java ApplicationDetects shell spawned as a subprocess of Java apps.Enabled
    RuntimeUnauthorized Network FlowAlerts on anomalous network flows.Enabled
    RuntimeUnauthorized Process ExecutionAlerts on unauthorized process execution in locked baselines.Enabled

    Medium Severity Policies

    Lifecycle StagePolicy NameDescriptionStatus
    BuildDocker CIS 4.4: Ensure images are scanned and rebuiltAlerts if images are not scanned and rebuilt with security patches.Disabled
    Deploy30-Day Scan AgeAlerts if a deployment hasn't been scanned in 30 days.Enabled
    DeployCAP_SYS_ADMIN capability addedAlerts if containers escalate with CAP_SYS_ADMIN.Enabled
    DeployContainer using read-write root filesystemAlerts if containers have read-write root filesystems.Disabled
    DeployContainer with privilege escalation allowedAlerts if containers allow privilege escalation.Enabled
    DeployDeployments should have at least one Ingress Network PolicyAlerts if deployments lack an Ingress Network Policy.Disabled
    DeployDeployments with externally exposed endpointsAlerts if deployments have externally exposed services.Disabled
    DeployDocker CIS 5.1: AppArmor profile enabledAlerts if AppArmor is not enabled.Enabled
    DeployDocker CIS 5.15: Host's process namespace not sharedAlerts if host's process namespace is shared.Enabled
    DeployDocker CIS 5.16: Host's IPC namespace not sharedAlerts if host's IPC namespace is shared.Enabled
    DeployDocker CIS 5.19: Mount propagation mode not enabledAlerts if mount propagation mode is enabled.Enabled
    DeployDocker CIS 5.21: Default seccomp profile not disabledAlerts if seccomp profile is disabled.Disabled
    DeployDocker CIS 5.7: Privileged ports mapped within containersAlerts if privileged ports (<1024) are mapped.Enabled
    DeployDocker CIS 5.9/5.20: Host's network namespace not sharedAlerts if host's network namespace is shared.Enabled
    DeployImages with no scansAlerts if images in deployments are not scanned.Disabled
    RuntimeKubernetes Actions: Port Forward to PodAlerts on port forward requests via Kubernetes API.Enabled
    DeployMount Container Runtime SocketAlerts if container runtime socket is mounted.Enabled
    DeployMounting Sensitive Host DirectoriesAlerts if sensitive host directories are mounted.Enabled
    DeployNo resource requests or limits specifiedAlerts if containers lack resource requests/limits.Enabled
    DeployPod Service Account Token Automatically MountedAlerts if default service account token is mounted unnecessarily.Enabled
    DeployPrivileged ContainerAlerts if containers run in privileged mode.Enabled
    Runtimecrontab ExecutionDetects crontab usage.Enabled
    RuntimeNetcat Execution DetectedDetects netcat usage.Enabled
    RuntimeOpenShift: Central Admin Secret AccessedAlerts on access to Central Admin secret.Enabled
    RuntimeOpenShift: Secret Accessed by Impersonated UserAlerts on secret access by impersonated users.Enabled
    RuntimeRemote File Copy Binary ExecutionAlerts on remote file copy tool execution.Enabled

    Low Severity Policies

    Lifecycle StagePolicy NameDescriptionStatus
    Build/Deploy90-Day Image AgeAlerts if a deployment hasn't been updated in 90 days.Enabled
    Build/DeployADD Command used instead of COPYAlerts if ADD command is used in Dockerfile.Disabled
    Build/DeployAlpine Linux Package Manager (apk) in ImageAlerts if apk is present in images.Enabled
    Build/DeployCurl in ImageAlerts if curl is present in images.Disabled
    Build/DeployDocker CIS 4.1: User for the Container CreatedEnsures containers run as non-root users.Enabled
    Build/DeployDocker CIS 4.7: Alert on Update InstructionEnsures update instructions are not used alone in Dockerfile.Enabled
    Build/DeployInsecure specified in CMDAlerts if 'insecure' is used in command.Enabled
    Build/DeployLatest tagAlerts if images use the 'latest' tag.Enabled
    Build/DeployRed Hat Package Manager in ImageAlerts if Red Hat, Fedora, or CentOS package managers are present.Enabled
    Build/DeployRequired Image LabelAlerts if images are missing required labels.Disabled
    Build/DeployUbuntu Package Manager ExecutionDetects Ubuntu package manager usage.Enabled
    Build/DeployUbuntu Package Manager in ImageAlerts if Debian/Ubuntu package managers are present in images.Enabled
    Build/DeployWget in ImageAlerts if wget is present in images.Disabled
    DeployDrop All CapabilitiesAlerts if deployments do not drop all capabilities.Disabled
    DeployImproper Usage of Orchestrator Secrets VolumeAlerts if Dockerfile uses 'VOLUME /run/secrets'.Enabled
    DeployKubernetes Dashboard DeployedAlerts if a Kubernetes dashboard service is detected.Enabled
    DeployRequired Annotation: EmailAlerts if 'email' annotation is missing.Disabled
    DeployRequired Annotation: Owner/TeamAlerts if 'owner' or 'team' annotation is missing.Disabled
    DeployRequired Label: Owner/TeamAlerts if 'owner' or 'team' label is missing.Disabled
    RuntimeAlpine Linux Package Manager ExecutionAlerts if apk is run at runtime.Enabled
    Runtimechkconfig ExecutionDetects chkconfig usage.Enabled
    RuntimeCompiler Tool ExecutionAlerts if compiler binaries are run at runtime.Enabled
    RuntimeRed Hat Package Manager ExecutionAlerts if Red Hat, Fedora, or CentOS package managers are run at runtime.Enabled
    RuntimeShell ManagementAlerts on shell add/remove commands.Disabled
    Runtimesystemctl ExecutionDetects systemctl usage.Enabled
    Runtimesystemd ExecutionDetects systemd usage.Enabled

    Managing Default Policies

    • Default policies provide broad security coverage.
    • You can view, clone, and edit cloned default policies in the portal.
    • Default policies cannot be deleted or directly modified.