ESET Server Security for Linux – Table of Contents

Container security

Linux servers are often a base for running Docker containers and Docker orchestration tools. The container security feature is part of the real-time file system protection in ESET Server Security for Linux.

ESET Server Security for Linux can detect threats or suspicious activity in a container and block them but cannot eliminate them; meaning, a suspicious script will be blocked from execution but will not be deleted. You can delete it manually.

Real-time file system protection

ESET's real-time file system protection can scan the container in the following phases:

process of building the container image

deploying the container image on a machine protected by ESSL

The activity inside the container is also scanned in real-time for suspicious behavior.

Web access protection

Web access protection is supported only for containers on the host network. Containers on any other network type remain unprotected. All HTTP traffic is scanned automatically when a container is on the host network. To enable scanning of HTTPS traffic, import the ESET-SSL-Filter-CA.pem certificate into the container.

The certificate is located in:

alternatively

On-demand scans

An on-demand scan can clean the infection if the infected file is located at a public mount point and not hidden in a private namespace.

Kubernetes

In Kubernetes with containerd, the deployment of the infected container is detected, and the deployment fails.

Example of file detection in logs:

The pod cannot start and logs the pull error:

In Kubernetes with CRI-O the deployment of the infected container is only detected but not cleaned and a container is started.

Important

When network isolation is active:

Communication between containers on the bridge network is blocked.

Communication from overlay network containers to the host is blocked.

Web access protection does not scan container communication.

At ESET, we tested:

Docker CE

Kubernetes with containerd

Kubernetes with CRI-O