ZeroLock® Self-Protecting Agent Container

Overview of ZeroLock Self-Protecting Agent Container

    Introduction

    The ZeroLock Self-Protecting Agent Container (SPAC) image is the base image for building a secure, hardened application container with built-in self-protection features. The SPAC image is built on top of the Iron Bank Red Hat base image for robust security and supports Docker, Kubernetes, and OpenShift environments.

    The ZeroLock Agent (ZA) software is the core of a Linux container protection solution that guards against ransomware, cryptojacking, and data loss. It runs as a separate side process alongside the application and handles events autonomously and non-interactively in the background.

    Basic Configuration


    Prerequisites

    To use the container, you must have the following:

    • A license, available from ValiCyber Support.
    • A Linux host OS running kernel version 3.5 or later.

    Environment Variables (-e)

    Parameter                      | Value  | Description
    -------------------------------|--------|--------------------------------------------------------------------
    ZEROLOCK_CONTAINER_LICENSE_KEY | string | The license key for the ZeroLock Self-Protecting Container Software


    Container Capabilities

    ZeroLock Self-Protecting Agent Container Software requires the sys_ptrace and net_admin capabilities to monitor application processes and perform network-related operations. For example, pass --cap-add=SYS_PTRACE and --cap-add=NET_ADMIN (or --privileged) to the Docker CLI so that the container has the required permissions.


    Container User

    ZeroLock Self-Protecting Agent Container software must be run as the root user.


    Configuration Parameters

    Configuration Parameter     | Default Value                         | Description | Notes
    ----------------------------|---------------------------------------|-------------|------
    SSHMultifactorEnabled       | true                                  | Whether to enable multi-factor authentication for SSH connections | Check the zerolock log for SSH alerts
    baldurLogSize               | 524288000                             | Maximum allowed size of the ZeroLock log, stored at /opt/zerolock/zerolock-baldur/log/zerolock_log | Log rotation is built into ZeroLock logging and divides the log into five equal-size files
    blockRuleAutoQuarantine     | false                                 | Whether to isolate the container/host from the network when a blocked-rule threat is detected |
    blockRuleModeOps            | alert, kill                           | Actions taken when a blocked-rule threat is found | Check the zerolock log for threat alerts
    cacheLocation               | /opt/zerolock/zerolock-baldur/backup/ | Location of the cache that stores backup copies of files, used to remediate file system changes made by a threat |
    cacheSize                   | 1048576000                            | Maximum allowed size of the cache stored at cacheLocation |
    cjd_enabled                 | true                                  | Whether to enable cryptojacking detection |
    cjd_interval                | 2000                                  | Interval in milliseconds between evaluations for cryptojacking threats |
    cryptojackingAutoQuarantine | false                                 | Whether to isolate the container/host from the network when a cryptojacking threat is detected |
    cryptojackingModeOps        | alert, doNothing                      | Actions taken when a cryptojacking threat is found | Check the zerolock log for threat alerts
    detectRansomware            | true                                  | Whether to enable ransomware detection |
    detectTampering             | true                                  | Whether to enable tampering detection |
    enableProgramFilter         | true                                  | Only allow executables that existed at container startup to run |
    isQuarantined               | false                                 | Whether the container/host is currently isolated from the network |
    network_interval            | 60000                                 | Interval in milliseconds between evaluations of network processes |
    ransomwareAutoQuarantine    | false                                 | Whether to isolate the container/host from the network when a ransomware threat is detected |
    ransomwareModeOps           | alert, doNothing                      | Actions taken when a ransomware threat is found | Check the zerolock log for threat alerts
    scanningEnabled             | true                                  | Whether to enable scanning of new processes |
    tamperingAutoQuarantine     | false                                 | Whether to isolate the container/host from the network when a tampering threat is detected |
    tamperingModeOps            | alert, kill                           | Actions taken when a tampering threat is found |


    Configuring ZeroLock Agent: Modifying Parameters to Meet Your Security Needs

    The zerolock-query set command configures the behavior of the ZeroLock Agent parameters described above. To change the configuration at runtime, run zerolock-query from within the ZeroLock container as the root user, typically by using docker exec to execute zerolock-query inside the container.

    Use the following commands to manually change the action on the threat process:

    zerolock-query set tamperingModeOps alert,kill

    zerolock-query set blockRuleModeOps alert,suspend

    zerolock-query set ransomwareModeOps alert,remediate

    Action    | Description
    ----------|---------------------------------------------------------------------------------------------------------
    kill      | Kills the threat process tree immediately, terminating the process and any child processes.
    suspend   | Suspends the process tree but does not terminate the process. This action can be useful for further analysis or investigation.
    remediate | Kills the threat process tree and restores the file system changes made by the process.

    To view the current value of a configuration parameter, use the zerolock-query get command. For example, the following command shows the actions currently configured for ransomware threats:

    zerolock-query get ransomwareModeOps
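    As an added example (not part of the ValiCyber documentation or tooling), the following POSIX shell helper ties the capability and license-key requirements above to the zerolock-query set/get procedure: it grants only SYS_PTRACE and NET_ADMIN instead of --privileged, refuses to start without the license key, and validates *ModeOps values against the documented actions before applying them. The image name, container name and the ZL_* variables are assumptions.

```shell
#!/bin/sh
# Added example (not ValiCyber's tooling): wrap the run/configure procedure from this page.
# Assumptions: docker CLI on the host; image tag and container name below are placeholders.
ZL_IMAGE="${ZL_IMAGE:-registry.example.invalid/zerolock-spac:latest}"  # placeholder image
ZL_NAME="${ZL_NAME:-zerolock-spac}"
ZL_DOCKER="${ZL_DOCKER:-docker}"   # set to 'echo' for a dry run
# Actions the page documents for the *ModeOps parameters.
ZL_ALLOWED_ACTIONS="alert,kill,suspend,remediate,doNothing"

# validate_modeops VALUE: succeed only if VALUE is a non-empty, comma-separated
# list of known actions (rejects typos such as "alert,kil" before they reach the agent).
validate_modeops() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=,
    for action in $1; do
        case ",$ZL_ALLOWED_ACTIONS," in
            *",$action,"*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# zerolock_run_cmd: print a docker run line that grants only the two capabilities the
# agent needs (SYS_PTRACE, NET_ADMIN) instead of --privileged, runs as root as required,
# and passes the license key through from the (exported) environment so that it never
# appears on the command line or in shell history.
zerolock_run_cmd() {
    [ -n "${ZEROLOCK_CONTAINER_LICENSE_KEY:-}" ] ||
        { echo "ZEROLOCK_CONTAINER_LICENSE_KEY is not set" >&2; return 1; }
    printf 'docker run -d --name %s --user root --cap-add=SYS_PTRACE --cap-add=NET_ADMIN' \
        "$ZL_NAME"
    printf ' -e ZEROLOCK_CONTAINER_LICENSE_KEY %s\n' "$ZL_IMAGE"
}

# zerolock_set PARAM VALUE: validate *ModeOps values, apply them with zerolock-query set
# inside the running container (as root, via docker exec), then read the value back.
zerolock_set() {
    case "$1" in
        *ModeOps) validate_modeops "$2" ||
            { echo "rejected $1=$2: unknown action" >&2; return 1; } ;;
    esac
    "$ZL_DOCKER" exec --user root "$ZL_NAME" zerolock-query set "$1" "$2" &&
        "$ZL_DOCKER" exec --user root "$ZL_NAME" zerolock-query get "$1"
}
```

    Export the license key, run the command printed by zerolock_run_cmd (for example with eval), then call zerolock_set ransomwareModeOps alert,remediate; setting ZL_DOCKER=echo turns the docker calls into a dry run.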

     


    Manual Threat Response in ZeroLock: Using zerolock-query to Respond to Detected Threats

    Run the zerolock-query detect_threats command from within the ZeroLock container as the root user, typically by using docker exec to execute zerolock-query inside the container.

    Use the following command to kill, suspend, or remediate threats collectively:

    zerolock-query detect_threats [-undo|-kill|-stop]

    To view the available commands and options for the zerolock-query command, you can use the -h option. For example, you can run the following command to view the help information:

    zerolock-query -h

    It is important to note that modifying the configuration parameters of ZeroLock should be done with care, as incorrect or inappropriate changes can potentially compromise the security of the system. It is recommended you consult the ZeroLock documentation and seek expert advice before making any changes to the default configuration.