aquasec.ContainerRuntimePolicy
Example Usage
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.ContainerRuntimePolicy;
import com.pulumi.aquasec.ContainerRuntimePolicyArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyMalwareScanOptionsArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyScopeVariableArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
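/**
 * Example Pulumi program that declares one Aqua container runtime policy.
 *
 * NOTE(review): several setters used here do not appear in the constructor
 * reference further down this page. That reference lists allowedExecutables /
 * allowedRegistries as nested argument objects (not bare strings) and uses
 * blockDisallowedImages, onlyRegisteredImages, driftPreventions,
 * enableIpReputation, enablePortScanProtection, readonlyFiles, reverseShell
 * and monitoredFiles* where this example uses blockNonCompliantImages,
 * blockUnregisteredImages, enableDriftPrevention, enableIpReputationSecurity,
 * enablePortScanDetection, readonlyFilesAndDirectories /
 * exceptionalReadonlyFilesAndDirectories, blockReverseShell /
 * reverseShellAllowed* and the fileIntegrityMonitoring field names below.
 * Verify every setter against the installed provider version before use.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the runtime policy. All list values are illustrative
     * placeholders and must be replaced with real paths, registries, ports
     * and process names for the target environment.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        var containerRuntimePolicy = new ContainerRuntimePolicy("containerRuntimePolicy", ContainerRuntimePolicyArgs.builder()
            // Allow-lists: only these executables / registries are permitted.
            .allowedExecutables("exe", "bin")
            .allowedRegistries("registry1", "registry2")
            .applicationScopes("Global")
            // Auditing: these only generate events, they never block.
            .auditAllNetworkActivity(true)
            .auditAllProcessesActivity(true)
            .auditFullCommandArguments(true)
            // Hardening controls. Every block* / blocked* setting below only
            // takes effect when enforce(true) is set further down; with
            // enforce(false) they produce alerts only.
            .blockAccessHostNetwork(true)
            .blockAddingCapabilities(true)
            .blockContainerExec(true)
            .blockCryptocurrencyMining(true)
            .blockFilelessExec(true)
            .blockLowPortBinding(true)
            .blockNonCompliantImages(true)
            .blockNonCompliantWorkloads(true)
            .blockNonK8sContainers(true)
            .blockPrivilegedContainers(true)
            .blockReverseShell(true)
            .blockRootUser(true)
            .blockUnregisteredImages(true)
            .blockUseIpcNamespace(true)
            .blockUsePidNamespace(true)
            .blockUseUserNamespace(true)
            .blockUseUtsNamespace(true)
            // Deny-list: capabilities not named here stay available to the
            // container, so extend this list deliberately.
            .blockedCapabilities("AUDIT_CONTROL", "AUDIT_WRITE")
            .blockedExecutables("exe1", "exe2")
            .blockedFiles("test1", "test2")
            // Ports are passed as strings per the provider schema.
            .blockedInboundPorts("80", "8080")
            .blockedOutboundPorts("90", "9090")
            .blockedPackages("pkg", "pkg2")
            .blockedVolumes("blocked", "vol")
            // Exception to blockContainerExec: each entry is exempt from the
            // block, so keep this list as short as possible.
            .containerExecAllowedProcesses("proc1", "proc2")
            .description("container_runtime_policy")
            .enableDriftPrevention(true)
            .enableForkGuard(true)
            .enableIpReputationSecurity(true)
            .enablePortScanDetection(true)
            .enabled(true)
            // Audit mode. Set to true to actually enforce the block* settings
            // above; leave false while validating the policy against
            // workloads to avoid breaking them.
            .enforce(false)
            // Paths exempt from readonlyFilesAndDirectories below.
            .exceptionalReadonlyFilesAndDirectories("readonly2", "/dir2/")
            // File integrity monitoring: reports (does not block) changes to
            // the monitored paths; the excluded* lists carve out exemptions.
            .fileIntegrityMonitoring(ContainerRuntimePolicyFileIntegrityMonitoringArgs.builder()
                .excludedPaths("expaths")
                .excludedProcesses("exprocess")
                .excludedUsers("expuser")
                .monitorAttributes(true)
                .monitorCreate(true)
                .monitorDelete(true)
                .monitorModify(true)
                .monitorRead(true)
                .monitoredPaths("paths")
                .monitoredProcesses("process")
                .monitoredUsers("user")
                .build())
            // Fork bomb protection: maximum processes before fork guard acts.
            .forkGuardProcessLimit(13)
            .limitNewPrivileges(true)
            // "alert" only reports detections; it does not quarantine or block.
            .malwareScanOptions(ContainerRuntimePolicyMalwareScanOptionsArgs.builder()
                .action("alert")
                .enabled(true)
                .build())
            // Fixed: the schema declares this as a boolean; the original
            // example passed the string "true", which does not type-check.
            .monitorSystemTimeChanges(true)
            .readonlyFilesAndDirectories("readonly", "/dir/")
            // Exceptions to blockReverseShell: connections to these IPs and
            // from these processes are not treated as reverse shells. Every
            // entry weakens the control, so review them carefully.
            .reverseShellAllowedIps("ip1", "ip2")
            .reverseShellAllowedProcesses("proc1", "proc2")
            // Policy scope: v1 / v2 presumably refer to the two scope
            // variables below in order, so the policy applies to workloads in
            // cluster "default" OR carrying the label app=aqua.
            .scopeExpression("v1 || v2")
            .scopeVariables(
                ContainerRuntimePolicyScopeVariableArgs.builder()
                    .attribute("kubernetes.cluster")
                    .value("default")
                    .build(),
                ContainerRuntimePolicyScopeVariableArgs.builder()
                    .attribute("kubernetes.label")
                    .name("app")
                    .value("aqua")
                    .build())
            .build());
    }
}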
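# Example Aqua container runtime policy declared in Pulumi YAML.
# All list values are illustrative placeholders.
#
# NOTE(review): several property names used here do not appear in the
# constructor reference further down this page (which uses nested
# allowedExecutables / allowedRegistries objects, blockDisallowedImages,
# onlyRegisteredImages, driftPreventions, enableIpReputation,
# enablePortScanProtection, readonlyFiles, reverseShell and monitoredFiles*
# instead). Verify each property against the installed provider version.
resources:
  containerRuntimePolicy:
    type: aquasec:ContainerRuntimePolicy
    properties:
      # Allow-lists: only these executables / registries are permitted.
      allowedExecutables:
        - exe
        - bin
      allowedRegistries:
        - registry1
        - registry2
      applicationScopes:
        - Global
      # Auditing only generates events; it never blocks.
      auditAllNetworkActivity: true
      auditAllProcessesActivity: true
      auditFullCommandArguments: true
      # Hardening controls. With enforce: false (below) every block*/blocked*
      # setting produces alerts only; set enforce: true to actually block.
      blockAccessHostNetwork: true
      blockAddingCapabilities: true
      blockContainerExec: true
      blockCryptocurrencyMining: true
      blockFilelessExec: true
      blockLowPortBinding: true
      blockNonCompliantImages: true
      blockNonCompliantWorkloads: true
      blockNonK8sContainers: true
      blockPrivilegedContainers: true
      blockReverseShell: true
      blockRootUser: true
      blockUnregisteredImages: true
      blockUseIpcNamespace: true
      blockUsePidNamespace: true
      blockUseUserNamespace: true
      blockUseUtsNamespace: true
      # Deny-list: capabilities not listed here remain available.
      blockedCapabilities:
        - AUDIT_CONTROL
        - AUDIT_WRITE
      blockedExecutables:
        - exe1
        - exe2
      blockedFiles:
        - test1
        - test2
      # Ports are strings per the provider schema; keep the quotes.
      blockedInboundPorts:
        - '80'
        - '8080'
      blockedOutboundPorts:
        - '90'
        - '9090'
      blockedPackages:
        - pkg
        - pkg2
      blockedVolumes:
        - blocked
        - vol
      # Exceptions to blockContainerExec — keep as short as possible.
      containerExecAllowedProcesses:
        - proc1
        - proc2
      description: container_runtime_policy
      enableDriftPrevention: true
      enableForkGuard: true
      enableIpReputationSecurity: true
      enablePortScanDetection: true
      enabled: true
      # Audit mode; switch to true once the policy has been validated.
      enforce: false
      # Paths exempt from readonlyFilesAndDirectories.
      exceptionalReadonlyFilesAndDirectories:
        - readonly2
        - /dir2/
      # File integrity monitoring reports changes; excluded* lists are exemptions.
      fileIntegrityMonitoring:
        excludedPaths:
          - expaths
        excludedProcesses:
          - exprocess
        excludedUsers:
          - expuser
        monitorAttributes: true
        monitorCreate: true
        monitorDelete: true
        monitorModify: true
        monitorRead: true
        monitoredPaths:
          - paths
        monitoredProcesses:
          - process
        monitoredUsers:
          - user
      forkGuardProcessLimit: 13
      limitNewPrivileges: true
      # "alert" only reports detections; it does not block.
      malwareScanOptions:
        action: alert
        enabled: true
      # Fixed: the schema declares this as a boolean; the original example
      # used the quoted string 'true'.
      monitorSystemTimeChanges: true
      readonlyFilesAndDirectories:
        - readonly
        - /dir/
      # Exceptions to blockReverseShell; every entry weakens the control.
      reverseShellAllowedIps:
        - ip1
        - ip2
      reverseShellAllowedProcesses:
        - proc1
        - proc2
      # v1 / v2 presumably refer to the two scope variables below in order:
      # cluster "default" OR label app=aqua.
      scopeExpression: v1 || v2
      scopeVariables:
        - attribute: kubernetes.cluster
          value: default
        - attribute: kubernetes.label
          name: app
          value: aqua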
Create ContainerRuntimePolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ContainerRuntimePolicy(name: string, args?: ContainerRuntimePolicyArgs, opts?: CustomResourceOptions);
@overload
def ContainerRuntimePolicy(resource_name: str,
args: Optional[ContainerRuntimePolicyArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def ContainerRuntimePolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
allowed_executables: Optional[Sequence[ContainerRuntimePolicyAllowedExecutableArgs]] = None,
allowed_registries: Optional[Sequence[ContainerRuntimePolicyAllowedRegistryArgs]] = None,
application_scopes: Optional[Sequence[str]] = None,
audit_all_network_activity: Optional[bool] = None,
audit_all_processes_activity: Optional[bool] = None,
audit_brute_force_login: Optional[bool] = None,
audit_full_command_arguments: Optional[bool] = None,
auditing: Optional[ContainerRuntimePolicyAuditingArgs] = None,
author: Optional[str] = None,
blacklisted_os_users: Optional[ContainerRuntimePolicyBlacklistedOsUsersArgs] = None,
block_access_host_network: Optional[bool] = None,
block_adding_capabilities: Optional[bool] = None,
block_container_exec: Optional[bool] = None,
block_cryptocurrency_mining: Optional[bool] = None,
block_disallowed_images: Optional[bool] = None,
block_fileless_exec: Optional[bool] = None,
block_low_port_binding: Optional[bool] = None,
block_non_compliant_workloads: Optional[bool] = None,
block_non_k8s_containers: Optional[bool] = None,
block_privileged_containers: Optional[bool] = None,
block_root_user: Optional[bool] = None,
block_use_ipc_namespace: Optional[bool] = None,
block_use_pid_namespace: Optional[bool] = None,
block_use_user_namespace: Optional[bool] = None,
block_use_uts_namespace: Optional[bool] = None,
blocked_capabilities: Optional[Sequence[str]] = None,
blocked_executables: Optional[Sequence[str]] = None,
blocked_files: Optional[Sequence[str]] = None,
blocked_inbound_ports: Optional[Sequence[str]] = None,
blocked_outbound_ports: Optional[Sequence[str]] = None,
blocked_packages: Optional[Sequence[str]] = None,
blocked_volumes: Optional[Sequence[str]] = None,
bypass_scopes: Optional[Sequence[ContainerRuntimePolicyBypassScopeArgs]] = None,
container_exec: Optional[ContainerRuntimePolicyContainerExecArgs] = None,
container_exec_allowed_processes: Optional[Sequence[str]] = None,
created: Optional[str] = None,
cve: Optional[str] = None,
default_security_profile: Optional[str] = None,
description: Optional[str] = None,
digest: Optional[str] = None,
drift_preventions: Optional[Sequence[ContainerRuntimePolicyDriftPreventionArgs]] = None,
enable_crypto_mining_dns: Optional[bool] = None,
enable_fork_guard: Optional[bool] = None,
enable_ip_reputation: Optional[bool] = None,
enable_port_scan_protection: Optional[bool] = None,
enabled: Optional[bool] = None,
enforce: Optional[bool] = None,
enforce_after_days: Optional[int] = None,
enforce_scheduler_added_on: Optional[int] = None,
exclude_application_scopes: Optional[Sequence[str]] = None,
executable_blacklists: Optional[Sequence[ContainerRuntimePolicyExecutableBlacklistArgs]] = None,
failed_kubernetes_checks: Optional[ContainerRuntimePolicyFailedKubernetesChecksArgs] = None,
file_block: Optional[ContainerRuntimePolicyFileBlockArgs] = None,
file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
fork_guard_process_limit: Optional[int] = None,
image_name: Optional[str] = None,
is_audit_checked: Optional[bool] = None,
is_auto_generated: Optional[bool] = None,
is_ootb_policy: Optional[bool] = None,
lastupdate: Optional[int] = None,
limit_container_privileges: Optional[Sequence[ContainerRuntimePolicyLimitContainerPrivilegeArgs]] = None,
limit_new_privileges: Optional[bool] = None,
linux_capabilities: Optional[ContainerRuntimePolicyLinuxCapabilitiesArgs] = None,
malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
monitor_system_time_changes: Optional[bool] = None,
name: Optional[str] = None,
no_new_privileges: Optional[bool] = None,
only_registered_images: Optional[bool] = None,
package_block: Optional[ContainerRuntimePolicyPackageBlockArgs] = None,
permission: Optional[str] = None,
port_block: Optional[ContainerRuntimePolicyPortBlockArgs] = None,
readonly_files: Optional[ContainerRuntimePolicyReadonlyFilesArgs] = None,
readonly_registry: Optional[ContainerRuntimePolicyReadonlyRegistryArgs] = None,
registry: Optional[str] = None,
registry_access_monitoring: Optional[ContainerRuntimePolicyRegistryAccessMonitoringArgs] = None,
repo_name: Optional[str] = None,
resource_name_: Optional[str] = None,
resource_type: Optional[str] = None,
restricted_volumes: Optional[Sequence[ContainerRuntimePolicyRestrictedVolumeArgs]] = None,
reverse_shell: Optional[ContainerRuntimePolicyReverseShellArgs] = None,
runtime_mode: Optional[int] = None,
runtime_type: Optional[str] = None,
scope_expression: Optional[str] = None,
scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None,
scopes: Optional[Sequence[ContainerRuntimePolicyScopeArgs]] = None,
system_integrity_protection: Optional[ContainerRuntimePolicySystemIntegrityProtectionArgs] = None,
tripwire: Optional[ContainerRuntimePolicyTripwireArgs] = None,
type: Optional[str] = None,
updated: Optional[str] = None,
version: Optional[str] = None,
vpatch_version: Optional[str] = None,
whitelisted_os_users: Optional[ContainerRuntimePolicyWhitelistedOsUsersArgs] = None)
func NewContainerRuntimePolicy(ctx *Context, name string, args *ContainerRuntimePolicyArgs, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
public ContainerRuntimePolicy(string name, ContainerRuntimePolicyArgs? args = null, CustomResourceOptions? opts = null)
public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args)
public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args, CustomResourceOptions options)
type: aquasec:ContainerRuntimePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ContainerRuntimePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ContainerRuntimePolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ContainerRuntimePolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ContainerRuntimePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ContainerRuntimePolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference listing: every input property of aquasec.ContainerRuntimePolicy with a
// placeholder value. It is not a runnable policy; see the security notes inline.
var containerRuntimePolicyResource = new Aquasec.ContainerRuntimePolicy("containerRuntimePolicyResource", new()
{
    AllowedExecutables = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyAllowedExecutableArgs
        {
            AllowExecutables = new[]
            {
                "string",
            },
            AllowRootExecutables = new[]
            {
                "string",
            },
            Enabled = false,
            SeparateExecutables = false,
        },
    },
    AllowedRegistries = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyAllowedRegistryArgs
        {
            AllowedRegistries = new[]
            {
                "string",
            },
            Enabled = false,
        },
    },
    ApplicationScopes = new[]
    {
        "string",
    },
    AuditAllNetworkActivity = false,
    AuditAllProcessesActivity = false,
    AuditBruteForceLogin = false,
    AuditFullCommandArguments = false,
    Auditing = new Aquasec.Inputs.ContainerRuntimePolicyAuditingArgs
    {
        AuditAllNetwork = false,
        AuditAllProcesses = false,
        AuditFailedLogin = false,
        AuditOsUserActivity = false,
        AuditProcessCmdline = false,
        AuditSuccessLogin = false,
        AuditUserAccountManagement = false,
        Enabled = false,
    },
    Author = "string",
    // Deny-list of OS users/groups; anything not listed is still allowed.
    BlacklistedOsUsers = new Aquasec.Inputs.ContainerRuntimePolicyBlacklistedOsUsersArgs
    {
        Enabled = false,
        GroupBlackLists = new[]
        {
            "string",
        },
        UserBlackLists = new[]
        {
            "string",
        },
    },
    BlockAccessHostNetwork = false,
    BlockAddingCapabilities = false,
    BlockContainerExec = false,
    BlockCryptocurrencyMining = false,
    BlockDisallowedImages = false,
    BlockFilelessExec = false,
    BlockLowPortBinding = false,
    BlockNonCompliantWorkloads = false,
    BlockNonK8sContainers = false,
    BlockPrivilegedContainers = false,
    BlockRootUser = false,
    BlockUseIpcNamespace = false,
    BlockUsePidNamespace = false,
    BlockUseUserNamespace = false,
    BlockUseUtsNamespace = false,
    BlockedCapabilities = new[]
    {
        "string",
    },
    BlockedExecutables = new[]
    {
        "string",
    },
    BlockedFiles = new[]
    {
        "string",
    },
    BlockedInboundPorts = new[]
    {
        "string",
    },
    BlockedOutboundPorts = new[]
    {
        "string",
    },
    BlockedPackages = new[]
    {
        "string",
    },
    BlockedVolumes = new[]
    {
        "string",
    },
    // Workloads matching a bypass scope are exempt from this policy; review
    // these expressions with the same care as an allow-list.
    BypassScopes = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyBypassScopeArgs
        {
            Enabled = false,
            Scopes = new[]
            {
                new Aquasec.Inputs.ContainerRuntimePolicyBypassScopeScopeArgs
                {
                    Expression = "string",
                    Variables = new[]
                    {
                        new Aquasec.Inputs.ContainerRuntimePolicyBypassScopeScopeVariableArgs
                        {
                            Attribute = "string",
                            Value = "string",
                        },
                    },
                },
            },
        },
    },
    // The *WhiteLists entries are exemptions from the exec / reverse-shell
    // block; keep them minimal.
    ContainerExec = new Aquasec.Inputs.ContainerRuntimePolicyContainerExecArgs
    {
        BlockContainerExec = false,
        ContainerExecProcWhiteLists = new[]
        {
            "string",
        },
        Enabled = false,
        ReverseShellIpWhiteLists = new[]
        {
            "string",
        },
    },
    ContainerExecAllowedProcesses = new[]
    {
        "string",
    },
    Created = "string",
    Cve = "string",
    DefaultSecurityProfile = "string",
    Description = "string",
    Digest = "string",
    DriftPreventions = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyDriftPreventionArgs
        {
            Enabled = false,
            ExecLockdown = false,
            // Executables exempt from exec lockdown.
            ExecLockdownWhiteLists = new[]
            {
                "string",
            },
            ImageLockdown = false,
        },
    },
    EnableCryptoMiningDns = false,
    EnableForkGuard = false,
    EnableIpReputation = false,
    EnablePortScanProtection = false,
    Enabled = false,
    // Enforce = false is audit-only: the Block* settings above alert but do
    // not block until this is true (or the EnforceAfterDays schedule fires).
    Enforce = false,
    EnforceAfterDays = 0,
    EnforceSchedulerAddedOn = 0,
    ExcludeApplicationScopes = new[]
    {
        "string",
    },
    ExecutableBlacklists = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyExecutableBlacklistArgs
        {
            Enabled = false,
            Executables = new[]
            {
                "string",
            },
        },
    },
    FailedKubernetesChecks = new Aquasec.Inputs.ContainerRuntimePolicyFailedKubernetesChecksArgs
    {
        Enabled = false,
        FailedChecks = new[]
        {
            "string",
        },
    },
    FileBlock = new Aquasec.Inputs.ContainerRuntimePolicyFileBlockArgs
    {
        BlockFilesProcesses = new[]
        {
            "string",
        },
        BlockFilesUsers = new[]
        {
            "string",
        },
        Enabled = false,
        ExceptionalBlockFiles = new[]
        {
            "string",
        },
        ExceptionalBlockFilesProcesses = new[]
        {
            "string",
        },
        ExceptionalBlockFilesUsers = new[]
        {
            "string",
        },
        FilenameBlockLists = new[]
        {
            "string",
        },
    },
    FileIntegrityMonitoring = new Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs
    {
        Enabled = false,
        ExceptionalMonitoredFiles = new[]
        {
            "string",
        },
        ExceptionalMonitoredFilesProcesses = new[]
        {
            "string",
        },
        ExceptionalMonitoredFilesUsers = new[]
        {
            "string",
        },
        MonitoredFiles = new[]
        {
            "string",
        },
        MonitoredFilesAttributes = false,
        MonitoredFilesCreate = false,
        MonitoredFilesDelete = false,
        MonitoredFilesModify = false,
        MonitoredFilesProcesses = new[]
        {
            "string",
        },
        MonitoredFilesRead = false,
        MonitoredFilesUsers = new[]
        {
            "string",
        },
    },
    ForkGuardProcessLimit = 0,
    ImageName = "string",
    IsAuditChecked = false,
    IsAutoGenerated = false,
    IsOotbPolicy = false,
    Lastupdate = 0,
    LimitContainerPrivileges = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyLimitContainerPrivilegeArgs
        {
            BlockAddCapabilities = false,
            Enabled = false,
            Ipcmode = false,
            Netmode = false,
            Pidmode = false,
            PreventLowPortBinding = false,
            PreventRootUser = false,
            Privileged = false,
            UseHostUser = false,
            Usermode = false,
            Utsmode = false,
        },
    },
    LimitNewPrivileges = false,
    LinuxCapabilities = new Aquasec.Inputs.ContainerRuntimePolicyLinuxCapabilitiesArgs
    {
        Enabled = false,
        RemoveLinuxCapabilities = new[]
        {
            "string",
        },
    },
    MalwareScanOptions = new Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptionsArgs
    {
        Action = "string",
        Enabled = false,
        ExcludeDirectories = new[]
        {
            "string",
        },
        ExcludeProcesses = new[]
        {
            "string",
        },
        IncludeDirectories = new[]
        {
            "string",
        },
    },
    MonitorSystemTimeChanges = false,
    Name = "string",
    NoNewPrivileges = false,
    OnlyRegisteredImages = false,
    PackageBlock = new Aquasec.Inputs.ContainerRuntimePolicyPackageBlockArgs
    {
        BlockPackagesProcesses = new[]
        {
            "string",
        },
        BlockPackagesUsers = new[]
        {
            "string",
        },
        Enabled = false,
        ExceptionalBlockPackagesFiles = new[]
        {
            "string",
        },
        ExceptionalBlockPackagesProcesses = new[]
        {
            "string",
        },
        ExceptionalBlockPackagesUsers = new[]
        {
            "string",
        },
        PackagesBlackLists = new[]
        {
            "string",
        },
    },
    Permission = "string",
    PortBlock = new Aquasec.Inputs.ContainerRuntimePolicyPortBlockArgs
    {
        BlockInboundPorts = new[]
        {
            "string",
        },
        BlockOutboundPorts = new[]
        {
            "string",
        },
        Enabled = false,
    },
    ReadonlyFiles = new Aquasec.Inputs.ContainerRuntimePolicyReadonlyFilesArgs
    {
        Enabled = false,
        ExceptionalReadonlyFiles = new[]
        {
            "string",
        },
        ExceptionalReadonlyFilesProcesses = new[]
        {
            "string",
        },
        ExceptionalReadonlyFilesUsers = new[]
        {
            "string",
        },
        ReadonlyFiles = new[]
        {
            "string",
        },
        ReadonlyFilesProcesses = new[]
        {
            "string",
        },
        ReadonlyFilesUsers = new[]
        {
            "string",
        },
    },
    ReadonlyRegistry = new Aquasec.Inputs.ContainerRuntimePolicyReadonlyRegistryArgs
    {
        Enabled = false,
        ExceptionalReadonlyRegistryPaths = new[]
        {
            "string",
        },
        ExceptionalReadonlyRegistryProcesses = new[]
        {
            "string",
        },
        ExceptionalReadonlyRegistryUsers = new[]
        {
            "string",
        },
        ReadonlyRegistryPaths = new[]
        {
            "string",
        },
        ReadonlyRegistryProcesses = new[]
        {
            "string",
        },
        ReadonlyRegistryUsers = new[]
        {
            "string",
        },
    },
    Registry = "string",
    RegistryAccessMonitoring = new Aquasec.Inputs.ContainerRuntimePolicyRegistryAccessMonitoringArgs
    {
        Enabled = false,
        ExceptionalMonitoredRegistryPaths = new[]
        {
            "string",
        },
        ExceptionalMonitoredRegistryProcesses = new[]
        {
            "string",
        },
        ExceptionalMonitoredRegistryUsers = new[]
        {
            "string",
        },
        MonitoredRegistryAttributes = false,
        MonitoredRegistryCreate = false,
        MonitoredRegistryDelete = false,
        MonitoredRegistryModify = false,
        MonitoredRegistryPaths = new[]
        {
            "string",
        },
        MonitoredRegistryProcesses = new[]
        {
            "string",
        },
        MonitoredRegistryRead = false,
        MonitoredRegistryUsers = new[]
        {
            "string",
        },
    },
    RepoName = "string",
    ResourceName = "string",
    ResourceType = "string",
    RestrictedVolumes = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyRestrictedVolumeArgs
        {
            Enabled = false,
            Volumes = new[]
            {
                "string",
            },
        },
    },
    ReverseShell = new Aquasec.Inputs.ContainerRuntimePolicyReverseShellArgs
    {
        BlockReverseShell = false,
        Enabled = false,
        // IPs / processes exempt from reverse-shell blocking.
        ReverseShellIpWhiteLists = new[]
        {
            "string",
        },
        ReverseShellProcWhiteLists = new[]
        {
            "string",
        },
    },
    RuntimeMode = 0,
    RuntimeType = "string",
    ScopeExpression = "string",
    ScopeVariables = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs
        {
            Attribute = "string",
            Value = "string",
            Name = "string",
        },
    },
    Scopes = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyScopeArgs
        {
            Expression = "string",
            Variables = new[]
            {
                new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs
                {
                    Attribute = "string",
                    Value = "string",
                    Name = "string",
                },
            },
        },
    },
    SystemIntegrityProtection = new Aquasec.Inputs.ContainerRuntimePolicySystemIntegrityProtectionArgs
    {
        AuditSystemtimeChange = false,
        Enabled = false,
        MonitorAuditLogIntegrity = false,
        WindowsServicesMonitoring = false,
    },
    Tripwire = new Aquasec.Inputs.ContainerRuntimePolicyTripwireArgs
    {
        ApplyOns = new[]
        {
            "string",
        },
        Enabled = false,
        ServerlessApp = "string",
        UserId = "string",
        // NOTE(review): a credential as a plain literal ends up in source
        // control and Pulumi state; supply it from secret config and mark
        // it as a Pulumi secret so it is encrypted at rest.
        UserPassword = "string",
    },
    Type = "string",
    Updated = "string",
    Version = "string",
    VpatchVersion = "string",
    WhitelistedOsUsers = new Aquasec.Inputs.ContainerRuntimePolicyWhitelistedOsUsersArgs
    {
        Enabled = false,
        GroupWhiteLists = new[]
        {
            "string",
        },
        UserWhiteLists = new[]
        {
            "string",
        },
    },
});
// Reference listing: every input property of aquasec.ContainerRuntimePolicy with a
// placeholder value. It is not a runnable policy; see the security notes inline.
example, err := aquasec.NewContainerRuntimePolicy(ctx, "containerRuntimePolicyResource", &aquasec.ContainerRuntimePolicyArgs{
	AllowedExecutables: aquasec.ContainerRuntimePolicyAllowedExecutableArray{
		&aquasec.ContainerRuntimePolicyAllowedExecutableArgs{
			AllowExecutables: pulumi.StringArray{
				pulumi.String("string"),
			},
			AllowRootExecutables: pulumi.StringArray{
				pulumi.String("string"),
			},
			Enabled:             pulumi.Bool(false),
			SeparateExecutables: pulumi.Bool(false),
		},
	},
	AllowedRegistries: aquasec.ContainerRuntimePolicyAllowedRegistryArray{
		&aquasec.ContainerRuntimePolicyAllowedRegistryArgs{
			AllowedRegistries: pulumi.StringArray{
				pulumi.String("string"),
			},
			Enabled: pulumi.Bool(false),
		},
	},
	ApplicationScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	AuditAllNetworkActivity:   pulumi.Bool(false),
	AuditAllProcessesActivity: pulumi.Bool(false),
	AuditBruteForceLogin:      pulumi.Bool(false),
	AuditFullCommandArguments: pulumi.Bool(false),
	Auditing: &aquasec.ContainerRuntimePolicyAuditingArgs{
		AuditAllNetwork:            pulumi.Bool(false),
		AuditAllProcesses:          pulumi.Bool(false),
		AuditFailedLogin:           pulumi.Bool(false),
		AuditOsUserActivity:        pulumi.Bool(false),
		AuditProcessCmdline:        pulumi.Bool(false),
		AuditSuccessLogin:          pulumi.Bool(false),
		AuditUserAccountManagement: pulumi.Bool(false),
		Enabled:                    pulumi.Bool(false),
	},
	Author: pulumi.String("string"),
	// Deny-list of OS users/groups; anything not listed is still allowed.
	BlacklistedOsUsers: &aquasec.ContainerRuntimePolicyBlacklistedOsUsersArgs{
		Enabled: pulumi.Bool(false),
		GroupBlackLists: pulumi.StringArray{
			pulumi.String("string"),
		},
		UserBlackLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	BlockAccessHostNetwork:     pulumi.Bool(false),
	BlockAddingCapabilities:    pulumi.Bool(false),
	BlockContainerExec:         pulumi.Bool(false),
	BlockCryptocurrencyMining:  pulumi.Bool(false),
	BlockDisallowedImages:      pulumi.Bool(false),
	BlockFilelessExec:          pulumi.Bool(false),
	BlockLowPortBinding:        pulumi.Bool(false),
	BlockNonCompliantWorkloads: pulumi.Bool(false),
	BlockNonK8sContainers:      pulumi.Bool(false),
	BlockPrivilegedContainers:  pulumi.Bool(false),
	BlockRootUser:              pulumi.Bool(false),
	BlockUseIpcNamespace:       pulumi.Bool(false),
	BlockUsePidNamespace:       pulumi.Bool(false),
	BlockUseUserNamespace:      pulumi.Bool(false),
	BlockUseUtsNamespace:       pulumi.Bool(false),
	BlockedCapabilities: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedExecutables: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedFiles: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedInboundPorts: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedOutboundPorts: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedPackages: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedVolumes: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Workloads matching a bypass scope are exempt from this policy; review
	// these expressions with the same care as an allow-list.
	BypassScopes: aquasec.ContainerRuntimePolicyBypassScopeArray{
		&aquasec.ContainerRuntimePolicyBypassScopeArgs{
			Enabled: pulumi.Bool(false),
			Scopes: aquasec.ContainerRuntimePolicyBypassScopeScopeArray{
				&aquasec.ContainerRuntimePolicyBypassScopeScopeArgs{
					Expression: pulumi.String("string"),
					Variables: aquasec.ContainerRuntimePolicyBypassScopeScopeVariableArray{
						&aquasec.ContainerRuntimePolicyBypassScopeScopeVariableArgs{
							Attribute: pulumi.String("string"),
							Value:     pulumi.String("string"),
						},
					},
				},
			},
		},
	},
	// The *WhiteLists entries are exemptions from the exec / reverse-shell
	// block; keep them minimal.
	ContainerExec: &aquasec.ContainerRuntimePolicyContainerExecArgs{
		BlockContainerExec: pulumi.Bool(false),
		ContainerExecProcWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
		Enabled: pulumi.Bool(false),
		ReverseShellIpWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	ContainerExecAllowedProcesses: pulumi.StringArray{
		pulumi.String("string"),
	},
	Created:                pulumi.String("string"),
	Cve:                    pulumi.String("string"),
	DefaultSecurityProfile: pulumi.String("string"),
	Description:            pulumi.String("string"),
	Digest:                 pulumi.String("string"),
	DriftPreventions: aquasec.ContainerRuntimePolicyDriftPreventionArray{
		&aquasec.ContainerRuntimePolicyDriftPreventionArgs{
			Enabled:      pulumi.Bool(false),
			ExecLockdown: pulumi.Bool(false),
			// Executables exempt from exec lockdown.
			ExecLockdownWhiteLists: pulumi.StringArray{
				pulumi.String("string"),
			},
			ImageLockdown: pulumi.Bool(false),
		},
	},
	EnableCryptoMiningDns:    pulumi.Bool(false),
	EnableForkGuard:          pulumi.Bool(false),
	EnableIpReputation:       pulumi.Bool(false),
	EnablePortScanProtection: pulumi.Bool(false),
	Enabled:                  pulumi.Bool(false),
	// Enforce=false is audit-only: the Block* settings above alert but do
	// not block until this is true (or the EnforceAfterDays schedule fires).
	Enforce:                 pulumi.Bool(false),
	EnforceAfterDays:        pulumi.Int(0),
	EnforceSchedulerAddedOn: pulumi.Int(0),
	ExcludeApplicationScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	ExecutableBlacklists: aquasec.ContainerRuntimePolicyExecutableBlacklistArray{
		&aquasec.ContainerRuntimePolicyExecutableBlacklistArgs{
			Enabled: pulumi.Bool(false),
			Executables: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	FailedKubernetesChecks: &aquasec.ContainerRuntimePolicyFailedKubernetesChecksArgs{
		Enabled: pulumi.Bool(false),
		FailedChecks: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	FileBlock: &aquasec.ContainerRuntimePolicyFileBlockArgs{
		BlockFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		BlockFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		Enabled: pulumi.Bool(false),
		ExceptionalBlockFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalBlockFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalBlockFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		FilenameBlockLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	FileIntegrityMonitoring: &aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs{
		Enabled: pulumi.Bool(false),
		ExceptionalMonitoredFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalMonitoredFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalMonitoredFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredFilesAttributes: pulumi.Bool(false),
		MonitoredFilesCreate:     pulumi.Bool(false),
		MonitoredFilesDelete:     pulumi.Bool(false),
		MonitoredFilesModify:     pulumi.Bool(false),
		MonitoredFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredFilesRead: pulumi.Bool(false),
		MonitoredFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	ForkGuardProcessLimit: pulumi.Int(0),
	ImageName:             pulumi.String("string"),
	IsAuditChecked:        pulumi.Bool(false),
	IsAutoGenerated:       pulumi.Bool(false),
	IsOotbPolicy:          pulumi.Bool(false),
	Lastupdate:            pulumi.Int(0),
	LimitContainerPrivileges: aquasec.ContainerRuntimePolicyLimitContainerPrivilegeArray{
		&aquasec.ContainerRuntimePolicyLimitContainerPrivilegeArgs{
			BlockAddCapabilities:  pulumi.Bool(false),
			Enabled:               pulumi.Bool(false),
			Ipcmode:               pulumi.Bool(false),
			Netmode:               pulumi.Bool(false),
			Pidmode:               pulumi.Bool(false),
			PreventLowPortBinding: pulumi.Bool(false),
			PreventRootUser:       pulumi.Bool(false),
			Privileged:            pulumi.Bool(false),
			UseHostUser:           pulumi.Bool(false),
			Usermode:              pulumi.Bool(false),
			Utsmode:               pulumi.Bool(false),
		},
	},
	LimitNewPrivileges: pulumi.Bool(false),
	LinuxCapabilities: &aquasec.ContainerRuntimePolicyLinuxCapabilitiesArgs{
		Enabled: pulumi.Bool(false),
		RemoveLinuxCapabilities: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	MalwareScanOptions: &aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs{
		Action:  pulumi.String("string"),
		Enabled: pulumi.Bool(false),
		ExcludeDirectories: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExcludeProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		IncludeDirectories: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	MonitorSystemTimeChanges: pulumi.Bool(false),
	Name:                     pulumi.String("string"),
	NoNewPrivileges:          pulumi.Bool(false),
	OnlyRegisteredImages:     pulumi.Bool(false),
	PackageBlock: &aquasec.ContainerRuntimePolicyPackageBlockArgs{
		BlockPackagesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		BlockPackagesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		Enabled: pulumi.Bool(false),
		ExceptionalBlockPackagesFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalBlockPackagesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalBlockPackagesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		PackagesBlackLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	Permission: pulumi.String("string"),
	PortBlock: &aquasec.ContainerRuntimePolicyPortBlockArgs{
		BlockInboundPorts: pulumi.StringArray{
			pulumi.String("string"),
		},
		BlockOutboundPorts: pulumi.StringArray{
			pulumi.String("string"),
		},
		Enabled: pulumi.Bool(false),
	},
	ReadonlyFiles: &aquasec.ContainerRuntimePolicyReadonlyFilesArgs{
		Enabled: pulumi.Bool(false),
		ExceptionalReadonlyFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalReadonlyFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalReadonlyFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	ReadonlyRegistry: &aquasec.ContainerRuntimePolicyReadonlyRegistryArgs{
		Enabled: pulumi.Bool(false),
		ExceptionalReadonlyRegistryPaths: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalReadonlyRegistryProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalReadonlyRegistryUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyRegistryPaths: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyRegistryProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyRegistryUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	Registry: pulumi.String("string"),
	RegistryAccessMonitoring: &aquasec.ContainerRuntimePolicyRegistryAccessMonitoringArgs{
		Enabled: pulumi.Bool(false),
		ExceptionalMonitoredRegistryPaths: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalMonitoredRegistryProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalMonitoredRegistryUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredRegistryAttributes: pulumi.Bool(false),
		MonitoredRegistryCreate:     pulumi.Bool(false),
		MonitoredRegistryDelete:     pulumi.Bool(false),
		MonitoredRegistryModify:     pulumi.Bool(false),
		MonitoredRegistryPaths: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredRegistryProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredRegistryRead: pulumi.Bool(false),
		MonitoredRegistryUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	RepoName:     pulumi.String("string"),
	ResourceName: pulumi.String("string"),
	ResourceType: pulumi.String("string"),
	RestrictedVolumes: aquasec.ContainerRuntimePolicyRestrictedVolumeArray{
		&aquasec.ContainerRuntimePolicyRestrictedVolumeArgs{
			Enabled: pulumi.Bool(false),
			Volumes: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	ReverseShell: &aquasec.ContainerRuntimePolicyReverseShellArgs{
		BlockReverseShell: pulumi.Bool(false),
		Enabled:           pulumi.Bool(false),
		// IPs / processes exempt from reverse-shell blocking.
		ReverseShellIpWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReverseShellProcWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	RuntimeMode:     pulumi.Int(0),
	RuntimeType:     pulumi.String("string"),
	ScopeExpression: pulumi.String("string"),
	ScopeVariables: aquasec.ContainerRuntimePolicyScopeVariableArray{
		&aquasec.ContainerRuntimePolicyScopeVariableArgs{
			Attribute: pulumi.String("string"),
			Value:     pulumi.String("string"),
			Name:      pulumi.String("string"),
		},
	},
	Scopes: aquasec.ContainerRuntimePolicyScopeArray{
		&aquasec.ContainerRuntimePolicyScopeArgs{
			Expression: pulumi.String("string"),
			Variables: aquasec.ContainerRuntimePolicyScopeVariableArray{
				&aquasec.ContainerRuntimePolicyScopeVariableArgs{
					Attribute: pulumi.String("string"),
					Value:     pulumi.String("string"),
					Name:      pulumi.String("string"),
				},
			},
		},
	},
	SystemIntegrityProtection: &aquasec.ContainerRuntimePolicySystemIntegrityProtectionArgs{
		AuditSystemtimeChange:     pulumi.Bool(false),
		Enabled:                   pulumi.Bool(false),
		MonitorAuditLogIntegrity:  pulumi.Bool(false),
		WindowsServicesMonitoring: pulumi.Bool(false),
	},
	Tripwire: &aquasec.ContainerRuntimePolicyTripwireArgs{
		ApplyOns: pulumi.StringArray{
			pulumi.String("string"),
		},
		Enabled:       pulumi.Bool(false),
		ServerlessApp: pulumi.String("string"),
		UserId:        pulumi.String("string"),
		// NOTE(review): a credential as a plain literal ends up in source
		// control and Pulumi state; supply it from secret config and mark
		// it as a Pulumi secret so it is encrypted at rest.
		UserPassword: pulumi.String("string"),
	},
	Type:          pulumi.String("string"),
	Updated:       pulumi.String("string"),
	Version:       pulumi.String("string"),
	VpatchVersion: pulumi.String("string"),
	WhitelistedOsUsers: &aquasec.ContainerRuntimePolicyWhitelistedOsUsersArgs{
		Enabled: pulumi.Bool(false),
		GroupWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
		UserWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
})
// Constructor-syntax example: every argument is shown with a placeholder ("string", false, 0).
// It documents the full argument surface, not a usable policy; copy only the settings you need.
// NOTE(review): enforce(false) makes the policy audit-only (the Enforce property is documented as
// "not just for audit"), and each nested *Args carries its own enabled(false) — presumably a
// block*/limit* rule only stops anything once both are true; confirm against the Aqua docs.
var containerRuntimePolicyResource = new ContainerRuntimePolicy("containerRuntimePolicyResource", ContainerRuntimePolicyArgs.builder()
    // Allow-lists are exceptions to the block rules further down; keep them as short as possible
    // and review them with the same care as the rules themselves.
    .allowedExecutables(ContainerRuntimePolicyAllowedExecutableArgs.builder()
        .allowExecutables("string")
        .allowRootExecutables("string")
        .enabled(false)
        .separateExecutables(false)
        .build())
    .allowedRegistries(ContainerRuntimePolicyAllowedRegistryArgs.builder()
        .allowedRegistries("string")
        .enabled(false)
        .build())
    .applicationScopes("string")
    // Audit switches: these record activity (network, processes, logins, command lines) but do
    // not block anything on their own.
    .auditAllNetworkActivity(false)
    .auditAllProcessesActivity(false)
    .auditBruteForceLogin(false)
    .auditFullCommandArguments(false)
    .auditing(ContainerRuntimePolicyAuditingArgs.builder()
        .auditAllNetwork(false)
        .auditAllProcesses(false)
        .auditFailedLogin(false)
        .auditOsUserActivity(false)
        .auditProcessCmdline(false)
        .auditSuccessLogin(false)
        .auditUserAccountManagement(false)
        .enabled(false)
        .build())
    // author is documented as the account that created the policy; presumably server-populated
    // like created/digest/lastupdate/updated/version below — confirm whether setting it has any effect.
    .author("string")
    .blacklistedOsUsers(ContainerRuntimePolicyBlacklistedOsUsersArgs.builder()
        .enabled(false)
        .groupBlackLists("string")
        .userBlackLists("string")
        .build())
    // Container hardening switches (host network, capabilities, exec, privileged, root,
    // namespaces). Each is a one-flag control; see the Inputs section for what each prevents.
    .blockAccessHostNetwork(false)
    .blockAddingCapabilities(false)
    .blockContainerExec(false)
    .blockCryptocurrencyMining(false)
    .blockDisallowedImages(false)
    .blockFilelessExec(false)
    .blockLowPortBinding(false)
    .blockNonCompliantWorkloads(false)
    .blockNonK8sContainers(false)
    .blockPrivilegedContainers(false)
    .blockRootUser(false)
    .blockUseIpcNamespace(false)
    .blockUsePidNamespace(false)
    .blockUseUserNamespace(false)
    .blockUseUtsNamespace(false)
    // Deny-lists: capabilities, executables, files, ports, packages and volumes to refuse.
    .blockedCapabilities("string")
    .blockedExecutables("string")
    .blockedFiles("string")
    .blockedInboundPorts("string")
    .blockedOutboundPorts("string")
    .blockedPackages("string")
    .blockedVolumes("string")
    // bypassScopes exempt matching workloads from the policy; a broad expression here silently
    // disables every rule above for those workloads.
    .bypassScopes(ContainerRuntimePolicyBypassScopeArgs.builder()
        .enabled(false)
        .scopes(ContainerRuntimePolicyBypassScopeScopeArgs.builder()
            .expression("string")
            .variables(ContainerRuntimePolicyBypassScopeScopeVariableArgs.builder()
                .attribute("string")
                .value("string")
                .build())
            .build())
        .build())
    // Nested exec control; the *WhiteLists entries are exceptions to blockContainerExec.
    .containerExec(ContainerRuntimePolicyContainerExecArgs.builder()
        .blockContainerExec(false)
        .containerExecProcWhiteLists("string")
        .enabled(false)
        .reverseShellIpWhiteLists("string")
        .build())
    .containerExecAllowedProcesses("string")
    .created("string")
    .cve("string")
    .defaultSecurityProfile("string")
    .description("string")
    .digest("string")
    // Drift prevention: execLockdown / imageLockdown stop binaries that were not in the scanned image.
    .driftPreventions(ContainerRuntimePolicyDriftPreventionArgs.builder()
        .enabled(false)
        .execLockdown(false)
        .execLockdownWhiteLists("string")
        .imageLockdown(false)
        .build())
    .enableCryptoMiningDns(false)
    .enableForkGuard(false)
    .enableIpReputation(false)
    .enablePortScanProtection(false)
    // enabled/enforce: the policy-wide switches. enforce(false) leaves every rule in audit mode;
    // enforceAfterDays schedules the switch to enforce mode after that many days.
    .enabled(false)
    .enforce(false)
    .enforceAfterDays(0)
    .enforceSchedulerAddedOn(0)
    .excludeApplicationScopes("string")
    .executableBlacklists(ContainerRuntimePolicyExecutableBlacklistArgs.builder()
        .enabled(false)
        .executables("string")
        .build())
    .failedKubernetesChecks(ContainerRuntimePolicyFailedKubernetesChecksArgs.builder()
        .enabled(false)
        .failedChecks("string")
        .build())
    // File blocking; the exceptional* lists are carve-outs from filenameBlockLists.
    .fileBlock(ContainerRuntimePolicyFileBlockArgs.builder()
        .blockFilesProcesses("string")
        .blockFilesUsers("string")
        .enabled(false)
        .exceptionalBlockFiles("string")
        .exceptionalBlockFilesProcesses("string")
        .exceptionalBlockFilesUsers("string")
        .filenameBlockLists("string")
        .build())
    // File integrity monitoring (detection only): which paths, operations, processes and users to watch.
    .fileIntegrityMonitoring(ContainerRuntimePolicyFileIntegrityMonitoringArgs.builder()
        .enabled(false)
        .exceptionalMonitoredFiles("string")
        .exceptionalMonitoredFilesProcesses("string")
        .exceptionalMonitoredFilesUsers("string")
        .monitoredFiles("string")
        .monitoredFilesAttributes(false)
        .monitoredFilesCreate(false)
        .monitoredFilesDelete(false)
        .monitoredFilesModify(false)
        .monitoredFilesProcesses("string")
        .monitoredFilesRead(false)
        .monitoredFilesUsers("string")
        .build())
    .forkGuardProcessLimit(0)
    .imageName("string")
    .isAuditChecked(false)
    .isAutoGenerated(false)
    .isOotbPolicy(false)
    .lastupdate(0)
    // Privilege limits expressed as a nested object (overlaps with the block* flags above).
    .limitContainerPrivileges(ContainerRuntimePolicyLimitContainerPrivilegeArgs.builder()
        .blockAddCapabilities(false)
        .enabled(false)
        .ipcmode(false)
        .netmode(false)
        .pidmode(false)
        .preventLowPortBinding(false)
        .preventRootUser(false)
        .privileged(false)
        .useHostUser(false)
        .usermode(false)
        .utsmode(false)
        .build())
    // Documented as effective only in enforce mode.
    .limitNewPrivileges(false)
    .linuxCapabilities(ContainerRuntimePolicyLinuxCapabilitiesArgs.builder()
        .enabled(false)
        .removeLinuxCapabilities("string")
        .build())
    .malwareScanOptions(ContainerRuntimePolicyMalwareScanOptionsArgs.builder()
        .action("string")
        .enabled(false)
        .excludeDirectories("string")
        .excludeProcesses("string")
        .includeDirectories("string")
        .build())
    .monitorSystemTimeChanges(false)
    .name("string")
    .noNewPrivileges(false)
    .onlyRegisteredImages(false)
    .packageBlock(ContainerRuntimePolicyPackageBlockArgs.builder()
        .blockPackagesProcesses("string")
        .blockPackagesUsers("string")
        .enabled(false)
        .exceptionalBlockPackagesFiles("string")
        .exceptionalBlockPackagesProcesses("string")
        .exceptionalBlockPackagesUsers("string")
        .packagesBlackLists("string")
        .build())
    .permission("string")
    .portBlock(ContainerRuntimePolicyPortBlockArgs.builder()
        .blockInboundPorts("string")
        .blockOutboundPorts("string")
        .enabled(false)
        .build())
    .readonlyFiles(ContainerRuntimePolicyReadonlyFilesArgs.builder()
        .enabled(false)
        .exceptionalReadonlyFiles("string")
        .exceptionalReadonlyFilesProcesses("string")
        .exceptionalReadonlyFilesUsers("string")
        .readonlyFiles("string")
        .readonlyFilesProcesses("string")
        .readonlyFilesUsers("string")
        .build())
    // readonlyRegistry / registryAccessMonitoring refer to the Windows registry, not an image registry.
    .readonlyRegistry(ContainerRuntimePolicyReadonlyRegistryArgs.builder()
        .enabled(false)
        .exceptionalReadonlyRegistryPaths("string")
        .exceptionalReadonlyRegistryProcesses("string")
        .exceptionalReadonlyRegistryUsers("string")
        .readonlyRegistryPaths("string")
        .readonlyRegistryProcesses("string")
        .readonlyRegistryUsers("string")
        .build())
    .registry("string")
    .registryAccessMonitoring(ContainerRuntimePolicyRegistryAccessMonitoringArgs.builder()
        .enabled(false)
        .exceptionalMonitoredRegistryPaths("string")
        .exceptionalMonitoredRegistryProcesses("string")
        .exceptionalMonitoredRegistryUsers("string")
        .monitoredRegistryAttributes(false)
        .monitoredRegistryCreate(false)
        .monitoredRegistryDelete(false)
        .monitoredRegistryModify(false)
        .monitoredRegistryPaths("string")
        .monitoredRegistryProcesses("string")
        .monitoredRegistryRead(false)
        .monitoredRegistryUsers("string")
        .build())
    .repoName("string")
    .resourceName("string")
    .resourceType("string")
    .restrictedVolumes(ContainerRuntimePolicyRestrictedVolumeArgs.builder()
        .enabled(false)
        .volumes("string")
        .build())
    // Reverse-shell detection; the *WhiteLists are IPs/processes exempted from the block.
    .reverseShell(ContainerRuntimePolicyReverseShellArgs.builder()
        .blockReverseShell(false)
        .enabled(false)
        .reverseShellIpWhiteLists("string")
        .reverseShellProcWhiteLists("string")
        .build())
    .runtimeMode(0)
    .runtimeType("string")
    // Scoping: scopeExpression combines the scopeVariables (see the ScopeExpression property docs).
    .scopeExpression("string")
    .scopeVariables(ContainerRuntimePolicyScopeVariableArgs.builder()
        .attribute("string")
        .value("string")
        .name("string")
        .build())
    .scopes(ContainerRuntimePolicyScopeArgs.builder()
        .expression("string")
        .variables(ContainerRuntimePolicyScopeVariableArgs.builder()
            .attribute("string")
            .value("string")
            .name("string")
            .build())
        .build())
    .systemIntegrityProtection(ContainerRuntimePolicySystemIntegrityProtectionArgs.builder()
        .auditSystemtimeChange(false)
        .enabled(false)
        .monitorAuditLogIntegrity(false)
        .windowsServicesMonitoring(false)
        .build())
    // Tripwire credentials: userPassword is a plain string literal here. In real code pass it as a
    // secret (e.g. Output.ofSecret(...)) so it is encrypted in state and redacted from CLI output,
    // and never commit the literal value.
    .tripwire(ContainerRuntimePolicyTripwireArgs.builder()
        .applyOns("string")
        .enabled(false)
        .serverlessApp("string")
        .userId("string")
        .userPassword("string")
        .build())
    .type("string")
    .updated("string")
    .version("string")
    .vpatchVersion("string")
    // OS-user allow-list; counterpart of blacklistedOsUsers above.
    .whitelistedOsUsers(ContainerRuntimePolicyWhitelistedOsUsersArgs.builder()
        .enabled(false)
        .groupWhiteLists("string")
        .userWhiteLists("string")
        .build())
    .build());
# Constructor-syntax example: every argument is a placeholder ("string", False, 0). It shows the
# full argument surface, not a usable policy; copy only the settings you need.
# NOTE(review): enforce=False makes the policy audit-only (the Enforce property is documented as
# "not just for audit"), and each nested *Args has its own enabled=False — presumably a block_*/
# limit_* rule only stops anything once both are True; confirm against the Aqua docs.
container_runtime_policy_resource: aquasec.ContainerRuntimePolicy = aquasec.ContainerRuntimePolicy("containerRuntimePolicyResource",
    # Allow-lists are exceptions to the block rules below; keep them as short as possible.
    allowed_executables=[aquasec.ContainerRuntimePolicyAllowedExecutableArgs(
        allow_executables=["string"],
        allow_root_executables=["string"],
        enabled=False,
        separate_executables=False,
    )],
    allowed_registries=[aquasec.ContainerRuntimePolicyAllowedRegistryArgs(
        allowed_registries=["string"],
        enabled=False,
    )],
    application_scopes=["string"],
    # Audit switches record activity but do not block anything on their own.
    audit_all_network_activity=False,
    audit_all_processes_activity=False,
    audit_brute_force_login=False,
    audit_full_command_arguments=False,
    auditing=aquasec.ContainerRuntimePolicyAuditingArgs(
        audit_all_network=False,
        audit_all_processes=False,
        audit_failed_login=False,
        audit_os_user_activity=False,
        audit_process_cmdline=False,
        audit_success_login=False,
        audit_user_account_management=False,
        enabled=False,
    ),
    # author is documented as the account that created the policy; presumably server-populated
    # like created/digest/lastupdate/updated/version — confirm whether setting it has any effect.
    author="string",
    blacklisted_os_users=aquasec.ContainerRuntimePolicyBlacklistedOsUsersArgs(
        enabled=False,
        group_black_lists=["string"],
        user_black_lists=["string"],
    ),
    # Container hardening switches; see the Inputs section for what each one prevents.
    block_access_host_network=False,
    block_adding_capabilities=False,
    block_container_exec=False,
    block_cryptocurrency_mining=False,
    block_disallowed_images=False,
    block_fileless_exec=False,
    block_low_port_binding=False,
    block_non_compliant_workloads=False,
    block_non_k8s_containers=False,
    block_privileged_containers=False,
    block_root_user=False,
    block_use_ipc_namespace=False,
    block_use_pid_namespace=False,
    block_use_user_namespace=False,
    block_use_uts_namespace=False,
    # Deny-lists: capabilities, executables, files, ports, packages and volumes to refuse.
    blocked_capabilities=["string"],
    blocked_executables=["string"],
    blocked_files=["string"],
    blocked_inbound_ports=["string"],
    blocked_outbound_ports=["string"],
    blocked_packages=["string"],
    blocked_volumes=["string"],
    # bypass_scopes exempt matching workloads from the policy; a broad expression here silently
    # disables every rule above for those workloads.
    bypass_scopes=[aquasec.ContainerRuntimePolicyBypassScopeArgs(
        enabled=False,
        scopes=[aquasec.ContainerRuntimePolicyBypassScopeScopeArgs(
            expression="string",
            variables=[aquasec.ContainerRuntimePolicyBypassScopeScopeVariableArgs(
                attribute="string",
                value="string",
            )],
        )],
    )],
    # Nested exec control; the *_white_lists entries are exceptions to block_container_exec.
    container_exec=aquasec.ContainerRuntimePolicyContainerExecArgs(
        block_container_exec=False,
        container_exec_proc_white_lists=["string"],
        enabled=False,
        reverse_shell_ip_white_lists=["string"],
    ),
    container_exec_allowed_processes=["string"],
    created="string",
    cve="string",
    default_security_profile="string",
    description="string",
    digest="string",
    # Drift prevention: exec_lockdown / image_lockdown stop binaries that were not in the scanned image.
    drift_preventions=[aquasec.ContainerRuntimePolicyDriftPreventionArgs(
        enabled=False,
        exec_lockdown=False,
        exec_lockdown_white_lists=["string"],
        image_lockdown=False,
    )],
    enable_crypto_mining_dns=False,
    enable_fork_guard=False,
    enable_ip_reputation=False,
    enable_port_scan_protection=False,
    # Policy-wide switches. enforce=False leaves every rule in audit mode; enforce_after_days
    # schedules the switch to enforce mode after that many days.
    enabled=False,
    enforce=False,
    enforce_after_days=0,
    enforce_scheduler_added_on=0,
    exclude_application_scopes=["string"],
    executable_blacklists=[aquasec.ContainerRuntimePolicyExecutableBlacklistArgs(
        enabled=False,
        executables=["string"],
    )],
    failed_kubernetes_checks=aquasec.ContainerRuntimePolicyFailedKubernetesChecksArgs(
        enabled=False,
        failed_checks=["string"],
    ),
    # File blocking; the exceptional_* lists are carve-outs from filename_block_lists.
    file_block=aquasec.ContainerRuntimePolicyFileBlockArgs(
        block_files_processes=["string"],
        block_files_users=["string"],
        enabled=False,
        exceptional_block_files=["string"],
        exceptional_block_files_processes=["string"],
        exceptional_block_files_users=["string"],
        filename_block_lists=["string"],
    ),
    # File integrity monitoring (detection only): paths, operations, processes and users to watch.
    file_integrity_monitoring=aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs(
        enabled=False,
        exceptional_monitored_files=["string"],
        exceptional_monitored_files_processes=["string"],
        exceptional_monitored_files_users=["string"],
        monitored_files=["string"],
        monitored_files_attributes=False,
        monitored_files_create=False,
        monitored_files_delete=False,
        monitored_files_modify=False,
        monitored_files_processes=["string"],
        monitored_files_read=False,
        monitored_files_users=["string"],
    ),
    fork_guard_process_limit=0,
    image_name="string",
    is_audit_checked=False,
    is_auto_generated=False,
    is_ootb_policy=False,
    lastupdate=0,
    # Privilege limits as a nested object (overlaps with the block_* flags above).
    limit_container_privileges=[aquasec.ContainerRuntimePolicyLimitContainerPrivilegeArgs(
        block_add_capabilities=False,
        enabled=False,
        ipcmode=False,
        netmode=False,
        pidmode=False,
        prevent_low_port_binding=False,
        prevent_root_user=False,
        privileged=False,
        use_host_user=False,
        usermode=False,
        utsmode=False,
    )],
    # Documented as effective only in enforce mode.
    limit_new_privileges=False,
    linux_capabilities=aquasec.ContainerRuntimePolicyLinuxCapabilitiesArgs(
        enabled=False,
        remove_linux_capabilities=["string"],
    ),
    malware_scan_options=aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs(
        action="string",
        enabled=False,
        exclude_directories=["string"],
        exclude_processes=["string"],
        include_directories=["string"],
    ),
    monitor_system_time_changes=False,
    name="string",
    no_new_privileges=False,
    only_registered_images=False,
    package_block=aquasec.ContainerRuntimePolicyPackageBlockArgs(
        block_packages_processes=["string"],
        block_packages_users=["string"],
        enabled=False,
        exceptional_block_packages_files=["string"],
        exceptional_block_packages_processes=["string"],
        exceptional_block_packages_users=["string"],
        packages_black_lists=["string"],
    ),
    permission="string",
    port_block=aquasec.ContainerRuntimePolicyPortBlockArgs(
        block_inbound_ports=["string"],
        block_outbound_ports=["string"],
        enabled=False,
    ),
    readonly_files=aquasec.ContainerRuntimePolicyReadonlyFilesArgs(
        enabled=False,
        exceptional_readonly_files=["string"],
        exceptional_readonly_files_processes=["string"],
        exceptional_readonly_files_users=["string"],
        readonly_files=["string"],
        readonly_files_processes=["string"],
        readonly_files_users=["string"],
    ),
    # readonly_registry / registry_access_monitoring refer to the Windows registry, not an image registry.
    readonly_registry=aquasec.ContainerRuntimePolicyReadonlyRegistryArgs(
        enabled=False,
        exceptional_readonly_registry_paths=["string"],
        exceptional_readonly_registry_processes=["string"],
        exceptional_readonly_registry_users=["string"],
        readonly_registry_paths=["string"],
        readonly_registry_processes=["string"],
        readonly_registry_users=["string"],
    ),
    registry="string",
    registry_access_monitoring=aquasec.ContainerRuntimePolicyRegistryAccessMonitoringArgs(
        enabled=False,
        exceptional_monitored_registry_paths=["string"],
        exceptional_monitored_registry_processes=["string"],
        exceptional_monitored_registry_users=["string"],
        monitored_registry_attributes=False,
        monitored_registry_create=False,
        monitored_registry_delete=False,
        monitored_registry_modify=False,
        monitored_registry_paths=["string"],
        monitored_registry_processes=["string"],
        monitored_registry_read=False,
        monitored_registry_users=["string"],
    ),
    repo_name="string",
    # Trailing underscore: presumably avoids clashing with the positional resource_name argument
    # of the Pulumi resource constructor — this is the policy's own resource-name property.
    resource_name_="string",
    resource_type="string",
    restricted_volumes=[aquasec.ContainerRuntimePolicyRestrictedVolumeArgs(
        enabled=False,
        volumes=["string"],
    )],
    # Reverse-shell detection; the *_white_lists are IPs/processes exempted from the block.
    reverse_shell=aquasec.ContainerRuntimePolicyReverseShellArgs(
        block_reverse_shell=False,
        enabled=False,
        reverse_shell_ip_white_lists=["string"],
        reverse_shell_proc_white_lists=["string"],
    ),
    runtime_mode=0,
    runtime_type="string",
    # Scoping: scope_expression combines the scope_variables (see the ScopeExpression property docs).
    scope_expression="string",
    scope_variables=[aquasec.ContainerRuntimePolicyScopeVariableArgs(
        attribute="string",
        value="string",
        name="string",
    )],
    scopes=[aquasec.ContainerRuntimePolicyScopeArgs(
        expression="string",
        variables=[aquasec.ContainerRuntimePolicyScopeVariableArgs(
            attribute="string",
            value="string",
            name="string",
        )],
    )],
    system_integrity_protection=aquasec.ContainerRuntimePolicySystemIntegrityProtectionArgs(
        audit_systemtime_change=False,
        enabled=False,
        monitor_audit_log_integrity=False,
        windows_services_monitoring=False,
    ),
    # Tripwire credentials: user_password is a plain string literal here. In real code wrap it
    # (e.g. pulumi.Output.secret(...)) so it is encrypted in state and redacted from CLI output,
    # and never commit the literal value.
    tripwire=aquasec.ContainerRuntimePolicyTripwireArgs(
        apply_ons=["string"],
        enabled=False,
        serverless_app="string",
        user_id="string",
        user_password="string",
    ),
    type="string",
    updated="string",
    version="string",
    vpatch_version="string",
    # OS-user allow-list; counterpart of blacklisted_os_users above.
    whitelisted_os_users=aquasec.ContainerRuntimePolicyWhitelistedOsUsersArgs(
        enabled=False,
        group_white_lists=["string"],
        user_white_lists=["string"],
    ))
// Constructor-syntax example: every argument is a placeholder ("string", false, 0). It shows the
// full argument surface, not a usable policy; copy only the settings you need.
// NOTE(review): enforce: false makes the policy audit-only (the Enforce property is documented as
// "not just for audit"), and each nested object has its own enabled: false — presumably a
// block*/limit* rule only stops anything once both are true; confirm against the Aqua docs.
const containerRuntimePolicyResource = new aquasec.ContainerRuntimePolicy("containerRuntimePolicyResource", {
    // Allow-lists are exceptions to the block rules below; keep them as short as possible.
    allowedExecutables: [{
        allowExecutables: ["string"],
        allowRootExecutables: ["string"],
        enabled: false,
        separateExecutables: false,
    }],
    allowedRegistries: [{
        allowedRegistries: ["string"],
        enabled: false,
    }],
    applicationScopes: ["string"],
    // Audit switches record activity but do not block anything on their own.
    auditAllNetworkActivity: false,
    auditAllProcessesActivity: false,
    auditBruteForceLogin: false,
    auditFullCommandArguments: false,
    auditing: {
        auditAllNetwork: false,
        auditAllProcesses: false,
        auditFailedLogin: false,
        auditOsUserActivity: false,
        auditProcessCmdline: false,
        auditSuccessLogin: false,
        auditUserAccountManagement: false,
        enabled: false,
    },
    // author is documented as the account that created the policy; presumably server-populated
    // like created/digest/lastupdate/updated/version — confirm whether setting it has any effect.
    author: "string",
    blacklistedOsUsers: {
        enabled: false,
        groupBlackLists: ["string"],
        userBlackLists: ["string"],
    },
    // Container hardening switches; see the Inputs section for what each one prevents.
    blockAccessHostNetwork: false,
    blockAddingCapabilities: false,
    blockContainerExec: false,
    blockCryptocurrencyMining: false,
    blockDisallowedImages: false,
    blockFilelessExec: false,
    blockLowPortBinding: false,
    blockNonCompliantWorkloads: false,
    blockNonK8sContainers: false,
    blockPrivilegedContainers: false,
    blockRootUser: false,
    blockUseIpcNamespace: false,
    blockUsePidNamespace: false,
    blockUseUserNamespace: false,
    blockUseUtsNamespace: false,
    // Deny-lists: capabilities, executables, files, ports, packages and volumes to refuse.
    blockedCapabilities: ["string"],
    blockedExecutables: ["string"],
    blockedFiles: ["string"],
    blockedInboundPorts: ["string"],
    blockedOutboundPorts: ["string"],
    blockedPackages: ["string"],
    blockedVolumes: ["string"],
    // bypassScopes exempt matching workloads from the policy; a broad expression here silently
    // disables every rule above for those workloads.
    bypassScopes: [{
        enabled: false,
        scopes: [{
            expression: "string",
            variables: [{
                attribute: "string",
                value: "string",
            }],
        }],
    }],
    // Nested exec control; the *WhiteLists entries are exceptions to blockContainerExec.
    containerExec: {
        blockContainerExec: false,
        containerExecProcWhiteLists: ["string"],
        enabled: false,
        reverseShellIpWhiteLists: ["string"],
    },
    containerExecAllowedProcesses: ["string"],
    created: "string",
    cve: "string",
    defaultSecurityProfile: "string",
    description: "string",
    digest: "string",
    // Drift prevention: execLockdown / imageLockdown stop binaries that were not in the scanned image.
    driftPreventions: [{
        enabled: false,
        execLockdown: false,
        execLockdownWhiteLists: ["string"],
        imageLockdown: false,
    }],
    enableCryptoMiningDns: false,
    enableForkGuard: false,
    enableIpReputation: false,
    enablePortScanProtection: false,
    // Policy-wide switches. enforce: false leaves every rule in audit mode; enforceAfterDays
    // schedules the switch to enforce mode after that many days.
    enabled: false,
    enforce: false,
    enforceAfterDays: 0,
    enforceSchedulerAddedOn: 0,
    excludeApplicationScopes: ["string"],
    executableBlacklists: [{
        enabled: false,
        executables: ["string"],
    }],
    failedKubernetesChecks: {
        enabled: false,
        failedChecks: ["string"],
    },
    // File blocking; the exceptional* lists are carve-outs from filenameBlockLists.
    fileBlock: {
        blockFilesProcesses: ["string"],
        blockFilesUsers: ["string"],
        enabled: false,
        exceptionalBlockFiles: ["string"],
        exceptionalBlockFilesProcesses: ["string"],
        exceptionalBlockFilesUsers: ["string"],
        filenameBlockLists: ["string"],
    },
    // File integrity monitoring (detection only): paths, operations, processes and users to watch.
    fileIntegrityMonitoring: {
        enabled: false,
        exceptionalMonitoredFiles: ["string"],
        exceptionalMonitoredFilesProcesses: ["string"],
        exceptionalMonitoredFilesUsers: ["string"],
        monitoredFiles: ["string"],
        monitoredFilesAttributes: false,
        monitoredFilesCreate: false,
        monitoredFilesDelete: false,
        monitoredFilesModify: false,
        monitoredFilesProcesses: ["string"],
        monitoredFilesRead: false,
        monitoredFilesUsers: ["string"],
    },
    forkGuardProcessLimit: 0,
    imageName: "string",
    isAuditChecked: false,
    isAutoGenerated: false,
    isOotbPolicy: false,
    lastupdate: 0,
    // Privilege limits as a nested object (overlaps with the block* flags above).
    limitContainerPrivileges: [{
        blockAddCapabilities: false,
        enabled: false,
        ipcmode: false,
        netmode: false,
        pidmode: false,
        preventLowPortBinding: false,
        preventRootUser: false,
        privileged: false,
        useHostUser: false,
        usermode: false,
        utsmode: false,
    }],
    // Documented as effective only in enforce mode.
    limitNewPrivileges: false,
    linuxCapabilities: {
        enabled: false,
        removeLinuxCapabilities: ["string"],
    },
    malwareScanOptions: {
        action: "string",
        enabled: false,
        excludeDirectories: ["string"],
        excludeProcesses: ["string"],
        includeDirectories: ["string"],
    },
    monitorSystemTimeChanges: false,
    name: "string",
    noNewPrivileges: false,
    onlyRegisteredImages: false,
    packageBlock: {
        blockPackagesProcesses: ["string"],
        blockPackagesUsers: ["string"],
        enabled: false,
        exceptionalBlockPackagesFiles: ["string"],
        exceptionalBlockPackagesProcesses: ["string"],
        exceptionalBlockPackagesUsers: ["string"],
        packagesBlackLists: ["string"],
    },
    permission: "string",
    portBlock: {
        blockInboundPorts: ["string"],
        blockOutboundPorts: ["string"],
        enabled: false,
    },
    readonlyFiles: {
        enabled: false,
        exceptionalReadonlyFiles: ["string"],
        exceptionalReadonlyFilesProcesses: ["string"],
        exceptionalReadonlyFilesUsers: ["string"],
        readonlyFiles: ["string"],
        readonlyFilesProcesses: ["string"],
        readonlyFilesUsers: ["string"],
    },
    // readonlyRegistry / registryAccessMonitoring refer to the Windows registry, not an image registry.
    readonlyRegistry: {
        enabled: false,
        exceptionalReadonlyRegistryPaths: ["string"],
        exceptionalReadonlyRegistryProcesses: ["string"],
        exceptionalReadonlyRegistryUsers: ["string"],
        readonlyRegistryPaths: ["string"],
        readonlyRegistryProcesses: ["string"],
        readonlyRegistryUsers: ["string"],
    },
    registry: "string",
    registryAccessMonitoring: {
        enabled: false,
        exceptionalMonitoredRegistryPaths: ["string"],
        exceptionalMonitoredRegistryProcesses: ["string"],
        exceptionalMonitoredRegistryUsers: ["string"],
        monitoredRegistryAttributes: false,
        monitoredRegistryCreate: false,
        monitoredRegistryDelete: false,
        monitoredRegistryModify: false,
        monitoredRegistryPaths: ["string"],
        monitoredRegistryProcesses: ["string"],
        monitoredRegistryRead: false,
        monitoredRegistryUsers: ["string"],
    },
    repoName: "string",
    resourceName: "string",
    resourceType: "string",
    restrictedVolumes: [{
        enabled: false,
        volumes: ["string"],
    }],
    // Reverse-shell detection; the *WhiteLists are IPs/processes exempted from the block.
    reverseShell: {
        blockReverseShell: false,
        enabled: false,
        reverseShellIpWhiteLists: ["string"],
        reverseShellProcWhiteLists: ["string"],
    },
    runtimeMode: 0,
    runtimeType: "string",
    // Scoping: scopeExpression combines the scopeVariables (see the ScopeExpression property docs).
    scopeExpression: "string",
    scopeVariables: [{
        attribute: "string",
        value: "string",
        name: "string",
    }],
    scopes: [{
        expression: "string",
        variables: [{
            attribute: "string",
            value: "string",
            name: "string",
        }],
    }],
    systemIntegrityProtection: {
        auditSystemtimeChange: false,
        enabled: false,
        monitorAuditLogIntegrity: false,
        windowsServicesMonitoring: false,
    },
    // Tripwire credentials: userPassword is a plain string literal here. In real code wrap it
    // (e.g. pulumi.secret(...)) so it is encrypted in state and redacted from CLI output, and
    // never commit the literal value.
    tripwire: {
        applyOns: ["string"],
        enabled: false,
        serverlessApp: "string",
        userId: "string",
        userPassword: "string",
    },
    type: "string",
    updated: "string",
    version: "string",
    vpatchVersion: "string",
    // OS-user allow-list; counterpart of blacklistedOsUsers above.
    whitelistedOsUsers: {
        enabled: false,
        groupWhiteLists: ["string"],
        userWhiteLists: ["string"],
    },
});
# Constructor-syntax example: every value is a placeholder (string, false, 0). It shows the full
# property surface, not a usable policy; copy only the settings you need.
# Indentation below is reconstructed to match the nesting of the other language examples.
# NOTE(review): enforce: false makes the policy audit-only (the Enforce property is documented as
# "not just for audit"), and each nested object has its own enabled: false — presumably a
# block*/limit* rule only stops anything once both are true; confirm against the Aqua docs.
type: aquasec:ContainerRuntimePolicy
properties:
  # Allow-lists are exceptions to the block rules below; keep them as short as possible.
  allowedExecutables:
    - allowExecutables:
        - string
      allowRootExecutables:
        - string
      enabled: false
      separateExecutables: false
  allowedRegistries:
    - allowedRegistries:
        - string
      enabled: false
  applicationScopes:
    - string
  # Audit switches record activity but do not block anything on their own.
  auditAllNetworkActivity: false
  auditAllProcessesActivity: false
  auditBruteForceLogin: false
  auditFullCommandArguments: false
  auditing:
    auditAllNetwork: false
    auditAllProcesses: false
    auditFailedLogin: false
    auditOsUserActivity: false
    auditProcessCmdline: false
    auditSuccessLogin: false
    auditUserAccountManagement: false
    enabled: false
  # author is documented as the account that created the policy; presumably server-populated
  # like created/digest/lastupdate/updated/version — confirm whether setting it has any effect.
  author: string
  blacklistedOsUsers:
    enabled: false
    groupBlackLists:
      - string
    userBlackLists:
      - string
  # Container hardening switches; see the Inputs section for what each one prevents.
  blockAccessHostNetwork: false
  blockAddingCapabilities: false
  blockContainerExec: false
  blockCryptocurrencyMining: false
  blockDisallowedImages: false
  blockFilelessExec: false
  blockLowPortBinding: false
  blockNonCompliantWorkloads: false
  blockNonK8sContainers: false
  blockPrivilegedContainers: false
  blockRootUser: false
  blockUseIpcNamespace: false
  blockUsePidNamespace: false
  blockUseUserNamespace: false
  blockUseUtsNamespace: false
  # Deny-lists: capabilities, executables, files, ports, packages and volumes to refuse.
  blockedCapabilities:
    - string
  blockedExecutables:
    - string
  blockedFiles:
    - string
  blockedInboundPorts:
    - string
  blockedOutboundPorts:
    - string
  blockedPackages:
    - string
  blockedVolumes:
    - string
  # bypassScopes exempt matching workloads from the policy; a broad expression here silently
  # disables every rule above for those workloads.
  bypassScopes:
    - enabled: false
      scopes:
        - expression: string
          variables:
            - attribute: string
              value: string
  # Nested exec control; the *WhiteLists entries are exceptions to blockContainerExec.
  containerExec:
    blockContainerExec: false
    containerExecProcWhiteLists:
      - string
    enabled: false
    reverseShellIpWhiteLists:
      - string
  containerExecAllowedProcesses:
    - string
  created: string
  cve: string
  defaultSecurityProfile: string
  description: string
  digest: string
  # Drift prevention: execLockdown / imageLockdown stop binaries that were not in the scanned image.
  driftPreventions:
    - enabled: false
      execLockdown: false
      execLockdownWhiteLists:
        - string
      imageLockdown: false
  enableCryptoMiningDns: false
  enableForkGuard: false
  enableIpReputation: false
  enablePortScanProtection: false
  # Policy-wide switches. enforce: false leaves every rule in audit mode; enforceAfterDays
  # schedules the switch to enforce mode after that many days.
  enabled: false
  enforce: false
  enforceAfterDays: 0
  enforceSchedulerAddedOn: 0
  excludeApplicationScopes:
    - string
  executableBlacklists:
    - enabled: false
      executables:
        - string
  failedKubernetesChecks:
    enabled: false
    failedChecks:
      - string
  # File blocking; the exceptional* lists are carve-outs from filenameBlockLists.
  fileBlock:
    blockFilesProcesses:
      - string
    blockFilesUsers:
      - string
    enabled: false
    exceptionalBlockFiles:
      - string
    exceptionalBlockFilesProcesses:
      - string
    exceptionalBlockFilesUsers:
      - string
    filenameBlockLists:
      - string
  # File integrity monitoring (detection only): paths, operations, processes and users to watch.
  fileIntegrityMonitoring:
    enabled: false
    exceptionalMonitoredFiles:
      - string
    exceptionalMonitoredFilesProcesses:
      - string
    exceptionalMonitoredFilesUsers:
      - string
    monitoredFiles:
      - string
    monitoredFilesAttributes: false
    monitoredFilesCreate: false
    monitoredFilesDelete: false
    monitoredFilesModify: false
    monitoredFilesProcesses:
      - string
    monitoredFilesRead: false
    monitoredFilesUsers:
      - string
  forkGuardProcessLimit: 0
  imageName: string
  isAuditChecked: false
  isAutoGenerated: false
  isOotbPolicy: false
  lastupdate: 0
  # Privilege limits as a nested object (overlaps with the block* flags above).
  limitContainerPrivileges:
    - blockAddCapabilities: false
      enabled: false
      ipcmode: false
      netmode: false
      pidmode: false
      preventLowPortBinding: false
      preventRootUser: false
      privileged: false
      useHostUser: false
      usermode: false
      utsmode: false
  # Documented as effective only in enforce mode.
  limitNewPrivileges: false
  linuxCapabilities:
    enabled: false
    removeLinuxCapabilities:
      - string
  malwareScanOptions:
    action: string
    enabled: false
    excludeDirectories:
      - string
    excludeProcesses:
      - string
    includeDirectories:
      - string
  monitorSystemTimeChanges: false
  name: string
  noNewPrivileges: false
  onlyRegisteredImages: false
  packageBlock:
    blockPackagesProcesses:
      - string
    blockPackagesUsers:
      - string
    enabled: false
    exceptionalBlockPackagesFiles:
      - string
    exceptionalBlockPackagesProcesses:
      - string
    exceptionalBlockPackagesUsers:
      - string
    packagesBlackLists:
      - string
  permission: string
  portBlock:
    blockInboundPorts:
      - string
    blockOutboundPorts:
      - string
    enabled: false
  readonlyFiles:
    enabled: false
    exceptionalReadonlyFiles:
      - string
    exceptionalReadonlyFilesProcesses:
      - string
    exceptionalReadonlyFilesUsers:
      - string
    readonlyFiles:
      - string
    readonlyFilesProcesses:
      - string
    readonlyFilesUsers:
      - string
  # readonlyRegistry / registryAccessMonitoring refer to the Windows registry, not an image registry.
  readonlyRegistry:
    enabled: false
    exceptionalReadonlyRegistryPaths:
      - string
    exceptionalReadonlyRegistryProcesses:
      - string
    exceptionalReadonlyRegistryUsers:
      - string
    readonlyRegistryPaths:
      - string
    readonlyRegistryProcesses:
      - string
    readonlyRegistryUsers:
      - string
  registry: string
  registryAccessMonitoring:
    enabled: false
    exceptionalMonitoredRegistryPaths:
      - string
    exceptionalMonitoredRegistryProcesses:
      - string
    exceptionalMonitoredRegistryUsers:
      - string
    monitoredRegistryAttributes: false
    monitoredRegistryCreate: false
    monitoredRegistryDelete: false
    monitoredRegistryModify: false
    monitoredRegistryPaths:
      - string
    monitoredRegistryProcesses:
      - string
    monitoredRegistryRead: false
    monitoredRegistryUsers:
      - string
  repoName: string
  resourceName: string
  resourceType: string
  restrictedVolumes:
    - enabled: false
      volumes:
        - string
  # Reverse-shell detection; the *WhiteLists are IPs/processes exempted from the block.
  reverseShell:
    blockReverseShell: false
    enabled: false
    reverseShellIpWhiteLists:
      - string
    reverseShellProcWhiteLists:
      - string
  runtimeMode: 0
  runtimeType: string
  # Scoping: scopeExpression combines the scopeVariables (see the ScopeExpression property docs).
  scopeExpression: string
  scopeVariables:
    - attribute: string
      name: string
      value: string
  scopes:
    - expression: string
      variables:
        - attribute: string
          name: string
          value: string
  systemIntegrityProtection:
    auditSystemtimeChange: false
    enabled: false
    monitorAuditLogIntegrity: false
    windowsServicesMonitoring: false
  # Tripwire credentials: userPassword is a plain literal here. In a real program wrap it with
  # fn::secret (or read it from an encrypted config value) so it is stored encrypted in state and
  # redacted from CLI output; never commit the literal value.
  tripwire:
    applyOns:
      - string
    enabled: false
    serverlessApp: string
    userId: string
    userPassword: string
  type: string
  updated: string
  version: string
  vpatchVersion: string
  # OS-user allow-list; counterpart of blacklistedOsUsers above.
  whitelistedOsUsers:
    enabled: false
    groupWhiteLists:
      - string
    userWhiteLists:
      - string
ContainerRuntimePolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ContainerRuntimePolicy resource accepts the following input properties:
- Allowed
Executables List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Allowed Executable> - Allowed executables configuration.
- Allowed
Registries List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Allowed Registry> - List of allowed registries.
- Application
Scopes List<string> - Indicates the application scope of the service.
- Audit
All boolNetwork Activity - If true, all network activity will be audited.
- Audit
All boolProcesses Activity - If true, all process activity will be audited.
- Audit
Brute boolForce Login - Detects brute force login attempts
- Audit
Full boolCommand Arguments - If true, full command arguments will be audited.
- Auditing
Pulumiverse.
Aquasec. Inputs. Container Runtime Policy Auditing - string
- Username of the account that created the service.
- Blacklisted
Os Pulumiverse.Users Aquasec. Inputs. Container Runtime Policy Blacklisted Os Users - Block
Access boolHost Network - If true, prevent containers from running with access to host network.
- Block
Adding boolCapabilities - If true, prevent containers from running with adding capabilities with
--cap-add
privilege. - Block
Container boolExec - If true, exec into a container is prevented.
- Block
Cryptocurrency boolMining - Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- Block
Disallowed boolImages - Block
Fileless boolExec - Detect and prevent running in-memory execution
- Block
Low boolPort Binding - If true, prevent containers from running with the capability to bind in port lower than 1024.
- Block
Non boolCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- Block
Non boolK8s Containers - If true, running non-kubernetes containers is prevented.
- Block
Privileged boolContainers - If true, prevent containers from running with privileged container capability.
- Block
Root boolUser - If true, prevent containers from running with root user.
- Block
Use boolIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- Block
Use boolPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- Block
Use boolUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- Block
Use boolUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- Blocked
Capabilities List<string> - If true, prevents containers from using specific Unix capabilities.
- Blocked
Executables List<string> - List of executables that are prevented from running in containers.
- Blocked
Files List<string> - List of files that are prevented from being read, modified and executed in the containers.
- Blocked
Inbound List<string>Ports - List of blocked inbound ports.
- Blocked
Outbound List<string>Ports - List of blocked outbound ports.
- Blocked
Packages List<string> - Prevent containers from reading, writing, or executing all files in the list of packages.
- Blocked
Volumes List<string> - List of volumes that are prevented from being mounted in the containers.
- Bypass
Scopes List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Bypass Scope> - Bypass scope configuration.
- Container
Exec Pulumiverse.Aquasec. Inputs. Container Runtime Policy Container Exec - Container
Exec List<string>Allowed Processes - List of processes that will be allowed.
- Created string
- Cve string
- Default
Security stringProfile - Description string
- The description of the container runtime policy
- Digest string
- Drift
Preventions List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Drift Prevention> - Drift prevention configuration.
- Enable
Crypto boolMining Dns - Enable
Fork boolGuard - If true, fork bombs are prevented in the containers.
- Enable
Ip boolReputation - Enable
Port boolScan Protection - Enabled bool
- Whether allowed executables configuration is enabled.
- Enforce bool
- Indicates that policy should effect container execution (not just for audit).
- Enforce
After intDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- Enforce
Scheduler intAdded On - Exclude
Application List<string>Scopes - List of excluded application scopes.
- Executable
Blacklists List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Executable Blacklist> - Executable blacklist configuration.
- Failed
Kubernetes Pulumiverse.Checks Aquasec. Inputs. Container Runtime Policy Failed Kubernetes Checks - File
Block Pulumiverse.Aquasec. Inputs. Container Runtime Policy File Block - File
Integrity Pulumiverse.Monitoring Aquasec. Inputs. Container Runtime Policy File Integrity Monitoring - Configuration for file integrity monitoring.
- Fork
Guard intProcess Limit - Process limit for the fork guard.
- Image
Name string - Is
Audit boolChecked - Is
Auto boolGenerated - Is
Ootb boolPolicy - Lastupdate int
- Limit
Container List<Pulumiverse.Privileges Aquasec. Inputs. Container Runtime Policy Limit Container Privilege> - Container privileges configuration.
- Limit
New boolPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- Linux
Capabilities Pulumiverse.Aquasec. Inputs. Container Runtime Policy Linux Capabilities - Malware
Scan Pulumiverse.Options Aquasec. Inputs. Container Runtime Policy Malware Scan Options - Configuration for Real-Time Malware Protection.
- Monitor
System boolTime Changes - If true, system time changes will be monitored.
- Name string
- Name assigned to the attribute.
- No
New boolPrivileges - Only
Registered boolImages - Package
Block Pulumiverse.Aquasec. Inputs. Container Runtime Policy Package Block - Permission string
- Port
Block Pulumiverse.Aquasec. Inputs. Container Runtime Policy Port Block - Readonly
Files Pulumiverse.Aquasec. Inputs. Container Runtime Policy Readonly Files - Readonly
Registry Pulumiverse.Aquasec. Inputs. Container Runtime Policy Readonly Registry - Registry string
- Registry
Access Pulumiverse.Monitoring Aquasec. Inputs. Container Runtime Policy Registry Access Monitoring - Repo
Name string - Resource
Name string - Resource
Type string - Restricted
Volumes List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Restricted Volume> - Restricted volumes configuration.
- Reverse
Shell Pulumiverse.Aquasec. Inputs. Container Runtime Policy Reverse Shell - Runtime
Mode int - Runtime
Type string - Scope
Expression string - Logical expression defining how the scope variables are combined.
- Scope
Variables List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Scope Variable> - List of scope attributes.
- Scopes
List<Pulumiverse.
Aquasec. Inputs. Container Runtime Policy Scope> - Scope configuration.
- System
Integrity Pulumiverse.Protection Aquasec. Inputs. Container Runtime Policy System Integrity Protection - Tripwire
Pulumiverse.
Aquasec. Inputs. Container Runtime Policy Tripwire - Type string
- Updated string
- Version string
- Vpatch
Version string - Whitelisted
Os Pulumiverse.Users Aquasec. Inputs. Container Runtime Policy Whitelisted Os Users
- Allowed
Executables []ContainerRuntime Policy Allowed Executable Args - Allowed executables configuration.
- Allowed
Registries []ContainerRuntime Policy Allowed Registry Args - List of allowed registries.
- Application
Scopes []string - Indicates the application scope of the service.
- Audit
All boolNetwork Activity - If true, all network activity will be audited.
- Audit
All boolProcesses Activity - If true, all process activity will be audited.
- Audit
Brute boolForce Login - Detects brute force login attempts
- Audit
Full boolCommand Arguments - If true, full command arguments will be audited.
- Auditing
Container
Runtime Policy Auditing Args - string
- Username of the account that created the service.
- Blacklisted
Os ContainerUsers Runtime Policy Blacklisted Os Users Args - Block
Access boolHost Network - If true, prevent containers from running with access to host network.
- BlockAddingCapabilities bool - If true, prevent containers from running with additional capabilities added via --cap-add.
- BlockContainerExec bool - If true, exec into a container is prevented.
- BlockCryptocurrencyMining bool - Detect and prevent communication with DNS names and IP addresses known to be used for cryptocurrency mining.
- BlockDisallowedImages bool
- BlockFilelessExec bool - Detect and prevent in-memory (fileless) execution.
- BlockLowPortBinding bool - If true, prevent containers from running with the capability to bind to a port lower than 1024.
- Block
Non boolCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- Block
Non boolK8s Containers - If true, running non-kubernetes containers is prevented.
- Block
Privileged boolContainers - If true, prevent containers from running with privileged container capability.
- Block
Root boolUser - If true, prevent containers from running with root user.
- Block
Use boolIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- Block
Use boolPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- Block
Use boolUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- Block
Use boolUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- BlockedCapabilities []string - Containers are prevented from using the Unix capabilities named in this list.
- Blocked
Executables []string - List of executables that are prevented from running in containers.
- Blocked
Files []string - List of files that are prevented from being read, modified and executed in the containers.
- Blocked
Inbound []stringPorts - List of blocked inbound ports.
- Blocked
Outbound []stringPorts - List of blocked outbound ports.
- Blocked
Packages []string - Prevent containers from reading, writing, or executing all files in the list of packages.
- Blocked
Volumes []string - List of volumes that are prevented from being mounted in the containers.
- Bypass
Scopes []ContainerRuntime Policy Bypass Scope Args - Bypass scope configuration.
- Container
Exec ContainerRuntime Policy Container Exec Args - Container
Exec []stringAllowed Processes - List of processes that will be allowed.
- Created string
- Cve string
- Default
Security stringProfile - Description string
- The description of the container runtime policy
- Digest string
- Drift
Preventions []ContainerRuntime Policy Drift Prevention Args - Drift prevention configuration.
- Enable
Crypto boolMining Dns - Enable
Fork boolGuard - If true, fork bombs are prevented in the containers.
- Enable
Ip boolReputation - Enable
Port boolScan Protection - Enabled bool
- Whether allowed executables configuration is enabled.
- Enforce bool
- Indicates that the policy should affect container execution, not just audit it.
- Enforce
After intDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- Enforce
Scheduler intAdded On - Exclude
Application []stringScopes - List of excluded application scopes.
- Executable
Blacklists []ContainerRuntime Policy Executable Blacklist Args - Executable blacklist configuration.
- Failed
Kubernetes ContainerChecks Runtime Policy Failed Kubernetes Checks Args - File
Block ContainerRuntime Policy File Block Args - File
Integrity ContainerMonitoring Runtime Policy File Integrity Monitoring Args - Configuration for file integrity monitoring.
- Fork
Guard intProcess Limit - Process limit for the fork guard.
- Image
Name string - Is
Audit boolChecked - Is
Auto boolGenerated - Is
Ootb boolPolicy - Lastupdate int
- Limit
Container []ContainerPrivileges Runtime Policy Limit Container Privilege Args - Container privileges configuration.
- Limit
New boolPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- Linux
Capabilities ContainerRuntime Policy Linux Capabilities Args - Malware
Scan ContainerOptions Runtime Policy Malware Scan Options Args - Configuration for Real-Time Malware Protection.
- Monitor
System boolTime Changes - If true, system time changes will be monitored.
- Name string
- Name assigned to the attribute.
- No
New boolPrivileges - Only
Registered boolImages - Package
Block ContainerRuntime Policy Package Block Args - Permission string
- Port
Block ContainerRuntime Policy Port Block Args - Readonly
Files ContainerRuntime Policy Readonly Files Args - Readonly
Registry ContainerRuntime Policy Readonly Registry Args - Registry string
- Registry
Access ContainerMonitoring Runtime Policy Registry Access Monitoring Args - Repo
Name string - Resource
Name string - Resource
Type string - Restricted
Volumes []ContainerRuntime Policy Restricted Volume Args - Restricted volumes configuration.
- Reverse
Shell ContainerRuntime Policy Reverse Shell Args - Runtime
Mode int - Runtime
Type string - Scope
Expression string - Logical expression of how to compute the dependency of the scope variables.
- Scope
Variables []ContainerRuntime Policy Scope Variable Args - List of scope attributes.
- Scopes
[]Container
Runtime Policy Scope Args - Scope configuration.
- System
Integrity ContainerProtection Runtime Policy System Integrity Protection Args - Tripwire
Container
Runtime Policy Tripwire Args - Type string
- Updated string
- Version string
- Vpatch
Version string - Whitelisted
Os ContainerUsers Runtime Policy Whitelisted Os Users Args
- allowed
Executables List<ContainerRuntime Policy Allowed Executable> - Allowed executables configuration.
- allowed
Registries List<ContainerRuntime Policy Allowed Registry> - List of allowed registries.
- application
Scopes List<String> - Indicates the application scope of the service.
- audit
All BooleanNetwork Activity - If true, all network activity will be audited.
- audit
All BooleanProcesses Activity - If true, all process activity will be audited.
- audit
Brute BooleanForce Login - Detects brute force login attempts
- audit
Full BooleanCommand Arguments - If true, full command arguments will be audited.
- auditing
Container
Runtime Policy Auditing - String
- Username of the account that created the service.
- blacklisted
Os ContainerUsers Runtime Policy Blacklisted Os Users - block
Access BooleanHost Network - If true, prevent containers from running with access to host network.
- blockAddingCapabilities Boolean - If true, prevent containers from running with additional capabilities added via --cap-add.
- blockContainerExec Boolean - If true, exec into a container is prevented.
- block
Cryptocurrency BooleanMining - Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Disallowed BooleanImages - block
Fileless BooleanExec - Detect and prevent running in-memory execution
- blockLowPortBinding Boolean - If true, prevent containers from running with the capability to bind to a port lower than 1024.
- block
Non BooleanCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- block
Non BooleanK8s Containers - If true, running non-kubernetes containers is prevented.
- block
Privileged BooleanContainers - If true, prevent containers from running with privileged container capability.
- block
Root BooleanUser - If true, prevent containers from running with root user.
- block
Use BooleanIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use BooleanPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use BooleanUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block
Use BooleanUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blockedCapabilities List<String> - Containers are prevented from using the Unix capabilities named in this list.
- blocked
Executables List<String> - List of executables that are prevented from running in containers.
- blocked
Files List<String> - List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound List<String>Ports - List of blocked inbound ports.
- blocked
Outbound List<String>Ports - List of blocked outbound ports.
- blocked
Packages List<String> - Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes List<String> - List of volumes that are prevented from being mounted in the containers.
- bypass
Scopes List<ContainerRuntime Policy Bypass Scope> - Bypass scope configuration.
- container
Exec ContainerRuntime Policy Container Exec - container
Exec List<String>Allowed Processes - List of processes that will be allowed.
- created String
- cve String
- default
Security StringProfile - description String
- The description of the container runtime policy
- digest String
- drift
Preventions List<ContainerRuntime Policy Drift Prevention> - Drift prevention configuration.
- enable
Crypto BooleanMining Dns - enable
Fork BooleanGuard - If true, fork bombs are prevented in the containers.
- enable
Ip BooleanReputation - enable
Port BooleanScan Protection - enabled Boolean
- Whether allowed executables configuration is enabled.
- enforce Boolean
- Indicates that the policy should affect container execution, not just audit it.
- enforce
After IntegerDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- enforce
Scheduler IntegerAdded On - exclude
Application List<String>Scopes - List of excluded application scopes.
- executable
Blacklists List<ContainerRuntime Policy Executable Blacklist> - Executable blacklist configuration.
- failed
Kubernetes ContainerChecks Runtime Policy Failed Kubernetes Checks - file
Block ContainerRuntime Policy File Block - file
Integrity ContainerMonitoring Runtime Policy File Integrity Monitoring - Configuration for file integrity monitoring.
- fork
Guard IntegerProcess Limit - Process limit for the fork guard.
- image
Name String - is
Audit BooleanChecked - is
Auto BooleanGenerated - is
Ootb BooleanPolicy - lastupdate Integer
- limit
Container List<ContainerPrivileges Runtime Policy Limit Container Privilege> - Container privileges configuration.
- limit
New BooleanPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- linux
Capabilities ContainerRuntime Policy Linux Capabilities - malware
Scan ContainerOptions Runtime Policy Malware Scan Options - Configuration for Real-Time Malware Protection.
- monitor
System BooleanTime Changes - If true, system time changes will be monitored.
- name String
- Name assigned to the attribute.
- no
New BooleanPrivileges - only
Registered BooleanImages - package
Block ContainerRuntime Policy Package Block - permission String
- port
Block ContainerRuntime Policy Port Block - readonly
Files ContainerRuntime Policy Readonly Files - readonly
Registry ContainerRuntime Policy Readonly Registry - registry String
- registry
Access ContainerMonitoring Runtime Policy Registry Access Monitoring - repo
Name String - resource
Name String - resource
Type String - restricted
Volumes List<ContainerRuntime Policy Restricted Volume> - Restricted volumes configuration.
- reverse
Shell ContainerRuntime Policy Reverse Shell - runtime
Mode Integer - runtime
Type String - scope
Expression String - Logical expression of how to compute the dependency of the scope variables.
- scope
Variables List<ContainerRuntime Policy Scope Variable> - List of scope attributes.
- scopes
List<Container
Runtime Policy Scope> - Scope configuration.
- system
Integrity ContainerProtection Runtime Policy System Integrity Protection - tripwire
Container
Runtime Policy Tripwire - type String
- updated String
- version String
- vpatch
Version String - whitelisted
Os ContainerUsers Runtime Policy Whitelisted Os Users
- allowed
Executables ContainerRuntime Policy Allowed Executable[] - Allowed executables configuration.
- allowed
Registries ContainerRuntime Policy Allowed Registry[] - List of allowed registries.
- application
Scopes string[] - Indicates the application scope of the service.
- audit
All booleanNetwork Activity - If true, all network activity will be audited.
- audit
All booleanProcesses Activity - If true, all process activity will be audited.
- audit
Brute booleanForce Login - Detects brute force login attempts
- audit
Full booleanCommand Arguments - If true, full command arguments will be audited.
- auditing
Container
Runtime Policy Auditing - string
- Username of the account that created the service.
- blacklisted
Os ContainerUsers Runtime Policy Blacklisted Os Users - block
Access booleanHost Network - If true, prevent containers from running with access to host network.
- blockAddingCapabilities boolean - If true, prevent containers from running with additional capabilities added via --cap-add.
- blockContainerExec boolean - If true, exec into a container is prevented.
- block
Cryptocurrency booleanMining - Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Disallowed booleanImages - block
Fileless booleanExec - Detect and prevent running in-memory execution
- blockLowPortBinding boolean - If true, prevent containers from running with the capability to bind to a port lower than 1024.
- block
Non booleanCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- block
Non booleanK8s Containers - If true, running non-kubernetes containers is prevented.
- block
Privileged booleanContainers - If true, prevent containers from running with privileged container capability.
- block
Root booleanUser - If true, prevent containers from running with root user.
- block
Use booleanIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use booleanPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use booleanUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block
Use booleanUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blockedCapabilities string[] - Containers are prevented from using the Unix capabilities named in this list.
- blocked
Executables string[] - List of executables that are prevented from running in containers.
- blocked
Files string[] - List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound string[]Ports - List of blocked inbound ports.
- blocked
Outbound string[]Ports - List of blocked outbound ports.
- blocked
Packages string[] - Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes string[] - List of volumes that are prevented from being mounted in the containers.
- bypass
Scopes ContainerRuntime Policy Bypass Scope[] - Bypass scope configuration.
- container
Exec ContainerRuntime Policy Container Exec - container
Exec string[]Allowed Processes - List of processes that will be allowed.
- created string
- cve string
- default
Security stringProfile - description string
- The description of the container runtime policy
- digest string
- drift
Preventions ContainerRuntime Policy Drift Prevention[] - Drift prevention configuration.
- enable
Crypto booleanMining Dns - enable
Fork booleanGuard - If true, fork bombs are prevented in the containers.
- enable
Ip booleanReputation - enable
Port booleanScan Protection - enabled boolean
- Whether allowed executables configuration is enabled.
- enforce boolean
- Indicates that the policy should affect container execution, not just audit it.
- enforce
After numberDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- enforce
Scheduler numberAdded On - exclude
Application string[]Scopes - List of excluded application scopes.
- executable
Blacklists ContainerRuntime Policy Executable Blacklist[] - Executable blacklist configuration.
- failed
Kubernetes ContainerChecks Runtime Policy Failed Kubernetes Checks - file
Block ContainerRuntime Policy File Block - file
Integrity ContainerMonitoring Runtime Policy File Integrity Monitoring - Configuration for file integrity monitoring.
- fork
Guard numberProcess Limit - Process limit for the fork guard.
- image
Name string - is
Audit booleanChecked - is
Auto booleanGenerated - is
Ootb booleanPolicy - lastupdate number
- limit
Container ContainerPrivileges Runtime Policy Limit Container Privilege[] - Container privileges configuration.
- limit
New booleanPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- linux
Capabilities ContainerRuntime Policy Linux Capabilities - malware
Scan ContainerOptions Runtime Policy Malware Scan Options - Configuration for Real-Time Malware Protection.
- monitor
System booleanTime Changes - If true, system time changes will be monitored.
- name string
- Name assigned to the attribute.
- no
New booleanPrivileges - only
Registered booleanImages - package
Block ContainerRuntime Policy Package Block - permission string
- port
Block ContainerRuntime Policy Port Block - readonly
Files ContainerRuntime Policy Readonly Files - readonly
Registry ContainerRuntime Policy Readonly Registry - registry string
- registry
Access ContainerMonitoring Runtime Policy Registry Access Monitoring - repo
Name string - resource
Name string - resource
Type string - restricted
Volumes ContainerRuntime Policy Restricted Volume[] - Restricted volumes configuration.
- reverse
Shell ContainerRuntime Policy Reverse Shell - runtime
Mode number - runtime
Type string - scope
Expression string - Logical expression of how to compute the dependency of the scope variables.
- scope
Variables ContainerRuntime Policy Scope Variable[] - List of scope attributes.
- scopes
Container
Runtime Policy Scope[] - Scope configuration.
- system
Integrity ContainerProtection Runtime Policy System Integrity Protection - tripwire
Container
Runtime Policy Tripwire - type string
- updated string
- version string
- vpatch
Version string - whitelisted
Os ContainerUsers Runtime Policy Whitelisted Os Users
- allowed_
executables Sequence[ContainerRuntime Policy Allowed Executable Args] - Allowed executables configuration.
- allowed_
registries Sequence[ContainerRuntime Policy Allowed Registry Args] - List of allowed registries.
- application_
scopes Sequence[str] - Indicates the application scope of the service.
- audit_
all_ boolnetwork_ activity - If true, all network activity will be audited.
- audit_
all_ boolprocesses_ activity - If true, all process activity will be audited.
- audit_
brute_ boolforce_ login - Detects brute force login attempts
- audit_
full_ boolcommand_ arguments - If true, full command arguments will be audited.
- auditing
Container
Runtime Policy Auditing Args - str
- Username of the account that created the service.
- blacklisted_
os_ Containerusers Runtime Policy Blacklisted Os Users Args - block_
access_ boolhost_ network - If true, prevent containers from running with access to host network.
- block_adding_capabilities bool - If true, prevent containers from running with additional capabilities added via --cap-add.
- block_container_exec bool - If true, exec into a container is prevented.
- block_
cryptocurrency_ boolmining - Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block_
disallowed_ boolimages - block_
fileless_ boolexec - Detect and prevent running in-memory execution
- block_low_port_binding bool - If true, prevent containers from running with the capability to bind to a port lower than 1024.
- block_
non_ boolcompliant_ workloads - If true, running containers in non-compliant pods is prevented.
- block_
non_ boolk8s_ containers - If true, running non-kubernetes containers is prevented.
- block_
privileged_ boolcontainers - If true, prevent containers from running with privileged container capability.
- block_
root_ booluser - If true, prevent containers from running with root user.
- block_
use_ boolipc_ namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block_
use_ boolpid_ namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block_
use_ booluser_ namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block_
use_ booluts_ namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked_capabilities Sequence[str] - Containers are prevented from using the Unix capabilities named in this list.
- blocked_
executables Sequence[str] - List of executables that are prevented from running in containers.
- blocked_
files Sequence[str] - List of files that are prevented from being read, modified and executed in the containers.
- blocked_
inbound_ Sequence[str]ports - List of blocked inbound ports.
- blocked_
outbound_ Sequence[str]ports - List of blocked outbound ports.
- blocked_
packages Sequence[str] - Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked_
volumes Sequence[str] - List of volumes that are prevented from being mounted in the containers.
- bypass_
scopes Sequence[ContainerRuntime Policy Bypass Scope Args] - Bypass scope configuration.
- container_
exec ContainerRuntime Policy Container Exec Args - container_
exec_ Sequence[str]allowed_ processes - List of processes that will be allowed.
- created str
- cve str
- default_
security_ strprofile - description str
- The description of the container runtime policy
- digest str
- drift_
preventions Sequence[ContainerRuntime Policy Drift Prevention Args] - Drift prevention configuration.
- enable_
crypto_ boolmining_ dns - enable_
fork_ boolguard - If true, fork bombs are prevented in the containers.
- enable_
ip_ boolreputation - enable_
port_ boolscan_ protection - enabled bool
- Whether allowed executables configuration is enabled.
- enforce bool
- Indicates that the policy should affect container execution, not just audit it.
- enforce_
after_ intdays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- enforce_
scheduler_ intadded_ on - exclude_
application_ Sequence[str]scopes - List of excluded application scopes.
- executable_
blacklists Sequence[ContainerRuntime Policy Executable Blacklist Args] - Executable blacklist configuration.
- failed_
kubernetes_ Containerchecks Runtime Policy Failed Kubernetes Checks Args - file_
block ContainerRuntime Policy File Block Args - file_
integrity_ Containermonitoring Runtime Policy File Integrity Monitoring Args - Configuration for file integrity monitoring.
- fork_
guard_ intprocess_ limit - Process limit for the fork guard.
- image_
name str - is_
audit_ boolchecked - is_
auto_ boolgenerated - is_
ootb_ boolpolicy - lastupdate int
- limit_
container_ Sequence[Containerprivileges Runtime Policy Limit Container Privilege Args] - Container privileges configuration.
- limit_
new_ boolprivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- linux_
capabilities ContainerRuntime Policy Linux Capabilities Args - malware_
scan_ Containeroptions Runtime Policy Malware Scan Options Args - Configuration for Real-Time Malware Protection.
- monitor_
system_ booltime_ changes - If true, system time changes will be monitored.
- name str
- Name assigned to the attribute.
- no_
new_ boolprivileges - only_
registered_ boolimages - package_
block ContainerRuntime Policy Package Block Args - permission str
- port_
block ContainerRuntime Policy Port Block Args - readonly_
files ContainerRuntime Policy Readonly Files Args - readonly_
registry ContainerRuntime Policy Readonly Registry Args - registry str
- registry_
access_ Containermonitoring Runtime Policy Registry Access Monitoring Args - repo_
name str - resource_
name str - resource_
type str - restricted_
volumes Sequence[ContainerRuntime Policy Restricted Volume Args] - Restricted volumes configuration.
- reverse_
shell ContainerRuntime Policy Reverse Shell Args - runtime_
mode int - runtime_
type str - scope_
expression str - Logical expression of how to compute the dependency of the scope variables.
- scope_
variables Sequence[ContainerRuntime Policy Scope Variable Args] - List of scope attributes.
- scopes
Sequence[Container
Runtime Policy Scope Args] - Scope configuration.
- system_
integrity_ Containerprotection Runtime Policy System Integrity Protection Args - tripwire
Container
Runtime Policy Tripwire Args - type str
- updated str
- version str
- vpatch_
version str - whitelisted_
os_ Containerusers Runtime Policy Whitelisted Os Users Args
- allowed
Executables List<Property Map> - Allowed executables configuration.
- allowed
Registries List<Property Map> - List of allowed registries.
- application
Scopes List<String> - Indicates the application scope of the service.
- audit
All BooleanNetwork Activity - If true, all network activity will be audited.
- audit
All BooleanProcesses Activity - If true, all process activity will be audited.
- audit
Brute BooleanForce Login - Detects brute force login attempts
- audit
Full BooleanCommand Arguments - If true, full command arguments will be audited.
- auditing Property Map
- String
- Username of the account that created the service.
- blacklisted
Os Property MapUsers - block
Access BooleanHost Network - If true, prevent containers from running with access to host network.
- blockAddingCapabilities Boolean - If true, prevent containers from running with additional capabilities added via --cap-add.
- blockContainerExec Boolean - If true, exec into a container is prevented.
- block
Cryptocurrency BooleanMining - Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Disallowed BooleanImages - block
Fileless BooleanExec - Detect and prevent running in-memory execution
- blockLowPortBinding Boolean - If true, prevent containers from running with the capability to bind to a port lower than 1024.
- block
Non BooleanCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- block
Non BooleanK8s Containers - If true, running non-kubernetes containers is prevented.
- block
Privileged BooleanContainers - If true, prevent containers from running with privileged container capability.
- block
Root BooleanUser - If true, prevent containers from running with root user.
- block
Use BooleanIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use BooleanPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use BooleanUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block
Use BooleanUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blockedCapabilities List<String> - Containers are prevented from using the Unix capabilities named in this list.
- blocked
Executables List<String> - List of executables that are prevented from running in containers.
- blocked
Files List<String> - List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound List<String>Ports - List of blocked inbound ports.
- blocked
Outbound List<String>Ports - List of blocked outbound ports.
- blocked
Packages List<String> - Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes List<String> - List of volumes that are prevented from being mounted in the containers.
- bypass
Scopes List<Property Map> - Bypass scope configuration.
- container
Exec Property Map - container
Exec List<String>Allowed Processes - List of processes that will be allowed.
- created String
- cve String
- default
Security StringProfile - description String
- The description of the container runtime policy
- digest String
- drift
Preventions List<Property Map> - Drift prevention configuration.
- enable
Crypto BooleanMining Dns - enable
Fork BooleanGuard - If true, fork bombs are prevented in the containers.
- enable
Ip BooleanReputation - enable
Port BooleanScan Protection - enabled Boolean
- Whether allowed executables configuration is enabled.
- enforce Boolean
- Indicates that the policy should affect container execution, not just audit it.
- enforce
After NumberDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- enforce
Scheduler NumberAdded On - exclude
Application List<String>Scopes - List of excluded application scopes.
- executable
Blacklists List<Property Map> - Executable blacklist configuration.
- failed
Kubernetes Property MapChecks - file
Block Property Map - file
Integrity Property MapMonitoring - Configuration for file integrity monitoring.
- fork
Guard NumberProcess Limit - Process limit for the fork guard.
- image
Name String - is
Audit BooleanChecked - is
Auto BooleanGenerated - is
Ootb BooleanPolicy - lastupdate Number
- limit
Container List<Property Map>Privileges - Container privileges configuration.
- limit
New BooleanPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- linux
Capabilities Property Map - malware
Scan Property MapOptions - Configuration for Real-Time Malware Protection.
- monitor
System BooleanTime Changes - If true, system time changes will be monitored.
- name String
- Name assigned to the attribute.
- no
New BooleanPrivileges - only
Registered BooleanImages - package
Block Property Map - permission String
- port
Block Property Map - readonly
Files Property Map - readonly
Registry Property Map - registry String
- registry
Access Property MapMonitoring - repo
Name String - resource
Name String - resource
Type String - restricted
Volumes List<Property Map> - Restricted volumes configuration.
- reverse
Shell Property Map - runtime
Mode Number - runtime
Type String - scope
Expression String - Logical expression of how to compute the dependency of the scope variables.
- scope
Variables List<Property Map> - List of scope attributes.
- scopes List<Property Map>
- Scope configuration.
- system
Integrity Property MapProtection - tripwire Property Map
- type String
- updated String
- version String
- vpatch
Version String - whitelisted
Os Property MapUsers
Outputs
All input properties are implicitly available as output properties. Additionally, the ContainerRuntimePolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ContainerRuntimePolicy Resource
Get an existing ContainerRuntimePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ContainerRuntimePolicyState, opts?: CustomResourceOptions): ContainerRuntimePolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_executables: Optional[Sequence[ContainerRuntimePolicyAllowedExecutableArgs]] = None,
allowed_registries: Optional[Sequence[ContainerRuntimePolicyAllowedRegistryArgs]] = None,
application_scopes: Optional[Sequence[str]] = None,
audit_all_network_activity: Optional[bool] = None,
audit_all_processes_activity: Optional[bool] = None,
audit_brute_force_login: Optional[bool] = None,
audit_full_command_arguments: Optional[bool] = None,
auditing: Optional[ContainerRuntimePolicyAuditingArgs] = None,
author: Optional[str] = None,
blacklisted_os_users: Optional[ContainerRuntimePolicyBlacklistedOsUsersArgs] = None,
block_access_host_network: Optional[bool] = None,
block_adding_capabilities: Optional[bool] = None,
block_container_exec: Optional[bool] = None,
block_cryptocurrency_mining: Optional[bool] = None,
block_disallowed_images: Optional[bool] = None,
block_fileless_exec: Optional[bool] = None,
block_low_port_binding: Optional[bool] = None,
block_non_compliant_workloads: Optional[bool] = None,
block_non_k8s_containers: Optional[bool] = None,
block_privileged_containers: Optional[bool] = None,
block_root_user: Optional[bool] = None,
block_use_ipc_namespace: Optional[bool] = None,
block_use_pid_namespace: Optional[bool] = None,
block_use_user_namespace: Optional[bool] = None,
block_use_uts_namespace: Optional[bool] = None,
blocked_capabilities: Optional[Sequence[str]] = None,
blocked_executables: Optional[Sequence[str]] = None,
blocked_files: Optional[Sequence[str]] = None,
blocked_inbound_ports: Optional[Sequence[str]] = None,
blocked_outbound_ports: Optional[Sequence[str]] = None,
blocked_packages: Optional[Sequence[str]] = None,
blocked_volumes: Optional[Sequence[str]] = None,
bypass_scopes: Optional[Sequence[ContainerRuntimePolicyBypassScopeArgs]] = None,
container_exec: Optional[ContainerRuntimePolicyContainerExecArgs] = None,
container_exec_allowed_processes: Optional[Sequence[str]] = None,
created: Optional[str] = None,
cve: Optional[str] = None,
default_security_profile: Optional[str] = None,
description: Optional[str] = None,
digest: Optional[str] = None,
drift_preventions: Optional[Sequence[ContainerRuntimePolicyDriftPreventionArgs]] = None,
enable_crypto_mining_dns: Optional[bool] = None,
enable_fork_guard: Optional[bool] = None,
enable_ip_reputation: Optional[bool] = None,
enable_port_scan_protection: Optional[bool] = None,
enabled: Optional[bool] = None,
enforce: Optional[bool] = None,
enforce_after_days: Optional[int] = None,
enforce_scheduler_added_on: Optional[int] = None,
exclude_application_scopes: Optional[Sequence[str]] = None,
executable_blacklists: Optional[Sequence[ContainerRuntimePolicyExecutableBlacklistArgs]] = None,
failed_kubernetes_checks: Optional[ContainerRuntimePolicyFailedKubernetesChecksArgs] = None,
file_block: Optional[ContainerRuntimePolicyFileBlockArgs] = None,
file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
fork_guard_process_limit: Optional[int] = None,
image_name: Optional[str] = None,
is_audit_checked: Optional[bool] = None,
is_auto_generated: Optional[bool] = None,
is_ootb_policy: Optional[bool] = None,
lastupdate: Optional[int] = None,
limit_container_privileges: Optional[Sequence[ContainerRuntimePolicyLimitContainerPrivilegeArgs]] = None,
limit_new_privileges: Optional[bool] = None,
linux_capabilities: Optional[ContainerRuntimePolicyLinuxCapabilitiesArgs] = None,
malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
monitor_system_time_changes: Optional[bool] = None,
name: Optional[str] = None,
no_new_privileges: Optional[bool] = None,
only_registered_images: Optional[bool] = None,
package_block: Optional[ContainerRuntimePolicyPackageBlockArgs] = None,
permission: Optional[str] = None,
port_block: Optional[ContainerRuntimePolicyPortBlockArgs] = None,
readonly_files: Optional[ContainerRuntimePolicyReadonlyFilesArgs] = None,
readonly_registry: Optional[ContainerRuntimePolicyReadonlyRegistryArgs] = None,
registry: Optional[str] = None,
registry_access_monitoring: Optional[ContainerRuntimePolicyRegistryAccessMonitoringArgs] = None,
repo_name: Optional[str] = None,
resource_name: Optional[str] = None,
resource_type: Optional[str] = None,
restricted_volumes: Optional[Sequence[ContainerRuntimePolicyRestrictedVolumeArgs]] = None,
reverse_shell: Optional[ContainerRuntimePolicyReverseShellArgs] = None,
runtime_mode: Optional[int] = None,
runtime_type: Optional[str] = None,
scope_expression: Optional[str] = None,
scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None,
scopes: Optional[Sequence[ContainerRuntimePolicyScopeArgs]] = None,
system_integrity_protection: Optional[ContainerRuntimePolicySystemIntegrityProtectionArgs] = None,
tripwire: Optional[ContainerRuntimePolicyTripwireArgs] = None,
type: Optional[str] = None,
updated: Optional[str] = None,
version: Optional[str] = None,
vpatch_version: Optional[str] = None,
whitelisted_os_users: Optional[ContainerRuntimePolicyWhitelistedOsUsersArgs] = None) -> ContainerRuntimePolicy
func GetContainerRuntimePolicy(ctx *Context, name string, id IDInput, state *ContainerRuntimePolicyState, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
public static ContainerRuntimePolicy Get(string name, Input<string> id, ContainerRuntimePolicyState? state, CustomResourceOptions? opts = null)
public static ContainerRuntimePolicy get(String name, Output<String> id, ContainerRuntimePolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allowed
Executables List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Allowed Executable> - Allowed executables configuration.
- Allowed
Registries List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Allowed Registry> - List of allowed registries.
- Application
Scopes List<string> - Indicates the application scope of the service.
- Audit
All boolNetwork Activity - If true, all network activity will be audited.
- Audit
All boolProcesses Activity - If true, all process activity will be audited.
- Audit
Brute Force Login bool - Detects brute force login attempts.
- Audit
Full boolCommand Arguments - If true, full command arguments will be audited.
- Auditing
Pulumiverse.
Aquasec. Inputs. Container Runtime Policy Auditing - string
- Username of the account that created the service.
- Blacklisted
Os Pulumiverse.Users Aquasec. Inputs. Container Runtime Policy Blacklisted Os Users - Block
Access boolHost Network - If true, prevent containers from running with access to host network.
- Block
Adding Capabilities bool - If true, prevent containers from running with capabilities added via the `--cap-add` privilege.
- Block
Container boolExec - If true, exec into a container is prevented.
- Block
Cryptocurrency Mining bool - Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- Block
Disallowed boolImages - Block
Fileless Exec bool - Detect and prevent in-memory (fileless) execution.
- Block
Low Port Binding bool - If true, prevent containers from running with the capability to bind to ports lower than 1024.
- Block
Non boolCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- Block
Non boolK8s Containers - If true, running non-kubernetes containers is prevented.
- Block
Privileged boolContainers - If true, prevent containers from running with privileged container capability.
- Block
Root boolUser - If true, prevent containers from running with root user.
- Block
Use boolIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- Block
Use boolPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- Block
Use boolUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- Block
Use boolUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- Blocked
Capabilities List<string> - Prevents containers from using the listed Unix capabilities.
- Blocked
Executables List<string> - List of executables that are prevented from running in containers.
- Blocked
Files List<string> - List of files that are prevented from being read, modified and executed in the containers.
- Blocked
Inbound List<string>Ports - List of blocked inbound ports.
- Blocked
Outbound List<string>Ports - List of blocked outbound ports.
- Blocked
Packages List<string> - Prevent containers from reading, writing, or executing all files in the list of packages.
- Blocked
Volumes List<string> - List of volumes that are prevented from being mounted in the containers.
- Bypass
Scopes List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Bypass Scope> - Bypass scope configuration.
- Container
Exec Pulumiverse.Aquasec. Inputs. Container Runtime Policy Container Exec - Container
Exec List<string>Allowed Processes - List of processes that will be allowed.
- Created string
- Cve string
- Default
Security stringProfile - Description string
- The description of the container runtime policy
- Digest string
- Drift
Preventions List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Drift Prevention> - Drift prevention configuration.
- Enable
Crypto boolMining Dns - Enable
Fork boolGuard - If true, fork bombs are prevented in the containers.
- Enable
Ip boolReputation - Enable
Port boolScan Protection - Enabled bool
- Whether allowed executables configuration is enabled.
- Enforce bool
- Indicates that the policy should affect container execution (not just audit it).
- Enforce
After intDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- Enforce
Scheduler intAdded On - Exclude
Application List<string>Scopes - List of excluded application scopes.
- Executable
Blacklists List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Executable Blacklist> - Executable blacklist configuration.
- Failed
Kubernetes Pulumiverse.Checks Aquasec. Inputs. Container Runtime Policy Failed Kubernetes Checks - File
Block Pulumiverse.Aquasec. Inputs. Container Runtime Policy File Block - File
Integrity Pulumiverse.Monitoring Aquasec. Inputs. Container Runtime Policy File Integrity Monitoring - Configuration for file integrity monitoring.
- Fork
Guard intProcess Limit - Process limit for the fork guard.
- Image
Name string - Is
Audit boolChecked - Is
Auto boolGenerated - Is
Ootb boolPolicy - Lastupdate int
- Limit
Container List<Pulumiverse.Privileges Aquasec. Inputs. Container Runtime Policy Limit Container Privilege> - Container privileges configuration.
- Limit
New boolPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- Linux
Capabilities Pulumiverse.Aquasec. Inputs. Container Runtime Policy Linux Capabilities - Malware
Scan Pulumiverse.Options Aquasec. Inputs. Container Runtime Policy Malware Scan Options - Configuration for Real-Time Malware Protection.
- Monitor
System boolTime Changes - If true, system time changes will be monitored.
- Name string
- Name assigned to the attribute.
- No
New boolPrivileges - Only
Registered boolImages - Package
Block Pulumiverse.Aquasec. Inputs. Container Runtime Policy Package Block - Permission string
- Port
Block Pulumiverse.Aquasec. Inputs. Container Runtime Policy Port Block - Readonly
Files Pulumiverse.Aquasec. Inputs. Container Runtime Policy Readonly Files - Readonly
Registry Pulumiverse.Aquasec. Inputs. Container Runtime Policy Readonly Registry - Registry string
- Registry
Access Pulumiverse.Monitoring Aquasec. Inputs. Container Runtime Policy Registry Access Monitoring - Repo
Name string - Resource
Name string - Resource
Type string - Restricted
Volumes List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Restricted Volume> - Restricted volumes configuration.
- Reverse
Shell Pulumiverse.Aquasec. Inputs. Container Runtime Policy Reverse Shell - Runtime
Mode int - Runtime
Type string - Scope
Expression string - Logical expression of how to compute the dependency of the scope variables.
- Scope
Variables List<Pulumiverse.Aquasec. Inputs. Container Runtime Policy Scope Variable> - List of scope attributes.
- Scopes
List<Pulumiverse.
Aquasec. Inputs. Container Runtime Policy Scope> - Scope configuration.
- System
Integrity Pulumiverse.Protection Aquasec. Inputs. Container Runtime Policy System Integrity Protection - Tripwire
Pulumiverse.
Aquasec. Inputs. Container Runtime Policy Tripwire - Type string
- Updated string
- Version string
- Vpatch
Version string - Whitelisted
Os Pulumiverse.Users Aquasec. Inputs. Container Runtime Policy Whitelisted Os Users
- Allowed
Executables []ContainerRuntime Policy Allowed Executable Args - Allowed executables configuration.
- Allowed
Registries []ContainerRuntime Policy Allowed Registry Args - List of allowed registries.
- Application
Scopes []string - Indicates the application scope of the service.
- Audit
All boolNetwork Activity - If true, all network activity will be audited.
- Audit
All boolProcesses Activity - If true, all process activity will be audited.
- Audit
Brute Force Login bool - Detects brute force login attempts.
- Audit
Full boolCommand Arguments - If true, full command arguments will be audited.
- Auditing
Container
Runtime Policy Auditing Args - string
- Username of the account that created the service.
- Blacklisted
Os ContainerUsers Runtime Policy Blacklisted Os Users Args - Block
Access boolHost Network - If true, prevent containers from running with access to host network.
- Block
Adding Capabilities bool - If true, prevent containers from running with capabilities added via the `--cap-add` privilege.
- Block
Container boolExec - If true, exec into a container is prevented.
- Block
Cryptocurrency Mining bool - Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- Block
Disallowed boolImages - Block
Fileless Exec bool - Detect and prevent in-memory (fileless) execution.
- Block
Low Port Binding bool - If true, prevent containers from running with the capability to bind to ports lower than 1024.
- Block
Non boolCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- Block
Non boolK8s Containers - If true, running non-kubernetes containers is prevented.
- Block
Privileged boolContainers - If true, prevent containers from running with privileged container capability.
- Block
Root boolUser - If true, prevent containers from running with root user.
- Block
Use boolIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- Block
Use boolPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- Block
Use boolUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- Block
Use boolUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- Blocked
Capabilities []string - Prevents containers from using the listed Unix capabilities.
- Blocked
Executables []string - List of executables that are prevented from running in containers.
- Blocked
Files []string - List of files that are prevented from being read, modified and executed in the containers.
- Blocked
Inbound []stringPorts - List of blocked inbound ports.
- Blocked
Outbound []stringPorts - List of blocked outbound ports.
- Blocked
Packages []string - Prevent containers from reading, writing, or executing all files in the list of packages.
- Blocked
Volumes []string - List of volumes that are prevented from being mounted in the containers.
- Bypass
Scopes []ContainerRuntime Policy Bypass Scope Args - Bypass scope configuration.
- Container
Exec ContainerRuntime Policy Container Exec Args - Container
Exec []stringAllowed Processes - List of processes that will be allowed.
- Created string
- Cve string
- Default
Security stringProfile - Description string
- The description of the container runtime policy
- Digest string
- Drift
Preventions []ContainerRuntime Policy Drift Prevention Args - Drift prevention configuration.
- Enable
Crypto boolMining Dns - Enable
Fork boolGuard - If true, fork bombs are prevented in the containers.
- Enable
Ip boolReputation - Enable
Port boolScan Protection - Enabled bool
- Whether allowed executables configuration is enabled.
- Enforce bool
- Indicates that the policy should affect container execution (not just audit it).
- Enforce
After intDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- Enforce
Scheduler intAdded On - Exclude
Application []stringScopes - List of excluded application scopes.
- Executable
Blacklists []ContainerRuntime Policy Executable Blacklist Args - Executable blacklist configuration.
- Failed
Kubernetes ContainerChecks Runtime Policy Failed Kubernetes Checks Args - File
Block ContainerRuntime Policy File Block Args - File
Integrity ContainerMonitoring Runtime Policy File Integrity Monitoring Args - Configuration for file integrity monitoring.
- Fork
Guard intProcess Limit - Process limit for the fork guard.
- Image
Name string - Is
Audit boolChecked - Is
Auto boolGenerated - Is
Ootb boolPolicy - Lastupdate int
- Limit
Container []ContainerPrivileges Runtime Policy Limit Container Privilege Args - Container privileges configuration.
- Limit
New boolPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- Linux
Capabilities ContainerRuntime Policy Linux Capabilities Args - Malware
Scan ContainerOptions Runtime Policy Malware Scan Options Args - Configuration for Real-Time Malware Protection.
- Monitor
System boolTime Changes - If true, system time changes will be monitored.
- Name string
- Name assigned to the attribute.
- No
New boolPrivileges - Only
Registered boolImages - Package
Block ContainerRuntime Policy Package Block Args - Permission string
- Port
Block ContainerRuntime Policy Port Block Args - Readonly
Files ContainerRuntime Policy Readonly Files Args - Readonly
Registry ContainerRuntime Policy Readonly Registry Args - Registry string
- Registry
Access ContainerMonitoring Runtime Policy Registry Access Monitoring Args - Repo
Name string - Resource
Name string - Resource
Type string - Restricted
Volumes []ContainerRuntime Policy Restricted Volume Args - Restricted volumes configuration.
- Reverse
Shell ContainerRuntime Policy Reverse Shell Args - Runtime
Mode int - Runtime
Type string - Scope
Expression string - Logical expression of how to compute the dependency of the scope variables.
- Scope
Variables []ContainerRuntime Policy Scope Variable Args - List of scope attributes.
- Scopes
[]Container
Runtime Policy Scope Args - Scope configuration.
- System
Integrity ContainerProtection Runtime Policy System Integrity Protection Args - Tripwire
Container
Runtime Policy Tripwire Args - Type string
- Updated string
- Version string
- Vpatch
Version string - Whitelisted
Os ContainerUsers Runtime Policy Whitelisted Os Users Args
- allowed
Executables List<ContainerRuntime Policy Allowed Executable> - Allowed executables configuration.
- allowed
Registries List<ContainerRuntime Policy Allowed Registry> - List of allowed registries.
- application
Scopes List<String> - Indicates the application scope of the service.
- audit
All BooleanNetwork Activity - If true, all network activity will be audited.
- audit
All BooleanProcesses Activity - If true, all process activity will be audited.
- audit
Brute Force Login Boolean - Detects brute force login attempts.
- audit
Full BooleanCommand Arguments - If true, full command arguments will be audited.
- auditing
Container
Runtime Policy Auditing - String
- Username of the account that created the service.
- blacklisted
Os ContainerUsers Runtime Policy Blacklisted Os Users - block
Access BooleanHost Network - If true, prevent containers from running with access to host network.
- block
Adding Capabilities Boolean - If true, prevent containers from running with capabilities added via the `--cap-add` privilege.
- block
Container BooleanExec - If true, exec into a container is prevented.
- block
Cryptocurrency Mining Boolean - Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- block
Disallowed BooleanImages - block
Fileless Exec Boolean - Detect and prevent in-memory (fileless) execution.
- block
Low Port Binding Boolean - If true, prevent containers from running with the capability to bind to ports lower than 1024.
- block
Non BooleanCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- block
Non BooleanK8s Containers - If true, running non-kubernetes containers is prevented.
- block
Privileged BooleanContainers - If true, prevent containers from running with privileged container capability.
- block
Root BooleanUser - If true, prevent containers from running with root user.
- block
Use BooleanIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use BooleanPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use BooleanUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block
Use BooleanUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked
Capabilities List<String> - Prevents containers from using the listed Unix capabilities.
- blocked
Executables List<String> - List of executables that are prevented from running in containers.
- blocked
Files List<String> - List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound List<String>Ports - List of blocked inbound ports.
- blocked
Outbound List<String>Ports - List of blocked outbound ports.
- blocked
Packages List<String> - Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes List<String> - List of volumes that are prevented from being mounted in the containers.
- bypass
Scopes List<ContainerRuntime Policy Bypass Scope> - Bypass scope configuration.
- container
Exec ContainerRuntime Policy Container Exec - container
Exec List<String>Allowed Processes - List of processes that will be allowed.
- created String
- cve String
- default
Security StringProfile - description String
- The description of the container runtime policy
- digest String
- drift
Preventions List<ContainerRuntime Policy Drift Prevention> - Drift prevention configuration.
- enable
Crypto BooleanMining Dns - enable
Fork BooleanGuard - If true, fork bombs are prevented in the containers.
- enable
Ip BooleanReputation - enable
Port BooleanScan Protection - enabled Boolean
- Whether allowed executables configuration is enabled.
- enforce Boolean
- Indicates that the policy should affect container execution (not just audit it).
- enforce
After IntegerDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- enforce
Scheduler IntegerAdded On - exclude
Application List<String>Scopes - List of excluded application scopes.
- executable
Blacklists List<ContainerRuntime Policy Executable Blacklist> - Executable blacklist configuration.
- failed
Kubernetes ContainerChecks Runtime Policy Failed Kubernetes Checks - file
Block ContainerRuntime Policy File Block - file
Integrity ContainerMonitoring Runtime Policy File Integrity Monitoring - Configuration for file integrity monitoring.
- fork
Guard IntegerProcess Limit - Process limit for the fork guard.
- image
Name String - is
Audit BooleanChecked - is
Auto BooleanGenerated - is
Ootb BooleanPolicy - lastupdate Integer
- limit
Container List<ContainerPrivileges Runtime Policy Limit Container Privilege> - Container privileges configuration.
- limit
New BooleanPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- linux
Capabilities ContainerRuntime Policy Linux Capabilities - malware
Scan ContainerOptions Runtime Policy Malware Scan Options - Configuration for Real-Time Malware Protection.
- monitor
System BooleanTime Changes - If true, system time changes will be monitored.
- name String
- Name assigned to the attribute.
- no
New BooleanPrivileges - only
Registered BooleanImages - package
Block ContainerRuntime Policy Package Block - permission String
- port
Block ContainerRuntime Policy Port Block - readonly
Files ContainerRuntime Policy Readonly Files - readonly
Registry ContainerRuntime Policy Readonly Registry - registry String
- registry
Access ContainerMonitoring Runtime Policy Registry Access Monitoring - repo
Name String - resource
Name String - resource
Type String - restricted
Volumes List<ContainerRuntime Policy Restricted Volume> - Restricted volumes configuration.
- reverse
Shell ContainerRuntime Policy Reverse Shell - runtime
Mode Integer - runtime
Type String - scope
Expression String - Logical expression of how to compute the dependency of the scope variables.
- scope
Variables List<ContainerRuntime Policy Scope Variable> - List of scope attributes.
- scopes
List<Container
Runtime Policy Scope> - Scope configuration.
- system
Integrity ContainerProtection Runtime Policy System Integrity Protection - tripwire
Container
Runtime Policy Tripwire - type String
- updated String
- version String
- vpatch
Version String - whitelisted
Os ContainerUsers Runtime Policy Whitelisted Os Users
- allowed
Executables ContainerRuntime Policy Allowed Executable[] - Allowed executables configuration.
- allowed
Registries ContainerRuntime Policy Allowed Registry[] - List of allowed registries.
- application
Scopes string[] - Indicates the application scope of the service.
- audit
All booleanNetwork Activity - If true, all network activity will be audited.
- audit
All booleanProcesses Activity - If true, all process activity will be audited.
- audit
Brute Force Login boolean - Detects brute force login attempts.
- audit
Full booleanCommand Arguments - If true, full command arguments will be audited.
- auditing
Container
Runtime Policy Auditing - string
- Username of the account that created the service.
- blacklisted
Os ContainerUsers Runtime Policy Blacklisted Os Users - block
Access booleanHost Network - If true, prevent containers from running with access to host network.
- block
Adding Capabilities boolean - If true, prevent containers from running with capabilities added via the `--cap-add` privilege.
- block
Container booleanExec - If true, exec into a container is prevented.
- block
Cryptocurrency Mining boolean - Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- block
Disallowed booleanImages - block
Fileless Exec boolean - Detect and prevent in-memory (fileless) execution.
- block
Low Port Binding boolean - If true, prevent containers from running with the capability to bind to ports lower than 1024.
- block
Non booleanCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- block
Non booleanK8s Containers - If true, running non-kubernetes containers is prevented.
- block
Privileged booleanContainers - If true, prevent containers from running with privileged container capability.
- block
Root booleanUser - If true, prevent containers from running with root user.
- block
Use booleanIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use booleanPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use booleanUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block
Use booleanUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked
Capabilities string[] - Prevents containers from using the listed Unix capabilities.
- blocked
Executables string[] - List of executables that are prevented from running in containers.
- blocked
Files string[] - List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound string[]Ports - List of blocked inbound ports.
- blocked
Outbound string[]Ports - List of blocked outbound ports.
- blocked
Packages string[] - Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes string[] - List of volumes that are prevented from being mounted in the containers.
- bypass
Scopes ContainerRuntime Policy Bypass Scope[] - Bypass scope configuration.
- container
Exec ContainerRuntime Policy Container Exec - container
Exec string[]Allowed Processes - List of processes that will be allowed.
- created string
- cve string
- default
Security stringProfile - description string
- The description of the container runtime policy
- digest string
- drift
Preventions ContainerRuntime Policy Drift Prevention[] - Drift prevention configuration.
- enable
Crypto booleanMining Dns - enable
Fork booleanGuard - If true, fork bombs are prevented in the containers.
- enable
Ip booleanReputation - enable
Port booleanScan Protection - enabled boolean
- Whether allowed executables configuration is enabled.
- enforce boolean
- Indicates that the policy should affect container execution (not just audit it).
- enforce
After numberDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- enforce
Scheduler numberAdded On - exclude
Application string[]Scopes - List of excluded application scopes.
- executable
Blacklists ContainerRuntime Policy Executable Blacklist[] - Executable blacklist configuration.
- failed
Kubernetes ContainerChecks Runtime Policy Failed Kubernetes Checks - file
Block ContainerRuntime Policy File Block - file
Integrity ContainerMonitoring Runtime Policy File Integrity Monitoring - Configuration for file integrity monitoring.
- fork
Guard numberProcess Limit - Process limit for the fork guard.
- image
Name string - is
Audit booleanChecked - is
Auto booleanGenerated - is
Ootb booleanPolicy - lastupdate number
- limit
Container ContainerPrivileges Runtime Policy Limit Container Privilege[] - Container privileges configuration.
- limit
New booleanPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- linux
Capabilities ContainerRuntime Policy Linux Capabilities - malware
Scan ContainerOptions Runtime Policy Malware Scan Options - Configuration for Real-Time Malware Protection.
- monitor
System booleanTime Changes - If true, system time changes will be monitored.
- name string
- Name assigned to the attribute.
- no
New booleanPrivileges - only
Registered booleanImages - package
Block ContainerRuntime Policy Package Block - permission string
- port
Block ContainerRuntime Policy Port Block - readonly
Files ContainerRuntime Policy Readonly Files - readonly
Registry ContainerRuntime Policy Readonly Registry - registry string
- registry
Access ContainerMonitoring Runtime Policy Registry Access Monitoring - repo
Name string - resource
Name string - resource
Type string - restricted
Volumes ContainerRuntime Policy Restricted Volume[] - Restricted volumes configuration.
- reverse
Shell ContainerRuntime Policy Reverse Shell - runtime
Mode number - runtime
Type string - scope
Expression string - Logical expression of how to compute the dependency of the scope variables.
- scope
Variables ContainerRuntime Policy Scope Variable[] - List of scope attributes.
- scopes
Container
Runtime Policy Scope[] - Scope configuration.
- system
Integrity ContainerProtection Runtime Policy System Integrity Protection - tripwire
Container
Runtime Policy Tripwire - type string
- updated string
- version string
- vpatch
Version string - whitelisted
Os ContainerUsers Runtime Policy Whitelisted Os Users
- allowed_
executables Sequence[ContainerRuntime Policy Allowed Executable Args] - Allowed executables configuration.
- allowed_
registries Sequence[ContainerRuntime Policy Allowed Registry Args] - List of allowed registries.
- application_
scopes Sequence[str] - Indicates the application scope of the service.
- audit_
all_ boolnetwork_ activity - If true, all network activity will be audited.
- audit_
all_ boolprocesses_ activity - If true, all process activity will be audited.
- audit_
brute_ boolforce_ login - Detects brute force login attempts
- audit_
full_ boolcommand_ arguments - If true, full command arguments will be audited.
- auditing
Container
Runtime Policy Auditing Args - str
- Username of the account that created the service.
- blacklisted_
os_ Containerusers Runtime Policy Blacklisted Os Users Args - block_
access_ boolhost_ network - If true, prevent containers from running with access to host network.
- block_
adding_ boolcapabilities - If true, prevents containers from running with capabilities added via the --cap-add privilege. - block_
container_ boolexec - If true, exec into a container is prevented.
- block_
cryptocurrency_ boolmining - Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block_
disallowed_ boolimages - block_
fileless_ boolexec - Detects and prevents fileless (in-memory) execution.
- block_
low_ boolport_ binding - If true, prevents containers from running with the capability to bind to ports lower than 1024.
- block_
non_ boolcompliant_ workloads - If true, running containers in non-compliant pods is prevented.
- block_
non_ boolk8s_ containers - If true, running non-kubernetes containers is prevented.
- block_
privileged_ boolcontainers - If true, prevent containers from running with privileged container capability.
- block_
root_ booluser - If true, prevent containers from running with root user.
- block_
use_ boolipc_ namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block_
use_ boolpid_ namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block_
use_ booluser_ namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block_
use_ booluts_ namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked_
capabilities Sequence[str] - If set, prevents containers from using the listed Unix capabilities.
- blocked_
executables Sequence[str] - List of executables that are prevented from running in containers.
- blocked_
files Sequence[str] - List of files that are prevented from being read, modified and executed in the containers.
- blocked_
inbound_ Sequence[str]ports - List of blocked inbound ports.
- blocked_
outbound_ Sequence[str]ports - List of blocked outbound ports.
- blocked_
packages Sequence[str] - Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked_
volumes Sequence[str] - List of volumes that are prevented from being mounted in the containers.
- bypass_
scopes Sequence[ContainerRuntime Policy Bypass Scope Args] - Bypass scope configuration.
- container_
exec ContainerRuntime Policy Container Exec Args - container_
exec_ Sequence[str]allowed_ processes - List of processes that will be allowed.
- created str
- cve str
- default_
security_ strprofile - description str
- The description of the container runtime policy
- digest str
- drift_
preventions Sequence[ContainerRuntime Policy Drift Prevention Args] - Drift prevention configuration.
- enable_
crypto_ boolmining_ dns - enable_
fork_ boolguard - If true, fork bombs are prevented in the containers.
- enable_
ip_ boolreputation - enable_
port_ boolscan_ protection - enabled bool
- Whether allowed executables configuration is enabled.
- enforce bool
- Indicates that the policy should affect container execution (enforce mode), not just audit it.
- enforce_
after_ intdays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- enforce_
scheduler_ intadded_ on - exclude_
application_ Sequence[str]scopes - List of excluded application scopes.
- executable_
blacklists Sequence[ContainerRuntime Policy Executable Blacklist Args] - Executable blacklist configuration.
- failed_
kubernetes_ Containerchecks Runtime Policy Failed Kubernetes Checks Args - file_
block ContainerRuntime Policy File Block Args - file_
integrity_ Containermonitoring Runtime Policy File Integrity Monitoring Args - Configuration for file integrity monitoring.
- fork_
guard_ intprocess_ limit - Process limit for the fork guard.
- image_
name str - is_
audit_ boolchecked - is_
auto_ boolgenerated - is_
ootb_ boolpolicy - lastupdate int
- limit_
container_ Sequence[Containerprivileges Runtime Policy Limit Container Privilege Args] - Container privileges configuration.
- limit_
new_ boolprivileges - If true, prevents the container from obtaining new privileges at runtime. (Only takes effect in enforce mode.)
- linux_
capabilities ContainerRuntime Policy Linux Capabilities Args - malware_
scan_ Containeroptions Runtime Policy Malware Scan Options Args - Configuration for Real-Time Malware Protection.
- monitor_
system_ booltime_ changes - If true, system time changes will be monitored.
- name str
- Name assigned to the attribute.
- no_
new_ boolprivileges - only_
registered_ boolimages - package_
block ContainerRuntime Policy Package Block Args - permission str
- port_
block ContainerRuntime Policy Port Block Args - readonly_
files ContainerRuntime Policy Readonly Files Args - readonly_
registry ContainerRuntime Policy Readonly Registry Args - registry str
- registry_
access_ Containermonitoring Runtime Policy Registry Access Monitoring Args - repo_
name str - resource_
name str - resource_
type str - restricted_
volumes Sequence[ContainerRuntime Policy Restricted Volume Args] - Restricted volumes configuration.
- reverse_
shell ContainerRuntime Policy Reverse Shell Args - runtime_
mode int - runtime_
type str - scope_
expression str - Logical expression of how to compute the dependency of the scope variables.
- scope_
variables Sequence[ContainerRuntime Policy Scope Variable Args] - List of scope attributes.
- scopes
Sequence[Container
Runtime Policy Scope Args] - Scope configuration.
- system_
integrity_ Containerprotection Runtime Policy System Integrity Protection Args - tripwire
Container
Runtime Policy Tripwire Args - type str
- updated str
- version str
- vpatch_
version str - whitelisted_
os_ Containerusers Runtime Policy Whitelisted Os Users Args
- allowed
Executables List<Property Map> - Allowed executables configuration.
- allowed
Registries List<Property Map> - List of allowed registries.
- application
Scopes List<String> - Indicates the application scope of the service.
- audit
All BooleanNetwork Activity - If true, all network activity will be audited.
- audit
All BooleanProcesses Activity - If true, all process activity will be audited.
- audit
Brute BooleanForce Login - Detects brute force login attempts
- audit
Full BooleanCommand Arguments - If true, full command arguments will be audited.
- auditing Property Map
- String
- Username of the account that created the service.
- blacklisted
Os Property MapUsers - block
Access BooleanHost Network - If true, prevent containers from running with access to host network.
- block
Adding BooleanCapabilities - If true, prevents containers from running with capabilities added via the --cap-add privilege. - block
Container BooleanExec - If true, exec into a container is prevented.
- block
Cryptocurrency BooleanMining - Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Disallowed BooleanImages - block
Fileless BooleanExec - Detects and prevents fileless (in-memory) execution.
- block
Low BooleanPort Binding - If true, prevents containers from running with the capability to bind to ports lower than 1024.
- block
Non BooleanCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- block
Non BooleanK8s Containers - If true, running non-kubernetes containers is prevented.
- block
Privileged BooleanContainers - If true, prevent containers from running with privileged container capability.
- block
Root BooleanUser - If true, prevent containers from running with root user.
- block
Use BooleanIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use BooleanPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use BooleanUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block
Use BooleanUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked
Capabilities List<String> - If set, prevents containers from using the listed Unix capabilities.
- blocked
Executables List<String> - List of executables that are prevented from running in containers.
- blocked
Files List<String> - List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound List<String>Ports - List of blocked inbound ports.
- blocked
Outbound List<String>Ports - List of blocked outbound ports.
- blocked
Packages List<String> - Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes List<String> - List of volumes that are prevented from being mounted in the containers.
- bypass
Scopes List<Property Map> - Bypass scope configuration.
- container
Exec Property Map - container
Exec List<String>Allowed Processes - List of processes that will be allowed.
- created String
- cve String
- default
Security StringProfile - description String
- The description of the container runtime policy
- digest String
- drift
Preventions List<Property Map> - Drift prevention configuration.
- enable
Crypto BooleanMining Dns - enable
Fork BooleanGuard - If true, fork bombs are prevented in the containers.
- enable
Ip BooleanReputation - enable
Port BooleanScan Protection - enabled Boolean
- Whether allowed executables configuration is enabled.
- enforce Boolean
- Indicates that the policy should affect container execution (enforce mode), not just audit it.
- enforce
After NumberDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- enforce
Scheduler NumberAdded On - exclude
Application List<String>Scopes - List of excluded application scopes.
- executable
Blacklists List<Property Map> - Executable blacklist configuration.
- failed
Kubernetes Property MapChecks - file
Block Property Map - file
Integrity Property MapMonitoring - Configuration for file integrity monitoring.
- fork
Guard NumberProcess Limit - Process limit for the fork guard.
- image
Name String - is
Audit BooleanChecked - is
Auto BooleanGenerated - is
Ootb BooleanPolicy - lastupdate Number
- limit
Container List<Property Map>Privileges - Container privileges configuration.
- limit
New BooleanPrivileges - If true, prevents the container from obtaining new privileges at runtime. (Only takes effect in enforce mode.)
- linux
Capabilities Property Map - malware
Scan Property MapOptions - Configuration for Real-Time Malware Protection.
- monitor
System BooleanTime Changes - If true, system time changes will be monitored.
- name String
- Name assigned to the attribute.
- no
New BooleanPrivileges - only
Registered BooleanImages - package
Block Property Map - permission String
- port
Block Property Map - readonly
Files Property Map - readonly
Registry Property Map - registry String
- registry
Access Property MapMonitoring - repo
Name String - resource
Name String - resource
Type String - restricted
Volumes List<Property Map> - Restricted volumes configuration.
- reverse
Shell Property Map - runtime
Mode Number - runtime
Type String - scope
Expression String - Logical expression of how to compute the dependency of the scope variables.
- scope
Variables List<Property Map> - List of scope attributes.
- scopes List<Property Map>
- Scope configuration.
- system
Integrity Property MapProtection - tripwire Property Map
- type String
- updated String
- version String
- vpatch
Version String - whitelisted
Os Property MapUsers
Supporting Types
ContainerRuntimePolicyAllowedExecutable, ContainerRuntimePolicyAllowedExecutableArgs
- Allow
Executables List<string> - List of allowed executables.
- Allow
Root List<string>Executables - List of allowed root executables.
- Enabled bool
- Whether allowed executables configuration is enabled.
- Separate
Executables bool - Whether to treat executables separately.
- Allow
Executables []string - List of allowed executables.
- Allow
Root []stringExecutables - List of allowed root executables.
- Enabled bool
- Whether allowed executables configuration is enabled.
- Separate
Executables bool - Whether to treat executables separately.
- allow
Executables List<String> - List of allowed executables.
- allow
Root List<String>Executables - List of allowed root executables.
- enabled Boolean
- Whether allowed executables configuration is enabled.
- separate
Executables Boolean - Whether to treat executables separately.
- allow
Executables string[] - List of allowed executables.
- allow
Root string[]Executables - List of allowed root executables.
- enabled boolean
- Whether allowed executables configuration is enabled.
- separate
Executables boolean - Whether to treat executables separately.
- allow_
executables Sequence[str] - List of allowed executables.
- allow_
root_ Sequence[str]executables - List of allowed root executables.
- enabled bool
- Whether allowed executables configuration is enabled.
- separate_
executables bool - Whether to treat executables separately.
- allow
Executables List<String> - List of allowed executables.
- allow
Root List<String>Executables - List of allowed root executables.
- enabled Boolean
- Whether allowed executables configuration is enabled.
- separate
Executables Boolean - Whether to treat executables separately.
ContainerRuntimePolicyAllowedRegistry, ContainerRuntimePolicyAllowedRegistryArgs
- Allowed
Registries List<string> - List of allowed registries.
- Enabled bool
- Whether allowed registries are enabled.
- Allowed
Registries []string - List of allowed registries.
- Enabled bool
- Whether allowed registries are enabled.
- allowed
Registries List<String> - List of allowed registries.
- enabled Boolean
- Whether allowed registries are enabled.
- allowed
Registries string[] - List of allowed registries.
- enabled boolean
- Whether allowed registries are enabled.
- allowed_
registries Sequence[str] - List of allowed registries.
- enabled bool
- Whether allowed registries are enabled.
- allowed
Registries List<String> - List of allowed registries.
- enabled Boolean
- Whether allowed registries are enabled.
ContainerRuntimePolicyAuditing, ContainerRuntimePolicyAuditingArgs
- Audit
All boolNetwork - Audit
All boolProcesses - Audit
Failed boolLogin - Audit
Os boolUser Activity - Audit
Process boolCmdline - Audit
Success boolLogin - Audit
User boolAccount Management - Enabled bool
- Audit
All boolNetwork - Audit
All boolProcesses - Audit
Failed boolLogin - Audit
Os boolUser Activity - Audit
Process boolCmdline - Audit
Success boolLogin - Audit
User boolAccount Management - Enabled bool
- audit
All BooleanNetwork - audit
All BooleanProcesses - audit
Failed BooleanLogin - audit
Os BooleanUser Activity - audit
Process BooleanCmdline - audit
Success BooleanLogin - audit
User BooleanAccount Management - enabled Boolean
- audit
All booleanNetwork - audit
All booleanProcesses - audit
Failed booleanLogin - audit
Os booleanUser Activity - audit
Process booleanCmdline - audit
Success booleanLogin - audit
User booleanAccount Management - enabled boolean
- audit_
all_ boolnetwork - audit_
all_ boolprocesses - audit_
failed_ boollogin - audit_
os_ booluser_ activity - audit_
process_ boolcmdline - audit_
success_ boollogin - audit_
user_ boolaccount_ management - enabled bool
- audit
All BooleanNetwork - audit
All BooleanProcesses - audit
Failed BooleanLogin - audit
Os BooleanUser Activity - audit
Process BooleanCmdline - audit
Success BooleanLogin - audit
User BooleanAccount Management - enabled Boolean
ContainerRuntimePolicyBlacklistedOsUsers, ContainerRuntimePolicyBlacklistedOsUsersArgs
- Enabled bool
- Group
Black List<string>Lists - User
Black List<string>Lists
- Enabled bool
- Group
Black []stringLists - User
Black []stringLists
- enabled Boolean
- group
Black List<String>Lists - user
Black List<String>Lists
- enabled boolean
- group
Black string[]Lists - user
Black string[]Lists
- enabled bool
- group_
black_ Sequence[str]lists - user_
black_ Sequence[str]lists
- enabled Boolean
- group
Black List<String>Lists - user
Black List<String>Lists
ContainerRuntimePolicyBypassScope, ContainerRuntimePolicyBypassScopeArgs
- Enabled bool
- Whether bypassing the scope is enabled.
- Scopes
List<Pulumiverse.
Aquasec. Inputs. Container Runtime Policy Bypass Scope Scope> - Scope configuration.
- Enabled bool
- Whether bypassing the scope is enabled.
- Scopes
[]Container
Runtime Policy Bypass Scope Scope - Scope configuration.
- enabled Boolean
- Whether bypassing the scope is enabled.
- scopes
List<Container
Runtime Policy Bypass Scope Scope> - Scope configuration.
- enabled boolean
- Whether bypassing the scope is enabled.
- scopes
Container
Runtime Policy Bypass Scope Scope[] - Scope configuration.
- enabled bool
- Whether bypassing the scope is enabled.
- scopes
Sequence[Container
Runtime Policy Bypass Scope Scope] - Scope configuration.
- enabled Boolean
- Whether bypassing the scope is enabled.
- scopes List<Property Map>
- Scope configuration.
ContainerRuntimePolicyBypassScopeScope, ContainerRuntimePolicyBypassScopeScopeArgs
- Expression string
- Scope expression.
- Variables
List<Pulumiverse.
Aquasec. Inputs. Container Runtime Policy Bypass Scope Scope Variable> - List of variables in the scope.
- Expression string
- Scope expression.
- Variables
[]Container
Runtime Policy Bypass Scope Scope Variable - List of variables in the scope.
- expression String
- Scope expression.
- variables
List<Container
Runtime Policy Bypass Scope Scope Variable> - List of variables in the scope.
- expression string
- Scope expression.
- variables
Container
Runtime Policy Bypass Scope Scope Variable[] - List of variables in the scope.
- expression str
- Scope expression.
- variables
Sequence[Container
Runtime Policy Bypass Scope Scope Variable] - List of variables in the scope.
- expression String
- Scope expression.
- variables List<Property Map>
- List of variables in the scope.
ContainerRuntimePolicyBypassScopeScopeVariable, ContainerRuntimePolicyBypassScopeScopeVariableArgs
ContainerRuntimePolicyContainerExec, ContainerRuntimePolicyContainerExecArgs
- Block
Container boolExec - Container
Exec List<string>Proc White Lists - Enabled bool
- Reverse
Shell List<string>Ip White Lists
- Block
Container boolExec - Container
Exec []stringProc White Lists - Enabled bool
- Reverse
Shell []stringIp White Lists
- block
Container BooleanExec - container
Exec List<String>Proc White Lists - enabled Boolean
- reverse
Shell List<String>Ip White Lists
- block
Container booleanExec - container
Exec string[]Proc White Lists - enabled boolean
- reverse
Shell string[]Ip White Lists
- block_
container_ boolexec - container_
exec_ Sequence[str]proc_ white_ lists - enabled bool
- reverse_
shell_ Sequence[str]ip_ white_ lists
- block
Container BooleanExec - container
Exec List<String>Proc White Lists - enabled Boolean
- reverse
Shell List<String>Ip White Lists
ContainerRuntimePolicyDriftPrevention, ContainerRuntimePolicyDriftPreventionArgs
- Enabled bool
- Whether drift prevention is enabled.
- Exec
Lockdown bool - Whether to lockdown execution drift.
- Exec
Lockdown List<string>White Lists - List of items in the execution lockdown white list.
- Image
Lockdown bool - Whether to lockdown image drift.
- Enabled bool
- Whether drift prevention is enabled.
- Exec
Lockdown bool - Whether to lockdown execution drift.
- Exec
Lockdown []stringWhite Lists - List of items in the execution lockdown white list.
- Image
Lockdown bool - Whether to lockdown image drift.
- enabled Boolean
- Whether drift prevention is enabled.
- exec
Lockdown Boolean - Whether to lockdown execution drift.
- exec
Lockdown List<String>White Lists - List of items in the execution lockdown white list.
- image
Lockdown Boolean - Whether to lockdown image drift.
- enabled boolean
- Whether drift prevention is enabled.
- exec
Lockdown boolean - Whether to lockdown execution drift.
- exec
Lockdown string[]White Lists - List of items in the execution lockdown white list.
- image
Lockdown boolean - Whether to lockdown image drift.
- enabled bool
- Whether drift prevention is enabled.
- exec_
lockdown bool - Whether to lockdown execution drift.
- exec_
lockdown_ Sequence[str]white_ lists - List of items in the execution lockdown white list.
- image_
lockdown bool - Whether to lockdown image drift.
- enabled Boolean
- Whether drift prevention is enabled.
- exec
Lockdown Boolean - Whether to lockdown execution drift.
- exec
Lockdown List<String>White Lists - List of items in the execution lockdown white list.
- image
Lockdown Boolean - Whether to lockdown image drift.
ContainerRuntimePolicyExecutableBlacklist, ContainerRuntimePolicyExecutableBlacklistArgs
- Enabled bool
- Whether the executable blacklist is enabled.
- Executables List<string>
- List of blacklisted executables.
- Enabled bool
- Whether the executable blacklist is enabled.
- Executables []string
- List of blacklisted executables.
- enabled Boolean
- Whether the executable blacklist is enabled.
- executables List<String>
- List of blacklisted executables.
- enabled boolean
- Whether the executable blacklist is enabled.
- executables string[]
- List of blacklisted executables.
- enabled bool
- Whether the executable blacklist is enabled.
- executables Sequence[str]
- List of blacklisted executables.
- enabled Boolean
- Whether the executable blacklist is enabled.
- executables List<String>
- List of blacklisted executables.
ContainerRuntimePolicyFailedKubernetesChecks, ContainerRuntimePolicyFailedKubernetesChecksArgs
- Enabled bool
- Failed
Checks List<string>
- Enabled bool
- Failed
Checks []string
- enabled Boolean
- failed
Checks List<String>
- enabled boolean
- failed
Checks string[]
- enabled bool
- failed_
checks Sequence[str]
- enabled Boolean
- failed
Checks List<String>
ContainerRuntimePolicyFileBlock, ContainerRuntimePolicyFileBlockArgs
- Block
Files List<string>Processes - Block
Files List<string>Users - Enabled bool
- Exceptional
Block List<string>Files - Exceptional
Block List<string>Files Processes - Exceptional
Block List<string>Files Users - Filename
Block List<string>Lists
- Block
Files []stringProcesses - Block
Files []stringUsers - Enabled bool
- Exceptional
Block []stringFiles - Exceptional
Block []stringFiles Processes - Exceptional
Block []stringFiles Users - Filename
Block []stringLists
- block
Files List<String>Processes - block
Files List<String>Users - enabled Boolean
- exceptional
Block List<String>Files - exceptional
Block List<String>Files Processes - exceptional
Block List<String>Files Users - filename
Block List<String>Lists
- block
Files string[]Processes - block
Files string[]Users - enabled boolean
- exceptional
Block string[]Files - exceptional
Block string[]Files Processes - exceptional
Block string[]Files Users - filename
Block string[]Lists
- block_
files_ Sequence[str]processes - block_
files_ Sequence[str]users - enabled bool
- exceptional_
block_ Sequence[str]files - exceptional_
block_ Sequence[str]files_ processes - exceptional_
block_ Sequence[str]files_ users - filename_
block_ Sequence[str]lists
- block
Files List<String>Processes - block
Files List<String>Users - enabled Boolean
- exceptional
Block List<String>Files - exceptional
Block List<String>Files Processes - exceptional
Block List<String>Files Users - filename
Block List<String>Lists
ContainerRuntimePolicyFileIntegrityMonitoring, ContainerRuntimePolicyFileIntegrityMonitoringArgs
- Enabled bool
- If true, file integrity monitoring is enabled.
- Exceptional
Monitored List<string>Files - List of paths to be excluded from monitoring.
- Exceptional
Monitored List<string>Files Processes - List of processes to be excluded from monitoring.
- Exceptional
Monitored List<string>Files Users - List of users to be excluded from monitoring.
- Monitored
Files List<string> - List of paths to be monitored.
- Monitored
Files boolAttributes - Whether to monitor file attribute operations.
- Monitored
Files boolCreate - Whether to monitor file create operations.
- Monitored
Files boolDelete - Whether to monitor file delete operations.
- Monitored
Files boolModify - Whether to monitor file modify operations.
- Monitored
Files List<string>Processes - List of processes associated with monitored files.
- Monitored
Files boolRead - Whether to monitor file read operations.
- Monitored
Files List<string>Users - List of users associated with monitored files.
- Enabled bool
- If true, file integrity monitoring is enabled.
- Exceptional
Monitored []stringFiles - List of paths to be excluded from monitoring.
- Exceptional
Monitored []stringFiles Processes - List of processes to be excluded from monitoring.
- Exceptional
Monitored []stringFiles Users - List of users to be excluded from monitoring.
- Monitored
Files []string - List of paths to be monitored.
- Monitored
Files boolAttributes - Whether to monitor file attribute operations.
- Monitored
Files boolCreate - Whether to monitor file create operations.
- Monitored
Files boolDelete - Whether to monitor file delete operations.
- Monitored
Files boolModify - Whether to monitor file modify operations.
- Monitored
Files []stringProcesses - List of processes associated with monitored files.
- Monitored
Files boolRead - Whether to monitor file read operations.
- Monitored
Files []stringUsers - List of users associated with monitored files.
- enabled Boolean
- If true, file integrity monitoring is enabled.
- exceptional
Monitored List<String>Files - List of paths to be excluded from monitoring.
- exceptional
Monitored List<String>Files Processes - List of processes to be excluded from monitoring.
- exceptional
Monitored List<String>Files Users - List of users to be excluded from monitoring.
- monitored
Files List<String> - List of paths to be monitored.
- monitored
Files BooleanAttributes - Whether to monitor file attribute operations.
- monitored
Files BooleanCreate - Whether to monitor file create operations.
- monitored
Files BooleanDelete - Whether to monitor file delete operations.
- monitored
Files BooleanModify - Whether to monitor file modify operations.
- monitored
Files List<String>Processes - List of processes associated with monitored files.
- monitored
Files BooleanRead - Whether to monitor file read operations.
- monitored
Files List<String>Users - List of users associated with monitored files.
- enabled boolean
- If true, file integrity monitoring is enabled.
- exceptional
Monitored string[]Files - List of paths to be excluded from monitoring.
- exceptional
Monitored string[]Files Processes - List of processes to be excluded from monitoring.
- exceptional
Monitored string[]Files Users - List of users to be excluded from monitoring.
- monitored
Files string[] - List of paths to be monitored.
- monitored
Files booleanAttributes - Whether to monitor file attribute operations.
- monitored
Files booleanCreate - Whether to monitor file create operations.
- monitored
Files booleanDelete - Whether to monitor file delete operations.
- monitored
Files booleanModify - Whether to monitor file modify operations.
- monitored
Files string[]Processes - List of processes associated with monitored files.
- monitored
Files booleanRead - Whether to monitor file read operations.
- monitored
Files string[]Users - List of users associated with monitored files.
- enabled bool
- If true, file integrity monitoring is enabled.
- exceptional_
monitored_ Sequence[str]files - List of paths to be excluded from monitoring.
- exceptional_
monitored_ Sequence[str]files_ processes - List of processes to be excluded from monitoring.
- exceptional_
monitored_ Sequence[str]files_ users - List of users to be excluded from monitoring.
- monitored_
files Sequence[str] - List of paths to be monitored.
- monitored_
files_ boolattributes - Whether to monitor file attribute operations.
- monitored_
files_ boolcreate - Whether to monitor file create operations.
- monitored_
files_ booldelete - Whether to monitor file delete operations.
- monitored_
files_ boolmodify - Whether to monitor file modify operations.
- monitored_
files_ Sequence[str]processes - List of processes associated with monitored files.
- monitored_
files_ boolread - Whether to monitor file read operations.
- monitored_
files_ Sequence[str]users - List of users associated with monitored files.
- enabled Boolean
- If true, file integrity monitoring is enabled.
- exceptional
Monitored List<String>Files - List of paths to be excluded from monitoring.
- exceptional
Monitored List<String>Files Processes - List of processes to be excluded from monitoring.
- exceptional
Monitored List<String>Files Users - List of users to be excluded from monitoring.
- monitored
Files List<String> - List of paths to be monitored.
- monitored
Files BooleanAttributes - Whether to monitor file attribute operations.
- monitored
Files BooleanCreate - Whether to monitor file create operations.
- monitored
Files BooleanDelete - Whether to monitor file delete operations.
- monitored
Files BooleanModify - Whether to monitor file modify operations.
- monitored
Files List<String>Processes - List of processes associated with monitored files.
- monitored
Files BooleanRead - Whether to monitor file read operations.
- monitored
Files List<String>Users - List of users associated with monitored files.
ContainerRuntimePolicyLimitContainerPrivilege, ContainerRuntimePolicyLimitContainerPrivilegeArgs
- Block
Add boolCapabilities - Whether to block adding capabilities.
- Enabled bool
- Whether container privilege limitations are enabled.
- Ipcmode bool
- Whether to limit IPC-related capabilities.
- Netmode bool
- Whether to limit network-related capabilities.
- Pidmode bool
- Whether to limit process-related capabilities.
- Prevent
Low boolPort Binding - Whether to prevent low port binding.
- Prevent
Root boolUser - Whether to prevent the use of the root user.
- Privileged bool
- Whether the container is run in privileged mode.
- Use
Host boolUser - Whether to use the host user.
- Usermode bool
- Whether to limit user-related capabilities.
- Utsmode bool
- Whether to limit UTS-related capabilities.
- Block
Add boolCapabilities - Whether to block adding capabilities.
- Enabled bool
- Whether container privilege limitations are enabled.
- Ipcmode bool
- Whether to limit IPC-related capabilities.
- Netmode bool
- Whether to limit network-related capabilities.
- Pidmode bool
- Whether to limit process-related capabilities.
- Prevent
Low boolPort Binding - Whether to prevent low port binding.
- Prevent
Root boolUser - Whether to prevent the use of the root user.
- Privileged bool
- Whether to restrict containers that run in privileged mode. Like the sibling flags in this block this reads as a limitation, not a grant — confirm the direction (true = restrict) against the provider schema before relying on it.
- Use Host User bool
- Whether to restrict use of the host user. Same caveat as `Privileged`: treat it as a limitation flag and verify its exact semantics against the provider schema.
- Usermode bool
- Whether to limit user-related capabilities.
- Utsmode bool
- Whether to limit UTS-related capabilities.
- block
Add BooleanCapabilities - Whether to block adding capabilities.
- enabled Boolean
- Whether container privilege limitations are enabled.
- ipcmode Boolean
- Whether to limit IPC-related capabilities.
- netmode Boolean
- Whether to limit network-related capabilities.
- pidmode Boolean
- Whether to limit process-related capabilities.
- prevent
Low BooleanPort Binding - Whether to prevent low port binding.
- prevent
Root BooleanUser - Whether to prevent the use of the root user.
- privileged Boolean
- Whether to restrict containers that run in privileged mode. Like the sibling flags in this block this reads as a limitation, not a grant — confirm the direction (true = restrict) against the provider schema before relying on it.
- use Host User Boolean
- Whether to restrict use of the host user. Same caveat as `privileged`: treat it as a limitation flag and verify its exact semantics against the provider schema.
- usermode Boolean
- Whether to limit user-related capabilities.
- utsmode Boolean
- Whether to limit UTS-related capabilities.
- block
Add booleanCapabilities - Whether to block adding capabilities.
- enabled boolean
- Whether container privilege limitations are enabled.
- ipcmode boolean
- Whether to limit IPC-related capabilities.
- netmode boolean
- Whether to limit network-related capabilities.
- pidmode boolean
- Whether to limit process-related capabilities.
- prevent
Low booleanPort Binding - Whether to prevent low port binding.
- prevent
Root booleanUser - Whether to prevent the use of the root user.
- privileged boolean
- Whether to restrict containers that run in privileged mode. Like the sibling flags in this block this reads as a limitation, not a grant — confirm the direction (true = restrict) against the provider schema before relying on it.
- use Host User boolean
- Whether to restrict use of the host user. Same caveat as `privileged`: treat it as a limitation flag and verify its exact semantics against the provider schema.
- usermode boolean
- Whether to limit user-related capabilities.
- utsmode boolean
- Whether to limit UTS-related capabilities.
- block_
add_ boolcapabilities - Whether to block adding capabilities.
- enabled bool
- Whether container privilege limitations are enabled.
- ipcmode bool
- Whether to limit IPC-related capabilities.
- netmode bool
- Whether to limit network-related capabilities.
- pidmode bool
- Whether to limit process-related capabilities.
- prevent_
low_ boolport_ binding - Whether to prevent low port binding.
- prevent_
root_ booluser - Whether to prevent the use of the root user.
- privileged bool
- Whether to restrict containers that run in privileged mode. Like the sibling flags in this block this reads as a limitation, not a grant — confirm the direction (true = restrict) against the provider schema before relying on it.
- use_host_user bool
- Whether to restrict use of the host user. Same caveat as `privileged`: treat it as a limitation flag and verify its exact semantics against the provider schema.
- usermode bool
- Whether to limit user-related capabilities.
- utsmode bool
- Whether to limit UTS-related capabilities.
- block
Add BooleanCapabilities - Whether to block adding capabilities.
- enabled Boolean
- Whether container privilege limitations are enabled.
- ipcmode Boolean
- Whether to limit IPC-related capabilities.
- netmode Boolean
- Whether to limit network-related capabilities.
- pidmode Boolean
- Whether to limit process-related capabilities.
- prevent
Low BooleanPort Binding - Whether to prevent low port binding.
- prevent
Root BooleanUser - Whether to prevent the use of the root user.
- privileged Boolean
- Whether to restrict containers that run in privileged mode. Like the sibling flags in this block this reads as a limitation, not a grant — confirm the direction (true = restrict) against the provider schema before relying on it.
- use Host User Boolean
- Whether to restrict use of the host user. Same caveat as `privileged`: treat it as a limitation flag and verify its exact semantics against the provider schema.
- usermode Boolean
- Whether to limit user-related capabilities.
- utsmode Boolean
- Whether to limit UTS-related capabilities.
ContainerRuntimePolicyLinuxCapabilities, ContainerRuntimePolicyLinuxCapabilitiesArgs
- Enabled bool
- Remove
Linux List<string>Capabilities
- Enabled bool
- Remove
Linux []stringCapabilities
- enabled Boolean
- remove
Linux List<String>Capabilities
- enabled boolean
- remove
Linux string[]Capabilities
- enabled bool
- remove_
linux_ Sequence[str]capabilities
- enabled Boolean
- remove
Linux List<String>Capabilities
ContainerRuntimePolicyMalwareScanOptions, ContainerRuntimePolicyMalwareScanOptionsArgs
- Action string
- Action taken when malware is detected. Defaults to 'Alert' when empty, i.e. detections are only reported, not blocked; choose an explicit blocking action (from the values the provider accepts) if the policy is meant to prevent rather than observe.
- Enabled bool
- Whether malware scanning is enabled.
- Exclude Directories List<string> - List of directory paths to be excluded from malware scanning. Anything listed here is unprotected, so keep exclusions minimal and reviewed.
- Exclude Processes List<string> - List of processes to be excluded from malware scanning.
- Include Directories List<string> - List of directory paths to be included in malware scanning.
- Action string
- Action taken when malware is detected. Defaults to 'Alert' when empty, i.e. detections are only reported, not blocked; choose an explicit blocking action (from the values the provider accepts) if the policy is meant to prevent rather than observe.
- Enabled bool
- Whether malware scanning is enabled.
- Exclude Directories []string - List of directory paths to be excluded from malware scanning. Anything listed here is unprotected, so keep exclusions minimal and reviewed.
- Exclude Processes []string - List of processes to be excluded from malware scanning.
- Include Directories []string - List of directory paths to be included in malware scanning.
- action String
- Action taken when malware is detected. Defaults to 'Alert' when empty, i.e. detections are only reported, not blocked; choose an explicit blocking action (from the values the provider accepts) if the policy is meant to prevent rather than observe.
- enabled Boolean
- Whether malware scanning is enabled.
- exclude Directories List<String> - List of directory paths to be excluded from malware scanning. Anything listed here is unprotected, so keep exclusions minimal and reviewed.
- exclude Processes List<String> - List of processes to be excluded from malware scanning.
- include Directories List<String> - List of directory paths to be included in malware scanning.
- action string
- Action taken when malware is detected. Defaults to 'Alert' when empty, i.e. detections are only reported, not blocked; choose an explicit blocking action (from the values the provider accepts) if the policy is meant to prevent rather than observe.
- enabled boolean
- Whether malware scanning is enabled.
- exclude Directories string[] - List of directory paths to be excluded from malware scanning. Anything listed here is unprotected, so keep exclusions minimal and reviewed.
- exclude Processes string[] - List of processes to be excluded from malware scanning.
- include Directories string[] - List of directory paths to be included in malware scanning.
- action str
- Action taken when malware is detected. Defaults to 'Alert' when empty, i.e. detections are only reported, not blocked; choose an explicit blocking action (from the values the provider accepts) if the policy is meant to prevent rather than observe.
- enabled bool
- Whether malware scanning is enabled.
- exclude_directories Sequence[str] - List of directory paths to be excluded from malware scanning. Anything listed here is unprotected, so keep exclusions minimal and reviewed.
- exclude_processes Sequence[str] - List of processes to be excluded from malware scanning.
- include_directories Sequence[str] - List of directory paths to be included in malware scanning.
- action String
- Action taken when malware is detected. Defaults to 'Alert' when empty, i.e. detections are only reported, not blocked; choose an explicit blocking action (from the values the provider accepts) if the policy is meant to prevent rather than observe.
- enabled Boolean
- Whether malware scanning is enabled.
- exclude Directories List<String> - List of directory paths to be excluded from malware scanning. Anything listed here is unprotected, so keep exclusions minimal and reviewed.
- exclude Processes List<String> - List of processes to be excluded from malware scanning.
- include Directories List<String> - List of directory paths to be included in malware scanning.
ContainerRuntimePolicyPackageBlock, ContainerRuntimePolicyPackageBlockArgs
- Block
Packages List<string>Processes - Block
Packages List<string>Users - Enabled bool
- Exceptional
Block List<string>Packages Files - Exceptional
Block List<string>Packages Processes - Exceptional
Block List<string>Packages Users - Packages
Black List<string>Lists
- Block
Packages []stringProcesses - Block
Packages []stringUsers - Enabled bool
- Exceptional
Block []stringPackages Files - Exceptional
Block []stringPackages Processes - Exceptional
Block []stringPackages Users - Packages
Black []stringLists
- block
Packages List<String>Processes - block
Packages List<String>Users - enabled Boolean
- exceptional
Block List<String>Packages Files - exceptional
Block List<String>Packages Processes - exceptional
Block List<String>Packages Users - packages
Black List<String>Lists
- block
Packages string[]Processes - block
Packages string[]Users - enabled boolean
- exceptional
Block string[]Packages Files - exceptional
Block string[]Packages Processes - exceptional
Block string[]Packages Users - packages
Black string[]Lists
- block_
packages_ Sequence[str]processes - block_
packages_ Sequence[str]users - enabled bool
- exceptional_
block_ Sequence[str]packages_ files - exceptional_
block_ Sequence[str]packages_ processes - exceptional_
block_ Sequence[str]packages_ users - packages_
black_ Sequence[str]lists
- block
Packages List<String>Processes - block
Packages List<String>Users - enabled Boolean
- exceptional
Block List<String>Packages Files - exceptional
Block List<String>Packages Processes - exceptional
Block List<String>Packages Users - packages
Black List<String>Lists
ContainerRuntimePolicyPortBlock, ContainerRuntimePolicyPortBlockArgs
- Block
Inbound List<string>Ports - Block
Outbound List<string>Ports - Enabled bool
- Block
Inbound []stringPorts - Block
Outbound []stringPorts - Enabled bool
- block
Inbound List<String>Ports - block
Outbound List<String>Ports - enabled Boolean
- block
Inbound string[]Ports - block
Outbound string[]Ports - enabled boolean
- block_
inbound_ Sequence[str]ports - block_
outbound_ Sequence[str]ports - enabled bool
- block
Inbound List<String>Ports - block
Outbound List<String>Ports - enabled Boolean
ContainerRuntimePolicyReadonlyFiles, ContainerRuntimePolicyReadonlyFilesArgs
- Enabled bool
- Exceptional
Readonly List<string>Files - Exceptional
Readonly List<string>Files Processes - Exceptional
Readonly List<string>Files Users - Readonly
Files List<string> - Readonly
Files List<string>Processes - Readonly
Files List<string>Users
- Enabled bool
- Exceptional
Readonly []stringFiles - Exceptional
Readonly []stringFiles Processes - Exceptional
Readonly []stringFiles Users - Readonly
Files []string - Readonly
Files []stringProcesses - Readonly
Files []stringUsers
- enabled Boolean
- exceptional
Readonly List<String>Files - exceptional
Readonly List<String>Files Processes - exceptional
Readonly List<String>Files Users - readonly
Files List<String> - readonly
Files List<String>Processes - readonly
Files List<String>Users
- enabled boolean
- exceptional
Readonly string[]Files - exceptional
Readonly string[]Files Processes - exceptional
Readonly string[]Files Users - readonly
Files string[] - readonly
Files string[]Processes - readonly
Files string[]Users
- enabled bool
- exceptional_
readonly_ Sequence[str]files - exceptional_
readonly_ Sequence[str]files_ processes - exceptional_
readonly_ Sequence[str]files_ users - readonly_
files Sequence[str] - readonly_
files_ Sequence[str]processes - readonly_
files_ Sequence[str]users
- enabled Boolean
- exceptional
Readonly List<String>Files - exceptional
Readonly List<String>Files Processes - exceptional
Readonly List<String>Files Users - readonly
Files List<String> - readonly
Files List<String>Processes - readonly
Files List<String>Users
ContainerRuntimePolicyReadonlyRegistry, ContainerRuntimePolicyReadonlyRegistryArgs
- Enabled bool
- Exceptional
Readonly List<string>Registry Paths - Exceptional
Readonly List<string>Registry Processes - Exceptional
Readonly List<string>Registry Users - Readonly
Registry List<string>Paths - Readonly
Registry List<string>Processes - Readonly
Registry List<string>Users
- Enabled bool
- Exceptional
Readonly []stringRegistry Paths - Exceptional
Readonly []stringRegistry Processes - Exceptional
Readonly []stringRegistry Users - Readonly
Registry []stringPaths - Readonly
Registry []stringProcesses - Readonly
Registry []stringUsers
- enabled Boolean
- exceptional
Readonly List<String>Registry Paths - exceptional
Readonly List<String>Registry Processes - exceptional
Readonly List<String>Registry Users - readonly
Registry List<String>Paths - readonly
Registry List<String>Processes - readonly
Registry List<String>Users
- enabled boolean
- exceptional
Readonly string[]Registry Paths - exceptional
Readonly string[]Registry Processes - exceptional
Readonly string[]Registry Users - readonly
Registry string[]Paths - readonly
Registry string[]Processes - readonly
Registry string[]Users
- enabled bool
- exceptional_
readonly_ Sequence[str]registry_ paths - exceptional_
readonly_ Sequence[str]registry_ processes - exceptional_
readonly_ Sequence[str]registry_ users - readonly_
registry_ Sequence[str]paths - readonly_
registry_ Sequence[str]processes - readonly_
registry_ Sequence[str]users
- enabled Boolean
- exceptional
Readonly List<String>Registry Paths - exceptional
Readonly List<String>Registry Processes - exceptional
Readonly List<String>Registry Users - readonly
Registry List<String>Paths - readonly
Registry List<String>Processes - readonly
Registry List<String>Users
ContainerRuntimePolicyRegistryAccessMonitoring, ContainerRuntimePolicyRegistryAccessMonitoringArgs
- Enabled bool
- Exceptional
Monitored List<string>Registry Paths - Exceptional
Monitored List<string>Registry Processes - Exceptional
Monitored List<string>Registry Users - Monitored
Registry boolAttributes - Monitored
Registry boolCreate - Monitored
Registry boolDelete - Monitored
Registry boolModify - Monitored
Registry List<string>Paths - Monitored
Registry List<string>Processes - Monitored
Registry boolRead - Monitored
Registry List<string>Users
- Enabled bool
- Exceptional
Monitored []stringRegistry Paths - Exceptional
Monitored []stringRegistry Processes - Exceptional
Monitored []stringRegistry Users - Monitored
Registry boolAttributes - Monitored
Registry boolCreate - Monitored
Registry boolDelete - Monitored
Registry boolModify - Monitored
Registry []stringPaths - Monitored
Registry []stringProcesses - Monitored
Registry boolRead - Monitored
Registry []stringUsers
- enabled Boolean
- exceptional
Monitored List<String>Registry Paths - exceptional
Monitored List<String>Registry Processes - exceptional
Monitored List<String>Registry Users - monitored
Registry BooleanAttributes - monitored
Registry BooleanCreate - monitored
Registry BooleanDelete - monitored
Registry BooleanModify - monitored
Registry List<String>Paths - monitored
Registry List<String>Processes - monitored
Registry BooleanRead - monitored
Registry List<String>Users
- enabled boolean
- exceptional
Monitored string[]Registry Paths - exceptional
Monitored string[]Registry Processes - exceptional
Monitored string[]Registry Users - monitored
Registry booleanAttributes - monitored
Registry booleanCreate - monitored
Registry booleanDelete - monitored
Registry booleanModify - monitored
Registry string[]Paths - monitored
Registry string[]Processes - monitored
Registry booleanRead - monitored
Registry string[]Users
- enabled bool
- exceptional_
monitored_ Sequence[str]registry_ paths - exceptional_
monitored_ Sequence[str]registry_ processes - exceptional_
monitored_ Sequence[str]registry_ users - monitored_
registry_ boolattributes - monitored_
registry_ boolcreate - monitored_
registry_ booldelete - monitored_
registry_ boolmodify - monitored_
registry_ Sequence[str]paths - monitored_
registry_ Sequence[str]processes - monitored_
registry_ boolread - monitored_
registry_ Sequence[str]users
- enabled Boolean
- exceptional
Monitored List<String>Registry Paths - exceptional
Monitored List<String>Registry Processes - exceptional
Monitored List<String>Registry Users - monitored
Registry BooleanAttributes - monitored
Registry BooleanCreate - monitored
Registry BooleanDelete - monitored
Registry BooleanModify - monitored
Registry List<String>Paths - monitored
Registry List<String>Processes - monitored
Registry BooleanRead - monitored
Registry List<String>Users
ContainerRuntimePolicyRestrictedVolume, ContainerRuntimePolicyRestrictedVolumeArgs
ContainerRuntimePolicyReverseShell, ContainerRuntimePolicyReverseShellArgs
- Block Reverse Shell bool
- Enabled bool
- Reverse Shell Ip White Lists List<string> - IP allowlist for the reverse-shell control; addresses listed here are presumably exempt from detection/blocking, so keep the list minimal and reviewed.
- Reverse Shell Proc White Lists List<string> - Process allowlist for the reverse-shell control; the same caution applies — every entry is a bypass of this protection.
- Block Reverse Shell bool
- Enabled bool
- Reverse Shell Ip White Lists []string - IP allowlist for the reverse-shell control; addresses listed here are presumably exempt from detection/blocking, so keep the list minimal and reviewed.
- Reverse Shell Proc White Lists []string - Process allowlist for the reverse-shell control; the same caution applies — every entry is a bypass of this protection.
- block Reverse Shell Boolean
- enabled Boolean
- reverse Shell Ip White Lists List<String> - IP allowlist for the reverse-shell control; addresses listed here are presumably exempt from detection/blocking, so keep the list minimal and reviewed.
- reverse Shell Proc White Lists List<String> - Process allowlist for the reverse-shell control; the same caution applies — every entry is a bypass of this protection.
- block Reverse Shell boolean
- enabled boolean
- reverse Shell Ip White Lists string[] - IP allowlist for the reverse-shell control; addresses listed here are presumably exempt from detection/blocking, so keep the list minimal and reviewed.
- reverse Shell Proc White Lists string[] - Process allowlist for the reverse-shell control; the same caution applies — every entry is a bypass of this protection.
- block_reverse_shell bool
- enabled bool
- reverse_shell_ip_white_lists Sequence[str] - IP allowlist for the reverse-shell control; addresses listed here are presumably exempt from detection/blocking, so keep the list minimal and reviewed.
- reverse_shell_proc_white_lists Sequence[str] - Process allowlist for the reverse-shell control; the same caution applies — every entry is a bypass of this protection.
- block Reverse Shell Boolean
- enabled Boolean
- reverse Shell Ip White Lists List<String> - IP allowlist for the reverse-shell control; addresses listed here are presumably exempt from detection/blocking, so keep the list minimal and reviewed.
- reverse Shell Proc White Lists List<String> - Process allowlist for the reverse-shell control; the same caution applies — every entry is a bypass of this protection.
ContainerRuntimePolicyScope, ContainerRuntimePolicyScopeArgs
- Expression string
- Scope expression.
- Variables
List<Pulumiverse.
Aquasec. Inputs. Container Runtime Policy Scope Variable> - List of variables in the scope.
- Expression string
- Scope expression.
- Variables
[]Container
Runtime Policy Scope Variable - List of variables in the scope.
- expression String
- Scope expression.
- variables
List<Container
Runtime Policy Scope Variable> - List of variables in the scope.
- expression string
- Scope expression.
- variables
Container
Runtime Policy Scope Variable[] - List of variables in the scope.
- expression str
- Scope expression.
- variables
Sequence[Container
Runtime Policy Scope Variable] - List of variables in the scope.
- expression String
- Scope expression.
- variables List<Property Map>
- List of variables in the scope.
ContainerRuntimePolicyScopeVariable, ContainerRuntimePolicyScopeVariableArgs
ContainerRuntimePolicySystemIntegrityProtection, ContainerRuntimePolicySystemIntegrityProtectionArgs
- Audit
Systemtime boolChange - Enabled bool
- Monitor
Audit boolLog Integrity - Windows
Services boolMonitoring
- Audit
Systemtime boolChange - Enabled bool
- Monitor
Audit boolLog Integrity - Windows
Services boolMonitoring
- audit
Systemtime BooleanChange - enabled Boolean
- monitor
Audit BooleanLog Integrity - windows
Services BooleanMonitoring
- audit
Systemtime booleanChange - enabled boolean
- monitor
Audit booleanLog Integrity - windows
Services booleanMonitoring
- audit
Systemtime BooleanChange - enabled Boolean
- monitor
Audit BooleanLog Integrity - windows
Services BooleanMonitoring
ContainerRuntimePolicyTripwire, ContainerRuntimePolicyTripwireArgs
- Apply Ons List<string>
- Enabled bool
- Serverless App string
- User Id string
- User Password string - Credential for the tripwire integration. Mark it as a Pulumi secret (encrypted config value or secret output) so it is not written in plaintext to source control or state, and rotate it like any other service credential.
- Apply Ons []string
- Enabled bool
- Serverless App string
- User Id string
- User Password string - Credential for the tripwire integration. Mark it as a Pulumi secret (encrypted config value or secret output) so it is not written in plaintext to source control or state, and rotate it like any other service credential.
- apply Ons List<String>
- enabled Boolean
- serverless App String
- user Id String
- user Password String - Credential for the tripwire integration. Mark it as a Pulumi secret (encrypted config value or `Output.secret(...)`) so it is not written in plaintext to source control or state, and rotate it like any other service credential.
- apply Ons string[]
- enabled boolean
- serverless App string
- user Id string
- user Password string - Credential for the tripwire integration. Mark it as a Pulumi secret (encrypted config value or secret output) so it is not written in plaintext to source control or state, and rotate it like any other service credential.
- apply_ons Sequence[str]
- enabled bool
- serverless_app str
- user_id str
- user_password str - Credential for the tripwire integration. Mark it as a Pulumi secret (encrypted config value or secret output) so it is not written in plaintext to source control or state, and rotate it like any other service credential.
- apply Ons List<String>
- enabled Boolean
- serverless App String
- user Id String
- user Password String - Credential for the tripwire integration. Mark it as a Pulumi secret (encrypted config value or secret output) so it is not written in plaintext to source control or state, and rotate it like any other service credential.
ContainerRuntimePolicyWhitelistedOsUsers, ContainerRuntimePolicyWhitelistedOsUsersArgs
- Enabled bool
- Group
White List<string>Lists - User
White List<string>Lists
- Enabled bool
- Group
White []stringLists - User
White []stringLists
- enabled Boolean
- group
White List<String>Lists - user
White List<String>Lists
- enabled boolean
- group
White string[]Lists - user
White string[]Lists
- enabled bool
- group_
white_ Sequence[str]lists - user_
white_ Sequence[str]lists
- enabled Boolean
- group
White List<String>Lists - user
White List<String>Lists
Package Details
- Repository
- aquasec pulumiverse/pulumi-aquasec
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
aquasec
Terraform Provider.