tencent cloud

Tencent Container Security Service


Use Cases

Last updated: 2024-01-23 15:35:06

Container image protection

Images can carry application vulnerabilities, viruses, trojans, and leaked sensitive information. TCSS supports thorough image checks throughout the lifecycle, from build and shipping to running: it detects security risks in images, controls whether risky images are allowed to run, and lets you customize rules to protect images.


Container escape attack detection

Container isolation is weak, and attackers can exploit sensitive path mounts and vulnerabilities to escape to the host, which directly affects the confidentiality, integrity, and availability of the underlying infrastructure. TCSS supports detecting a variety of escapes, such as:
Escape caused by the container running in privileged mode.
Container escape caused by dangerous mounting (mounting the host's Docker socket or proc file system into the container).
Privilege escalation caused by a container process switching from a regular user account to the root account.
Capability-based privilege escalation by a container process.
A container process breaking mount namespace isolation.
A container process bypassing the seccomp syscall blocklist.
Modification of a host file that is not mounted into the container (for example, CVE-2019-5736).
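As an added example, not TCSS's own code, the Python below audits `docker inspect` output for the configuration-level escape risks listed above: privileged mode, dangerous host mounts (Docker socket, host proc), added capabilities, disabled seccomp, and a root user. The sample inspect record and the list of dangerous host paths are constructed for illustration.

```python
import json

# Constructed sample `docker inspect` output, abbreviated to the fields the
# checks below need (not real TCSS or production data).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/build-agent",
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/proc:/host/proc:ro"],
        "SecurityOpt": ["seccomp=unconfined"],
    },
    "Config": {"User": ""},
}])

# Host paths whose mounting into a container matches the "dangerous mounting"
# escape category (Docker socket, host proc file system). Assumed list.
DANGEROUS_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/proc")


def audit_container(container: dict) -> list[str]:
    """Return escape-risk findings for one `docker inspect` record."""
    findings = []
    host = container.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append("privileged mode")
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]  # host side of "host:container[:opts]"
        if src in DANGEROUS_HOST_PATHS or src.startswith("/proc/"):
            findings.append(f"dangerous mount of host path {src}")
    if "SYS_ADMIN" in (host.get("CapAdd") or []):
        findings.append("CAP_SYS_ADMIN added")
    if any(opt == "seccomp=unconfined" for opt in host.get("SecurityOpt") or []):
        findings.append("seccomp disabled")
    if not container.get("Config", {}).get("User"):
        findings.append("runs as root (no User set)")
    return findings


def audit_inspect_output(raw_json: str) -> dict[str, list[str]]:
    """Audit every container in a `docker inspect` JSON array, keyed by name."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(raw_json)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, findings)
```

Run it against real output with `docker inspect $(docker ps -q)` piped into `audit_inspect_output`; an empty findings list means none of these configuration-level risks is present, while runtime escape behaviour (namespace breaks, runc overwrite) still needs a runtime sensor such as TCSS.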

