Deepfactor's Application Security Platform will no longer be offered for sale or renewal effective September 20, 2024.

Introduction to Deepfactor Runtime Security

Introduction

Runtime security involves monitoring and analyzing activities within applications, enabling the detection of insecure behaviors across various facets like file operations, network communications, process execution, and memory usage. Ideally, runtime security controls should be integrated throughout the application development process, identifying and addressing security risks during development and testing stages prior to deployment in production environments. Nonetheless, organizations should also adopt a defense-in-depth approach, continuously monitoring applications in production to guard against both new zero-day vulnerabilities and known vulnerabilities that might have been overlooked during development. By actively observing high-risk behavior in real time, DevOps and security teams can promptly identify and respond to potential security threats, while mitigating application vulnerabilities. This approach facilitates comprehensive visibility into workloads, enabling the detection of malicious activities, unauthorized access attempts, anomalous behavior, and other indicators of compromise.

5 Reasons To Implement Runtime Security

  1. Detect and mitigate real-time attacks
  2. Identify and remediate vulnerabilities before deployment
  3. Meet compliance and regulatory requirements
  4. Defense-in-depth approach
  5. Reduce Software Composition Analysis noise and false positives with runtime usage and reachability

You can find more information about runtime security, the challenges in implementing it, and how Deepfactor makes it easy for organizations to adopt it in our whitepaper, Next-Generation Container Runtime Security.

Deepfactor Runtime Security

The Deepfactor Developer Security platform offers a modern approach to runtime security: runtime security analysis during development and testing, runtime correlation with SCA and container scanning, and runtime monitoring in production. Deepfactor has developed a unique, patented approach to API interception that provides rich insight into application behavior to help developers, QA engineers, and security teams find and fix vulnerabilities faster. Deepfactor dynamically injects a small library into the user space of each container’s operating system that monitors hundreds of system calls, library calls, and Web APIs. In addition, Deepfactor auto-detects languages and inserts language-specific interception that provides a deeper level of analysis (for example, language-aware stack traces for Java and Python). Deepfactor correlates the low-level telemetry with the higher-level language-specific information to not only detect vulnerabilities but also pinpoint the locations in the code where the developer should focus. This makes it easier for developers to identify the root of an issue and remediate it quickly, without manually triaging and debugging it. The approach saves developers time and motivates them to adopt the tool, since it produces results with minimal effort.

With a single command, Deepfactor seamlessly loads a robust language-agnostic library into cloud native workloads and environments to provide comprehensive container runtime security. Deepfactor can be deployed in the cloud or on-premises with self-managed Kubernetes, managed Kubernetes (e.g. EKS Fargate), non-Kubernetes container orchestration tools (e.g. Amazon ECS, Docker Swarm, Lambda), and traditional monolithic non-containerized applications. There are no host-based agents, sidecar containers, or kernel modules to install, which simplifies and accelerates deployment.

Runtime security controls in Deepfactor

Deepfactor has developed a flexible rule engine that makes it possible to quickly add alert rules for detecting anomalous or suspicious behaviors. Our team of experienced security professionals has curated the extensive set of rules documented below. This list is dynamic: we keep introducing new alert rules to detect new suspicious behaviors based on new vulnerabilities and internal and external security research.

| Title | Description | Security Category | Compliance Category | PCI | SOC2 Type II | NIST |
|---|---|---|---|---|---|---|
| Alert on outgoing connection to selected countries | This control defines a list of countries. When an outgoing connection is made to a country in the list, an alert will be generated. | Insecure Network Behavior | Secure Network | 1.2.1 | CC6.6 | CA-3(5), SC-7(5), SC-7(11) |
| Alert on incoming connection from selected countries | This control configures the list of countries that will trigger an alert when an incoming connection is made from a country in the list. | Insecure Network Behavior | Secure Network | 1.2.1 | CC6.6 | CA-3(5), SC-7(5), SC-7(11) |
| Alert if the application makes an outgoing connection to an address not previously resolved via DNS | If enabled, this control will trigger an alert if the instance attempts to create an outgoing connection to any IP address that it did not receive as a response to a previous DNS query. It is uncommon for applications to make connections to raw IP addresses; such behavior is sometimes seen when an attacker compromises an application, however. | Insecure Network Behavior | Secure Network | 1.3 | | SC-7(8) |
| Alert if application receives a connection from an IP address not defined in the CIDR allowlist | If enabled, this policy will generate an alert if the application receives a connection from an IP address not defined in the CIDR allowlist (e.g., an incoming connection from outside the application’s private network). By default, the allowlist contains the CIDRs referenced from RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and CG NAT RFC6598 (100.64.0.0/10). However, you can edit the allowlist and enter any valid CIDRs depending upon your application’s network environment. | Insecure Network Behavior | Secure Network | 1.2.1 | CC6.6 | CA-3(5), SC-7(5), SC-7(11) |
| Alert if application makes an outbound connection to an IP address not defined in the CIDR allowlist | If enabled, this policy will generate an alert if the application initiates an outbound network connection to an IP address not defined in the CIDR allowlist (e.g., a connection to a host outside the application’s private network). By default, the allowlist contains the CIDRs referenced from RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and CG NAT RFC6598 (100.64.0.0/10). However, you can edit the allowlist and enter any valid CIDRs depending upon your application’s network environment. | Insecure Network Behavior | Secure Network | 1.2.1 | CC6.6 | CA-3(5), SC-7(5), SC-7(11) |
| Alert when files with long pathnames are being opened | If enabled, this control will alert if the application attempts to open a file whose pathname exceeds 1024 characters. | Improper Use Of System Calls | | | | |
| Alert on usage of ioctl (device I/O control) | If enabled, this control will cause an alert to be generated when the application uses the ioctl library/system call. This is an indication that the application is attempting to control a hardware device (or pseudo-device). Use of this function by network-facing services is uncommon, and may indicate the application has been attacked. | Improper Use Of System Calls | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert on execution of suspicious process | If enabled, this control will cause an alert to be generated when the application attempts to execute certain sensitive programs. These programs (for example, ‘passwd’ or various shells) are generally not used by common network-facing services and may indicate the application has been attacked and coerced into executing a program on the attacker’s behalf. The default list provided contains common exfiltration tools used by an attacker. | Insecure Execution | | | | |
| Alert if program executes a new process from an uncommon path | If enabled, this control will generate an alert if a process executes a new program from a directory not typically associated with executable code (for example, /var, /tmp, /etc). Well-written applications will not do this; this behavior can be seen if an attacker locates a writable directory in which shellcode can be placed, and uses that location as a staging point to further compromise an application. | Insecure Execution | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert if process UID changes unexpectedly | If enabled, this control will alert if the user ID associated with the application changes unexpectedly, without the application requesting such a change. This may indicate application compromise or an LPE (local privilege escalation). | Privilege Escalation | Security Monitoring | 10.6-10.6.2 | CC7.2 | |
| Alert if process GID changes unexpectedly | If enabled, this control will alert if the group ID associated with the application changes unexpectedly, without the application requesting such a change. This may indicate application compromise or an LPE (local privilege escalation). | Privilege Escalation | Security Monitoring | 10.6-10.6.2 | CC7.2 | |
| Alert on use of setuid | If enabled, this control will generate an alert if the application uses the setuid or seteuid APIs. | Privilege Escalation | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert on use of setgid | If enabled, this control will generate an alert if the application uses the setgid or setegid APIs. | Privilege Escalation | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when attempting to terminate another process | If enabled, this control will generate an alert if the application attempts to signal another application with SIGKILL or SIGABRT. This may be used by an attacker to terminate a variety of security products by terminating their daemon or monitoring processes. | Insecure Execution | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when application uses unsafe string APIs | If enabled, this control will generate an alert when the application uses unsafe string manipulation APIs (e.g., APIs which do not do proper string length checking). These APIs are notorious for causing buffer overflow vulnerabilities, making it much easier for an attacker to take control of an application. | Buffer Overflow | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when application uses unsafe random number APIs | If enabled, this control will generate an alert when the application uses unsafe random number generation APIs. Many applications rely on APIs for generating random numbers that are actually deterministic, creating a scenario that can weaken software that utilizes encryption or otherwise depends on strong entropy. | Insecure Execution | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert on use of setfsuid | If enabled, this control will generate an alert if the application uses the setfsuid/setfsgid APIs. | Privilege Escalation | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert on use of setreuid/setgroups | If enabled, this control will generate an alert if the application uses the setreuid/setregid/setresuid/setresgid/setgroups APIs. | Privilege Escalation | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert if application changes LD_LIBRARY_PATH after startup | If enabled, this control will generate an alert when the application alters the LD_LIBRARY_PATH environment variable after program start. This may indicate that the application is using incorrect library versions. | Privilege Escalation | | | | |
| Alert if a process is running with elevated permissions (root) | If enabled, an alert will be raised if a process in the application is detected as running as root (uid 0 or group 0). | Insecure Execution | Security Monitoring | 10.6-10.6.2 | CC7.2 | |
| Indicate if the application closes already closed sockets/files | If enabled, this control will generate an alert if the application issues a close() API request on a socket or file descriptor that is either invalid or already closed. | Improper Use Of System Calls | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when files are truncated in /var/log | If enabled, this control will generate an alert when a file is truncated in /var/log. This may be an indication that an attacker is attempting to prune system or application logs or otherwise manipulate log content. | Insecure File System Behavior | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when files are deleted in selected directories | If enabled, this control will generate an alert when a file is deleted in the specified directories. Deleting files in the /var folder may be an indication that an attacker is attempting to prune system or application logs or otherwise manipulate log content. | Remote Code Execution | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when files are modified in a suspicious path | If enabled, this control will generate an alert when a file is modified in a suspicious path. This may be an indication that an attacker is attempting to prune system or application logs or otherwise manipulate log content. | Insecure File System Behavior | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when sensitive files are read | If enabled, this control will generate an alert when a sensitive file is opened for reading. | Insecure File System Behavior | Secure Configuration | 2.2.2 | | CM-7 |
| Alert when application writes to files in /proc | If enabled, this control will generate an alert when an application attempts to write to files in /proc. Files in /proc can be used to alter system behavior and are generally not written to by well-written applications. | Insecure File System Behavior | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when application writes to files in /sys | If enabled, this control will generate an alert when an application attempts to write to files in /sys. Files in /sys can be used to alter system behavior and are generally not written to by well-written applications. | Insecure File System Behavior | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when application uses the mknod API | If enabled, this control will generate an alert when an application uses the mknod API. The mknod API is used to create device special files, which can be used to subsequently alter hardware behavior. | Insecure File System Behavior | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert if application adds executable permission to a file | If enabled, this control will generate an alert if the application attempts to update the permissions of a file with the ‘X’ (executable) bit set. This may be an attempt by an attacker to create shellcode on the machine. | Remote Code Execution | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert if application creates a file with executable permissions | If enabled, this control will generate an alert if the application attempts to create a file whose ‘X’ (executable) bit is set. This may be an attempt by an attacker to create shellcode on the machine. | Remote Code Execution | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert on memory W^X violation | If enabled, this control will generate an alert if the application attempts to allocate memory with both writable and executable permissions simultaneously. Allocating W+X memory is a technique used by attackers when uploading shellcode into a hollowed process (a process that has been the victim of a previous vulnerability exploit). | Remote Code Execution | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when a program requests allocation of uninitialized memory | If enabled, this control will generate an alert if the application attempts to allocate memory without having the operating system clear it first. | Insecure Memory Behavior | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert if program loads a library that is not part of a package (at program start time) | If enabled, this control will generate an alert if a process loads a library that was not installed via the operating system’s package manager (apt/yum/dnf, for example). This technique is sometimes used by an attacker to load executable code that was placed on the machine surreptitiously or through covert means. | Insecure Library Behavior | Security Monitoring | 10.6-10.6.2 | CC7.2 | |
| Alert if program loads a library from an uncommon path | If enabled, this control will generate an alert if a process loads a library from a directory not typically associated with library or executable code (for example, /var, /tmp, /etc). Well-written applications will not do this; this behavior can be seen if an attacker locates a writable directory in which shellcode can be placed, and uses that location as a staging point to further compromise an application. | Insecure Library Behavior | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert if the LD_PRELOAD environment variable contains suspicious entries | If enabled, this control will generate an alert if a process is executed using an LD_PRELOAD environment variable setting that contains directories not typically associated with library or executable code (for example, /var, /tmp, /etc). Well-written applications will not do this; this behavior can be seen if an attacker locates a writable directory in which shellcode can be placed, and uses that location as a staging point to further compromise an application. | Insecure Execution | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert if the LD_LIBRARY_PATH environment variable contains suspicious entries | If enabled, this control will generate an alert if a process is executed using an LD_LIBRARY_PATH environment variable setting that contains directories not typically associated with library or executable code (for example, /var, /tmp, /etc). Well-written applications will not do this; this behavior can be seen if an attacker locates a writable directory in which shellcode can be placed, and uses that location as a staging point to further compromise an application. | Insecure Execution | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert if program loads a library that is not part of a package (during run) | If enabled, this control will generate an alert if a process loads a library that was not installed via the operating system’s package manager (apt/yum/dnf, for example). This technique is sometimes used by an attacker to load executable code that was placed on the machine surreptitiously or through covert means. | Insecure Library Behavior | Security Monitoring | 10.6-10.6.2 | CC7.2 | |
| Alert when uncommon/risky environment variable names detected | If enabled, this control will generate an alert if environment variables commonly used in debugging environments, or environment variables used for authentication, are detected. This may indicate a mistake or an improperly configured environment. | Insecure Execution | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Alert when uncommon/risky environment variable values detected | If enabled, this control will generate an alert on application start when any environment variable’s value matches the patterns defined in the control. | Secrets | Secure Configuration | 3.5-3.5.4, 3.6-3.6.8 | CC6.1 | |
| Alert if an EOL (end-of-life) OS distribution is detected | If enabled, this control will alert if the node on which the application is running is using a distribution that is out of support (End Of Life). | End Of Life | Vulnerability Management | 6.2.b | | SI-2, SI-3(2) |
| Alert when a directory under a system binary directory is created | If enabled, this control will generate an alert if an application creates a directory under a system binary directory. | Insecure File System Behavior | | | | |
| Alert when a file under a system binary directory is renamed or removed | If enabled, this control will generate an alert if an application renames or removes a file under a system binary directory. | Insecure File System Behavior | | | | |
| Alert when a directory is created under root (/) or the root user’s home directory (/root) | If enabled, this control will generate an alert if an application creates a directory under root (/) or the root user’s home directory (/root). | Insecure File System Behavior | | | | |
| Alert when an SSH configuration file is modified | If enabled, this control will generate an alert if an application modifies an SSH configuration file. | Insecure File System Behavior | | | | |
| Alert when a shell configuration file is read by a non-shell program | If enabled, this control will generate an alert if a shell configuration file is read by a non-shell program. | Insecure Execution | | | | |
| Alert when a cron job is scheduled by writing to /etc/cron | If enabled, this control will generate an alert if a cron job is scheduled by writing to /etc/cron. | Insecure File System Behavior | | | | |
| Alert when a cron job is scheduled by running crontab | If enabled, this control will generate an alert if a cron job is scheduled by running crontab. | Insecure Execution | | | | |
| Alert when a repository list is changed | If enabled, this control will generate an alert if a repository list is changed. | Insecure Execution | | | | |
| Alert when an outbound SSH connection is made | If enabled, this control will generate an alert if an outbound SSH connection is made to an IP address not listed in the alert policy. | Insecure Network Behavior | | | | |
| Alert when an SSH configuration file is read | If enabled, this control will generate an alert if an application reads an SSH configuration file. | Insecure File System Behavior | | | | |
| Alert when a database program launches another process | If enabled, this control will generate an alert if a database program launches another process. | Insecure Execution | | | | |
| Alert when a process that typically does not perform network operations does so | If enabled, this control will generate an alert if a process that typically does not perform network operations does so. | Insecure Network Behavior | | | | |
| Alert when a user management process is launched | If enabled, this control will generate an alert if a user management process is launched. | Insecure Execution | | | | |
| Alert when a device node is created under /dev | If enabled, this control will generate an alert if a device node is created under /dev. | Insecure Execution | | | | |
| Alert when an application contacts a cloud metadata service | If enabled, this control will generate an alert if a process contacts a cloud metadata service. | Insecure Network Behavior | | | | |
| Alert when netcat is launched | If enabled, this control will generate an alert if netcat is launched. | Insecure Execution | | | | |
| Alert when the shell history is cleared | If enabled, this control will generate an alert if the shell history is cleared. | Insecure File System Behavior | | | | |
| Application created/renamed hidden files or directories | If enabled, this control will generate an alert if an application creates or renames a file or directory with a name that starts with a dot. | Insecure File System Behavior | | | | |
| Alert when a remote copy application is launched | If enabled, this control will generate an alert if a remote copy application is launched. | Insecure Execution | | | | |
| Use of setns to change thread namespace | If enabled, this control will cause an alert to be generated when the application is in a container and uses the setns API to change its thread namespace. This may indicate an attempt to escape the container sandbox. | Privilege Escalation | Security Monitoring | 10.6-10.6.2 | CC7.2 | |
| Application launched pkexec | If enabled, this control will cause an alert to be generated when the application launches the pkexec process. | Privilege Escalation | Security Monitoring | 10.6-10.6.2 | CC7.2 | |
| Application launched a shell | If enabled, this control will cause an alert to be generated when the application launches a shell process (for example, bash, ksh, csh, dash, etc.). | Insecure Execution | | | | |
| UDP traffic detected | If enabled, this control will cause an alert to be generated when the application listens or prepares to transmit data using the UDP protocol. The UDP protocol is not a common protocol for normal Internet-facing web applications and may indicate the application has been compromised. | Insecure Network Behavior | Secure Network | 1.2.1 | CC6.6 | CA-3(5), SC-7(5), SC-7(11) |
| Application redirected its input/output to a socket | If enabled, this control will cause an alert to be generated when the application redirects stdin/stdout to a connected socket. | Insecure Execution | Security Monitoring | 10.6-10.6.2 | CC7.2 | |
| Application created a hard link over a sensitive file | If enabled, this control will cause an alert to be generated when the application creates a filesystem hard link over a sensitive file. | Insecure File System Behavior | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Process launched with disallowed HTTP_PROXY setting | If enabled, this control will cause an alert to be generated when a process is started whose HTTP_PROXY environment variable is set to a disallowed value. | Insecure Network Behavior | Secure Network | 1.2.1 | CC6.6 | CA-3(5), SC-7(5), SC-7(11) |
| Kernel module inserted | If enabled, this control will cause an alert to be generated when a process inserts/loads (or attempts to insert/load) a kernel module. | Improper Use Of System Calls | Secure Coding | 6.5.1 | PI1.1-5 | SA-1, SA-15 |
| Page fault requested to be delivered to userfaultfd handler | If enabled, this control will cause an alert to be generated when the application requests page fault notifications to be delivered to a user-mode process (userfaultfd API). | Insecure Execution | | | | |
| Package manager process launched | If enabled, this control will cause an alert to be generated when an attempt is made to launch a package manager process (dpkg, rpm, etc.). | Insecure Execution | | | | |
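The three network controls above (outgoing connection to an address not previously resolved via DNS, and inbound/outbound connections outside the CIDR allowlist) are easiest to understand as one stateful rule evaluator fed a stream of DNS answers and connect/accept events. The following is an added example written for this page, not Deepfactor's code or telemetry format: the event dictionaries, their field names, and the sample IPs (RFC5737 documentation ranges) are constructed, and the default allowlist is the RFC1918 + RFC6598 set the controls describe.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Default allowlist from the controls above: RFC1918 private ranges plus the
# RFC6598 carrier-grade NAT range. It deliberately excludes loopback, so add
# 127.0.0.0/8 (or your VPC ranges) to match your workload's real environment.
DEFAULT_ALLOWLIST = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")


def is_allowed(ip: str, allowlist=DEFAULT_ALLOWLIST) -> bool:
    """True if ip falls inside any CIDR of the allowlist (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowlist)


@dataclass
class NetworkMonitor:
    """Stateful evaluator for three network controls: outgoing connection to an
    IP not previously returned by DNS, outbound connection outside the CIDR
    allowlist, and inbound connection from outside the CIDR allowlist."""
    allowlist: tuple = DEFAULT_ALLOWLIST
    resolved: set = field(default_factory=set)                    # addresses seen in DNS answers
    alerts: List[Tuple[str, str]] = field(default_factory=list)   # (rule, detail)

    def handle(self, event: Dict) -> None:
        kind = event["type"]
        if kind == "dns_answer":
            # Every address the resolver handed back is an expected peer; a
            # later connect() to one of them is not "raw IP" behavior.
            self.resolved.update(ipaddress.ip_address(a) for a in event["addrs"])
        elif kind == "connect":
            addr = ipaddress.ip_address(event["ip"])
            if addr not in self.resolved:
                self.alerts.append(("outgoing-not-resolved-via-dns", f"{addr}:{event['port']}"))
            if not is_allowed(str(addr), self.allowlist):
                self.alerts.append(("outbound-outside-cidr-allowlist", str(addr)))
        elif kind == "accept":
            peer = ipaddress.ip_address(event["peer_ip"])
            if not is_allowed(str(peer), self.allowlist):
                self.alerts.append(("inbound-outside-cidr-allowlist", str(peer)))
        else:
            raise ValueError(f"unknown event type {kind!r}")


# Constructed event stream in the shape an interception library might report;
# the field names and the IPs (RFC5737 documentation ranges) are invented here.
SAMPLE_EVENTS = [
    {"type": "dns_answer", "name": "api.internal.example", "addrs": ["10.1.2.3"]},
    {"type": "connect", "ip": "10.1.2.3", "port": 443},        # resolved and private: quiet
    {"type": "connect", "ip": "203.0.113.45", "port": 4444},   # raw IP outside the allowlist
    {"type": "accept", "peer_ip": "192.168.10.7"},             # client inside the private network
    {"type": "accept", "peer_ip": "198.51.100.9"},             # client from outside
    {"type": "dns_answer", "name": "cdn.example", "addrs": ["203.0.113.80"]},
    {"type": "connect", "ip": "203.0.113.80", "port": 443},    # resolved, yet outside the allowlist
]


def run_sample(events=SAMPLE_EVENTS, allowlist=DEFAULT_ALLOWLIST) -> List[Tuple[str, str]]:
    """Replay an event list through a fresh monitor and return its alerts."""
    monitor = NetworkMonitor(allowlist=allowlist)
    for event in events:
        monitor.handle(event)
    return monitor.alerts


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"ALERT {rule}: {detail}")
```

The two rules are independent: the last connect in the sample is to an address DNS did return, so only the allowlist rule fires. The resolved set here never expires entries; a production evaluator would honour DNS TTLs and also needs tuning for workloads that legitimately dial IPs taken from configuration or service discovery, which is exactly the case the control's description calls uncommon.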
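The environment-related controls above (suspicious LD_PRELOAD and LD_LIBRARY_PATH entries, risky variable names, and values matching secret patterns) can all be evaluated from a process's environment at start. The checker below is an added example for this page, not Deepfactor's rule engine: the suspicious directories are the ones the controls name (/var, /tmp, /etc), while the risky-name set, the secret patterns and the sample environment are illustrative choices made here. Findings name the variable but never echo its value, so the alert itself does not leak the secret it found.

```python
import os
import re
from typing import Dict, List

# Directories the controls above name as not typically holding executable code.
SUSPICIOUS_DIRS = ("/tmp", "/var", "/etc")

# Illustrative (assumed) set for the "risky environment variable names" control:
# glibc loader debugging knobs plus well-known credential-bearing variables.
RISKY_NAMES = {"LD_DEBUG", "LD_AUDIT", "LD_SHOW_AUXV", "MALLOC_CHECK_",
               "AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN"}

# Illustrative value patterns for the "risky environment variable values" control.
SECRET_PATTERNS = (
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")),
)


def under_suspicious_dir(path: str) -> bool:
    """Normalize '..' segments first so /usr/lib/../../tmp/x is seen as /tmp/x."""
    norm = os.path.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in SUSPICIOUS_DIRS)


def check_loader_var(name: str, value: str) -> List[str]:
    """Findings for an LD_PRELOAD or LD_LIBRARY_PATH value.

    LD_PRELOAD entries are separated by spaces or colons, LD_LIBRARY_PATH
    entries by colons. An empty LD_LIBRARY_PATH element means the current
    working directory, which is as risky as an explicit relative entry.
    """
    findings = []
    entries = re.split(r"[ :]", value) if name == "LD_PRELOAD" else value.split(":")
    for entry in entries:
        if entry == "":
            if name == "LD_LIBRARY_PATH":
                findings.append(f"{name}: empty element (searches current directory)")
            continue
        if name == "LD_PRELOAD" and "/" not in entry:
            continue  # bare library name: the loader searches only the standard directories
        if not entry.startswith("/"):
            findings.append(f"{name}: relative entry {entry!r}")
        elif under_suspicious_dir(entry):
            findings.append(f"{name}: entry {entry!r} under suspicious directory")
    return findings


def scan_environment(env: Dict[str, str]) -> List[str]:
    """Apply the three controls to a name->value environment mapping."""
    findings = []
    for name, value in sorted(env.items()):
        if name in ("LD_PRELOAD", "LD_LIBRARY_PATH"):
            findings.extend(check_loader_var(name, value))
        if name in RISKY_NAMES:
            findings.append(f"{name}: risky variable name present")
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(value):
                findings.append(f"{name}: value matches {label} (value redacted)")
                break
    return findings


def scan_current_process() -> List[str]:
    """Convenience wrapper: scan the environment this interpreter started with."""
    return scan_environment(dict(os.environ))


# Constructed sample environment; the key ID is AWS's documented example value.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/home/app",
    "LD_LIBRARY_PATH": "/usr/lib/../../tmp/payload:/opt/app/lib:",
    "LD_PRELOAD": "libjemalloc.so.2 ./hook.so",
    "LD_DEBUG": "all",
    "APP_TOKEN": "AKIAIOSFODNN7EXAMPLE",
    "DB_HOST": "db.internal",
}

if __name__ == "__main__":
    for finding in scan_environment(SAMPLE_ENV):
        print("ALERT", finding)
```

Path normalization matters: a naive prefix check on the raw string would pass `/usr/lib/../../tmp/payload` as a system library directory. The empty-element and relative-entry cases are the ones most often missed when this check is written as a simple "starts with /tmp" match.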
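Three of the controls above (memory W^X violation, library loaded from an uncommon path, and a process running as root) can be cross-checked after the fact from procfs, which is useful when validating a runtime alert or when the interception library is not present. This is an added example for this page and not Deepfactor's implementation: the /proc/<pid>/maps and /proc/<pid>/status samples are constructed (addresses, inodes and paths are invented), and the maps field layout and the four-column Uid/Gid format are standard Linux procfs.

```python
import os
from typing import List, Tuple

# Directories the controls above treat as not normally holding executable code.
SUSPICIOUS_DIRS = ("/tmp", "/var", "/etc")

# Constructed sample of /proc/<pid>/maps: address range, permissions, offset,
# device, inode and an optional pathname. Addresses and inodes are invented.
SAMPLE_MAPS = """\
55d0a3c00000-55d0a3c01000 r--p 00000000 fd:01 1311 /opt/app/server
55d0a3c01000-55d0a3c05000 r-xp 00001000 fd:01 1311 /opt/app/server
7f1c2e000000-7f1c2e1c0000 r-xp 00000000 fd:01 2048 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2e400000-7f1c2e421000 rw-p 00000000 00:00 0 [heap]
7f1c2e800000-7f1c2e801000 rwxp 00000000 00:00 0
7f1c2f000000-7f1c2f010000 r-xp 00000000 fd:01 777 /tmp/.cache/libhook.so
7ffd1a2b0000-7ffd1a2d1000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample of /proc/<pid>/status. The four Uid/Gid columns are the
# real, effective, saved-set and filesystem IDs; here only the effective UID is 0.
SAMPLE_STATUS = """\
Name:\tserver
State:\tS (sleeping)
Pid:\t4242
PPid:\t1
Uid:\t1000\t0\t0\t0
Gid:\t1000\t1000\t1000\t1000
"""


def parse_maps(maps_text: str) -> List[Tuple[str, str, str]]:
    """Return (address_range, perms, pathname) per mapping. Anonymous mappings
    have no sixth field, so they are labelled explicitly."""
    rows = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        path = parts[5] if len(parts) == 6 else "[anonymous]"
        rows.append((parts[0], parts[1], path))
    return rows


def find_wx_mappings(maps_text: str) -> List[Tuple[str, str, str]]:
    """W^X control: mappings that are writable and executable at the same time."""
    return [(a, p, f) for a, p, f in parse_maps(maps_text) if "w" in p and "x" in p]


def find_libs_from_suspicious_dirs(maps_text: str) -> List[str]:
    """Uncommon-path control: executable file mappings under /tmp, /var or /etc."""
    hits = []
    for _, perms, path in parse_maps(maps_text):
        if "x" in perms and path.startswith("/"):
            norm = os.path.normpath(path)
            if any(norm.startswith(d + "/") for d in SUSPICIOUS_DIRS) and norm not in hits:
                hits.append(norm)
    return hits


def root_ids(status_text: str) -> List[str]:
    """Root control: which of Uid/Gid have any column equal to 0."""
    flagged = []
    for line in status_text.splitlines():
        if line.startswith(("Uid:", "Gid:")):
            key, rest = line.split(":", 1)
            if any(int(v) == 0 for v in rest.split()):
                flagged.append(key)
    return flagged


def inspect_process(pid: int) -> dict:
    """Run the three checks on a live process (Linux only; reading another
    process's maps requires the same UID or CAP_SYS_PTRACE)."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open(f"/proc/{pid}/status") as f:
        status_text = f.read()
    return {
        "wx_mappings": find_wx_mappings(maps_text),
        "suspicious_libs": find_libs_from_suspicious_dirs(maps_text),
        "root_ids": root_ids(status_text),
    }


if __name__ == "__main__":
    print("W+X mappings:", find_wx_mappings(SAMPLE_MAPS))
    print("libraries from suspicious dirs:", find_libs_from_suspicious_dirs(SAMPLE_MAPS))
    print("ids containing 0:", root_ids(SAMPLE_STATUS))
```

A maps scan is point-in-time: the runtime control fires on the mmap/mprotect request itself, so transient W+X regions (a JIT that writes code and then flips the page to r-x) can be gone by the time procfs is read, and long-lived JIT regions will need tuning in either approach. Checking all four Uid columns rather than just the first catches the setuid case where the real UID is unprivileged but the effective UID is 0.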

Updated on September 6, 2023