Version: v0.6

BehaviorModeling Mode [Experimental]

Introduction

The BehaviorModeling mode is an experimental feature. You can utilize the BehaviorModeling mode to gather behavior data of the target workloads over a specified duration. Once the modeling is completed, vArmor will generate an ArmorProfileModel object to store the model of the target workloads.

The model generated by the BehaviorModeling mode can also be used to analyze which built-in rules can be applied to harden the target application, or to guide minimizing the securityContext configuration of the workload.

Requirements

vArmor currently leverages a built-in BPF tracer and the Linux audit system to capture application behavior.

The requirements for the BehaviorModeling mode are as follows.

  1. containerd v1.6.0 and above.

  2. BTF (BPF Type Format) must be enabled.

  3. Upgrade vArmor

    • Enable the BehaviorModeling feature with --set behaviorModeling.enabled=true

    • Use the --set "agent.args={--auditLogPaths=FILE_PATH|FILE_PATH}" argument to specify the audit log file, or to set the search order yourself (the default search order is described in the note below).

    helm upgrade varmor varmor-0.5.11.tgz \
    --namespace varmor --create-namespace \
    --set image.registry="elkeid-cn-beijing.cr.volces.com" \
    --set behaviorModeling.enabled=true

    Note:

    • vArmor sequentially checks whether the files /var/log/audit/audit.log and /var/log/kern.log exist, and monitors the first valid file to consume AppArmor and Seccomp audit events for violation auditing and behavioral modeling. If you are using auditd, the audit events of AppArmor and Seccomp will be stored by default in /var/log/audit/audit.log. Otherwise they will be stored in /var/log/kern.log.

    • The BehaviorModeling feature in vArmor agent requires additional resources.

      resources:
        limits:
          cpu: 2
          memory: 2Gi
        requests:
          cpu: 500m
          memory: 500Mi
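A preflight script for the requirements above, added here as an example and not part of vArmor. It assumes BTF is exposed at /sys/kernel/btf/vmlinux, that `containerd --version` prints the version as its third word, and it reproduces the documented audit log search order (first existing file wins).

```shell
#!/bin/sh
# Preflight check for vArmor BehaviorModeling requirements (example, not vArmor code).

# Return 0 if version $1 (e.g. "1.6.24" or "v1.7.2") is >= 1.6.0, the containerd minimum.
containerd_version_ok() {
    v=${1#v}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -ge 6 ]; then return 0; fi
    return 1
}

# BTF is enabled when the kernel exposes its type info at this path (assumed standard location).
btf_enabled() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# Given a "|"-separated search list (same shape as --auditLogPaths), print the first
# path that exists, mirroring vArmor's documented behaviour; return 1 if none exists.
first_audit_log() {
    old_ifs=$IFS; IFS='|'
    for p in $1; do
        if [ -f "$p" ]; then IFS=$old_ifs; printf '%s\n' "$p"; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Run all checks on this host; report each result and return non-zero on any failure.
preflight() {
    rc=0
    # Assumption: output looks like "containerd containerd.io 1.6.24 <commit>".
    cv=$(containerd --version 2>/dev/null | awk '{print $3}')
    if containerd_version_ok "${cv:-0.0.0}"; then echo "ok   containerd $cv"
    else echo "FAIL containerd >= 1.6.0 required (found: ${cv:-none})"; rc=1; fi
    if btf_enabled; then echo "ok   BTF enabled"
    else echo "FAIL BTF not available at /sys/kernel/btf/vmlinux"; rc=1; fi
    if log=$(first_audit_log "/var/log/audit/audit.log|/var/log/kern.log"); then
        echo "ok   audit log: $log"
    else echo "FAIL neither /var/log/audit/audit.log nor /var/log/kern.log exists"; rc=1; fi
    return $rc
}

# Only run the host checks when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```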