Aquasec v0.8.29, Jul 22 24

Aquasec v0.8.29 published on Monday, Jul 22, 2024 by Pulumiverse

aquasec.getContainerRuntimePolicy

Explore with Pulumi AI

Aquasec v0.8.29 published on Monday, Jul 22, 2024 by Pulumiverse

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumi/aquasec";

const containerRuntimePolicy = aquasec.getContainerRuntimePolicy({
    name: "FunctionRuntimePolicyName",
});
export const containerRuntimePolicyDetails = containerRuntimePolicy;

import pulumi
import pulumi_aquasec as aquasec

container_runtime_policy = aquasec.get_container_runtime_policy(name="FunctionRuntimePolicyName")
pulumi.export("containerRuntimePolicyDetails", container_runtime_policy)

package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		containerRuntimePolicy, err := aquasec.LookupContainerRuntimePolicy(ctx, &aquasec.LookupContainerRuntimePolicyArgs{
			Name: "FunctionRuntimePolicyName",
		}, nil)
		if err != nil {
			return err
		}
		ctx.Export("containerRuntimePolicyDetails", containerRuntimePolicy)
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aquasec = Pulumi.Aquasec;

return await Deployment.RunAsync(() => 
{
    var containerRuntimePolicy = Aquasec.GetContainerRuntimePolicy.Invoke(new()
    {
        Name = "FunctionRuntimePolicyName",
    });

    return new Dictionary<string, object?>
    {
        ["containerRuntimePolicyDetails"] = containerRuntimePolicy,
    };
});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.AquasecFunctions;
import com.pulumi.aquasec.inputs.GetContainerRuntimePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var containerRuntimePolicy = AquasecFunctions.getContainerRuntimePolicy(GetContainerRuntimePolicyArgs.builder()
            .name("FunctionRuntimePolicyName")
            .build());

        ctx.export("containerRuntimePolicyDetails", containerRuntimePolicy.applyValue(getContainerRuntimePolicyResult -> getContainerRuntimePolicyResult));
    }
}

variables:
  containerRuntimePolicy:
    fn::invoke:
      Function: aquasec:getContainerRuntimePolicy
      Arguments:
        name: FunctionRuntimePolicyName
outputs:
  containerRuntimePolicyDetails: ${containerRuntimePolicy}

Using getContainerRuntimePolicy

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getContainerRuntimePolicy(args: GetContainerRuntimePolicyArgs, opts?: InvokeOptions): Promise<GetContainerRuntimePolicyResult>
function getContainerRuntimePolicyOutput(args: GetContainerRuntimePolicyOutputArgs, opts?: InvokeOptions): Output<GetContainerRuntimePolicyResult>

def get_container_runtime_policy(allowed_executables: Optional[Sequence[GetContainerRuntimePolicyAllowedExecutable]] = None,
                                 allowed_registries: Optional[Sequence[GetContainerRuntimePolicyAllowedRegistry]] = None,
                                 auditing: Optional[GetContainerRuntimePolicyAuditing] = None,
                                 container_exec: Optional[GetContainerRuntimePolicyContainerExec] = None,
                                 file_block: Optional[GetContainerRuntimePolicyFileBlock] = None,
                                 file_integrity_monitorings: Optional[Sequence[GetContainerRuntimePolicyFileIntegrityMonitoring]] = None,
                                 limit_container_privileges: Optional[Sequence[GetContainerRuntimePolicyLimitContainerPrivilege]] = None,
                                 malware_scan_options: Optional[Sequence[GetContainerRuntimePolicyMalwareScanOption]] = None,
                                 name: Optional[str] = None,
                                 port_block: Optional[GetContainerRuntimePolicyPortBlock] = None,
                                 readonly_files: Optional[GetContainerRuntimePolicyReadonlyFiles] = None,
                                 restricted_volumes: Optional[Sequence[GetContainerRuntimePolicyRestrictedVolume]] = None,
                                 opts: Optional[InvokeOptions] = None) -> GetContainerRuntimePolicyResult
def get_container_runtime_policy_output(allowed_executables: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyAllowedExecutableArgs]]]] = None,
                                 allowed_registries: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyAllowedRegistryArgs]]]] = None,
                                 auditing: Optional[pulumi.Input[GetContainerRuntimePolicyAuditingArgs]] = None,
                                 container_exec: Optional[pulumi.Input[GetContainerRuntimePolicyContainerExecArgs]] = None,
                                 file_block: Optional[pulumi.Input[GetContainerRuntimePolicyFileBlockArgs]] = None,
                                 file_integrity_monitorings: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyFileIntegrityMonitoringArgs]]]] = None,
                                 limit_container_privileges: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyLimitContainerPrivilegeArgs]]]] = None,
                                 malware_scan_options: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyMalwareScanOptionArgs]]]] = None,
                                 name: Optional[pulumi.Input[str]] = None,
                                 port_block: Optional[pulumi.Input[GetContainerRuntimePolicyPortBlockArgs]] = None,
                                 readonly_files: Optional[pulumi.Input[GetContainerRuntimePolicyReadonlyFilesArgs]] = None,
                                 restricted_volumes: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyRestrictedVolumeArgs]]]] = None,
                                 opts: Optional[InvokeOptions] = None) -> Output[GetContainerRuntimePolicyResult]

func LookupContainerRuntimePolicy(ctx *Context, args *LookupContainerRuntimePolicyArgs, opts ...InvokeOption) (*LookupContainerRuntimePolicyResult, error)
func LookupContainerRuntimePolicyOutput(ctx *Context, args *LookupContainerRuntimePolicyOutputArgs, opts ...InvokeOption) LookupContainerRuntimePolicyResultOutput

> Note: This function is named LookupContainerRuntimePolicy in the Go SDK.

public static class GetContainerRuntimePolicy 
{
    public static Task<GetContainerRuntimePolicyResult> InvokeAsync(GetContainerRuntimePolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetContainerRuntimePolicyResult> Invoke(GetContainerRuntimePolicyInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetContainerRuntimePolicyResult> getContainerRuntimePolicy(GetContainerRuntimePolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet

fn::invoke:
  function: aquasec:index/getContainerRuntimePolicy:getContainerRuntimePolicy
  arguments:
    # arguments dictionary

The following arguments are supported:

Name string: Name of the container runtime policy
AllowedExecutables List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyAllowedExecutable>: Allowed executables configuration.
AllowedRegistries List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyAllowedRegistry>: Allowed registries configuration.
Auditing Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyAuditing
ContainerExec Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyContainerExec
FileBlock Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyFileBlock
FileIntegrityMonitorings List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyFileIntegrityMonitoring>: Configuration for file integrity monitoring.
LimitContainerPrivileges List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyLimitContainerPrivilege>: Container privileges configuration.
MalwareScanOptions List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyMalwareScanOption>: Configuration for Real-Time Malware Protection.
PortBlock Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyPortBlock
ReadonlyFiles Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyReadonlyFiles
RestrictedVolumes List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyRestrictedVolume>: Restricted volumes configuration.

Name string: Name of the container runtime policy
AllowedExecutables []GetContainerRuntimePolicyAllowedExecutable: Allowed executables configuration.
AllowedRegistries []GetContainerRuntimePolicyAllowedRegistry: Allowed registries configuration.
Auditing GetContainerRuntimePolicyAuditing
ContainerExec GetContainerRuntimePolicyContainerExec
FileBlock GetContainerRuntimePolicyFileBlock
FileIntegrityMonitorings []GetContainerRuntimePolicyFileIntegrityMonitoring: Configuration for file integrity monitoring.
LimitContainerPrivileges []GetContainerRuntimePolicyLimitContainerPrivilege: Container privileges configuration.
MalwareScanOptions []GetContainerRuntimePolicyMalwareScanOption: Configuration for Real-Time Malware Protection.
PortBlock GetContainerRuntimePolicyPortBlock
ReadonlyFiles GetContainerRuntimePolicyReadonlyFiles
RestrictedVolumes []GetContainerRuntimePolicyRestrictedVolume: Restricted volumes configuration.

name String: Name of the container runtime policy
allowedExecutables List<GetContainerRuntimePolicyAllowedExecutable>: Allowed executables configuration.
allowedRegistries List<GetContainerRuntimePolicyAllowedRegistry>: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
containerExec GetContainerRuntimePolicyContainerExec
fileBlock GetContainerRuntimePolicyFileBlock
fileIntegrityMonitorings List<GetContainerRuntimePolicyFileIntegrityMonitoring>: Configuration for file integrity monitoring.
limitContainerPrivileges List<GetContainerRuntimePolicyLimitContainerPrivilege>: Container privileges configuration.
malwareScanOptions List<GetContainerRuntimePolicyMalwareScanOption>: Configuration for Real-Time Malware Protection.
portBlock GetContainerRuntimePolicyPortBlock
readonlyFiles GetContainerRuntimePolicyReadonlyFiles
restrictedVolumes List<GetContainerRuntimePolicyRestrictedVolume>: Restricted volumes configuration.

name string: Name of the container runtime policy
allowedExecutables GetContainerRuntimePolicyAllowedExecutable[]: Allowed executables configuration.
allowedRegistries GetContainerRuntimePolicyAllowedRegistry[]: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
containerExec GetContainerRuntimePolicyContainerExec
fileBlock GetContainerRuntimePolicyFileBlock
fileIntegrityMonitorings GetContainerRuntimePolicyFileIntegrityMonitoring[]: Configuration for file integrity monitoring.
limitContainerPrivileges GetContainerRuntimePolicyLimitContainerPrivilege[]: Container privileges configuration.
malwareScanOptions GetContainerRuntimePolicyMalwareScanOption[]: Configuration for Real-Time Malware Protection.
portBlock GetContainerRuntimePolicyPortBlock
readonlyFiles GetContainerRuntimePolicyReadonlyFiles
restrictedVolumes GetContainerRuntimePolicyRestrictedVolume[]: Restricted volumes configuration.

name str: Name of the container runtime policy
allowed_executables Sequence[GetContainerRuntimePolicyAllowedExecutable]: Allowed executables configuration.
allowed_registries Sequence[GetContainerRuntimePolicyAllowedRegistry]: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
container_exec GetContainerRuntimePolicyContainerExec
file_block GetContainerRuntimePolicyFileBlock
file_integrity_monitorings Sequence[GetContainerRuntimePolicyFileIntegrityMonitoring]: Configuration for file integrity monitoring.
limit_container_privileges Sequence[GetContainerRuntimePolicyLimitContainerPrivilege]: Container privileges configuration.
malware_scan_options Sequence[GetContainerRuntimePolicyMalwareScanOption]: Configuration for Real-Time Malware Protection.
port_block GetContainerRuntimePolicyPortBlock
readonly_files GetContainerRuntimePolicyReadonlyFiles
restricted_volumes Sequence[GetContainerRuntimePolicyRestrictedVolume]: Restricted volumes configuration.

name String: Name of the container runtime policy
allowedExecutables List<Property Map>: Allowed executables configuration.
allowedRegistries List<Property Map>: Allowed registries configuration.
auditing Property Map
containerExec Property Map
fileBlock Property Map
fileIntegrityMonitorings List<Property Map>: Configuration for file integrity monitoring.
limitContainerPrivileges List<Property Map>: Container privileges configuration.
malwareScanOptions List<Property Map>: Configuration for Real-Time Malware Protection.
portBlock Property Map
readonlyFiles Property Map
restrictedVolumes List<Property Map>: Restricted volumes configuration.

getContainerRuntimePolicy Result

The following output properties are available:

ApplicationScopes List<string>: Indicates the application scope of the service.
AuditAllNetworkActivity bool: If true, all network activity will be audited.
AuditAllProcessesActivity bool: If true, all process activity will be audited.
AuditFullCommandArguments bool: If true, full command arguments will be audited.
Author string: Username of the account that created the service.
BlockAccessHostNetwork bool: If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
BlockContainerExec bool: If true, exec into a container is prevented.
BlockCryptocurrencyMining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
BlockFilelessExec bool: Detect and prevent running in-memory execution
BlockLowPortBinding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
BlockNonCompliantImages bool: If true, running non-compliant image in the container is prevented.
BlockNonCompliantWorkloads bool: If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool: If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool: If true, prevent containers from running with privileged container capability.
BlockReverseShell bool: If true, reverse shell is prevented.
BlockRootUser bool: If true, prevent containers from running with root user.
BlockUnregisteredImages bool: If true, running images in the container that are not registered in Aqua is prevented.
BlockUseIpcNamespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool: If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities List<string>: If true, prevents containers from using specific Unix capabilities.
BlockedExecutables List<string>: List of executables that are prevented from running in containers.
BlockedFiles List<string>: List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts List<string>: List of blocked inbound ports.
BlockedOutboundPorts List<string>: List of blocked outbound ports.
BlockedPackages List<string>: Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes List<string>: List of volumes that are prevented from being mounted in the containers.
ContainerExecAllowedProcesses List<string>: List of processes that will be allowed.
Description string: The description of the container runtime policy
EnableDriftPrevention bool: If true, executables that are not in the original image is prevented from running.
EnableForkGuard bool: If true, fork bombs are prevented in the containers.
EnableIpReputationSecurity bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
EnablePortScanDetection bool: If true, detects port scanning behavior in the container.
Enabled bool: Indicates if the runtime policy is enabled or not.
Enforce bool: Indicates that policy should effect container execution (not just for audit).
EnforceAfterDays int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
ExceptionalReadonlyFilesAndDirectories List<string>: List of files and directories to be excluded from the read-only list.
ExecLockdownWhiteLists List<string>: Specify processes that will be allowed
ForkGuardProcessLimit int: Process limit for the fork guard.
Id string: The provider-assigned unique ID for this managed resource.
LimitNewPrivileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
MonitorSystemTimeChanges bool: If true, system time changes will be monitored.
Name string: Name of the container runtime policy
ReadonlyFilesAndDirectories List<string>: List of files and directories to be restricted as read-only
ReverseShellAllowedIps List<string>: List of IPs/ CIDRs that will be allowed
ReverseShellAllowedProcesses List<string>: List of processes that will be allowed
ScopeExpression string: Logical expression of how to compute the dependency of the scope variables.
ScopeVariables List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyScopeVariable>: List of scope attributes.
AllowedExecutables List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyAllowedExecutable>: Allowed executables configuration.
AllowedRegistries List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyAllowedRegistry>: Allowed registries configuration.
Auditing Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyAuditing
ContainerExec Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyContainerExec
FileBlock Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyFileBlock
FileIntegrityMonitorings List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyFileIntegrityMonitoring>: Configuration for file integrity monitoring.
LimitContainerPrivileges List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyLimitContainerPrivilege>: Container privileges configuration.
MalwareScanOptions List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyMalwareScanOption>: Configuration for Real-Time Malware Protection.
PortBlock Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyPortBlock
ReadonlyFiles Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyReadonlyFiles
RestrictedVolumes List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyRestrictedVolume>: Restricted volumes configuration.

ApplicationScopes []string: Indicates the application scope of the service.
AuditAllNetworkActivity bool: If true, all network activity will be audited.
AuditAllProcessesActivity bool: If true, all process activity will be audited.
AuditFullCommandArguments bool: If true, full command arguments will be audited.
Author string: Username of the account that created the service.
BlockAccessHostNetwork bool: If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
BlockContainerExec bool: If true, exec into a container is prevented.
BlockCryptocurrencyMining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
BlockFilelessExec bool: Detect and prevent running in-memory execution
BlockLowPortBinding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
BlockNonCompliantImages bool: If true, running non-compliant image in the container is prevented.
BlockNonCompliantWorkloads bool: If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool: If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool: If true, prevent containers from running with privileged container capability.
BlockReverseShell bool: If true, reverse shell is prevented.
BlockRootUser bool: If true, prevent containers from running with root user.
BlockUnregisteredImages bool: If true, running images in the container that are not registered in Aqua is prevented.
BlockUseIpcNamespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool: If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities []string: If true, prevents containers from using specific Unix capabilities.
BlockedExecutables []string: List of executables that are prevented from running in containers.
BlockedFiles []string: List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts []string: List of blocked inbound ports.
BlockedOutboundPorts []string: List of blocked outbound ports.
BlockedPackages []string: Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes []string: List of volumes that are prevented from being mounted in the containers.
ContainerExecAllowedProcesses []string: List of processes that will be allowed.
Description string: The description of the container runtime policy
EnableDriftPrevention bool: If true, executables that are not in the original image is prevented from running.
EnableForkGuard bool: If true, fork bombs are prevented in the containers.
EnableIpReputationSecurity bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
EnablePortScanDetection bool: If true, detects port scanning behavior in the container.
Enabled bool: Indicates if the runtime policy is enabled or not.
Enforce bool: Indicates that policy should effect container execution (not just for audit).
EnforceAfterDays int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
ExceptionalReadonlyFilesAndDirectories []string: List of files and directories to be excluded from the read-only list.
ExecLockdownWhiteLists []string: Specify processes that will be allowed
ForkGuardProcessLimit int: Process limit for the fork guard.
Id string: The provider-assigned unique ID for this managed resource.
LimitNewPrivileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
MonitorSystemTimeChanges bool: If true, system time changes will be monitored.
Name string: Name of the container runtime policy
ReadonlyFilesAndDirectories []string: List of files and directories to be restricted as read-only
ReverseShellAllowedIps []string: List of IPs/ CIDRs that will be allowed
ReverseShellAllowedProcesses []string: List of processes that will be allowed
ScopeExpression string: Logical expression of how to compute the dependency of the scope variables.
ScopeVariables []GetContainerRuntimePolicyScopeVariable: List of scope attributes.
AllowedExecutables []GetContainerRuntimePolicyAllowedExecutable: Allowed executables configuration.
AllowedRegistries []GetContainerRuntimePolicyAllowedRegistry: Allowed registries configuration.
Auditing GetContainerRuntimePolicyAuditing
ContainerExec GetContainerRuntimePolicyContainerExec
FileBlock GetContainerRuntimePolicyFileBlock
FileIntegrityMonitorings []GetContainerRuntimePolicyFileIntegrityMonitoring: Configuration for file integrity monitoring.
LimitContainerPrivileges []GetContainerRuntimePolicyLimitContainerPrivilege: Container privileges configuration.
MalwareScanOptions []GetContainerRuntimePolicyMalwareScanOption: Configuration for Real-Time Malware Protection.
PortBlock GetContainerRuntimePolicyPortBlock
ReadonlyFiles GetContainerRuntimePolicyReadonlyFiles
RestrictedVolumes []GetContainerRuntimePolicyRestrictedVolume: Restricted volumes configuration.

applicationScopes List<String>: Indicates the application scope of the service.
auditAllNetworkActivity Boolean: If true, all network activity will be audited.
auditAllProcessesActivity Boolean: If true, all process activity will be audited.
auditFullCommandArguments Boolean: If true, full command arguments will be audited.
author String: Username of the account that created the service.
blockAccessHostNetwork Boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec Boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec Boolean: Detect and prevent running in-memory execution
blockLowPortBinding Boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages Boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads Boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell Boolean: If true, reverse shell is prevented.
blockRootUser Boolean: If true, prevent containers from running with root user.
blockUnregisteredImages Boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace Boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>: If true, prevents containers from using specific Unix capabilities.
blockedExecutables List<String>: List of executables that are prevented from running in containers.
blockedFiles List<String>: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>: List of blocked inbound ports.
blockedOutboundPorts List<String>: List of blocked outbound ports.
blockedPackages List<String>: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses List<String>: List of processes that will be allowed.
description String: The description of the container runtime policy
enableDriftPrevention Boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard Boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity Boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection Boolean: If true, detects port scanning behavior in the container.
enabled Boolean: Indicates if the runtime policy is enabled or not.
enforce Boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays Integer: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories List<String>: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists List<String>: Specify processes that will be allowed
forkGuardProcessLimit Integer: Process limit for the fork guard.
id String: The provider-assigned unique ID for this managed resource.
limitNewPrivileges Boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
monitorSystemTimeChanges Boolean: If true, system time changes will be monitored.
name String: Name of the container runtime policy
readonlyFilesAndDirectories List<String>: List of files and directories to be restricted as read-only
reverseShellAllowedIps List<String>: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses List<String>: List of processes that will be allowed
scopeExpression String: Logical expression of how to compute the dependency of the scope variables.
scopeVariables List<GetContainerRuntimePolicyScopeVariable>: List of scope attributes.
allowedExecutables List<GetContainerRuntimePolicyAllowedExecutable>: Allowed executables configuration.
allowedRegistries List<GetContainerRuntimePolicyAllowedRegistry>: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
containerExec GetContainerRuntimePolicyContainerExec
fileBlock GetContainerRuntimePolicyFileBlock
fileIntegrityMonitorings List<GetContainerRuntimePolicyFileIntegrityMonitoring>: Configuration for file integrity monitoring.
limitContainerPrivileges List<GetContainerRuntimePolicyLimitContainerPrivilege>: Container privileges configuration.
malwareScanOptions List<GetContainerRuntimePolicyMalwareScanOption>: Configuration for Real-Time Malware Protection.
portBlock GetContainerRuntimePolicyPortBlock
readonlyFiles GetContainerRuntimePolicyReadonlyFiles
restrictedVolumes List<GetContainerRuntimePolicyRestrictedVolume>: Restricted volumes configuration.

applicationScopes string[]: Indicates the application scope of the service.
auditAllNetworkActivity boolean: If true, all network activity will be audited.
auditAllProcessesActivity boolean: If true, all process activity will be audited.
auditFullCommandArguments boolean: If true, full command arguments will be audited.
author string: Username of the account that created the service.
blockAccessHostNetwork boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec boolean: Detect and prevent running in-memory execution
blockLowPortBinding boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell boolean: If true, reverse shell is prevented.
blockRootUser boolean: If true, prevent containers from running with root user.
blockUnregisteredImages boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities string[]: If true, prevents containers from using specific Unix capabilities.
blockedExecutables string[]: List of executables that are prevented from running in containers.
blockedFiles string[]: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts string[]: List of blocked inbound ports.
blockedOutboundPorts string[]: List of blocked outbound ports.
blockedPackages string[]: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes string[]: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses string[]: List of processes that will be allowed.
description string: The description of the container runtime policy
enableDriftPrevention boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection boolean: If true, detects port scanning behavior in the container.
enabled boolean: Indicates if the runtime policy is enabled or not.
enforce boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays number: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories string[]: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists string[]: Specify processes that will be allowed
forkGuardProcessLimit number: Process limit for the fork guard.
id string: The provider-assigned unique ID for this managed resource.
limitNewPrivileges boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
monitorSystemTimeChanges boolean: If true, system time changes will be monitored.
name string: Name of the container runtime policy
readonlyFilesAndDirectories string[]: List of files and directories to be restricted as read-only
reverseShellAllowedIps string[]: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses string[]: List of processes that will be allowed
scopeExpression string: Logical expression of how to compute the dependency of the scope variables.
scopeVariables GetContainerRuntimePolicyScopeVariable[]: List of scope attributes.
allowedExecutables GetContainerRuntimePolicyAllowedExecutable[]: Allowed executables configuration.
allowedRegistries GetContainerRuntimePolicyAllowedRegistry[]: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
containerExec GetContainerRuntimePolicyContainerExec
fileBlock GetContainerRuntimePolicyFileBlock
fileIntegrityMonitorings GetContainerRuntimePolicyFileIntegrityMonitoring[]: Configuration for file integrity monitoring.
limitContainerPrivileges GetContainerRuntimePolicyLimitContainerPrivilege[]: Container privileges configuration.
malwareScanOptions GetContainerRuntimePolicyMalwareScanOption[]: Configuration for Real-Time Malware Protection.
portBlock GetContainerRuntimePolicyPortBlock
readonlyFiles GetContainerRuntimePolicyReadonlyFiles
restrictedVolumes GetContainerRuntimePolicyRestrictedVolume[]: Restricted volumes configuration.

application_scopes Sequence[str]: Indicates the application scope of the service.
audit_all_network_activity bool: If true, all network activity will be audited.
audit_all_processes_activity bool: If true, all process activity will be audited.
audit_full_command_arguments bool: If true, full command arguments will be audited.
author str: Username of the account that created the service.
block_access_host_network bool: If true, prevent containers from running with access to host network.
block_adding_capabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
block_container_exec bool: If true, exec into a container is prevented.
block_cryptocurrency_mining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
block_fileless_exec bool: Detect and prevent running in-memory execution
block_low_port_binding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
block_non_compliant_images bool: If true, running non-compliant image in the container is prevented.
block_non_compliant_workloads bool: If true, running containers in non-compliant pods is prevented.
block_non_k8s_containers bool: If true, running non-kubernetes containers is prevented.
block_privileged_containers bool: If true, prevent containers from running with privileged container capability.
block_reverse_shell bool: If true, reverse shell is prevented.
block_root_user bool: If true, prevent containers from running with root user.
block_unregistered_images bool: If true, running images in the container that are not registered in Aqua is prevented.
block_use_ipc_namespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
block_use_pid_namespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
block_use_user_namespace bool: If true, prevent containers from running with the privilege to use the user namespace.
block_use_uts_namespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
blocked_capabilities Sequence[str]: If true, prevents containers from using specific Unix capabilities.
blocked_executables Sequence[str]: List of executables that are prevented from running in containers.
blocked_files Sequence[str]: List of files that are prevented from being read, modified and executed in the containers.
blocked_inbound_ports Sequence[str]: List of blocked inbound ports.
blocked_outbound_ports Sequence[str]: List of blocked outbound ports.
blocked_packages Sequence[str]: Prevent containers from reading, writing, or executing all files in the list of packages.
blocked_volumes Sequence[str]: List of volumes that are prevented from being mounted in the containers.
container_exec_allowed_processes Sequence[str]: List of processes that will be allowed.
description str: The description of the container runtime policy
enable_drift_prevention bool: If true, executables that are not in the original image is prevented from running.
enable_fork_guard bool: If true, fork bombs are prevented in the containers.
enable_ip_reputation_security bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enable_port_scan_detection bool: If true, detects port scanning behavior in the container.
enabled bool: Indicates if the runtime policy is enabled or not.
enforce bool: Indicates that policy should effect container execution (not just for audit).
enforce_after_days int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptional_readonly_files_and_directories Sequence[str]: List of files and directories to be excluded from the read-only list.
exec_lockdown_white_lists Sequence[str]: Specify processes that will be allowed
fork_guard_process_limit int: Process limit for the fork guard.
id str: The provider-assigned unique ID for this managed resource.
limit_new_privileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
monitor_system_time_changes bool: If true, system time changes will be monitored.
name str: Name of the container runtime policy
readonly_files_and_directories Sequence[str]: List of files and directories to be restricted as read-only
reverse_shell_allowed_ips Sequence[str]: List of IPs/ CIDRs that will be allowed
reverse_shell_allowed_processes Sequence[str]: List of processes that will be allowed
scope_expression str: Logical expression of how to compute the dependency of the scope variables.
scope_variables Sequence[GetContainerRuntimePolicyScopeVariable]: List of scope attributes.
allowed_executables Sequence[GetContainerRuntimePolicyAllowedExecutable]: Allowed executables configuration.
allowed_registries Sequence[GetContainerRuntimePolicyAllowedRegistry]: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
container_exec GetContainerRuntimePolicyContainerExec
file_block GetContainerRuntimePolicyFileBlock
file_integrity_monitorings Sequence[GetContainerRuntimePolicyFileIntegrityMonitoring]: Configuration for file integrity monitoring.
limit_container_privileges Sequence[GetContainerRuntimePolicyLimitContainerPrivilege]: Container privileges configuration.
malware_scan_options Sequence[GetContainerRuntimePolicyMalwareScanOption]: Configuration for Real-Time Malware Protection.
port_block GetContainerRuntimePolicyPortBlock
readonly_files GetContainerRuntimePolicyReadonlyFiles
restricted_volumes Sequence[GetContainerRuntimePolicyRestrictedVolume]: Restricted volumes configuration.

applicationScopes List<String>: Indicates the application scope of the service.
auditAllNetworkActivity Boolean: If true, all network activity will be audited.
auditAllProcessesActivity Boolean: If true, all process activity will be audited.
auditFullCommandArguments Boolean: If true, full command arguments will be audited.
author String: Username of the account that created the service.
blockAccessHostNetwork Boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec Boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec Boolean: Detect and prevent running in-memory execution
blockLowPortBinding Boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages Boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads Boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell Boolean: If true, reverse shell is prevented.
blockRootUser Boolean: If true, prevent containers from running with root user.
blockUnregisteredImages Boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace Boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>: If true, prevents containers from using specific Unix capabilities.
blockedExecutables List<String>: List of executables that are prevented from running in containers.
blockedFiles List<String>: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>: List of blocked inbound ports.
blockedOutboundPorts List<String>: List of blocked outbound ports.
blockedPackages List<String>: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses List<String>: List of processes that will be allowed.
description String: The description of the container runtime policy
enableDriftPrevention Boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard Boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity Boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection Boolean: If true, detects port scanning behavior in the container.
enabled Boolean: Indicates if the runtime policy is enabled or not.
enforce Boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays Number: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories List<String>: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists List<String>: Specify processes that will be allowed
forkGuardProcessLimit Number: Process limit for the fork guard.
id String: The provider-assigned unique ID for this managed resource.
limitNewPrivileges Boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
monitorSystemTimeChanges Boolean: If true, system time changes will be monitored.
name String: Name of the container runtime policy
readonlyFilesAndDirectories List<String>: List of files and directories to be restricted as read-only
reverseShellAllowedIps List<String>: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses List<String>: List of processes that will be allowed
scopeExpression String: Logical expression of how to compute the dependency of the scope variables.
scopeVariables List<Property Map>: List of scope attributes.
allowedExecutables List<Property Map>: Allowed executables configuration.
allowedRegistries List<Property Map>: Allowed registries configuration.
auditing Property Map
containerExec Property Map
fileBlock Property Map
fileIntegrityMonitorings List<Property Map>: Configuration for file integrity monitoring.
limitContainerPrivileges List<Property Map>: Container privileges configuration.
malwareScanOptions List<Property Map>: Configuration for Real-Time Malware Protection.
portBlock Property Map
readonlyFiles Property Map
restrictedVolumes List<Property Map>: Restricted volumes configuration.

Supporting Types

GetContainerRuntimePolicyAllowedExecutable

AllowExecutables List<string>: List of allowed executables.
AllowRootExecutables List<string>: List of allowed root executables.
Enabled bool: Whether allowed executables configuration is enabled.
SeparateExecutables bool: Whether to treat executables separately.

AllowExecutables []string: List of allowed executables.
AllowRootExecutables []string: List of allowed root executables.
Enabled bool: Whether allowed executables configuration is enabled.
SeparateExecutables bool: Whether to treat executables separately.

allowExecutables List<String>: List of allowed executables.
allowRootExecutables List<String>: List of allowed root executables.
enabled Boolean: Whether allowed executables configuration is enabled.
separateExecutables Boolean: Whether to treat executables separately.

allowExecutables string[]: List of allowed executables.
allowRootExecutables string[]: List of allowed root executables.
enabled boolean: Whether allowed executables configuration is enabled.
separateExecutables boolean: Whether to treat executables separately.

allow_executables Sequence[str]: List of allowed executables.
allow_root_executables Sequence[str]: List of allowed root executables.
enabled bool: Whether allowed executables configuration is enabled.
separate_executables bool: Whether to treat executables separately.

allowExecutables List<String>: List of allowed executables.
allowRootExecutables List<String>: List of allowed root executables.
enabled Boolean: Whether allowed executables configuration is enabled.
separateExecutables Boolean: Whether to treat executables separately.

GetContainerRuntimePolicyAllowedRegistry

AllowedRegistries List<string>: List of allowed registries.
Enabled bool: Whether allowed registries are enabled.

AllowedRegistries []string: List of allowed registries.
Enabled bool: Whether allowed registries are enabled.

allowedRegistries List<String>: List of allowed registries.
enabled Boolean: Whether allowed registries are enabled.

allowedRegistries string[]: List of allowed registries.
enabled boolean: Whether allowed registries are enabled.

allowed_registries Sequence[str]: List of allowed registries.
enabled bool: Whether allowed registries are enabled.

allowedRegistries List<String>: List of allowed registries.
enabled Boolean: Whether allowed registries are enabled.

GetContainerRuntimePolicyFileIntegrityMonitoring

Enabled bool: If true, file integrity monitoring is enabled.
ExceptionalMonitoredFiles List<string>: List of paths to be excluded from monitoring.
ExceptionalMonitoredFilesProcesses List<string>: List of processes to be excluded from monitoring.
ExceptionalMonitoredFilesUsers List<string>: List of users to be excluded from monitoring.
MonitoredFiles List<string>: List of paths to be monitored.
MonitoredFilesAttributes bool: Whether to monitor file attribute operations.
MonitoredFilesCreate bool: Whether to monitor file create operations.
MonitoredFilesDelete bool: Whether to monitor file delete operations.
MonitoredFilesModify bool: Whether to monitor file modify operations.
MonitoredFilesProcesses List<string>: List of processes associated with monitored files.
MonitoredFilesRead bool: Whether to monitor file read operations.
MonitoredFilesUsers List<string>: List of users associated with monitored files.

Enabled bool: If true, file integrity monitoring is enabled.
ExceptionalMonitoredFiles []string: List of paths to be excluded from monitoring.
ExceptionalMonitoredFilesProcesses []string: List of processes to be excluded from monitoring.
ExceptionalMonitoredFilesUsers []string: List of users to be excluded from monitoring.
MonitoredFiles []string: List of paths to be monitored.
MonitoredFilesAttributes bool: Whether to monitor file attribute operations.
MonitoredFilesCreate bool: Whether to monitor file create operations.
MonitoredFilesDelete bool: Whether to monitor file delete operations.
MonitoredFilesModify bool: Whether to monitor file modify operations.
MonitoredFilesProcesses []string: List of processes associated with monitored files.
MonitoredFilesRead bool: Whether to monitor file read operations.
MonitoredFilesUsers []string: List of users associated with monitored files.

enabled Boolean: If true, file integrity monitoring is enabled.
exceptionalMonitoredFiles List<String>: List of paths to be excluded from monitoring.
exceptionalMonitoredFilesProcesses List<String>: List of processes to be excluded from monitoring.
exceptionalMonitoredFilesUsers List<String>: List of users to be excluded from monitoring.
monitoredFiles List<String>: List of paths to be monitored.
monitoredFilesAttributes Boolean: Whether to monitor file attribute operations.
monitoredFilesCreate Boolean: Whether to monitor file create operations.
monitoredFilesDelete Boolean: Whether to monitor file delete operations.
monitoredFilesModify Boolean: Whether to monitor file modify operations.
monitoredFilesProcesses List<String>: List of processes associated with monitored files.
monitoredFilesRead Boolean: Whether to monitor file read operations.
monitoredFilesUsers List<String>: List of users associated with monitored files.

enabled boolean: If true, file integrity monitoring is enabled.
exceptionalMonitoredFiles string[]: List of paths to be excluded from monitoring.
exceptionalMonitoredFilesProcesses string[]: List of processes to be excluded from monitoring.
exceptionalMonitoredFilesUsers string[]: List of users to be excluded from monitoring.
monitoredFiles string[]: List of paths to be monitored.
monitoredFilesAttributes boolean: Whether to monitor file attribute operations.
monitoredFilesCreate boolean: Whether to monitor file create operations.
monitoredFilesDelete boolean: Whether to monitor file delete operations.
monitoredFilesModify boolean: Whether to monitor file modify operations.
monitoredFilesProcesses string[]: List of processes associated with monitored files.
monitoredFilesRead boolean: Whether to monitor file read operations.
monitoredFilesUsers string[]: List of users associated with monitored files.

enabled bool: If true, file integrity monitoring is enabled.
exceptional_monitored_files Sequence[str]: List of paths to be excluded from monitoring.
exceptional_monitored_files_processes Sequence[str]: List of processes to be excluded from monitoring.
exceptional_monitored_files_users Sequence[str]: List of users to be excluded from monitoring.
monitored_files Sequence[str]: List of paths to be monitored.
monitored_files_attributes bool: Whether to monitor file attribute operations.
monitored_files_create bool: Whether to monitor file create operations.
monitored_files_delete bool: Whether to monitor file delete operations.
monitored_files_modify bool: Whether to monitor file modify operations.
monitored_files_processes Sequence[str]: List of processes associated with monitored files.
monitored_files_read bool: Whether to monitor file read operations.
monitored_files_users Sequence[str]: List of users associated with monitored files.

enabled Boolean: If true, file integrity monitoring is enabled.
exceptionalMonitoredFiles List<String>: List of paths to be excluded from monitoring.
exceptionalMonitoredFilesProcesses List<String>: List of processes to be excluded from monitoring.
exceptionalMonitoredFilesUsers List<String>: List of users to be excluded from monitoring.
monitoredFiles List<String>: List of paths to be monitored.
monitoredFilesAttributes Boolean: Whether to monitor file attribute operations.
monitoredFilesCreate Boolean: Whether to monitor file create operations.
monitoredFilesDelete Boolean: Whether to monitor file delete operations.
monitoredFilesModify Boolean: Whether to monitor file modify operations.
monitoredFilesProcesses List<String>: List of processes associated with monitored files.
monitoredFilesRead Boolean: Whether to monitor file read operations.
monitoredFilesUsers List<String>: List of users associated with monitored files.

GetContainerRuntimePolicyLimitContainerPrivilege

BlockAddCapabilities bool: Whether to block adding capabilities.
Enabled bool: Whether container privilege limitations are enabled.
Ipcmode bool: Whether to limit IPC-related capabilities.
Netmode bool: Whether to limit network-related capabilities.
Pidmode bool: Whether to limit process-related capabilities.
PreventLowPortBinding bool: Whether to prevent low port binding.
PreventRootUser bool: Whether to prevent the use of the root user.
Privileged bool: Whether the container is run in privileged mode.
UseHostUser bool: Whether to use the host user.
Usermode bool: Whether to limit user-related capabilities.
Utsmode bool: Whether to limit UTS-related capabilities.

BlockAddCapabilities bool: Whether to block adding capabilities.
Enabled bool: Whether container privilege limitations are enabled.
Ipcmode bool: Whether to limit IPC-related capabilities.
Netmode bool: Whether to limit network-related capabilities.
Pidmode bool: Whether to limit process-related capabilities.
PreventLowPortBinding bool: Whether to prevent low port binding.
PreventRootUser bool: Whether to prevent the use of the root user.
Privileged bool: Whether the container is run in privileged mode.
UseHostUser bool: Whether to use the host user.
Usermode bool: Whether to limit user-related capabilities.
Utsmode bool: Whether to limit UTS-related capabilities.

blockAddCapabilities Boolean: Whether to block adding capabilities.
enabled Boolean: Whether container privilege limitations are enabled.
ipcmode Boolean: Whether to limit IPC-related capabilities.
netmode Boolean: Whether to limit network-related capabilities.
pidmode Boolean: Whether to limit process-related capabilities.
preventLowPortBinding Boolean: Whether to prevent low port binding.
preventRootUser Boolean: Whether to prevent the use of the root user.
privileged Boolean: Whether the container is run in privileged mode.
useHostUser Boolean: Whether to use the host user.
usermode Boolean: Whether to limit user-related capabilities.
utsmode Boolean: Whether to limit UTS-related capabilities.

blockAddCapabilities boolean: Whether to block adding capabilities.
enabled boolean: Whether container privilege limitations are enabled.
ipcmode boolean: Whether to limit IPC-related capabilities.
netmode boolean: Whether to limit network-related capabilities.
pidmode boolean: Whether to limit process-related capabilities.
preventLowPortBinding boolean: Whether to prevent low port binding.
preventRootUser boolean: Whether to prevent the use of the root user.
privileged boolean: Whether the container is run in privileged mode.
useHostUser boolean: Whether to use the host user.
usermode boolean: Whether to limit user-related capabilities.
utsmode boolean: Whether to limit UTS-related capabilities.

block_add_capabilities bool: Whether to block adding capabilities.
enabled bool: Whether container privilege limitations are enabled.
ipcmode bool: Whether to limit IPC-related capabilities.
netmode bool: Whether to limit network-related capabilities.
pidmode bool: Whether to limit process-related capabilities.
prevent_low_port_binding bool: Whether to prevent low port binding.
prevent_root_user bool: Whether to prevent the use of the root user.
privileged bool: Whether the container is run in privileged mode.
use_host_user bool: Whether to use the host user.
usermode bool: Whether to limit user-related capabilities.
utsmode bool: Whether to limit UTS-related capabilities.

blockAddCapabilities Boolean: Whether to block adding capabilities.
enabled Boolean: Whether container privilege limitations are enabled.
ipcmode Boolean: Whether to limit IPC-related capabilities.
netmode Boolean: Whether to limit network-related capabilities.
pidmode Boolean: Whether to limit process-related capabilities.
preventLowPortBinding Boolean: Whether to prevent low port binding.
preventRootUser Boolean: Whether to prevent the use of the root user.
privileged Boolean: Whether the container is run in privileged mode.
useHostUser Boolean: Whether to use the host user.
usermode Boolean: Whether to limit user-related capabilities.
utsmode Boolean: Whether to limit UTS-related capabilities.

GetContainerRuntimePolicyMalwareScanOption

Action string: Set Action, Defaults to 'Alert' when empty
Enabled bool: Defines if enabled or not
ExcludeDirectories List<string>: List of registry paths to be excluded from being protected.
ExcludeProcesses List<string>: List of registry processes to be excluded from being protected.
IncludeDirectories List<string>: List of registry paths to be excluded from being protected.

Action string: Set Action, Defaults to 'Alert' when empty
Enabled bool: Defines if enabled or not
ExcludeDirectories []string: List of registry paths to be excluded from being protected.
ExcludeProcesses []string: List of registry processes to be excluded from being protected.
IncludeDirectories []string: List of registry paths to be excluded from being protected.

action String: Set Action, Defaults to 'Alert' when empty
enabled Boolean: Defines if enabled or not
excludeDirectories List<String>: List of registry paths to be excluded from being protected.
excludeProcesses List<String>: List of registry processes to be excluded from being protected.
includeDirectories List<String>: List of registry paths to be excluded from being protected.

action string: Set Action, Defaults to 'Alert' when empty
enabled boolean: Defines if enabled or not
excludeDirectories string[]: List of registry paths to be excluded from being protected.
excludeProcesses string[]: List of registry processes to be excluded from being protected.
includeDirectories string[]: List of registry paths to be excluded from being protected.

action str: Set Action, Defaults to 'Alert' when empty
enabled bool: Defines if enabled or not
exclude_directories Sequence[str]: List of registry paths to be excluded from being protected.
exclude_processes Sequence[str]: List of registry processes to be excluded from being protected.
include_directories Sequence[str]: List of registry paths to be excluded from being protected.

action String: Set Action, Defaults to 'Alert' when empty
enabled Boolean: Defines if enabled or not
excludeDirectories List<String>: List of registry paths to be excluded from being protected.
excludeProcesses List<String>: List of registry processes to be excluded from being protected.
includeDirectories List<String>: List of registry paths to be excluded from being protected.