aquasec.getContainerRuntimePolicy

Aquasec v0.8.29, Jul 22 24

Viewing docs for Aquasec v0.8.29
published on Monday, Jul 22, 2024 by Pulumiverse

Schema (JSON)

pulumiverse/pulumi-aquasec

Viewing docs for Aquasec v0.8.29
published on Monday, Jul 22, 2024 by Pulumiverse

Schema (JSON)

pulumiverse/pulumi-aquasec

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumi/aquasec";

const containerRuntimePolicy = aquasec.getContainerRuntimePolicy({
    name: "FunctionRuntimePolicyName",
});
export const containerRuntimePolicyDetails = containerRuntimePolicy;

import pulumi
import pulumi_aquasec as aquasec

container_runtime_policy = aquasec.get_container_runtime_policy(name="FunctionRuntimePolicyName")
pulumi.export("containerRuntimePolicyDetails", container_runtime_policy)

package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		containerRuntimePolicy, err := aquasec.LookupContainerRuntimePolicy(ctx, &aquasec.LookupContainerRuntimePolicyArgs{
			Name: "FunctionRuntimePolicyName",
		}, nil)
		if err != nil {
			return err
		}
		ctx.Export("containerRuntimePolicyDetails", containerRuntimePolicy)
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aquasec = Pulumi.Aquasec;

return await Deployment.RunAsync(() => 
{
    var containerRuntimePolicy = Aquasec.GetContainerRuntimePolicy.Invoke(new()
    {
        Name = "FunctionRuntimePolicyName",
    });

    return new Dictionary<string, object?>
    {
        ["containerRuntimePolicyDetails"] = containerRuntimePolicy,
    };
});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.AquasecFunctions;
import com.pulumi.aquasec.inputs.GetContainerRuntimePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var containerRuntimePolicy = AquasecFunctions.getContainerRuntimePolicy(GetContainerRuntimePolicyArgs.builder()
            .name("FunctionRuntimePolicyName")
            .build());

        ctx.export("containerRuntimePolicyDetails", containerRuntimePolicy.applyValue(getContainerRuntimePolicyResult -> getContainerRuntimePolicyResult));
    }
}

variables:
  containerRuntimePolicy:
    fn::invoke:
      Function: aquasec:getContainerRuntimePolicy
      Arguments:
        name: FunctionRuntimePolicyName
outputs:
  containerRuntimePolicyDetails: ${containerRuntimePolicy}

Using getContainerRuntimePolicy

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getContainerRuntimePolicy(args: GetContainerRuntimePolicyArgs, opts?: InvokeOptions): Promise<GetContainerRuntimePolicyResult>
function getContainerRuntimePolicyOutput(args: GetContainerRuntimePolicyOutputArgs, opts?: InvokeOptions): Output<GetContainerRuntimePolicyResult>

def get_container_runtime_policy(allowed_executables: Optional[Sequence[GetContainerRuntimePolicyAllowedExecutable]] = None,
                                 allowed_registries: Optional[Sequence[GetContainerRuntimePolicyAllowedRegistry]] = None,
                                 auditing: Optional[GetContainerRuntimePolicyAuditing] = None,
                                 container_exec: Optional[GetContainerRuntimePolicyContainerExec] = None,
                                 file_block: Optional[GetContainerRuntimePolicyFileBlock] = None,
                                 file_integrity_monitorings: Optional[Sequence[GetContainerRuntimePolicyFileIntegrityMonitoring]] = None,
                                 limit_container_privileges: Optional[Sequence[GetContainerRuntimePolicyLimitContainerPrivilege]] = None,
                                 malware_scan_options: Optional[Sequence[GetContainerRuntimePolicyMalwareScanOption]] = None,
                                 name: Optional[str] = None,
                                 port_block: Optional[GetContainerRuntimePolicyPortBlock] = None,
                                 readonly_files: Optional[GetContainerRuntimePolicyReadonlyFiles] = None,
                                 restricted_volumes: Optional[Sequence[GetContainerRuntimePolicyRestrictedVolume]] = None,
                                 opts: Optional[InvokeOptions] = None) -> GetContainerRuntimePolicyResult
def get_container_runtime_policy_output(allowed_executables: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyAllowedExecutableArgs]]]] = None,
                                 allowed_registries: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyAllowedRegistryArgs]]]] = None,
                                 auditing: Optional[pulumi.Input[GetContainerRuntimePolicyAuditingArgs]] = None,
                                 container_exec: Optional[pulumi.Input[GetContainerRuntimePolicyContainerExecArgs]] = None,
                                 file_block: Optional[pulumi.Input[GetContainerRuntimePolicyFileBlockArgs]] = None,
                                 file_integrity_monitorings: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyFileIntegrityMonitoringArgs]]]] = None,
                                 limit_container_privileges: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyLimitContainerPrivilegeArgs]]]] = None,
                                 malware_scan_options: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyMalwareScanOptionArgs]]]] = None,
                                 name: Optional[pulumi.Input[str]] = None,
                                 port_block: Optional[pulumi.Input[GetContainerRuntimePolicyPortBlockArgs]] = None,
                                 readonly_files: Optional[pulumi.Input[GetContainerRuntimePolicyReadonlyFilesArgs]] = None,
                                 restricted_volumes: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyRestrictedVolumeArgs]]]] = None,
                                 opts: Optional[InvokeOptions] = None) -> Output[GetContainerRuntimePolicyResult]

func LookupContainerRuntimePolicy(ctx *Context, args *LookupContainerRuntimePolicyArgs, opts ...InvokeOption) (*LookupContainerRuntimePolicyResult, error)
func LookupContainerRuntimePolicyOutput(ctx *Context, args *LookupContainerRuntimePolicyOutputArgs, opts ...InvokeOption) LookupContainerRuntimePolicyResultOutput

> Note: This function is named LookupContainerRuntimePolicy in the Go SDK.

public static class GetContainerRuntimePolicy 
{
    public static Task<GetContainerRuntimePolicyResult> InvokeAsync(GetContainerRuntimePolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetContainerRuntimePolicyResult> Invoke(GetContainerRuntimePolicyInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetContainerRuntimePolicyResult> getContainerRuntimePolicy(GetContainerRuntimePolicyArgs args, InvokeOptions options)
public static Output<GetContainerRuntimePolicyResult> getContainerRuntimePolicy(GetContainerRuntimePolicyArgs args, InvokeOptions options)

fn::invoke:
  function: aquasec:index/getContainerRuntimePolicy:getContainerRuntimePolicy
  arguments:
    # arguments dictionary

The following arguments are supported:

Name string: Name of the container runtime policy
AllowedExecutables List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyAllowedExecutable>: Allowed executables configuration.
AllowedRegistries List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyAllowedRegistry>: Allowed registries configuration.
Auditing Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyAuditing
ContainerExec Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyContainerExec
FileBlock Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyFileBlock
FileIntegrityMonitorings List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyFileIntegrityMonitoring>: Configuration for file integrity monitoring.
LimitContainerPrivileges List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyLimitContainerPrivilege>: Container privileges configuration.
MalwareScanOptions List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyMalwareScanOption>: Configuration for Real-Time Malware Protection.
PortBlock Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyPortBlock
ReadonlyFiles Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyReadonlyFiles
RestrictedVolumes List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyRestrictedVolume>: Restricted volumes configuration.

Name string: Name of the container runtime policy
AllowedExecutables []GetContainerRuntimePolicyAllowedExecutable: Allowed executables configuration.
AllowedRegistries []GetContainerRuntimePolicyAllowedRegistry: Allowed registries configuration.
Auditing GetContainerRuntimePolicyAuditing
ContainerExec GetContainerRuntimePolicyContainerExec
FileBlock GetContainerRuntimePolicyFileBlock
FileIntegrityMonitorings []GetContainerRuntimePolicyFileIntegrityMonitoring: Configuration for file integrity monitoring.
LimitContainerPrivileges []GetContainerRuntimePolicyLimitContainerPrivilege: Container privileges configuration.
MalwareScanOptions []GetContainerRuntimePolicyMalwareScanOption: Configuration for Real-Time Malware Protection.
PortBlock GetContainerRuntimePolicyPortBlock
ReadonlyFiles GetContainerRuntimePolicyReadonlyFiles
RestrictedVolumes []GetContainerRuntimePolicyRestrictedVolume: Restricted volumes configuration.

name String: Name of the container runtime policy
allowedExecutables List<GetContainerRuntimePolicyAllowedExecutable>: Allowed executables configuration.
allowedRegistries List<GetContainerRuntimePolicyAllowedRegistry>: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
containerExec GetContainerRuntimePolicyContainerExec
fileBlock GetContainerRuntimePolicyFileBlock
fileIntegrityMonitorings List<GetContainerRuntimePolicyFileIntegrityMonitoring>: Configuration for file integrity monitoring.
limitContainerPrivileges List<GetContainerRuntimePolicyLimitContainerPrivilege>: Container privileges configuration.
malwareScanOptions List<GetContainerRuntimePolicyMalwareScanOption>: Configuration for Real-Time Malware Protection.
portBlock GetContainerRuntimePolicyPortBlock
readonlyFiles GetContainerRuntimePolicyReadonlyFiles
restrictedVolumes List<GetContainerRuntimePolicyRestrictedVolume>: Restricted volumes configuration.

name string: Name of the container runtime policy
allowedExecutables GetContainerRuntimePolicyAllowedExecutable[]: Allowed executables configuration.
allowedRegistries GetContainerRuntimePolicyAllowedRegistry[]: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
containerExec GetContainerRuntimePolicyContainerExec
fileBlock GetContainerRuntimePolicyFileBlock
fileIntegrityMonitorings GetContainerRuntimePolicyFileIntegrityMonitoring[]: Configuration for file integrity monitoring.
limitContainerPrivileges GetContainerRuntimePolicyLimitContainerPrivilege[]: Container privileges configuration.
malwareScanOptions GetContainerRuntimePolicyMalwareScanOption[]: Configuration for Real-Time Malware Protection.
portBlock GetContainerRuntimePolicyPortBlock
readonlyFiles GetContainerRuntimePolicyReadonlyFiles
restrictedVolumes GetContainerRuntimePolicyRestrictedVolume[]: Restricted volumes configuration.

name str: Name of the container runtime policy
allowed_executables Sequence[GetContainerRuntimePolicyAllowedExecutable]: Allowed executables configuration.
allowed_registries Sequence[GetContainerRuntimePolicyAllowedRegistry]: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
container_exec GetContainerRuntimePolicyContainerExec
file_block GetContainerRuntimePolicyFileBlock
file_integrity_monitorings Sequence[GetContainerRuntimePolicyFileIntegrityMonitoring]: Configuration for file integrity monitoring.
limit_container_privileges Sequence[GetContainerRuntimePolicyLimitContainerPrivilege]: Container privileges configuration.
malware_scan_options Sequence[GetContainerRuntimePolicyMalwareScanOption]: Configuration for Real-Time Malware Protection.
port_block GetContainerRuntimePolicyPortBlock
readonly_files GetContainerRuntimePolicyReadonlyFiles
restricted_volumes Sequence[GetContainerRuntimePolicyRestrictedVolume]: Restricted volumes configuration.

name String: Name of the container runtime policy
allowedExecutables List<Property Map>: Allowed executables configuration.
allowedRegistries List<Property Map>: Allowed registries configuration.
auditing Property Map
containerExec Property Map
fileBlock Property Map
fileIntegrityMonitorings List<Property Map>: Configuration for file integrity monitoring.
limitContainerPrivileges List<Property Map>: Container privileges configuration.
malwareScanOptions List<Property Map>: Configuration for Real-Time Malware Protection.
portBlock Property Map
readonlyFiles Property Map
restrictedVolumes List<Property Map>: Restricted volumes configuration.

getContainerRuntimePolicy Result

The following output properties are available:

ApplicationScopes List<string>: Indicates the application scope of the service.
AuditAllNetworkActivity bool: If true, all network activity will be audited.
AuditAllProcessesActivity bool: If true, all process activity will be audited.
AuditFullCommandArguments bool: If true, full command arguments will be audited.
Author string: Username of the account that created the service.
BlockAccessHostNetwork bool: If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
BlockContainerExec bool: If true, exec into a container is prevented.
BlockCryptocurrencyMining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
BlockFilelessExec bool: Detect and prevent running in-memory execution
BlockLowPortBinding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
BlockNonCompliantImages bool: If true, running non-compliant image in the container is prevented.
BlockNonCompliantWorkloads bool: If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool: If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool: If true, prevent containers from running with privileged container capability.
BlockReverseShell bool: If true, reverse shell is prevented.
BlockRootUser bool: If true, prevent containers from running with root user.
BlockUnregisteredImages bool: If true, running images in the container that are not registered in Aqua is prevented.
BlockUseIpcNamespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool: If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities List<string>: If true, prevents containers from using specific Unix capabilities.
BlockedExecutables List<string>: List of executables that are prevented from running in containers.
BlockedFiles List<string>: List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts List<string>: List of blocked inbound ports.
BlockedOutboundPorts List<string>: List of blocked outbound ports.
BlockedPackages List<string>: Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes List<string>: List of volumes that are prevented from being mounted in the containers.
ContainerExecAllowedProcesses List<string>: List of processes that will be allowed.
Description string: The description of the container runtime policy
EnableDriftPrevention bool: If true, executables that are not in the original image is prevented from running.
EnableForkGuard bool: If true, fork bombs are prevented in the containers.
EnableIpReputationSecurity bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
EnablePortScanDetection bool: If true, detects port scanning behavior in the container.
Enabled bool: Indicates if the runtime policy is enabled or not.
Enforce bool: Indicates that policy should effect container execution (not just for audit).
EnforceAfterDays int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
ExceptionalReadonlyFilesAndDirectories List<string>: List of files and directories to be excluded from the read-only list.
ExecLockdownWhiteLists List<string>: Specify processes that will be allowed
ForkGuardProcessLimit int: Process limit for the fork guard.
Id string: The provider-assigned unique ID for this managed resource.
LimitNewPrivileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
MonitorSystemTimeChanges bool: If true, system time changes will be monitored.
Name string: Name of the container runtime policy
ReadonlyFilesAndDirectories List<string>: List of files and directories to be restricted as read-only
ReverseShellAllowedIps List<string>: List of IPs/ CIDRs that will be allowed
ReverseShellAllowedProcesses List<string>: List of processes that will be allowed
ScopeExpression string: Logical expression of how to compute the dependency of the scope variables.
ScopeVariables List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyScopeVariable>: List of scope attributes.
AllowedExecutables List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyAllowedExecutable>: Allowed executables configuration.
AllowedRegistries List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyAllowedRegistry>: Allowed registries configuration.
Auditing Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyAuditing
ContainerExec Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyContainerExec
FileBlock Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyFileBlock
FileIntegrityMonitorings List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyFileIntegrityMonitoring>: Configuration for file integrity monitoring.
LimitContainerPrivileges List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyLimitContainerPrivilege>: Container privileges configuration.
MalwareScanOptions List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyMalwareScanOption>: Configuration for Real-Time Malware Protection.
PortBlock Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyPortBlock
ReadonlyFiles Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyReadonlyFiles
RestrictedVolumes List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyRestrictedVolume>: Restricted volumes configuration.

ApplicationScopes []string: Indicates the application scope of the service.
AuditAllNetworkActivity bool: If true, all network activity will be audited.
AuditAllProcessesActivity bool: If true, all process activity will be audited.
AuditFullCommandArguments bool: If true, full command arguments will be audited.
Author string: Username of the account that created the service.
BlockAccessHostNetwork bool: If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
BlockContainerExec bool: If true, exec into a container is prevented.
BlockCryptocurrencyMining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
BlockFilelessExec bool: Detect and prevent running in-memory execution
BlockLowPortBinding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
BlockNonCompliantImages bool: If true, running non-compliant image in the container is prevented.
BlockNonCompliantWorkloads bool: If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool: If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool: If true, prevent containers from running with privileged container capability.
BlockReverseShell bool: If true, reverse shell is prevented.
BlockRootUser bool: If true, prevent containers from running with root user.
BlockUnregisteredImages bool: If true, running images in the container that are not registered in Aqua is prevented.
BlockUseIpcNamespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool: If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities []string: If true, prevents containers from using specific Unix capabilities.
BlockedExecutables []string: List of executables that are prevented from running in containers.
BlockedFiles []string: List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts []string: List of blocked inbound ports.
BlockedOutboundPorts []string: List of blocked outbound ports.
BlockedPackages []string: Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes []string: List of volumes that are prevented from being mounted in the containers.
ContainerExecAllowedProcesses []string: List of processes that will be allowed.
Description string: The description of the container runtime policy
EnableDriftPrevention bool: If true, executables that are not in the original image is prevented from running.
EnableForkGuard bool: If true, fork bombs are prevented in the containers.
EnableIpReputationSecurity bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
EnablePortScanDetection bool: If true, detects port scanning behavior in the container.
Enabled bool: Indicates if the runtime policy is enabled or not.
Enforce bool: Indicates that policy should effect container execution (not just for audit).
EnforceAfterDays int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
ExceptionalReadonlyFilesAndDirectories []string: List of files and directories to be excluded from the read-only list.
ExecLockdownWhiteLists []string: Specify processes that will be allowed
ForkGuardProcessLimit int: Process limit for the fork guard.
Id string: The provider-assigned unique ID for this managed resource.
LimitNewPrivileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
MonitorSystemTimeChanges bool: If true, system time changes will be monitored.
Name string: Name of the container runtime policy
ReadonlyFilesAndDirectories []string: List of files and directories to be restricted as read-only
ReverseShellAllowedIps []string: List of IPs/ CIDRs that will be allowed
ReverseShellAllowedProcesses []string: List of processes that will be allowed
ScopeExpression string: Logical expression of how to compute the dependency of the scope variables.
ScopeVariables []GetContainerRuntimePolicyScopeVariable: List of scope attributes.
AllowedExecutables []GetContainerRuntimePolicyAllowedExecutable: Allowed executables configuration.
AllowedRegistries []GetContainerRuntimePolicyAllowedRegistry: Allowed registries configuration.
Auditing GetContainerRuntimePolicyAuditing
ContainerExec GetContainerRuntimePolicyContainerExec
FileBlock GetContainerRuntimePolicyFileBlock
FileIntegrityMonitorings []GetContainerRuntimePolicyFileIntegrityMonitoring: Configuration for file integrity monitoring.
LimitContainerPrivileges []GetContainerRuntimePolicyLimitContainerPrivilege: Container privileges configuration.
MalwareScanOptions []GetContainerRuntimePolicyMalwareScanOption: Configuration for Real-Time Malware Protection.
PortBlock GetContainerRuntimePolicyPortBlock
ReadonlyFiles GetContainerRuntimePolicyReadonlyFiles
RestrictedVolumes []GetContainerRuntimePolicyRestrictedVolume: Restricted volumes configuration.

applicationScopes List<String>: Indicates the application scope of the service.
auditAllNetworkActivity Boolean: If true, all network activity will be audited.
auditAllProcessesActivity Boolean: If true, all process activity will be audited.
auditFullCommandArguments Boolean: If true, full command arguments will be audited.
author String: Username of the account that created the service.
blockAccessHostNetwork Boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec Boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec Boolean: Detect and prevent running in-memory execution
blockLowPortBinding Boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages Boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads Boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell Boolean: If true, reverse shell is prevented.
blockRootUser Boolean: If true, prevent containers from running with root user.
blockUnregisteredImages Boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace Boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>: If true, prevents containers from using specific Unix capabilities.
blockedExecutables List<String>: List of executables that are prevented from running in containers.
blockedFiles List<String>: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>: List of blocked inbound ports.
blockedOutboundPorts List<String>: List of blocked outbound ports.
blockedPackages List<String>: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses List<String>: List of processes that will be allowed.
description String: The description of the container runtime policy
enableDriftPrevention Boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard Boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity Boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection Boolean: If true, detects port scanning behavior in the container.
enabled Boolean: Indicates if the runtime policy is enabled or not.
enforce Boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays Integer: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories List<String>: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists List<String>: Specify processes that will be allowed
forkGuardProcessLimit Integer: Process limit for the fork guard.
id String: The provider-assigned unique ID for this managed resource.
limitNewPrivileges Boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
monitorSystemTimeChanges Boolean: If true, system time changes will be monitored.
name String: Name of the container runtime policy
readonlyFilesAndDirectories List<String>: List of files and directories to be restricted as read-only
reverseShellAllowedIps List<String>: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses List<String>: List of processes that will be allowed
scopeExpression String: Logical expression of how to compute the dependency of the scope variables.
scopeVariables List<GetContainerRuntimePolicyScopeVariable>: List of scope attributes.
allowedExecutables List<GetContainerRuntimePolicyAllowedExecutable>: Allowed executables configuration.
allowedRegistries List<GetContainerRuntimePolicyAllowedRegistry>: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
containerExec GetContainerRuntimePolicyContainerExec
fileBlock GetContainerRuntimePolicyFileBlock
fileIntegrityMonitorings List<GetContainerRuntimePolicyFileIntegrityMonitoring>: Configuration for file integrity monitoring.
limitContainerPrivileges List<GetContainerRuntimePolicyLimitContainerPrivilege>: Container privileges configuration.
malwareScanOptions List<GetContainerRuntimePolicyMalwareScanOption>: Configuration for Real-Time Malware Protection.
portBlock GetContainerRuntimePolicyPortBlock
readonlyFiles GetContainerRuntimePolicyReadonlyFiles
restrictedVolumes List<GetContainerRuntimePolicyRestrictedVolume>: Restricted volumes configuration.

applicationScopes string[]: Indicates the application scope of the service.
auditAllNetworkActivity boolean: If true, all network activity will be audited.
auditAllProcessesActivity boolean: If true, all process activity will be audited.
auditFullCommandArguments boolean: If true, full command arguments will be audited.
author string: Username of the account that created the service.
blockAccessHostNetwork boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec boolean: Detect and prevent running in-memory execution
blockLowPortBinding boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell boolean: If true, reverse shell is prevented.
blockRootUser boolean: If true, prevent containers from running with root user.
blockUnregisteredImages boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities string[]: If true, prevents containers from using specific Unix capabilities.
blockedExecutables string[]: List of executables that are prevented from running in containers.
blockedFiles string[]: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts string[]: List of blocked inbound ports.
blockedOutboundPorts string[]: List of blocked outbound ports.
blockedPackages string[]: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes string[]: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses string[]: List of processes that will be allowed.
description string: The description of the container runtime policy
enableDriftPrevention boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection boolean: If true, detects port scanning behavior in the container.
enabled boolean: Indicates if the runtime policy is enabled or not.
enforce boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays number: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories string[]: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists string[]: Specify processes that will be allowed
forkGuardProcessLimit number: Process limit for the fork guard.
id string: The provider-assigned unique ID for this managed resource.
limitNewPrivileges boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
monitorSystemTimeChanges boolean: If true, system time changes will be monitored.
name string: Name of the container runtime policy
readonlyFilesAndDirectories string[]: List of files and directories to be restricted as read-only
reverseShellAllowedIps string[]: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses string[]: List of processes that will be allowed
scopeExpression string: Logical expression of how to compute the dependency of the scope variables.
scopeVariables GetContainerRuntimePolicyScopeVariable[]: List of scope attributes.
allowedExecutables GetContainerRuntimePolicyAllowedExecutable[]: Allowed executables configuration.
allowedRegistries GetContainerRuntimePolicyAllowedRegistry[]: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
containerExec GetContainerRuntimePolicyContainerExec
fileBlock GetContainerRuntimePolicyFileBlock
fileIntegrityMonitorings GetContainerRuntimePolicyFileIntegrityMonitoring[]: Configuration for file integrity monitoring.
limitContainerPrivileges GetContainerRuntimePolicyLimitContainerPrivilege[]: Container privileges configuration.
malwareScanOptions GetContainerRuntimePolicyMalwareScanOption[]: Configuration for Real-Time Malware Protection.
portBlock GetContainerRuntimePolicyPortBlock
readonlyFiles GetContainerRuntimePolicyReadonlyFiles
restrictedVolumes GetContainerRuntimePolicyRestrictedVolume[]: Restricted volumes configuration.

application_scopes Sequence[str]: Indicates the application scope of the service.
audit_all_network_activity bool: If true, all network activity will be audited.
audit_all_processes_activity bool: If true, all process activity will be audited.
audit_full_command_arguments bool: If true, full command arguments will be audited.
author str: Username of the account that created the service.
block_access_host_network bool: If true, prevent containers from running with access to host network.
block_adding_capabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
block_container_exec bool: If true, exec into a container is prevented.
block_cryptocurrency_mining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
block_fileless_exec bool: Detect and prevent running in-memory execution
block_low_port_binding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
block_non_compliant_images bool: If true, running non-compliant image in the container is prevented.
block_non_compliant_workloads bool: If true, running containers in non-compliant pods is prevented.
block_non_k8s_containers bool: If true, running non-kubernetes containers is prevented.
block_privileged_containers bool: If true, prevent containers from running with privileged container capability.
block_reverse_shell bool: If true, reverse shell is prevented.
block_root_user bool: If true, prevent containers from running with root user.
block_unregistered_images bool: If true, running images in the container that are not registered in Aqua is prevented.
block_use_ipc_namespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
block_use_pid_namespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
block_use_user_namespace bool: If true, prevent containers from running with the privilege to use the user namespace.
block_use_uts_namespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
blocked_capabilities Sequence[str]: If true, prevents containers from using specific Unix capabilities.
blocked_executables Sequence[str]: List of executables that are prevented from running in containers.
blocked_files Sequence[str]: List of files that are prevented from being read, modified and executed in the containers.
blocked_inbound_ports Sequence[str]: List of blocked inbound ports.
blocked_outbound_ports Sequence[str]: List of blocked outbound ports.
blocked_packages Sequence[str]: Prevent containers from reading, writing, or executing all files in the list of packages.
blocked_volumes Sequence[str]: List of volumes that are prevented from being mounted in the containers.
container_exec_allowed_processes Sequence[str]: List of processes that will be allowed.
description str: The description of the container runtime policy
enable_drift_prevention bool: If true, executables that are not in the original image is prevented from running.
enable_fork_guard bool: If true, fork bombs are prevented in the containers.
enable_ip_reputation_security bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enable_port_scan_detection bool: If true, detects port scanning behavior in the container.
enabled bool: Indicates if the runtime policy is enabled or not.
enforce bool: Indicates that policy should effect container execution (not just for audit).
enforce_after_days int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptional_readonly_files_and_directories Sequence[str]: List of files and directories to be excluded from the read-only list.
exec_lockdown_white_lists Sequence[str]: Specify processes that will be allowed
fork_guard_process_limit int: Process limit for the fork guard.
id str: The provider-assigned unique ID for this managed resource.
limit_new_privileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
monitor_system_time_changes bool: If true, system time changes will be monitored.
name str: Name of the container runtime policy
readonly_files_and_directories Sequence[str]: List of files and directories to be restricted as read-only
reverse_shell_allowed_ips Sequence[str]: List of IPs/ CIDRs that will be allowed
reverse_shell_allowed_processes Sequence[str]: List of processes that will be allowed
scope_expression str: Logical expression of how to compute the dependency of the scope variables.
scope_variables Sequence[GetContainerRuntimePolicyScopeVariable]: List of scope attributes.
allowed_executables Sequence[GetContainerRuntimePolicyAllowedExecutable]: Allowed executables configuration.
allowed_registries Sequence[GetContainerRuntimePolicyAllowedRegistry]: Allowed registries configuration.
auditing GetContainerRuntimePolicyAuditing
container_exec GetContainerRuntimePolicyContainerExec
file_block GetContainerRuntimePolicyFileBlock
file_integrity_monitorings Sequence[GetContainerRuntimePolicyFileIntegrityMonitoring]: Configuration for file integrity monitoring.
limit_container_privileges Sequence[GetContainerRuntimePolicyLimitContainerPrivilege]: Container privileges configuration.
malware_scan_options Sequence[GetContainerRuntimePolicyMalwareScanOption]: Configuration for Real-Time Malware Protection.
port_block GetContainerRuntimePolicyPortBlock
readonly_files GetContainerRuntimePolicyReadonlyFiles
restricted_volumes Sequence[GetContainerRuntimePolicyRestrictedVolume]: Restricted volumes configuration.

applicationScopes List<String>: Indicates the application scope of the service.
auditAllNetworkActivity Boolean: If true, all network activity will be audited.
auditAllProcessesActivity Boolean: If true, all process activity will be audited.
auditFullCommandArguments Boolean: If true, full command arguments will be audited.
author String: Username of the account that created the service.
blockAccessHostNetwork Boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec Boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec Boolean: Detect and prevent running in-memory execution
blockLowPortBinding Boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages Boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads Boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell Boolean: If true, reverse shell is prevented.
blockRootUser Boolean: If true, prevent containers from running with root user.
blockUnregisteredImages Boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace Boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>: If true, prevents containers from using specific Unix capabilities.
blockedExecutables List<String>: List of executables that are prevented from running in containers.
blockedFiles List<String>: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>: List of blocked inbound ports.
blockedOutboundPorts List<String>: List of blocked outbound ports.
blockedPackages List<String>: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses List<String>: List of processes that will be allowed.
description String: The description of the container runtime policy
enableDriftPrevention Boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard Boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity Boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection Boolean: If true, detects port scanning behavior in the container.
enabled Boolean: Indicates if the runtime policy is enabled or not.
enforce Boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays Number: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories List<String>: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists List<String>: Specify processes that will be allowed
forkGuardProcessLimit Number: Process limit for the fork guard.
id String: The provider-assigned unique ID for this managed resource.
limitNewPrivileges Boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
monitorSystemTimeChanges Boolean: If true, system time changes will be monitored.
name String: Name of the container runtime policy
readonlyFilesAndDirectories List<String>: List of files and directories to be restricted as read-only
reverseShellAllowedIps List<String>: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses List<String>: List of processes that will be allowed
scopeExpression String: Logical expression of how to compute the dependency of the scope variables.
scopeVariables List<Property Map>: List of scope attributes.
allowedExecutables List<Property Map>: Allowed executables configuration.
allowedRegistries List<Property Map>: Allowed registries configuration.
auditing Property Map
containerExec Property Map
fileBlock Property Map
fileIntegrityMonitorings List<Property Map>: Configuration for file integrity monitoring.
limitContainerPrivileges List<Property Map>: Container privileges configuration.
malwareScanOptions List<Property Map>: Configuration for Real-Time Malware Protection.
portBlock Property Map
readonlyFiles Property Map
restrictedVolumes List<Property Map>: Restricted volumes configuration.

Supporting Types

GetContainerRuntimePolicyAllowedExecutable

AllowExecutables List<string>: List of allowed executables.
AllowRootExecutables List<string>: List of allowed root executables.
Enabled bool: Whether allowed executables configuration is enabled.
SeparateExecutables bool: Whether to treat executables separately.

AllowExecutables []string: List of allowed executables.
AllowRootExecutables []string: List of allowed root executables.
Enabled bool: Whether allowed executables configuration is enabled.
SeparateExecutables bool: Whether to treat executables separately.

allowExecutables List<String>: List of allowed executables.
allowRootExecutables List<String>: List of allowed root executables.
enabled Boolean: Whether allowed executables configuration is enabled.
separateExecutables Boolean: Whether to treat executables separately.

allowExecutables string[]: List of allowed executables.
allowRootExecutables string[]: List of allowed root executables.
enabled boolean: Whether allowed executables configuration is enabled.
separateExecutables boolean: Whether to treat executables separately.

allow_executables Sequence[str]: List of allowed executables.
allow_root_executables Sequence[str]: List of allowed root executables.
enabled bool: Whether allowed executables configuration is enabled.
separate_executables bool: Whether to treat executables separately.

allowExecutables List<String>: List of allowed executables.
allowRootExecutables List<String>: List of allowed root executables.
enabled Boolean: Whether allowed executables configuration is enabled.
separateExecutables Boolean: Whether to treat executables separately.

GetContainerRuntimePolicyAllowedRegistry

AllowedRegistries List<string>: List of allowed registries.
Enabled bool: Whether allowed registries are enabled.

AllowedRegistries []string: List of allowed registries.
Enabled bool: Whether allowed registries are enabled.

allowedRegistries List<String>: List of allowed registries.
enabled Boolean: Whether allowed registries are enabled.

allowedRegistries string[]: List of allowed registries.
enabled boolean: Whether allowed registries are enabled.

allowed_registries Sequence[str]: List of allowed registries.
enabled bool: Whether allowed registries are enabled.

allowedRegistries List<String>: List of allowed registries.
enabled Boolean: Whether allowed registries are enabled.

GetContainerRuntimePolicyFileIntegrityMonitoring

Enabled bool: If true, file integrity monitoring is enabled.
ExceptionalMonitoredFiles List<string>: List of paths to be excluded from monitoring.
ExceptionalMonitoredFilesProcesses List<string>: List of processes to be excluded from monitoring.
ExceptionalMonitoredFilesUsers List<string>: List of users to be excluded from monitoring.
MonitoredFiles List<string>: List of paths to be monitored.
MonitoredFilesAttributes bool: Whether to monitor file attribute operations.
MonitoredFilesCreate bool: Whether to monitor file create operations.
MonitoredFilesDelete bool: Whether to monitor file delete operations.
MonitoredFilesModify bool: Whether to monitor file modify operations.
MonitoredFilesProcesses List<string>: List of processes associated with monitored files.
MonitoredFilesRead bool: Whether to monitor file read operations.
MonitoredFilesUsers List<string>: List of users associated with monitored files.

Enabled bool: If true, file integrity monitoring is enabled.
ExceptionalMonitoredFiles []string: List of paths to be excluded from monitoring.
ExceptionalMonitoredFilesProcesses []string: List of processes to be excluded from monitoring.
ExceptionalMonitoredFilesUsers []string: List of users to be excluded from monitoring.
MonitoredFiles []string: List of paths to be monitored.
MonitoredFilesAttributes bool: Whether to monitor file attribute operations.
MonitoredFilesCreate bool: Whether to monitor file create operations.
MonitoredFilesDelete bool: Whether to monitor file delete operations.
MonitoredFilesModify bool: Whether to monitor file modify operations.
MonitoredFilesProcesses []string: List of processes associated with monitored files.
MonitoredFilesRead bool: Whether to monitor file read operations.
MonitoredFilesUsers []string: List of users associated with monitored files.

enabled Boolean: If true, file integrity monitoring is enabled.
exceptionalMonitoredFiles List<String>: List of paths to be excluded from monitoring.
exceptionalMonitoredFilesProcesses List<String>: List of processes to be excluded from monitoring.
exceptionalMonitoredFilesUsers List<String>: List of users to be excluded from monitoring.
monitoredFiles List<String>: List of paths to be monitored.
monitoredFilesAttributes Boolean: Whether to monitor file attribute operations.
monitoredFilesCreate Boolean: Whether to monitor file create operations.
monitoredFilesDelete Boolean: Whether to monitor file delete operations.
monitoredFilesModify Boolean: Whether to monitor file modify operations.
monitoredFilesProcesses List<String>: List of processes associated with monitored files.
monitoredFilesRead Boolean: Whether to monitor file read operations.
monitoredFilesUsers List<String>: List of users associated with monitored files.

enabled boolean: If true, file integrity monitoring is enabled.
exceptionalMonitoredFiles string[]: List of paths to be excluded from monitoring.
exceptionalMonitoredFilesProcesses string[]: List of processes to be excluded from monitoring.
exceptionalMonitoredFilesUsers string[]: List of users to be excluded from monitoring.
monitoredFiles string[]: List of paths to be monitored.
monitoredFilesAttributes boolean: Whether to monitor file attribute operations.
monitoredFilesCreate boolean: Whether to monitor file create operations.
monitoredFilesDelete boolean: Whether to monitor file delete operations.
monitoredFilesModify boolean: Whether to monitor file modify operations.
monitoredFilesProcesses string[]: List of processes associated with monitored files.
monitoredFilesRead boolean: Whether to monitor file read operations.
monitoredFilesUsers string[]: List of users associated with monitored files.

enabled bool: If true, file integrity monitoring is enabled.
exceptional_monitored_files Sequence[str]: List of paths to be excluded from monitoring.
exceptional_monitored_files_processes Sequence[str]: List of processes to be excluded from monitoring.
exceptional_monitored_files_users Sequence[str]: List of users to be excluded from monitoring.
monitored_files Sequence[str]: List of paths to be monitored.
monitored_files_attributes bool: Whether to monitor file attribute operations.
monitored_files_create bool: Whether to monitor file create operations.
monitored_files_delete bool: Whether to monitor file delete operations.
monitored_files_modify bool: Whether to monitor file modify operations.
monitored_files_processes Sequence[str]: List of processes associated with monitored files.
monitored_files_read bool: Whether to monitor file read operations.
monitored_files_users Sequence[str]: List of users associated with monitored files.

enabled Boolean: If true, file integrity monitoring is enabled.
exceptionalMonitoredFiles List<String>: List of paths to be excluded from monitoring.
exceptionalMonitoredFilesProcesses List<String>: List of processes to be excluded from monitoring.
exceptionalMonitoredFilesUsers List<String>: List of users to be excluded from monitoring.
monitoredFiles List<String>: List of paths to be monitored.
monitoredFilesAttributes Boolean: Whether to monitor file attribute operations.
monitoredFilesCreate Boolean: Whether to monitor file create operations.
monitoredFilesDelete Boolean: Whether to monitor file delete operations.
monitoredFilesModify Boolean: Whether to monitor file modify operations.
monitoredFilesProcesses List<String>: List of processes associated with monitored files.
monitoredFilesRead Boolean: Whether to monitor file read operations.
monitoredFilesUsers List<String>: List of users associated with monitored files.

GetContainerRuntimePolicyLimitContainerPrivilege

BlockAddCapabilities bool: Whether to block adding capabilities.
Enabled bool: Whether container privilege limitations are enabled.
Ipcmode bool: Whether to limit IPC-related capabilities.
Netmode bool: Whether to limit network-related capabilities.
Pidmode bool: Whether to limit process-related capabilities.
PreventLowPortBinding bool: Whether to prevent low port binding.
PreventRootUser bool: Whether to prevent the use of the root user.
Privileged bool: Whether the container is run in privileged mode.
UseHostUser bool: Whether to use the host user.
Usermode bool: Whether to limit user-related capabilities.
Utsmode bool: Whether to limit UTS-related capabilities.

BlockAddCapabilities bool: Whether to block adding capabilities.
Enabled bool: Whether container privilege limitations are enabled.
Ipcmode bool: Whether to limit IPC-related capabilities.
Netmode bool: Whether to limit network-related capabilities.
Pidmode bool: Whether to limit process-related capabilities.
PreventLowPortBinding bool: Whether to prevent low port binding.
PreventRootUser bool: Whether to prevent the use of the root user.
Privileged bool: Whether the container is run in privileged mode.
UseHostUser bool: Whether to use the host user.
Usermode bool: Whether to limit user-related capabilities.
Utsmode bool: Whether to limit UTS-related capabilities.

blockAddCapabilities Boolean: Whether to block adding capabilities.
enabled Boolean: Whether container privilege limitations are enabled.
ipcmode Boolean: Whether to limit IPC-related capabilities.
netmode Boolean: Whether to limit network-related capabilities.
pidmode Boolean: Whether to limit process-related capabilities.
preventLowPortBinding Boolean: Whether to prevent low port binding.
preventRootUser Boolean: Whether to prevent the use of the root user.
privileged Boolean: Whether the container is run in privileged mode.
useHostUser Boolean: Whether to use the host user.
usermode Boolean: Whether to limit user-related capabilities.
utsmode Boolean: Whether to limit UTS-related capabilities.

blockAddCapabilities boolean: Whether to block adding capabilities.
enabled boolean: Whether container privilege limitations are enabled.
ipcmode boolean: Whether to limit IPC-related capabilities.
netmode boolean: Whether to limit network-related capabilities.
pidmode boolean: Whether to limit process-related capabilities.
preventLowPortBinding boolean: Whether to prevent low port binding.
preventRootUser boolean: Whether to prevent the use of the root user.
privileged boolean: Whether the container is run in privileged mode.
useHostUser boolean: Whether to use the host user.
usermode boolean: Whether to limit user-related capabilities.
utsmode boolean: Whether to limit UTS-related capabilities.

block_add_capabilities bool: Whether to block adding capabilities.
enabled bool: Whether container privilege limitations are enabled.
ipcmode bool: Whether to limit IPC-related capabilities.
netmode bool: Whether to limit network-related capabilities.
pidmode bool: Whether to limit process-related capabilities.
prevent_low_port_binding bool: Whether to prevent low port binding.
prevent_root_user bool: Whether to prevent the use of the root user.
privileged bool: Whether the container is run in privileged mode.
use_host_user bool: Whether to use the host user.
usermode bool: Whether to limit user-related capabilities.
utsmode bool: Whether to limit UTS-related capabilities.

blockAddCapabilities Boolean: Whether to block adding capabilities.
enabled Boolean: Whether container privilege limitations are enabled.
ipcmode Boolean: Whether to limit IPC-related capabilities.
netmode Boolean: Whether to limit network-related capabilities.
pidmode Boolean: Whether to limit process-related capabilities.
preventLowPortBinding Boolean: Whether to prevent low port binding.
preventRootUser Boolean: Whether to prevent the use of the root user.
privileged Boolean: Whether the container is run in privileged mode.
useHostUser Boolean: Whether to use the host user.
usermode Boolean: Whether to limit user-related capabilities.
utsmode Boolean: Whether to limit UTS-related capabilities.

GetContainerRuntimePolicyMalwareScanOption

Action string: Set Action, Defaults to 'Alert' when empty
Enabled bool: Defines if enabled or not
ExcludeDirectories List<string>: List of registry paths to be excluded from being protected.
ExcludeProcesses List<string>: List of registry processes to be excluded from being protected.
IncludeDirectories List<string>: List of registry paths to be excluded from being protected.

Action string: Set Action, Defaults to 'Alert' when empty
Enabled bool: Defines if enabled or not
ExcludeDirectories []string: List of registry paths to be excluded from being protected.
ExcludeProcesses []string: List of registry processes to be excluded from being protected.
IncludeDirectories []string: List of registry paths to be excluded from being protected.

action String: Set Action, Defaults to 'Alert' when empty
enabled Boolean: Defines if enabled or not
excludeDirectories List<String>: List of registry paths to be excluded from being protected.
excludeProcesses List<String>: List of registry processes to be excluded from being protected.
includeDirectories List<String>: List of registry paths to be excluded from being protected.

action string: Set Action, Defaults to 'Alert' when empty
enabled boolean: Defines if enabled or not
excludeDirectories string[]: List of registry paths to be excluded from being protected.
excludeProcesses string[]: List of registry processes to be excluded from being protected.
includeDirectories string[]: List of registry paths to be excluded from being protected.

action str: Set Action, Defaults to 'Alert' when empty
enabled bool: Defines if enabled or not
exclude_directories Sequence[str]: List of registry paths to be excluded from being protected.
exclude_processes Sequence[str]: List of registry processes to be excluded from being protected.
include_directories Sequence[str]: List of registry paths to be excluded from being protected.

action String: Set Action, Defaults to 'Alert' when empty
enabled Boolean: Defines if enabled or not
excludeDirectories List<String>: List of registry paths to be excluded from being protected.
excludeProcesses List<String>: List of registry processes to be excluded from being protected.
includeDirectories List<String>: List of registry paths to be excluded from being protected.