
Using a Custom Whitelist with the official Docker Image taints crowdsecurity/linux and crowdsecurity/sshd

Open jan-thoma opened this issue 11 months ago • 5 comments

What happened?

When providing a custom whitelist to /etc/crowdsec/parsers/s02-enrich/ the collections crowdsecurity/linux and crowdsecurity/sshd are marked as tainted and no logs will be processed due to the missing parsers.

What did you expect to happen?

Being able to provide a custom whitelist to /etc/crowdsec/parsers/s02-enrich/ without tainting any existing parsers

How can we reproduce it (as minimally and precisely as possible)?

docker-compose.yml

version: '3'
services:
    crowdsec:
        image: crowdsecurity/crowdsec:latest
        restart: always
        environment:
            GID: "${GID-1000}"
        volumes:
            - ./acquis.yaml:/etc/crowdsec/acquis.yaml
            - ./custom_whitelist.yaml:/etc/crowdsec/parsers/s02-enrich/custom_whitelist.yaml

acquis.yaml

filenames:
    - /var/log/traefik/access.log
labels:
    type: traefik

custom_whitelist.yaml

name: crowdsec/whitelists
description: "Custom Whitelist"
whitelist:
    reason: "Good IP's"
    ip:
        - "172.16.100.1"

Anything else we need to know?

Crowdsec Startup Log

crowdsec-crowdsec-1  | Populating configuration directory...
crowdsec-crowdsec-1  | Error: no matches found
crowdsec-crowdsec-1  | Generate local agent credentials
crowdsec-crowdsec-1  | time="20-09-2023 14:41:36" level=info msg="push and pull to Central API disabled"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:36" level=info msg="Machine 'localhost' successfully added to the local API"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:36" level=info msg="API credentials dumped to '/etc/crowdsec/local_api_credentials.yaml'"
crowdsec-crowdsec-1  | Check if lapi needs to register an additional agent
crowdsec-crowdsec-1  | time="20-09-2023 14:41:36" level=warning msg="can't load CAPI credentials from '/etc/crowdsec//online_api_credentials.yaml' (missing field)"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:36" level=info msg="push and pull to Central API disabled"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Successfully registered to Central API (CAPI)"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Central API credentials dumped to '/etc/crowdsec//online_api_credentials.yaml'"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=warning msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
crowdsec-crowdsec-1  | Registration to online API done
crowdsec-crowdsec-1  | sqlite database permissions updated
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="hub index is up to date"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Wrote new 813262 bytes index to /etc/crowdsec/hub/.index.json"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="dependency of crowdsecurity/sshd : missing parsers crowdsecurity/sshd-logs, tainted."
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="dependency of crowdsecurity/linux : missing parsers crowdsecurity/syslog-logs, tainted."
crowdsec-crowdsec-1  | Object collections/crowdsecurity/linux is tainted, skipping
crowdsec-crowdsec-1  | Running: cscli  parsers upgrade "crowdsecurity/whitelists"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=error msg="Item 'crowdsecurity/whitelists' not found in hub"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
crowdsec-crowdsec-1  | Running: cscli  parsers install "crowdsecurity/docker-logs"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="crowdsecurity/docker-logs : OK"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="/etc/crowdsec/parsers/s00-raw doesn't exist, create"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Enabled parsers : crowdsecurity/docker-logs"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Enabled crowdsecurity/docker-logs"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
crowdsec-crowdsec-1  | Running: cscli  parsers install "crowdsecurity/cri-logs"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="crowdsecurity/cri-logs : OK"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Enabled parsers : crowdsecurity/cri-logs"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Enabled crowdsecurity/cri-logs"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Enabled feature flags: <none>"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Crowdsec v1.5.4-e4dcdd25728b914823525f1efabf18d5c454902b"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Loading prometheus collectors"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:37" level=info msg="Loading CAPI manager"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="CAPI manager configured successfully"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="CrowdSec Local API listening on 0.0.0.0:8080"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Start sending metrics to CrowdSec Central API (interval: 38m29s once, then 30m0s)"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Start push to CrowdSec Central API (interval: 16s once, then 10s)"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=warning msg="scenario list is empty, will not pull yet"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="capi metrics: sending"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Loading grok library /etc/crowdsec/patterns"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Loading enrich plugins"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Successfully registered enricher 'GeoIpCity'"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Successfully registered enricher 'GeoIpASN'"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Successfully registered enricher 'IpToRange'"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Successfully registered enricher 'reverse_dns'"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Successfully registered enricher 'ParseDate'"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Successfully registered enricher 'UnmarshalJSON'"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Loading parsers from 3 files"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/cri-logs.yaml stage=s00-raw
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s00-raw/docker-logs.yaml stage=s00-raw
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Loaded 1 parser nodes" file=/etc/crowdsec/parsers/s02-enrich/custom_whitelist.yaml stage=s02-enrich
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Loaded 3 nodes from 2 stages"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="No postoverflow parsers to load"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Loading 2 scenario files"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Adding leaky bucket" cfg=withered-star file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Adding leaky bucket" cfg=green-pine file=/etc/crowdsec/scenarios/ssh-bf.yaml name=crowdsecurity/ssh-bf_user-enum
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Adding leaky bucket" cfg=broken-surf file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Adding leaky bucket" cfg=late-cherry file=/etc/crowdsec/scenarios/ssh-slow-bf.yaml name=crowdsecurity/ssh-slow-bf_user-enum
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Loaded 4 scenarios"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=warning msg="No matching files for pattern /var/log/traefik/access.log" type=file
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="Starting processing data"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:38" level=info msg="127.0.0.1 - [Wed, 20 Sep 2023 14:41:38 UTC] \"POST /v1/watchers/login HTTP/1.1 200 71.796375ms \"crowdsec/v1.5.4-e4dcdd25728b914823525f1efabf18d5c454902b\" \""
crowdsec-crowdsec-1  | time="20-09-2023 14:41:39" level=info msg="Starting community-blocklist update"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:39" level=info msg="capi/community-blocklist : 0 explicit deletions"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:39" level=info msg="capi/community-blocklist : received 0 new entries (expected if you just installed crowdsec)"
crowdsec-crowdsec-1  | time="20-09-2023 14:41:39" level=info msg="Start pull from CrowdSec Central API (interval: 2h2m48s once, then 2h0m0s)"
crowdsec-crowdsec-1  | time="20-09-2023 14:42:38" level=info msg="127.0.0.1 - [Wed, 20 Sep 2023 14:42:38 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.090792ms \"crowdsec/v1.5.4-e4dcdd25728b914823525f1efabf18d5c454902b\" \""

Crowdsec version

2023/09/20 14:43:41 version: v1.5.4-e4dcdd25728b914823525f1efabf18d5c454902b
2023/09/20 14:43:41 Codename: alphaga
2023/09/20 14:43:41 BuildDate: 2023-09-20_13:53:13
2023/09/20 14:43:41 GoVersion: 1.20.8
2023/09/20 14:43:41 Platform: docker
2023/09/20 14:43:41 libre2: C++
2023/09/20 14:43:41 Constraint_parser: >= 1.0, <= 2.0
2023/09/20 14:43:41 Constraint_scenario: >= 1.0, < 3.0
2023/09/20 14:43:41 Constraint_api: v1
2023/09/20 14:43:41 Constraint_acquis: >= 1.0, < 2.0

OS version

NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.18.3
PRETTY_NAME="Alpine Linux v3.18"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"

Enabled collections and parsers

Name                       Status           Version  Description                                      Type
crowdsecurity/linux        enabled,tainted  0.2      core linux support : syslog+geoip+ssh            collections
crowdsecurity/sshd         enabled,tainted  0.2      sshd support : parser and brute-force detection  collections
crowdsecurity/cri-logs     enabled          0.1      CRI logging format parser                        parsers
crowdsecurity/docker-logs  enabled          0.1      docker json logs parser                          parsers
custom_whitelist.yaml      enabled,local    n/a                                                       parsers
crowdsecurity/ssh-bf       enabled          0.1      Detect ssh bruteforce                            scenarios
crowdsecurity/ssh-slow-bf  enabled          0.2      Detect slow ssh bruteforce                       scenarios

Acquisition config

filenames:
    - /var/log/traefik/access.log
labels:
    type: traefik
cat: read error: Is a directory

Config show

Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log/
   - Log level              : info
   - Log Media              : stdout
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              :
  - Hub Folder              : /etc/crowdsec/hub
API Client:
  - URL                     : http://0.0.0.0:8080/
  - Login                   : localhost
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 0.0.0.0:8080
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000

Prometheus metrics

Local API Metrics:
╭────────────────────┬────────┬──────╮
│       Route        │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/heartbeat      │ GET    │ 5    │
│ /v1/watchers/login │ POST   │ 1    │
╰────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│  Machine  │     Route     │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat │ GET    │ 5    │
╰───────────┴───────────────┴────────┴──────╯

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

jan-thoma, Sep 20 '23 14:09

@jan-thoma: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

github-actions[bot], Sep 20 '23 14:09

Managed to replicate it, so the issue is this cp command:

+(docker_start.sh:177): cp -an /staging/etc/crowdsec/acquis.d /staging/etc/crowdsec/acquis.yaml /staging/etc/crowdsec/collections /staging/etc/crowdsec/config.yaml /staging/etc/crowdsec/console /staging/etc/crowdsec/console.yaml /staging/etc/crowdsec/dev.yaml /staging/etc/crowdsec/hub /staging/etc/crowdsec/local_api_credentials.yaml /staging/etc/crowdsec/notifications /staging/etc/crowdsec/online_api_credentials.yaml /staging/etc/crowdsec/parsers /staging/etc/crowdsec/patterns /staging/etc/crowdsec/postoverflows /staging/etc/crowdsec/profiles.yaml /staging/etc/crowdsec/scenarios /staging/etc/crowdsec/simulation.yaml /staging/etc/crowdsec/user.yaml /etc/crowdsec/

Since you are mounting a file into /etc/crowdsec/parsers/, the directory already exists, and the -n flag means don't overwrite if it exists; this is to protect in case you mount a custom acquis.yaml.

Maybe we should break this down even further @mmetc

LaurenceJJones, Sep 20 '23 15:09
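An added example, not from this thread or from the crowdsec image's own docker_start.sh, of the "break it down further" idea: a POSIX sh function that populates the target directory from the staging tree file by file, so a subdirectory that already exists (here because a single file was bind-mounted into it) does not stop the rest of that subtree from being copied, while mounted files are still never overwritten. All paths and file contents in the demonstration are constructed.

```shell
#!/bin/sh
# populate_missing SRC DST
# Copy every non-directory entry under SRC to the same relative path under
# DST, creating parent directories as needed and never replacing anything
# that already exists in DST. Because the existence check happens per file,
# a subdirectory that already exists in DST (e.g. created by bind-mounting
# one file into it) does not block the rest of that subtree.
populate_missing() {
    src=${1%/}
    dst=${2%/}
    find "$src" ! -type d -print | while IFS= read -r path; do
        rel=${path#"$src"/}
        target="$dst/$rel"
        if [ -e "$target" ] || [ -L "$target" ]; then
            printf 'keep %s (already present, not overwritten)\n' "$rel"
            continue
        fi
        mkdir -p "$(dirname "$target")"
        cp -p "$path" "$target"
        printf 'copy %s\n' "$rel"
    done
}

# Constructed demonstration (paths and contents are made up for this example):
# a staging tree with two hub parsers and a default acquis.yaml, and a target
# where only a custom whitelist and an acquis.yaml were mounted by the user.
demo() {
    work=$(mktemp -d)
    staging="$work/staging/etc/crowdsec"
    etc="$work/etc/crowdsec"
    mkdir -p "$staging/parsers/s00-raw" "$staging/parsers/s01-parse" \
             "$etc/parsers/s02-enrich"
    echo 'name: crowdsecurity/syslog-logs' > "$staging/parsers/s00-raw/syslog-logs.yaml"
    echo 'name: crowdsecurity/sshd-logs'   > "$staging/parsers/s01-parse/sshd-logs.yaml"
    echo 'filenames: [/var/log/auth.log]'  > "$staging/acquis.yaml"
    echo 'name: crowdsec/whitelists'       > "$etc/parsers/s02-enrich/custom_whitelist.yaml"
    echo 'filenames: [/var/log/traefik/access.log]' > "$etc/acquis.yaml"
    populate_missing "$staging" "$etc"
    # Mounted files must be untouched; staged parsers must now be present.
    grep -q traefik "$etc/acquis.yaml" || return 1
    [ -f "$etc/parsers/s00-raw/syslog-logs.yaml" ] || return 1
    [ -f "$etc/parsers/s01-parse/sshd-logs.yaml" ] || return 1
    rm -rf "$work"
    echo "demo: ok"
}

demo
```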

any news on this?

jan-thoma, Oct 04 '23 15:10

> any news on this?

We managed to reproduce via the instructions you provided. We are currently juggling projects internally, and once we have time to implement a fix, we will move ahead.

There are 2 workarounds whilst a fix is pending, which can be used:

  • build a custom image and place the whitelist within the staging folder (this is useful if you use k8s and need to deploy the image across clusters)
  • mount either /etc/crowdsec or /etc/crowdsec/parsers to the host filesystem and implement it after startup (should be fine after first startup)

LaurenceJJones, Oct 04 '23 19:10

@LaurenceJJones no need for a custom image, just mount it to /staging/etc/crowdsec/parsers/s02-enrich/custom_whitelists.yaml

Also - and can you please verify this - replacing cp with rsync allows it to work in /etc/crowdsec too.

mmetc, Nov 22 '23 09:11