KubeArmor
added ptrace system call to system monitor
Signed-off-by: rk [email protected]
added ptrace system call.
Example 1: trace cat process running directly on the host using strace
Terminal A:
$ cat # pid 86836
Terminal B:
$ sudo su
$ strace -p 86836 # attach to cat
$ ^c # detach
Telemetry Events:
{"Timestamp":1657091591,"UpdatedTime":"2022-07-06T07:13:11.360036Z","ClusterName":"default","HostName":"rk-hp-pavilion-notebook","HostPID":107366,"PPID":84410,"PID":107366,"Type":"HostLog","Source":"/usr/bin/strace -p 86386","Operation":"Process","Data":"syscall=SYS_PTRACE request=PTRACE_SEIZE pid=107367","Result":"Passed","ParentProcessName":"/usr/bin/bash","ProcessName":"/usr/bin/strace","HostPPID":84410}
{"Timestamp":1657091591,"UpdatedTime":"2022-07-06T07:13:11.360990Z","ClusterName":"default","HostName":"rk-hp-pavilion-notebook","HostPID":107366,"PPID":84410,"PID":107366,"Type":"HostLog","Source":"/usr/bin/strace -p 86386","Operation":"Process","Data":"syscall=SYS_PTRACE request=PTRACE_SETOPTIONS pid=107368","Result":"Passed","ParentProcessName":"/usr/bin/bash","ProcessName":"/usr/bin/strace","HostPPID":84410}
...
[Truncated]
...
{"Timestamp":1657091593,"UpdatedTime":"2022-07-06T07:13:13.538266Z","ClusterName":"default","HostName":"rk-hp-pavilion-notebook","HostPID":107366,"PPID":84410,"PID":107366,"Type":"HostLog","Source":"/usr/bin/strace -p 86386","Operation":"Process","Resource":"/usr/bin/cat","Data":"syscall=SYS_PTRACE request=PTRACE_INTERRUPT pid=86386","Result":"Passed","ParentProcessName":"/usr/bin/bash","ProcessName":"/usr/bin/strace","HostPPID":84410}
{"Timestamp":1657091593,"UpdatedTime":"2022-07-06T07:13:13.538180Z","ClusterName":"default","HostName":"rk-hp-pavilion-notebook","HostPID":107366,"PPID":84410,"PID":107366,"Type":"HostLog","Source":"/usr/bin/strace -p 86386","Operation":"Process","Resource":"/usr/bin/cat","Data":"syscall=SYS_PTRACE request=PTRACE_DETACH pid=86386","Result":"No such process","ParentProcessName":"/usr/bin/bash","ProcessName":"/usr/bin/strace","HostPPID":84410}
Example 2: (unsuccessful) trace cat process running in a pod in k8s env using strace
Terminal A:
$ cat # pid 132
Terminal B:
$ sudo su
$ strace -p 132 # attach to cat
Telemetry Event/Alert:
{"Timestamp":1657089880,"UpdatedTime":"2022-07-06T06:44:40.129236Z","ClusterName":"default","HostName":"rk-hp-pavilion-notebook","NamespaceName":"multiubuntu","PodName":"ubuntu-1-deployment-6fcd9cbc4f-wkqw7","ContainerID":"51c0c58fb05b0602b030485b9545e800a628f46a0db44b73c4f90fea47cc8457","ContainerName":"ubuntu-1-container","HostPID":80537,"PPID":102,"PID":182,"PolicyName":"DefaultPosture","Type":"MatchedPolicy","Source":"/usr/bin/strace -p 132","Operation":"Process","Data":"syscall=SYS_PTRACE request=PTRACE_SEIZE pid=183","Action":"Block","Result":"Permission denied","ContainerImage":"kubearmor/ubuntu-w-utils:0.1@sha256:b4693b003ed1fbf7f5ef2c8b9b3f96fd853c30e1b39549cf98bd772fbd99e260","ParentProcessName":"/bin/bash","ProcessName":"/usr/bin/strace","HostPPID":10769}
{"Timestamp":1657089880,"UpdatedTime":"2022-07-06T06:44:40.129711Z","ClusterName":"default","HostName":"rk-hp-pavilion-notebook","NamespaceName":"multiubuntu","PodName":"ubuntu-1-deployment-6fcd9cbc4f-wkqw7","ContainerID":"51c0c58fb05b0602b030485b9545e800a628f46a0db44b73c4f90fea47cc8457","ContainerName":"ubuntu-1-container","HostPID":80537,"PPID":102,"PID":182,"PolicyName":"DefaultPosture","Type":"MatchedPolicy","Source":"/usr/bin/strace -p 132","Operation":"Process","Data":"syscall=SYS_PTRACE request=PTRACE_ATTACH pid=132","Action":"Block","Result":"Operation not permitted","ContainerImage":"kubearmor/ubuntu-w-utils:0.1@sha256:b4693b003ed1fbf7f5ef2c8b9b3f96fd853c30e1b39549cf98bd772fbd99e260","ParentProcessName":"/bin/bash","ProcessName":"/usr/bin/strace","HostPPID":10769}
PTAL @nyrahul @nam-jaehyun
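As an added example (not part of this PR or of KubeArmor's own code), a small Python parser over telemetry lines of the shape shown in Examples 1 and 2: it pulls the ptrace request and target pid out of the Data field, groups attach attempts (PTRACE_ATTACH / PTRACE_SEIZE) per tracer process, and records whether enforcement denied them. The sample events are constructed, trimmed copies of the lines above; the tracer key format is this example's own choice.

```python
import json
import re
from collections import defaultdict

# Requests that establish a tracer/tracee relationship. Follow-on requests
# (SETOPTIONS, SYSCALL, INTERRUPT, DETACH, ...) only make sense after one of these.
ATTACH_REQUESTS = {"PTRACE_ATTACH", "PTRACE_SEIZE"}
# Shape of the Data field: "syscall=SYS_PTRACE request=PTRACE_SEIZE pid=107367"
DATA_RE = re.compile(r"syscall=(?P<syscall>\S+)\s+request=(?P<request>\S+)\s+pid=(?P<pid>\d+)")

def parse_ptrace_event(line):
    """Return (tracer_key, request, target_pid, denied) for a ptrace event, else None."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    m = DATA_RE.search(ev.get("Data", ""))
    if m is None or m.group("syscall") != "SYS_PTRACE":
        return None
    # Host events carry HostName only; pod events also carry PodName.
    scope = ev.get("PodName") or ev.get("HostName", "host")
    tracer_key = f"{scope}:{ev.get('ProcessName')}[{ev.get('HostPID')}]"
    return tracer_key, m.group("request"), int(m.group("pid")), ev.get("Result") != "Passed"

def summarize_ptrace(lines):
    """Per tracer: the pids it tried to attach to and whether any attach was denied."""
    summary = defaultdict(lambda: {"attach_targets": set(), "blocked": False})
    for line in lines:
        parsed = parse_ptrace_event(line)
        if parsed is None:
            continue  # not JSON, or not a ptrace event
        tracer_key, request, pid, denied = parsed
        if request in ATTACH_REQUESTS:
            entry = summary[tracer_key]
            entry["attach_targets"].add(pid)
            # A failed DETACH ("No such process") is not enforcement; only count attach denials.
            entry["blocked"] = entry["blocked"] or denied
    return dict(summary)

# Constructed sample: trimmed copies of the Example 1 (host) and Example 2 (pod) events above,
# plus one non-ptrace event that must be ignored.
SAMPLE_EVENTS = [
    '{"Type":"HostLog","HostName":"rk-hp-pavilion-notebook","HostPID":107366,"ProcessName":"/usr/bin/strace","Operation":"Process","Data":"syscall=SYS_PTRACE request=PTRACE_SEIZE pid=107367","Result":"Passed"}',
    '{"Type":"HostLog","HostName":"rk-hp-pavilion-notebook","HostPID":107366,"ProcessName":"/usr/bin/strace","Operation":"Process","Data":"syscall=SYS_PTRACE request=PTRACE_DETACH pid=86386","Result":"No such process"}',
    '{"Type":"MatchedPolicy","NamespaceName":"multiubuntu","PodName":"ubuntu-1-deployment-6fcd9cbc4f-wkqw7","HostPID":80537,"ProcessName":"/usr/bin/strace","Operation":"Process","Data":"syscall=SYS_PTRACE request=PTRACE_SEIZE pid=183","Action":"Block","Result":"Permission denied"}',
    '{"Type":"MatchedPolicy","NamespaceName":"multiubuntu","PodName":"ubuntu-1-deployment-6fcd9cbc4f-wkqw7","HostPID":80537,"ProcessName":"/usr/bin/strace","Operation":"Process","Data":"syscall=SYS_PTRACE request=PTRACE_ATTACH pid=132","Action":"Block","Result":"Operation not permitted"}',
    '{"Type":"ContainerLog","PodName":"ubuntu-1-deployment-6fcd9cbc4f-wkqw7","HostPID":80537,"ProcessName":"/bin/cat","Operation":"File","Data":"syscall=SYS_OPEN","Result":"Passed"}',
]
```

Run over a live `karmor logs --json` stream, the same summary separates a strace that actually took hold of a process from one the AppArmor profile or a missing capability turned away.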
Codecov Report
Merging #759 (69fdc02) into main (23a74a8) will decrease coverage by 0.58%. The diff coverage is 2.88%.
@@ Coverage Diff @@
## main #759 +/- ##
==========================================
- Coverage 39.20% 38.61% -0.59%
==========================================
Files 31 31
Lines 9911 10013 +102
==========================================
- Hits 3886 3867 -19
- Misses 5514 5630 +116
- Partials 511 516 +5
Impacted Files | Coverage Δ |
---|---|
KubeArmor/enforcer/appArmorHostProfile.go | 0.00% <0.00%> (ø) |
KubeArmor/monitor/logUpdate.go | 66.13% <0.00%> (-3.51%) ↓ |
KubeArmor/monitor/syscallParser.go | 52.51% <0.00%> (-10.24%) ↓ |
KubeArmor/monitor/systemMonitor.go | 49.50% <40.00%> (-0.38%) ↓ |
KubeArmor/enforcer/appArmorEnforcer.go | 48.56% <100.00%> (+0.12%) ↑ |
KubeArmor/core/containerdHandler.go | 53.18% <0.00%> (-4.50%) ↓ |
KubeArmor/core/dockerHandler.go | 44.78% <0.00%> (-2.70%) ↓ |
Please rebase. Can we target this for v0.6 ? CC @achrefbensaad
Please squash your commits to one.
@Ankurk99
[PASS] Successfully tested KubeArmor
Runtime tests are successful on my system. Tested on Ubuntu 20.04 with a k3s env.
@rksharma95 Please squash all the commits.
Currently the proposed changes introduce a new map to keep track of the pid->hostPid mapping on a per-container basis. It seems quite unfeasible, and to avoid maintaining a separate map we can take either of the two approaches:
- traversing the existing map with a loop to find the required host pid mapping.
- (preferred imo) the LSM hook ptrace_access_check can be used to get the required metadata (full path in this case) of the tracee process.
The latter approach handles everything in kernel space, and the hook is available in all the targeted kernel versions.
@daemon1024 wdyt?
LGTM. Can you share a sample telemetry event? Thanks
Example (Host) log:
== Log / 2022-11-14 08:07:30.716251 ==
ClusterName: default
HostName: hp
Type: HostLog
Source: /usr/bin/strace test
Resource: /usr/bin/test
Operation: Process
Data: syscall=SYS_PTRACE request=PTRACE_SYSCALL pid=47211 process=/usr/bin/test
Result: Passed
HostPID: 47208
HostPPID: 47207
PID: 47208
PPID: 47207
ParentProcessName: /usr/bin/sudo
ProcessName: /usr/bin/strace
Example Alert:
== Alert / 2022-11-14 08:10:25.847611 ==
ClusterName: default
HostName: hp
NamespaceName: syscalls
PodName: ubuntu-1-deployment-66448fc84f-k7c7j
Labels: container=ubuntu-1
ContainerName: ubuntu-1-container
ContainerID: 41c0fafea867f4dd536060b3424aa3af960cad96020152d8e12d7ec0449168db
ContainerImage: docker.io/kubearmor/ubuntu-w-utils:0.1@sha256:b4693b003ed1fbf7f5ef2c8b9b3f96fd853c30e1b39549cf98bd772fbd99e260
Type: MatchedPolicy
PolicyName: DefaultPosture
Source: /usr/bin/strace ls
Resource: /usr/bin/strace
Operation: Process
Action: Block
Data: syscall=SYS_PTRACE request=PTRACE_SEIZE pid=187 process=/usr/bin/strace
Enforcer: AppArmor
Result: Permission denied
HostPID: 47433
HostPPID: 47344
PID: 186
PPID: 172
ParentProcessName: /bin/bash
ProcessName: /usr/bin/strace
We support blocking Syscalls?
ig yes https://docs.kubearmor.com/kubearmor/getting-started/security_policy_specification#syscalls
For System calls monitoring, we only support audit mode no matter what the action is set to.
But we only did audit?
yes it seems currently only audit is supported.
Then why do you have a Permission denied alert? 😅
ig it's because sys_ptrace capability is not assigned by default by the container runtime.
and we get alerts for denials outside KubeArmor right!
Output of /var/log/kern.log shows:
Nov 14 15:09:35 hp kernel: [20774.373235] audit: type=1400 audit(1668418775.003:133642): apparmor="DENIED" operation="ptrace" profile="kubearmor-syscalls-ubuntu-1-deployment-ubuntu-1-container" pid=58432 comm="strace" requested_mask="trace" denied_mask="trace" peer="kubearmor-syscalls-ubuntu-1-deployment-ubuntu-1-container"
Okay. Makes sense. But the ptrace observer we are adding, shouldn't it show up with Operation: Syscall, provided ptrace is allowed?
Operation is not Syscall because there's no policy applied to Audit the Syscall.
Okay, then can you apply a sample policy and share the relevant telemetry event for the same?
Currently we are not auditing the ptrace syscall (Audit Syscalls), but I tested it with local changes adding ptrace to the syscall list and I'm getting the alert with Operation: Syscall.
== Alert / 2022-11-16 08:32:51.354132 ==
ClusterName: default
HostName: hp
Type: MatchedHostPolicy
PolicyName: hsp-hp-audit-syscall-ptrace
Severity: 5
Source: /usr/bin/strace ls
Resource: /usr/bin/strace
Operation: Syscall
Action: Audit
Data: syscall=SYS_PTRACE request=PTRACE_SEIZE pid=61177 process=/usr/bin/strace
Result: Permission denied
HostPID: 61176
HostPPID: 61175
PID: 61176
PPID: 61175
ParentProcessName: /usr/bin/sudo
ProcessName: /usr/bin/strace
> currently we are not auditing ptrace syscall Audit Syscalls
Is this added here? Changes to audit ptrace?
No, should it be added?
I believe so.
Added ptrace to audit syscalls, tested locally:
ClusterName: default
HostName: hp
NamespaceName: multiubuntu
PodName: ubuntu-3-deployment-7cc5cf69f7-ztnzc
Labels: container=ubuntu-3,group=group-1
ContainerName: ubuntu-3-container
ContainerID: d2efaf88f36049a20b36a8685159c51019dac5faf09fe26e49a154b3e207f573
ContainerImage: docker.io/kubearmor/ubuntu-w-utils:0.1@sha256:b4693b003ed1fbf7f5ef2c8b9b3f96fd853c30e1b39549cf98bd772fbd99e260
Type: MatchedPolicy
PolicyName: audit-all-ptrace
Severity: 3
Source: /usr/bin/strace ls
Resource: /bin/ls
Operation: Syscall
Action: Audit
Data: syscall=SYS_PTRACE request=PTRACE_SYSCALL pid=201 process=/bin/ls
Result: Passed
HostPID: 32994
HostPPID: 30495
PID: 199
PPID: 155
ParentProcessName: /bin/bash
ProcessName: /usr/bin/strace