
Security scanning for SSB/SOLR (test) #3799

Closed
4 tasks
jbrown-xentity opened this issue Apr 28, 2022 · 9 comments
Comments

@jbrown-xentity
Contributor

User Story

In order to meet SI-3, data.gov security wants a scanning tool performing scanning and alerting on malware/any unexpected file system changes.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

  • GIVEN Falco (or equivalent) is deployed in EKS and scanning SOLR
    WHEN an unexpected/bad file is added to the SOLR container
    THEN an alert is generated

Background

Related to #3797, would replace the necessity of regular SOLR restarts.

Security Considerations (required)

Related to SI-3.

Sketch

This may change, but current plan is to:

  • install as a daemonSet
  • helm install from your shell, and testing it out
  • If it works, then you just have to add a(nother) helm_release resource to the Terraform in the EKS brokerpak's provision-k8s directory to automate that
@jbrown-xentity jbrown-xentity changed the title Security scanning for SSB/SOLR Security scanning for SSB/SOLR (test) Apr 28, 2022
@FuhuXia FuhuXia self-assigned this Apr 28, 2022
@FuhuXia
Member

FuhuXia commented May 3, 2022

Falco installed on a test EKS cluster in staging. Time to config it.

$ helm install falco falcosecurity/falco
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: <...>
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: <...>
NAME: falco
LAST DEPLOYED: Tue May  3 12:50:19 2022
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Falco agents are spinning up on each node in your cluster. After a few
seconds, they are going to start monitoring your containers looking for
security issues.

No further action should be required.

Tip:
You can easily forward Falco events to Slack, Kafka, AWS Lambda and more with falcosidekick.
Full list of outputs: https://github.com/falcosecurity/charts/falcosidekick.
You can enable its deployment with `--set falcosidekick.enabled=true` or in your values.yaml.
See: https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml for configuration values.

@hkdctol
Contributor

hkdctol commented May 5, 2022

@FuhuXia continuing on it for now.

@FuhuXia
Member

FuhuXia commented May 6, 2022

Events were generated when suspicious commands were run on new containers.

$ kubectl run --rm --restart=Never -it --image=busybox -- bash
/ # mkdir /root/aaa
/ # cd ~/aaa
~/aaa # touch asdf
~/aaa #

logs:
16:18:25.363603618: Error File below / or /root opened for writing (user=root user_loginuid=-1 command=touch asdf parent=sh file=/root/aaa/asdf program=touch container_id=c40f893dc3f0 image=busybox) k8s.ns=default k8s.pod=bash container=c40f893dc3f0 k8s.ns=default k8s.pod=bash container=c40f893dc3f0

$ kubectl run --rm --restart=Never -it --image=ubuntu -- bash
root@bash:/# apt-get update

logs:
16:46:50.369247036: Notice A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=bash container=c4467cdfd8c6 shell=bash parent= cmdline=bash terminal=34816 container_id=c4467cdfd8c6 image=ubuntu) k8s.ns=default k8s.pod=bash container=c4467cdfd8c6
16:46:56.657919553: Error Package management process launched in container (user=root user_loginuid=-1 command=apt-get update container_id=c4467cdfd8c6 container_name=k8s_bash_bash_default_de5edbeb-79a1-429e-95bf-5fe73740f18b_0 image=ubuntu:latest) k8s.ns=default k8s.pod=bash container=c4467cdfd8c6 k8s.ns=default k8s.pod=bash container=c4467cdfd8c6

@FuhuXia
Member

FuhuXia commented May 9, 2022

Installed falcosidekick and added the Slack webhook; alerts were sent to the Slack channel.

$ helm upgrade -i falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.config.slack.webhookurl="https://hooks.slack.com/services/SOMECHANNEL/WEBKOOKKEY"

Alert screenshots:

@mogul
Contributor

mogul commented May 9, 2022

This is SO GREAT. Please make the Slack webhook URL a variable when you add this to the Terraform.

@FuhuXia
Member

FuhuXia commented May 12, 2022

Still need to create a custom rule specific to Solr classic/cloud security.
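The following is an added sketch of how the third step of the original plan (a `helm_release` resource in the EKS brokerpak's provision-k8s Terraform), mogul's request to make the Slack webhook URL a variable, and the Solr-specific custom rule mentioned above could fit together. It is illustration only, not code from the data.gov repositories or the Falco project. Assumptions: Helm provider 2.x (block-style `set`), a Helm provider already configured against the cluster, the `falco` namespace, the variable name `falco_slack_webhook_url`, and a Solr container built from the official image with SOLR_HOME under `/var/solr`.

```hcl
# Added example (not code from the data.gov repos or the Falco project).
# Assumes: Helm provider 2.x already pointed at the EKS cluster, and Solr
# running from the official image with its home directory under /var/solr.

variable "falco_slack_webhook_url" {
  description = "Slack incoming-webhook URL used by falcosidekick for Falco alerts"
  type        = string
  sensitive   = true # keeps the webhook out of plan output and state diffs
}

resource "helm_release" "falco" {
  name             = "falco"
  repository       = "https://falcosecurity.github.io/charts"
  chart            = "falco"
  namespace        = "falco"
  create_namespace = true

  # Same settings as the manual `helm upgrade -i ... --set` command in the
  # thread, expressed as chart values so the webhook is never hard-coded.
  set {
    name  = "falcosidekick.enabled"
    value = "true"
  }
  set_sensitive {
    name  = "falcosidekick.config.slack.webhookurl"
    value = var.falco_slack_webhook_url
  }

  # A first Solr-specific rule, shipped through the chart's customRules map
  # (file name -> rule text). The macros open_write / container come from the
  # default Falco ruleset, which is loaded before custom rule files.
  values = [<<-EOT
    customRules:
      solr_rules.yaml: |-
        - rule: Unexpected write under Solr home
          desc: >
            A process other than Solr's own JVM wrote below /var/solr inside a
            Solr container. Aims to catch dropped or modified files that the
            periodic Solr restarts from #3797 were meant to flush.
          condition: >
            open_write and container
            and container.image.repository contains "solr"
            and fd.name startswith /var/solr
            and not proc.name = java
          output: >
            Unexpected write under Solr home (user=%user.name command=%proc.cmdline
            file=%fd.name container_id=%container.id image=%container.image.repository)
          priority: WARNING
          tags: [filesystem, solr]
  EOT
  ]
}
```

Two things to expect when tuning this: on first start the official Solr image's entrypoint scripts populate `/var/solr` themselves, so that startup activity will fire the rule until those processes are added to the exclusion (or the rule is scoped to the running phase); and the `proc.name = java` exclusion is only a weak signal, since any process can be named `java`, so the rule is a tripwire for accidental or noisy tampering rather than a guarantee.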

@hkdctol
Contributor

hkdctol commented May 18, 2022

Will put on hold for the time being pending ECS work.

@hkdctol
Contributor

hkdctol commented Jun 16, 2022

Moving back to Icebox for now

@nickumia-reisys
Contributor

This is not important for data.gov anymore because of Solr on ECS.

But the scanning mentality would still be useful for other EKS applications. This is a good historical ticket, but I don't think any more work will be done here.
