Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rules: detect pods sharing host pid and IPC namespaces #1951

Merged
merged 1 commit into from
Apr 11, 2022
Merged

rules: detect pods sharing host pid and IPC namespaces #1951

merged 1 commit into from
Apr 11, 2022

Conversation

loresuso
Copy link
Member

@loresuso loresuso commented Mar 21, 2022
edited
Loading

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:

This PR adds two rules to detect if a pod is created and configured to share host pid and IPC namespaces. When talking about container security, namespaces play a big role, since they allow to control which resources a process in a container can actually use. Having a pod sharing pid and IPC host namespaces is a potential risk and it could be leveraged by attackers. You can read more in this well-written article.

Please, let me know if there are container images that make use of host pid and IPC namespaces and can be whitelisted. I am not aware of any atm

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

I tested these new rules using KinD and installed Falco with the latest Helm chart. To configure k8s audit logs, I configured KinD with this config file:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
        # enable auditing flags on the API server
        extraArgs:
          audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
          audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
        # mount new files / directories on the control plane
        extraVolumes:
          - name: audit-policies
            hostPath: /etc/kubernetes/policies
            mountPath: /etc/kubernetes/policies
            readOnly: true
            pathType: "DirectoryOrCreate"
          - name: "audit-logs"
            hostPath: "/var/log/kubernetes"
            mountPath: "/var/log/kubernetes"
            readOnly: false
            pathType: DirectoryOrCreate
  # mount the local file on the control plane
  extraMounts:
  - hostPath: ./audit-policy.yaml
    containerPath: /etc/kubernetes/policies/audit-policy.yaml
    readOnly: true
    # allow Falco to use devices provided by the kernel module
  - hostPath: /dev
    containerPath: /dev
    # allow Falco to use the Docker unix socket
  - hostPath: /var/run/docker.sock
    containerPath: /var/run/docker.sock

Then I have used FluentBit as described in this blog post on the official Falco website

Does this PR introduce a user-facing change?:

new(rules): add rules to detect pods sharing host pid and IPC namespaces

@poiana poiana requested review from leodido and mstemm March 21, 2022 13:50
@poiana poiana added the size/S label Mar 21, 2022
@leogr
Copy link
Member

leogr commented Mar 22, 2022

/cc @Kaizhe

@poiana poiana requested a review from Kaizhe March 22, 2022 09:24
Kaizhe
Kaizhe reviewed Mar 22, 2022
View reviewed changes
rules/k8s_audit_rules.yaml Outdated
@@ -174,6 +174,22 @@
source: k8s_audit
tags: [k8s]

- rule: Create HostPid Pod
desc: Detect an attempt to start a pod using the host pid namespace.
condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add an exception list ? e.g. falco_hostpid_images and user_known_hostpid_images

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Kaizhe, I have added an empty list for both rules. If you have any suggestions on how to find out non-malicious images that make use of these namespaces to work, let me know! Thank you

Kaizhe
Kaizhe reviewed Mar 22, 2022
View reviewed changes
rules/k8s_audit_rules.yaml Outdated

- rule: Create HostIPC Pod
desc: Detect an attempt to start a pod using the host ipc namespace.
condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

similar above

@jasondellaluce
Copy link
Contributor

/milestone 0.32.0

@poiana poiana added this to the 0.32.0 milestone Mar 24, 2022
@loresuso
new(rules/k8s_audit): add rules to detect pods sharing host pid and I…
68e64f7 
…PC namespaces

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
@poiana poiana added the lgtm label Apr 6, 2022
@poiana
Copy link
Contributor

poiana commented Apr 6, 2022

LGTM label has been added.

Git tree hash: 6896a83235b7cd37c786a3d85f40769f8099fd64

@leogr
Copy link
Member

leogr commented Apr 6, 2022

Closing and reopening to trigger the CI
/close

@poiana poiana closed this Apr 6, 2022
@poiana
Copy link
Contributor

poiana commented Apr 6, 2022

@leogr: Closed this PR.

In response to this:

Closing and reopening to trigger the CI
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@leogr
Copy link
Member

leogr commented Apr 6, 2022

/reopen

@poiana poiana reopened this Apr 6, 2022
@poiana
Copy link
Contributor

poiana commented Apr 6, 2022

@leogr: Reopened this PR.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

leogr
leogr approved these changes Apr 11, 2022
View reviewed changes
Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link
Contributor

poiana commented Apr 11, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: leogr, loresuso

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 4343fe8 into falcosecurity:master Apr 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leogr leogr leogr approved these changes

@Kaizhe Kaizhe Kaizhe approved these changes

@leodido leodido Awaiting requested review from leodido

@mstemm mstemm Awaiting requested review from mstemm

Assignees

@Kaizhe Kaizhe

@leogr leogr

Labels
approved area/rules dco-signoff: yes kind/feature kind/rule-create lgtm release-note size/S
Projects
None yet
Milestone
0.32.0
Development

Successfully merging this pull request may close these issues.
5 participants
@loresuso @leogr @jasondellaluce @poiana @Kaizhe