Task weight: 4%
Use context: kubectl config use-context workload-prod
Falco is installed with default configuration on node cluster1-node1. Connect using ssh cluster1-node1 . Use it to:
- Find a Pod running image nginx which creates unwanted package management processes inside its container.
- Find a Pod running image httpd which modifies /etc/passwd.
Save the Falco logs for case 1 under /opt/course/2/falco.log in format:
time-with-nanoseconds,container-id,container-name,user-name
No other information should be in any line. Collect the logs for at least 30 seconds.
Afterwards remove the threats (both 1 and 2) by scaling the replicas of the Deployments that control the offending Pods down to 0.
References
https://github.com/draios/sysdig
https://github.com/aquasecurity/tracee
Solution
kubectl config use-context workload-prod
ssh cluster1-node1
ll /etc/falco/
Check in the Falco configuration that syslog output is enabled
# /etc/falco/falco.yaml
...
# Where security notifications should go.
# Multiple outputs can be enabled.
syslog_output:
  enabled: true
...
Find the container ID in the Falco alerts, then use it to look up the Pod
grep falco /var/log/syslog | grep nginx | grep process | grep container_id
crictl ps -id 7a5ea6a080d1
crictl pods -id 7a864406b9794
The first Pod is in namespace team-blue
grep falco /var/log/syslog | grep httpd | grep passwd | grep container_id
crictl ps -id b1339d5cc2de
crictl pods -id 595af943c3245
The second Pod is in namespace team-purple
Scale the Deployments that control the offending Pods down to 0
k -n team-blue scale deploy webapi --replicas 0
k -n team-purple scale deploy rating-service --replicas 0
Find the file under /etc/falco/ that contains the rule's output text
grep -ir "Package management process launched" /etc/falco/
cp /etc/falco/falco_rules.yaml .
vim /etc/falco/falco_rules.yaml
# Container is supposed to be immutable. Package management should be done in building the image.
- rule: Launch Package Management Process in Container
  desc: Package management process ran inside container
  condition: >
    spawned_process
    and container
    and user.name != "_apt"
    and package_mgmt_procs
    and not package_mgmt_ancestor_procs
    and not user_known_package_manager_in_container
  # Original output, delete these two lines:
  #   Package management process launched in container (user=%user.name user_loginuid=%user.loginuid
  #   command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  # and replace them with the single line below. Keep '#' comments outside the folded
  # scalar: inside "output: >" a '#' line becomes part of the string, not a comment.
  output: >
    Package management process launched in container %evt.time,%container.id,%container.name,%user.name
  priority: ERROR
  tags: [process, mitre_persistence]
Restart Falco so the new output format takes effect, extract the formatted field from the log, and copy the result into /opt/course/2/falco.log
systemctl restart falco
# The new-format line ends with the comma-separated field, so print the last field;
# lines written before the restart still end with ")" and are skipped.
grep -i "Package management" /var/log/syslog | awk '$NF !~ /\)$/ {print $NF}'
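The rule edit above works, but it requires restarting Falco and it changes the alert for every consumer of the log. The default rule output already carries the needed values as key=value pairs (user=, container_id=, container_name=), so the required lines can be produced from the unmodified syslog. The following Python script is an added example, not part of the original write-up or of Falco; the syslog lines it parses are constructed for the example (the container ids reuse the ones from the write-up, the timestamps and hostnames are made up), and the exact key names it expects are those of Falco's default rule outputs shown in the rule above.

```python
"""
Parse Falco alerts out of a syslog file and emit
  time-with-nanoseconds,container-id,container-name,user-name
from the default rule output, without editing the rule.
"""
import re
import sys

# Constructed sample lines in the shape rsyslog writes Falco's non-JSON output:
# syslog timestamp, host, program, then Falco's own "HH:MM:SS.nnnnnnnnn: PRIORITY message".
SAMPLE_SYSLOG = """\
Mar  5 10:21:03 cluster1-node1 falco: 10:21:03.215638711: Error Package management process launched in container (user=root user_loginuid=0 command=apk add curl container_id=7a5ea6a080d1 container_name=nginx image=docker.io/library/nginx:alpine)
Mar  5 10:21:03 cluster1-node1 kernel: [12345.678] audit: type=1400 unrelated line
Mar  5 10:21:04 cluster1-node1 falco: 10:21:04.002119877: Error File below /etc opened for writing (user=root user_loginuid=0 command=sed -i s/x/y/ /etc/passwd file=/etc/passwd container_id=b1339d5cc2de container_name=httpd image=docker.io/library/httpd)
Mar  5 10:21:05 cluster1-node1 falco: 10:21:05.430077120: Error Package management process launched in container (user=root user_loginuid=0 command=apk add nano container_id=7a5ea6a080d1 container_name=nginx image=docker.io/library/nginx:alpine)
"""

# Falco's prefix: time with nanoseconds, colon, priority, then the rule's output text.
FALCO_LINE = re.compile(
    r"falco(?:\[\d+\])?: (?P<time>\d{2}:\d{2}:\d{2}\.\d{9}): (?P<prio>\w+) (?P<msg>.*)$"
)
# key=value pairs in the output; a value runs until the next " key=" or the closing ")".
# (A value that itself contains "=" would be split; the default rules do not produce one.)
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|\)$|$)")


def parse_falco_line(line):
    """Return a dict with time, priority, message and the key=value fields, or None for non-Falco lines."""
    m = FALCO_LINE.search(line.rstrip("\n"))
    if not m:
        return None
    rec = {"time": m.group("time"), "priority": m.group("prio"), "message": m.group("msg")}
    for key, val in KV.findall(m.group("msg")):
        rec[key] = val
    return rec


def to_required_format(lines, rule_substring):
    """Emit 'time,container-id,container-name,user-name' for alerts whose text contains rule_substring."""
    rows = []
    for line in lines:
        rec = parse_falco_line(line)
        if rec is None or rule_substring not in rec["message"]:
            continue
        rows.append(",".join([rec["time"], rec.get("container_id", ""),
                              rec.get("container_name", ""), rec.get("user", "")]))
    return rows


def offending_containers(lines, rule_substring, image_substring):
    """Container ids that triggered rule_substring while running an image matching image_substring."""
    ids = set()
    for line in lines:
        rec = parse_falco_line(line)
        if rec and rule_substring in rec["message"] and image_substring in rec.get("image", ""):
            ids.add(rec["container_id"])
    return ids


if __name__ == "__main__":
    # Usage: python3 falco_csv.py [/var/log/syslog]; without an argument the constructed sample is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SYSLOG.splitlines()
    for row in to_required_format(source, "Package management process launched"):
        print(row)
```

Run it against the node's syslog and redirect the output to /opt/course/2/falco.log; `offending_containers(...)` gives the ids to pass to `crictl ps -id` for each case, so the same parser covers both the nginx and the httpd alert.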