Translator's note: We bring to your attention a translation of an article by a senior application security engineer at the British company ASOS.com. With it he opens a series of posts on improving security in Kubernetes by using seccomp. If readers like the introduction, we will follow the author and continue with his future material on this topic.
This article is the first in a series of posts on how to create seccomp profiles in the spirit of SecDevOps, without brute force and magic. In Part 1 I cover the basics and the internal details of using seccomp in Kubernetes.
The Kubernetes ecosystem offers many ways to secure and isolate containers. This article is about Secure Computing Mode, also known as seccomp. Its essence is to filter the system calls that containers are allowed to execute.
Why does this matter? A container is just a process running on a particular machine, and it uses the kernel in exactly the same way as any other application. If containers could execute any system call, malware would quickly take advantage of that to escape container isolation and affect other applications: intercept data, change system settings, and so on.
seccomp profiles define which system calls are allowed and which are denied. The container runtime activates them when the container starts, so that the kernel can police their execution. Using such profiles lets you narrow the attack surface and limit the damage if any program inside the container (that is, your dependencies, or their dependencies) starts doing something it is not supposed to do.
But again, why is this a problem? Personally, I would avoid whitelisting the following system calls unless there is a genuine need for them: capset, set_tid_address, setgid, setgroups and setuid. The real difficulty, however, is that by allowing calls made by processes you have no control over at all (the runtime issues these calls while finishing container setup), you tie your profiles to the container runtime. In other words, one day you may discover that after the container environment was updated (either by you or, more likely, by your cloud provider), the containers suddenly stopped working.
Note that the syntax above may change once seccomp support in Kubernetes becomes GA (this was expected to happen in the next Kubernetes release, 1.18 - translator's note).
Few people know that Kubernetes has always had a bug that causes seccomp profiles set at pod level to be applied to the pause container as well. The runtime partly compensates for this shortcoming, but the container itself does not disappear from pods, since it is used to set up their infrastructure.
The problem is that this container always starts with AllowPrivilegeEscalation=true, which leads to the issues described in section 1, and this cannot be changed.
By applying seccomp profiles at the container level, you sidestep this pitfall and can craft a profile tailored to each specific container. This will remain necessary until the developers fix the bug and a new version (perhaps 1.18?) becomes available to everyone.
In a sense, this rule is the universal answer to the question: "Why does my seccomp profile work with docker run but stop working once deployed to a Kubernetes cluster?"
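The manifest below is an example added to this translation, not code from the article: it attaches a custom profile to a single container rather than to the pod, so the pod-level behaviour described above never comes into play, and it switches off privilege escalation for that container. The profile name (profiles/api.json, resolved relative to the kubelet's seccomp root, /var/lib/kubelet/seccomp by default) and the image are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: api
  annotations:
    # Pre-GA annotation form: the key names the container, so only this
    # container receives the profile; the pod-level key
    # seccomp.security.alpha.kubernetes.io/pod is deliberately not used.
    container.seccomp.security.alpha.kubernetes.io/api: localhost/profiles/api.json
spec:
  containers:
    - name: api
      image: registry.example.com/api:1.0.0   # assumed image
      securityContext:
        # The runtime finishes its own setup before applying the filter,
        # so the profile does not need the setup syscalls listed in section 1.
        allowPrivilegeEscalation: false
        # From Kubernetes 1.19 (seccomp GA) the same profile is expressed
        # here instead of the annotation:
        # seccompProfile:
        #   type: Localhost
        #   localhostProfile: profiles/api.json
```

The profile file itself must already be present on every node that can schedule the pod; the kubelet does not distribute it.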
3. Use runtime/default only as a last resort
Kubernetes offers two options for default profiles: runtime/default and docker/default. Both are implemented by the container runtime, not by Kubernetes. Consequently, they can differ depending on which runtime is used and on its version.
In other words, as the runtime changes, the container may gain access to a different set of system calls, which it may or may not use. Most runtimes use Docker's implementation. If you want to rely on this profile, make sure it actually fits your needs.
The docker/default profile has been deprecated since Kubernetes 1.11, so don't use it.
In my opinion, the runtime/default profile is perfectly suited to the purpose it was created for: protecting users from the risks of running docker run on their own machines. But when it comes to enterprise applications running in Kubernetes clusters, I would venture to say that this profile is too permissive, and developers should focus on creating profiles for their applications (or application types).
Tip #3: Create seccomp profiles for specific applications. If that is not feasible, create profiles for application types, for example an extended profile covering all web APIs written in Golang. Use runtime/default only as a last resort.
In future posts I will cover how to create SecDevOps-inspired seccomp profiles, automate them, and test them in pipelines. In other words, you will have no excuse for not moving to application-specific profiles.
4. Unconfined is not an option
During the first Kubernetes security audit it emerged that seccomp is disabled by default. This means that unless you define a PodSecurityPolicy that enables it in the cluster, every pod without an explicit seccomp profile runs with seccomp=unconfined.
Running in this mode means that an entire layer of isolation protecting the cluster is gone. Security professionals do not recommend this approach.
But bear in mind that you then have to block every system call you know will not be used and that could harm the cluster. A good starting point for such a list is the official Docker documentation: it explains in detail which system calls the default profile blocks and why.
However, there is a catch. Although SCMP_ACT_LOG has been supported by the Linux kernel since the end of 2017, it reached the Kubernetes ecosystem only recently. Therefore, to use this approach you need Linux kernel 4.14 and runC version v1.0.0-rc9 or newer.
Whitelisting takes more effort, since you have to identify every system call that might be needed, but this approach improves security considerably:
"Whitelisting is recommended, since it is simpler and more robust. A blacklist has to be updated whenever a potentially dangerous system call (or a dangerous flag/option, if the blacklist matches on them) is added. Moreover, it is often possible to change the representation of a parameter without changing its meaning, and thus bypass the blacklist's restrictions."
For Go applications, I built a dedicated tool that goes through the application and collects all the system calls it makes. For example, for the following application:
package main
import "fmt"
func main() {
fmt.Println("test")
}
... we run gosystract like this:
go get github.com/pjbgf/gosystract
gosystract --template='{{- range . }}{{printf "\"%s\",\n" .Name}}{{- end}}' application-path
... and get the following result:
For now this is only an example; more details about the tool will follow.
Tip #6: Allow only the calls you really need and block all the rest.
7. Get profiles right (or be ready for unexpected behaviour)
The kernel will enforce the profile exactly as written, even if that is not what you intended. For example, if you block calls such as exit or exit_group, the container will not be able to terminate correctly, and even a trivial command like echo hi will hang forever. As a result, you will see high CPU usage in the cluster:
In such a situation strace comes to the rescue; attached to the hung process (here PID 9331), the -c flag prints a per-syscall summary that shows what the problem is:
sudo strace -c -p 9331
Make sure profiles include every system call the application needs at runtime.
Tip #7: Take care and make sure that every required system call is whitelisted.
This concludes the first part of the series on using seccomp in Kubernetes in the spirit of SecDevOps. In the following parts we will discuss why this matters and how to do it effectively.
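The program below is an example added to this translation, not the author's tool or any project code. It ties together three of the points above: it reads syscall names in the shape printed by the gosystract template shown earlier, builds a whitelist profile in the JSON format that Docker and runc consume, adds the runtime's own setup syscalls from section 1 only when privilege escalation is allowed, and applies the Tip #7 check so that a profile blocking exit or exit_group is rejected before it reaches a cluster. The sample syscall list in main is constructed for illustration, not real tool output, and the function names are my own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"sort"
	"strings"
)

// Profile mirrors the seccomp profile JSON that Docker and runc consume.
type Profile struct {
	DefaultAction string        `json:"defaultAction"`
	Syscalls      []SyscallRule `json:"syscalls"`
}

// SyscallRule lists syscall names that share one action.
type SyscallRule struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// Section 1: calls the runtime itself makes while finishing container setup; needed
// only when the filter lands before that setup ends (AllowPrivilegeEscalation=true).
var runtimeSetupSyscalls = []string{"capset", "set_tid_address", "setgid", "setgroups", "setuid"}

// Tip #7: a profile that blocks these leaves processes unable to terminate.
var processExitSyscalls = []string{"exit", "exit_group"}

// ParseGosystractOutput reads lines in the shape printed by the --template above ("name", one per line).
func ParseGosystractOutput(out string) []string {
	var names []string
	for _, line := range strings.Split(out, "\n") {
		if name := strings.Trim(strings.TrimSpace(line), `",`); name != "" {
			names = append(names, name)
		}
	}
	return names
}

// BuildProfile returns a whitelist profile: anything not listed fails with EPERM (SCMP_ACT_ERRNO).
// allowPrivEsc mirrors the container's AllowPrivilegeEscalation setting and decides whether
// the runtime's own setup syscalls are added to the list.
func BuildProfile(appSyscalls []string, allowPrivEsc bool) Profile {
	all := append(append([]string{}, appSyscalls...), processExitSyscalls...)
	if allowPrivEsc {
		all = append(all, runtimeSetupSyscalls...)
	}
	set := map[string]bool{}
	for _, n := range all {
		set[n] = true // deduplicate
	}
	names := make([]string, 0, len(set))
	for n := range set {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic output, so profiles diff cleanly in version control
	return Profile{
		DefaultAction: "SCMP_ACT_ERRNO",
		Syscalls:      []SyscallRule{{Names: names, Action: "SCMP_ACT_ALLOW"}},
	}
}

// Allowed reports whether the profile lets a syscall through: the first rule naming it decides,
// otherwise the default action applies. SCMP_ACT_LOG allows the call and only logs it.
// Per-argument conditions that real profiles may carry are not modelled here.
func (p Profile) Allowed(name string) bool {
	action := p.DefaultAction
search:
	for _, rule := range p.Syscalls {
		for _, n := range rule.Names {
			if n == name {
				action = rule.Action
				break search
			}
		}
	}
	return action == "SCMP_ACT_ALLOW" || action == "SCMP_ACT_LOG"
}

// Validate is the Tip #7 check: reject a profile that would leave processes unable to exit.
func Validate(p Profile) error {
	for _, s := range processExitSyscalls {
		if !p.Allowed(s) {
			return fmt.Errorf("profile blocks %s: containers would hang instead of terminating", s)
		}
	}
	return nil
}

func main() {
	// Constructed sample of what the template above prints; illustrative, not real tool output.
	sample := "\"arch_prctl\",\n\"clone\",\n\"futex\",\n\"mmap\",\n\"rt_sigaction\",\n\"write\",\n\"exit_group\",\n"
	p := BuildProfile(ParseGosystractOutput(sample), true)
	if err := Validate(p); err != nil {
		log.Fatal(err)
	}
	out, _ := json.MarshalIndent(p, "", "  ")
	fmt.Println(string(out)) // this JSON is the file placed under the kubelet's seccomp root on the node
}
```

Validate also works on hand-written or blacklist-style profiles (DefaultAction SCMP_ACT_ALLOW with denied names), which is where the exit_group mistake usually creeps in. To discover what an application really calls on a kernel and runtime that support it, the same structure with DefaultAction set to SCMP_ACT_LOG and no rules gives a profile that allows everything but logs each call.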