Nco tseg. txhais.: Peb nthuav qhia rau koj mloog cov lus txhais ntawm ib tsab xov xwm los ntawm ib tug laus daim ntawv thov kev ruaj ntseg engineer ntawm lub tuam txhab British ASOS.com. Nrog nws, nws pib ntau cov ntawv tshaj tawm rau kev txhim kho kev ruaj ntseg hauv Kubernetes los ntawm kev siv seccomp. Yog tias cov neeg nyeem nyiam qhov kev taw qhia, peb yuav ua raws li tus sau thiab txuas ntxiv nrog nws cov ntaub ntawv yav tom ntej ntawm lub ncauj lus no.
Kab lus no yog thawj zaug hauv cov ntawv tshaj tawm txog yuav ua li cas los tsim seccomp profiles nyob rau hauv tus ntsuj plig ntawm SecDevOps, tsis muaj kev siv dag zog thiab kev ua khawv koob. Hauv Ntu XNUMX, Kuv yuav hais txog cov hauv paus thiab cov ntsiab lus sab hauv ntawm kev siv seccomp hauv Kubernetes.
Kubernetes ecosystem muaj ntau txoj hauv kev kom ruaj ntseg thiab cais cov thawv. Tsab ntawv no yog hais txog Kev Nyab Xeeb Kev Nyab Xeeb, tseem hu ua seccomp. Nws lub ntsiab yog los lim cov kab ke hu muaj rau kev ua tiav los ntawm cov thawv.
Vim li cas thiaj tseem ceeb? Lub thawv tsuas yog cov txheej txheem khiav ntawm lub tshuab tshwj xeeb. Thiab nws siv cov ntsiav ib yam li lwm daim ntawv thov. Yog tias cov thawv ntim tuaj yeem ua tau ib qho kev hu xov tooj, sai sai malware yuav siv qhov zoo ntawm qhov no kom hla lub thawv cais tawm thiab cuam tshuam rau lwm yam kev siv: cuam tshuam cov ntaub ntawv, hloov chaw teeb tsa, thiab lwm yam.
seccomp profiles txhais tau hais tias qhov kev hu xov tooj yuav tsum raug tso cai lossis tsis siv. Lub thawv runtime activates lawv thaum nws pib kom lub kernel tuaj yeem saib xyuas lawv qhov kev ua tiav. Siv cov ntaub ntawv zoo li no tso cai rau koj txwv qhov kev tawm tsam vector thiab txo kev puas tsuaj yog tias ib qho kev pab cuam hauv lub thawv (uas yog, koj qhov kev vam khom, lossis lawv qhov kev vam khom) pib ua qee yam uas nws tsis tso cai ua.
Nkag siab txog Cov Ntsiab Cai
Qhov yooj yim seccomp profile muaj peb yam: defaultAction, architectures (los yog archMap) thiab syscalls:
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"names": [
"arch_prctl",
"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp"
],
"action": "SCMP_ACT_ALLOW"
}
]
}()
defaultAction txiav txim siab txoj hmoo ntawm ib qho kev hu xov tooj tsis tau teev tseg hauv ntu syscalls. Txhawm rau ua kom yooj yim dua, cia peb tsom mus rau ob qhov tseem ceeb uas yuav siv tau:
-
SCMP_ACT_ERRNO- thaiv kev ua tiav ntawm kev hu xov tooj, -
SCMP_ACT_ALLOW- tso cai.
seem architectures lub hom phiaj architectures tau teev tseg. Qhov no yog qhov tseem ceeb vim tias cov lim nws tus kheej, siv rau ntawm qib ntsiav, nyob ntawm qhov kev hu xov tooj tus cim, thiab tsis nyob ntawm lawv cov npe teev hauv qhov profile. Lub thawv runtime yuav phim lawv rau cov cim ua ntej siv. Lub tswv yim yog tias kev hu xov tooj tuaj yeem muaj ID sib txawv kiag li nyob ntawm qhov system architecture. Piv txwv li, system hu recvfrom (siv tau txais cov ntaub ntawv los ntawm lub qhov (socket)) muaj ID = 64 ntawm x64 systems thiab ID = 517 ntawm x86. Koj tuaj yeem pom cov npe ntawm txhua qhov kev hu rau x86-x64 architectures.
Hauv seem syscalls teev tag nrho cov kev hu xov tooj thiab qhia meej tias yuav ua li cas nrog lawv. Piv txwv li, koj tuaj yeem tsim ib daim ntawv teev npe dawb los ntawm kev teeb tsa defaultAction rau SCMP_ACT_ERRNO, thiab hu rau hauv seem syscalls muab SCMP_ACT_ALLOW. Yog li, koj tsuas yog tso cai hu tau teev nyob rau hauv seem syscalls, thiab txwv tsis pub lwm tus. Rau qhov blacklist koj yuav tsum hloov qhov tseem ceeb defaultAction thiab ua rau qhov opposite.
Tam sim no peb yuav tsum hais ob peb lo lus hais txog nuances uas tsis pom tseeb. Thov nco ntsoov tias cov lus pom zoo hauv qab no xav tias koj tab tom siv cov kab kev lag luam ntawm Kubernetes thiab koj xav kom lawv khiav nrog tsawg kawg ntawm cov cai tau.
1. AllowPrivilegeEscalation=false
В securityContext thawv muaj parameter AllowPrivilegeEscalation. Yog hais tias nws yog ntsia rau hauv false, ntim yuav pib nrog (on) ib . Lub ntsiab lus ntawm qhov ntsuas no yog pom tseeb los ntawm lub npe: nws tiv thaiv lub thawv los ntawm kev tsim cov txheej txheem tshiab nrog cov cai ntau dua li nws tus kheej muaj.
Ib qho kev cuam tshuam ntawm qhov kev xaiv no raug teeb tsa rau true (default) yog tias lub thawv runtime siv qhov profile seccomp thaum pib ntawm cov txheej txheem pib. Yog li, tag nrho cov kev hu xov tooj yuav tsum tau ua haujlwm hauv cov txheej txheem runtime (xws li teeb tsa tus neeg siv / pab pawg IDs, poob qee qhov peev xwm) yuav tsum tau qhib hauv qhov profile.
Rau ib lub thawv uas ua tej yam tsis tseem ceeb echo hi, cov kev tso cai hauv qab no yuav tsum tau:
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"names": [
"arch_prctl",
"brk",
"capget",
"capset",
"chdir",
"close",
"execve",
"exit_group",
"fstat",
"fstatfs",
"futex",
"getdents64",
"getppid",
"lstat",
"mprotect",
"nanosleep",
"newfstatat",
"openat",
"prctl",
"read",
"rt_sigaction",
"statfs",
"setgid",
"setgroups",
"setuid",
"stat",
"uname",
"write"
],
"action": "SCMP_ACT_ALLOW"
}
]
}()
... tsis yog cov no:
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"names": [
"arch_prctl",
"brk",
"close",
"execve",
"exit_group",
"futex",
"mprotect",
"nanosleep",
"stat",
"write"
],
"action": "SCMP_ACT_ALLOW"
}
]
}()
Tab sis dua, vim li cas qhov no yog qhov teeb meem? Tus kheej, kuv yuav zam kev teev npe dawb hauv qab no hu xov tooj (tshwj tsis yog muaj qhov xav tau tiag tiag rau lawv): capset, set_tid_address, setgid, setgroups и setuid. Txawm li cas los xij, qhov kev sib tw tiag tiag yog los ntawm kev tso cai rau cov txheej txheem uas koj tsis muaj kev tswj hwm kiag li, koj tab tom khi cov ntaub ntawv rau lub thawv siv sijhawm. Hauv lwm lo lus, muaj ib hnub koj tuaj yeem pom tias tom qab hloov kho lub thawv ntim ib puag ncig (txawm yog los ntawm koj lossis, ntau dua, los ntawm tus muab kev pabcuam huab), cov thawv ntim dheev nres.
Tswv yim # 1: Khiav cov thawv nrog AllowPrivilegeEscaltion=false. Qhov no yuav txo qhov loj ntawm seccomp profiles thiab ua rau lawv tsis tshua muaj kev cuam tshuam rau cov kev hloov pauv hauv lub thawv runtime ib puag ncig.
2. Teem seccomp profiles nyob rau theem ntim
Lub seccomp profile tuaj yeem teeb tsa ntawm qib pod:
annotations:
seccomp.security.alpha.kubernetes.io/pod: "localhost/profile.json"...los yog nyob rau theem ntim:
annotations:
container.security.alpha.kubernetes.io/<container-name>: "localhost/profile.json"Thov nco ntsoov tias cov syntax saum toj no yuav hloov thaum Kubernetes seccomp (Qhov kev tshwm sim no yuav tsum tau nyob rau hauv qhov kev tso tawm tom ntej ntawm Kubernetes - 1.18 - kwv yees transl.).
Tsawg tus neeg paub tias Kubernetes ib txwm muaj uas ua rau seccomp profiles siv rau . Lub sijhawm khiav ib puag ncig ib nrab them rau qhov tsis txaus no, tab sis lub thawv no tsis ploj ntawm cov pods, vim nws yog siv los teeb tsa lawv cov vaj tse.
Qhov teeb meem yog tias lub thawv no ib txwm pib nrog AllowPrivilegeEscalation=true, ua rau cov teeb meem hais nyob rau hauv nqe lus 1, thiab qhov no hloov tsis tau.
Los ntawm kev siv seccomp profiles ntawm qib ntim, koj zam qhov kev poob siab no thiab tuaj yeem tsim tau ib qho profile uas haum rau ib lub thawv tshwj xeeb. Qhov no yuav tsum tau ua kom txog rau thaum cov neeg tsim kho kho cov kab laum thiab cov tshiab version (tej zaum 1.18?) muaj rau txhua tus.
Tswv yim # 2: Teem seccomp profiles ntawm qib ntim.
Hauv kev nkag siab zoo, txoj cai no feem ntau yog cov lus teb thoob ntiaj teb rau cov lus nug: "Vim li cas kuv qhov profile seccomp ua haujlwm nrog docker runtab sis tsis ua haujlwm tom qab xa mus rau Kubernetes pawg?
3. Siv runtime/default xwb raws li qhov chaw kawg
Kubernetes muaj ob txoj hauv kev rau kev tsim cov profile: runtime/default и docker/default. Ob leeg yog siv los ntawm lub thawv runtime, tsis Kubernetes. Yog li ntawd, lawv yuav txawv nyob ntawm qhov chaw siv lub sijhawm siv thiab nws cov version.
Hauv lwm lo lus, raws li kev hloov pauv sijhawm, lub thawv tuaj yeem nkag mus rau ntau qhov sib txawv ntawm kev hu xov tooj, uas nws tuaj yeem siv lossis tsis siv. Feem ntau lub sijhawm siv . Yog tias koj xav siv qhov profile no, thov xyuas kom meej tias nws tsim nyog rau koj.
profile docker/default tau raug deprecated txij thaum Kubernetes 1.11, yog li tsis txhob siv nws.
Hauv kuv lub tswv yim, profile runtime/default zoo kawg nkaus haum rau lub hom phiaj uas nws tau tsim: tiv thaiv cov neeg siv los ntawm kev pheej hmoo cuam tshuam nrog kev ua tiav cov lus txib docker run ntawm lawv lub tsheb. Txawm li cas los xij, thaum nws los txog rau cov ntawv thov kev lag luam uas khiav ntawm Kubernetes pawg, kuv xav twv kom sib cav tias qhov profile no qhib dhau lawm thiab cov neeg tsim khoom yuav tsum tsom mus rau kev tsim cov profile rau lawv cov ntawv thov (lossis hom kev siv).
Tswv yim # 3: Tsim seccomp profiles rau cov ntawv thov tshwj xeeb. Yog tias qhov no ua tsis tau, tsim cov ntaub ntawv rau hom ntawv thov, piv txwv li, tsim qhov profile siab heev uas suav nrog txhua lub vev xaib APIs ntawm Golang daim ntawv thov. Tsuas yog siv runtime/default ua qhov chaw kawg.
Hauv cov ntawv tshaj tawm yav tom ntej, kuv yuav hais txog yuav ua li cas los tsim SecDevOps-inspired seccomp profiles, automate lawv, thiab sim lawv hauv cov kav dej. Hauv lwm lo lus, koj yuav tsis muaj kev zam txim tsis tau hloov kho rau daim ntawv thov tshwj xeeb profiles.
4. Unconfined tsis yog ib qho kev xaiv.
Ntawm qhov nws muab tawm tias los ntawm lub neej ntawd . Qhov no txhais tau tias yog koj tsis teem PodSecurityPolicy, uas yuav pab kom nws nyob rau hauv pawg, tag nrho cov pods uas lub seccomp profile tsis tau txhais yuav ua hauj lwm nyob rau hauv seccomp=unconfined.
Kev khiav hauj lwm hauv hom no txhais tau hais tias tag nrho cov txheej txheej ntawm rwb thaiv tsev ploj uas tiv thaiv pawg. Txoj kev no tsis pom zoo los ntawm cov kws paub txog kev ruaj ntseg.
Tswv yim # 4: Tsis muaj lub thawv hauv pawg yuav tsum tau khiav hauv seccomp=unconfined, tshwj xeeb tshaj yog nyob rau hauv ntau lawm ib puag ncig.
5. "Audit mode"
Cov ntsiab lus no tsis yog qhov tshwj xeeb rau Kubernetes, tab sis tseem poob rau hauv "yam yuav tsum paub ua ntej koj pib" qeb.
Raws li nws tshwm sim, tsim seccomp profiles yeej ib txwm nyuaj thiab tso siab rau kev sim thiab ua yuam kev. Qhov tseeb yog tias cov neeg siv tsuas tsis muaj sijhawm los sim lawv hauv qhov chaw tsim khoom yam tsis muaj kev pheej hmoo "tso tseg" daim ntawv thov.
Tom qab tso tawm ntawm Linux ntsiav 4.14, nws tau dhau los ua cov haujlwm ntawm qhov profile hauv kev tshuaj xyuas hom, sau cov ntaub ntawv hais txog txhua qhov kev hu xov tooj hauv syslog, tab sis tsis txwv lawv. Koj tuaj yeem qhib hom no siv qhov parameter SCMT_ACT_LOG:
SCMP_ACT_LOG: seccomp yuav tsis cuam tshuam cov xov ua lub kaw lus hu yog tias nws tsis phim ib txoj cai hauv lub lim, tab sis cov ntaub ntawv hais txog kev hu xov tooj yuav raug kaw.
Nov yog lub tswv yim zoo rau kev siv cov yam ntxwv no:
- Tso cai rau kev hu xov tooj uas xav tau.
- Thaiv hu los ntawm lub kaw lus uas koj paub yuav tsis muaj txiaj ntsig.
- Sau cov ntaub ntawv hais txog tag nrho lwm yam kev hu hauv lub cav.
Ib qho piv txwv yooj yim zoo li no:
{
"defaultAction": "SCMP_ACT_LOG",
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"names": [
"arch_prctl",
"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp"
],
"action": "SCMP_ACT_ALLOW"
},
{
"names": [
"add_key",
"keyctl",
"ptrace"
],
"action": "SCMP_ACT_ERRNO"
}
]
}()
Tab sis nco ntsoov tias koj yuav tsum thaiv txhua qhov kev hu xov tooj uas koj paub tias yuav tsis siv thiab qhov ntawd tuaj yeem ua rau muaj kev puas tsuaj rau pawg. Lub hauv paus zoo rau kev sau cov npe yog tus nom . Nws piav qhia meej txog qhov kev hu xov tooj raug kaw hauv qhov profile vim li cas thiab vim li cas.
Txawm li cas los, muaj ib tug catch. Txawm tias SCMT_ACT_LOG txhawb nqa los ntawm Linux ntsiav txij thaum kawg ntawm 2017, nws nkag mus rau Kubernetes ecosystem tsuas yog tsis ntev los no. Yog li ntawd, siv txoj kev no koj yuav xav tau Linux ntsiav 4.14 thiab runC version tsis qis dua .
Tswv yim # 5: Kev tshuaj xyuas hom profile rau kev sim hauv kev tsim khoom tuaj yeem tsim los ntawm kev sib txuas cov npe dub thiab dawb, thiab txhua qhov kev zam tuaj yeem nkag mus.
6. Siv daim ntawv teev npe dawb
Whitelisting yuav tsum tau siv zog ntxiv vim tias koj yuav tsum txheeb xyuas txhua qhov kev hu xov tooj uas yuav xav tau, tab sis txoj hauv kev no txhim kho kev ruaj ntseg zoo heev:
Nws yog qhov pom zoo kom siv daim ntawv teev npe dawb vim nws yooj yim dua thiab txhim khu kev qha. Daim ntawv teev npe dub yuav tsum tau hloov kho thaum twg qhov kev hu xov tooj tuaj yeem txaus ntshai (lossis tus chij txaus ntshai / kev xaiv yog tias nws nyob hauv blacklist) ntxiv. Tsis tas li ntawd, nws feem ntau tuaj yeem hloov pauv tus sawv cev ntawm qhov ntsuas yam tsis hloov nws cov ntsiab lus thiab yog li hla kev txwv ntawm cov npe dub.
Rau cov ntawv thov Go, kuv tau tsim cov cuab yeej tshwj xeeb uas nrog rau daim ntawv thov thiab sau tag nrho cov kev hu ua thaum ua tiav. Piv txwv li, rau daim ntawv thov hauv qab no:
package main
import "fmt"
func main() {
fmt.Println("test")
}
... cia peb pib gosystract zoo li no:
go install https://github.com/pjbgf/gosystract
gosystract --template='{{- range . }}{{printf ""%s",n" .Name}}{{- end}}' application-path... thiab peb tau txais cov txiaj ntsig hauv qab no:
"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp",
"arch_prctl",Txog tam sim no, qhov no tsuas yog piv txwv - cov ntsiab lus ntxiv txog cov cuab yeej yuav ua raws.
Tswv yim # 6: Tso cai rau cov hu uas koj xav tau tiag tiag thiab thaiv tag nrho lwm tus.
7. Npaj cov hauv paus kom raug (los yog npaj rau tus cwj pwm tsis zoo)
Lub kernel yuav tswj hwm qhov profile txawm tias koj sau dab tsi hauv nws. Txawm tias nws tsis yog raws nraim qhov koj xav tau. Piv txwv li, yog tias koj thaiv kev nkag mus rau kev hu zoo li exit los yog exit_group, lub thawv yuav tsis tuaj yeem kaw kom raug thiab txawm tias cov lus txib yooj yim xws li echo hi o rau lub sijhawm tsis kawg. Yog li ntawd, koj yuav tau txais kev siv CPU siab hauv pawg:
Hauv qhov xwm txheej zoo li no, kev siv hluav taws xob tuaj yeem cawm tau strace - nws yuav qhia tias qhov teeb meem yuav ua li cas:
sudo strace -c -p 9331
Xyuas kom tseeb tias cov profiles muaj tag nrho cov kab ke hu uas daim ntawv thov xav tau ntawm lub sijhawm ua haujlwm.
Tswv yim # 7: Ua tib zoo saib xyuas kom meej thiab xyuas kom txhua qhov kev hu xov tooj tsim nyog tau teev npe dawb.
Qhov no xaus thawj feem ntawm cov kab lus ntawm kev siv seccomp hauv Kubernetes hauv tus ntsuj plig ntawm SecDevOps. Hauv seem hauv qab no peb yuav tham txog vim li cas qhov no yog qhov tseem ceeb thiab yuav ua li cas thiaj li ua haujlwm tau zoo.
PS los ntawm tus txhais lus
Nyeem kuj ntawm peb blog:
- «»;
- «»;
- «»;
- «".
Tau qhov twg los: www.hab.com