Seccomp in Kubernetes: 7 things you should know from the start

Translator's note: We offer for your attention a translation of an article by the head of security engineering tooling at the British company ASOS.com. With it, he opens a series of articles devoted to improving security in Kubernetes through the use of seccomp. If readers like the introduction, we will follow the author and continue with his future articles on this topic.


This article is the first in a series on creating seccomp profiles in the spirit of SecDevOps, without resorting to magic and witchcraft. In Part 1, I cover the basics and the internal details of how seccomp is implemented in Kubernetes.

The Kubernetes ecosystem offers a wide variety of ways to secure and isolate containers. This article is about Secure Computing Mode, also known as seccomp. Its essence is to filter the system calls that containers are allowed to execute.

Why does this matter? A container is just a process running on a particular machine, and it uses the kernel just like any other application. If containers could make any system call, malware would soon take advantage of that to escape container isolation and affect other applications: intercept data, change system settings, and so on.

seccomp profiles define which system calls should be allowed or blocked. The container runtime activates them at startup so that the kernel can police their execution. Using such profiles lets you reduce the attack surface and limit the damage if any program inside the container (that is, your dependencies, or their dependencies) starts doing something it is not supposed to do.

Getting to the basics

A basic seccomp profile includes three elements: defaultAction, architectures (or archMap) and syscalls:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "sched_yield",
                "futex",
                "write",
                "mmap",
                "exit_group",
                "madvise",
                "rt_sigprocmask",
                "getpid",
                "gettid",
                "tgkill",
                "rt_sigaction",
                "read",
                "getpgrp"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(medium-basic-seccomp.json)

defaultAction determines the default fate of any system call not listed in the syscalls section. To keep things simple, let's focus on the two main actions that will be used:

  • SCMP_ACT_ERRNO - blocks execution of the system call,
  • SCMP_ACT_ALLOW - allows it.

The architectures section lists the target architectures. This matters because the filter itself, applied at the kernel level, works on system call identifiers, not on the names given in the profile. The container runtime maps the names to identifiers before applying the filter. The point is that system calls can have completely different IDs depending on the system architecture. For example, the recvfrom system call (used to receive data from a socket) has ID = 64 on x64 systems and ID = 517 on x86. Here you can find the full list of system calls for the x86-x64 architecture.

The syscalls section lists system calls and specifies what to do with them. For example, you can create a whitelist by setting defaultAction to SCMP_ACT_ERRNO and assigning SCMP_ACT_ALLOW to the calls in the syscalls section. That way you allow only the calls listed in the syscalls section and forbid all others. For a blacklist, swap defaultAction and the actions to their opposites.

Now a few words about nuances that are not so obvious. Please note that the recommendations below assume that you are deploying line-of-business applications on Kubernetes and want them to run with the fewest privileges possible.

1. AllowPrivilegeEscalation=false

The container securityContext has a parameter AllowPrivilegeEscalation. When it is set to false, the container starts with the no_new_priv bit set (on). The meaning of this parameter is clear from its name: it prevents the container from launching new processes with more privileges than it has itself.

A side effect of this option being set to true (the default) is that the container runtime applies the seccomp profile at the very start of the startup process. Consequently, all system calls needed to run the runtime's internal processes (for example, setting user/group IDs, dropping certain capabilities) must be allowed in the profile.

For a container that does a trivial echo hi, the following permissions will be required:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "brk",
                "capget",
                "capset",
                "chdir",
                "close",
                "execve",
                "exit_group",
                "fstat",
                "fstatfs",
                "futex",
                "getdents64",
                "getppid",
                "lstat",
                "mprotect",
                "nanosleep",
                "newfstatat",
                "openat",
                "prctl",
                "read",
                "rt_sigaction",
                "statfs",
                "setgid",
                "setgroups",
                "setuid",
                "stat",
                "uname",
                "write"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(hi-pod-seccomp.json)

... instead of these:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "brk",
                "close",
                "execve",
                "exit_group",
                "futex",
                "mprotect",
                "nanosleep",
                "stat",
                "write"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(hi-container-seccomp.json)

But again, why is this a problem? Personally, I would refrain from allowing the following system calls (unless there is a genuine need for them): capset, set_tid_address, setgid, setgroups and setuid. The real problem, however, is that by allowing processes you have no control over at all, you are tying your profiles to the container runtime implementation. In other words, one day you may discover that after an update of the container runtime (whether by you or, more likely, by your cloud provider) your containers suddenly stop working.

Tip #1: Run containers with AllowPrivilegeEscalation=false. This reduces the size of seccomp profiles and makes them less sensitive to changes in the container runtime environment.

2. Set seccomp profiles at the container level

A seccomp profile can be set at the pod level:

annotations:
  seccomp.security.alpha.kubernetes.io/pod: "localhost/profile.json"

...or at the container level:

annotations:
  container.seccomp.security.alpha.kubernetes.io/<container-name>: "localhost/profile.json"

Note that the syntax above will change when Kubernetes seccomp becomes GA (this is expected in the next Kubernetes release, 1.18 - translator's note).

Few people know that Kubernetes has long had a bug that causes seccomp profiles to be applied to the pause container. The runtime partially compensates for this shortcoming, but that container does not disappear from pods, because it is used to set up their infrastructure.

The problem is that this container always starts with AllowPrivilegeEscalation=true, which leads to the issues described in point 1, and this cannot be changed.

By applying seccomp profiles at the container level, you avoid this trap and can build a profile tailored to the specific container. This will be necessary until the developers fix the bug and the new version (1.18, perhaps?) becomes available to everyone.

Tip #2: Set seccomp profiles at the container level.

In practice, this rule usually serves as the universal answer to the question: "Why does my seccomp profile work with docker run but stop working after deployment to a Kubernetes cluster?"

3. Use runtime/default only as a last resort

Kubernetes has two options for built-in profiles: runtime/default and docker/default. Both are implemented by the container runtime, not by Kubernetes. Therefore they can differ depending on the runtime used and its version.

In other words, as a result of a runtime change, a container may gain access to a different set of system calls, which it may or may not use. Most runtimes use the Docker implementation. If you want to use this profile, please make sure it suits you.

The docker/default profile has been deprecated since Kubernetes 1.11, so avoid using it.

In my opinion, the runtime/default profile is well suited to the purpose it was created for: protecting users from the risks associated with running the docker run command on their own machines. But when it comes to business applications running on Kubernetes clusters, I would dare to argue that such a profile is too open, and developers should focus on creating profiles for their applications (or application types).

Tip #3: Create seccomp profiles for specific applications. If this is not possible, create profiles for application types; for example, an advanced profile that covers all the web APIs of Golang applications. Use runtime/default only as a last resort.

In the following articles I will cover how to create SecDevOps-inspired seccomp profiles, automate them, and test them in pipelines. In other words, you will have no excuse not to move to application-specific profiles.

4. Unconfined is NOT an option.

The first Kubernetes security audit found that seccomp is disabled by default. This means that if you do not set a PodSecurityPolicy that enables it in the cluster, all pods for which no seccomp profile is defined will run in seccomp=unconfined mode.

Running in this mode means that an entire layer of protection guarding the cluster is lost. Security experts do not recommend this approach.

Tip #4: No container in the cluster should run in seccomp=unconfined mode, especially in production environments.

5. "Audit mode"

This point does not apply only to Kubernetes, but it still falls into the category of "things to know before you start".

As it turns out, creating seccomp profiles has always been difficult and has relied heavily on trial and error. The fact is that users simply have no way to test them in production environments without risking "dropping" the application.

After the release of Linux kernel 4.14, it became possible to run parts of a profile in audit mode, logging information about all system calls to syslog without blocking them. You can enable this mode with the SCMP_ACT_LOG action:

SCMP_ACT_LOG: seccomp will not affect the thread making the system call if it does not match any rule in the filter, but information about the system call will be logged.

Here is a typical way to use this feature:

  1. Allow the required system calls.
  2. Block the system calls that you know will not be needed.
  3. Log information about all other calls.

A simplified example looks like this:

{
    "defaultAction": "SCMP_ACT_LOG",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "sched_yield",
                "futex",
                "write",
                "mmap",
                "exit_group",
                "madvise",
                "rt_sigprocmask",
                "getpid",
                "gettid",
                "tgkill",
                "rt_sigaction",
                "read",
                "getpgrp"
            ],
            "action": "SCMP_ACT_ALLOW"
        },
        {
            "names": [
                "add_key",
                "keyctl",
                "ptrace"
            ],
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}

(medium-mixed-seccomp.json)

But remember that you must block all calls that you know are not used and could harm the cluster. A good basis for compiling such a list is the official Docker documentation. It explains in detail which system calls are blocked in the default profile and why.

However, there is one catch. Although SCMP_ACT_LOG has been supported by the Linux kernel since the end of 2017, it reached the Kubernetes ecosystem only recently. Therefore, to use this approach you will need Linux kernel 4.14 and runC version v1.0.0-rc9 or newer.

Tip #5: An audit-mode profile for testing in production can be built by combining black and white lists and logging everything else.
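As an added example (not code from the article or from any project it mentions), a small Python helper that resolves the action a profile gives a syscall name and lists the calls that would fall through to defaultAction; it is run against a trimmed inline copy of medium-mixed-seccomp.json and serves both the profile structure section above and audit mode.

```python
import json

# Constructed inline copy of the article's audit-mode profile
# (medium-mixed-seccomp.json), trimmed to a few names: an allow list,
# a deny list, and defaultAction LOG for everything in between.
AUDIT_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_LOG",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["arch_prctl", "futex", "write", "read", "exit_group"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["add_key", "keyctl", "ptrace"], "action": "SCMP_ACT_ERRNO"}
  ]
}
""")


def resolve_action(profile: dict, syscall: str) -> str:
    """Return the action the profile assigns to `syscall`, by name.

    A call listed in some syscalls entry gets that entry's action; a call
    listed nowhere falls through to defaultAction. Listing one call under
    two different actions is treated as a profile error.
    """
    actions = set()
    for entry in profile.get("syscalls", []):
        names = list(entry.get("names", []))
        if "name" in entry:          # older single-name form of an entry
            names.append(entry["name"])
        if syscall in names:
            actions.add(entry["action"])
    if len(actions) > 1:
        raise ValueError(f"{syscall} listed with conflicting actions {sorted(actions)}")
    return actions.pop() if actions else profile["defaultAction"]


def unclassified(profile: dict, observed) -> list:
    """Observed calls that hit defaultAction: in audit mode these are the ones
    that would show up in syslog and still need an explicit allow or deny."""
    default = profile["defaultAction"]
    return sorted({n for n in observed if resolve_action(profile, n) == default})


if __name__ == "__main__":
    # Constructed sample of calls seen while exercising the container.
    seen = ["write", "read", "openat", "mmap", "ptrace", "openat"]
    for name in seen:
        print(f"{name:10} -> {resolve_action(AUDIT_PROFILE, name)}")
    print("still unclassified:", unclassified(AUDIT_PROFILE, seen))
```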

6. Use whitelists

Whitelisting requires some extra effort, because you have to identify every call that may be needed, but this approach significantly improves security:

It is highly recommended to use the whitelist approach as it is simpler and more reliable. A blacklist needs to be updated whenever a potentially dangerous system call (or a dangerous flag/option, if it is on the blacklist) is added. In addition, it is often possible to change the representation of a parameter without changing its meaning and thereby bypass the blacklist restrictions.

For Go applications, I have developed a dedicated tool that works with the application and collects all the system calls it makes during execution. For example, for the following application:

package main

import "fmt"

func main() {
	fmt.Println("test")
}

... let's run gosystract like this:

go install github.com/pjbgf/gosystract@latest
gosystract --template='{{- range . }}{{printf "\"%s\",\n" .Name}}{{- end}}' application-path

... and get the following result:

"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp",
"arch_prctl",

For now, this is just an example; more tools will follow.

Tip #6: Allow only the calls you actually need and block all others.

7. Set the right basics (or prepare for unexpected behaviour)

The kernel will enforce the profile regardless of what you write in it, even if it is not exactly what you wanted. For example, if you block access to calls such as exit or exit_group, the container will not be able to shut down properly, and even a simple command like echo hi will hang indefinitely. As a result, you get high CPU usage in the cluster:


In such a situation the strace utility can come to the rescue - it will show what the problem might be:

sudo strace -c -p 9331

Make sure profiles contain all the system calls the application needs at runtime.

Tip #7: Pay attention to the details and make sure all the required system calls are whitelisted.
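As an added example (not part of the article or of gosystract), a Python helper that turns gosystract's output into a whitelist profile (tip 6) and then checks it for the calls that tip 7 says must not be missing; the start-up call list is an assumption drawn from hi-container-seccomp.json, and the gosystract output is a constructed copy of what the article prints.

```python
import re

# Constructed sample: gosystract's output for the fmt.Println("test") program,
# exactly as the article prints it (one quoted name per line, trailing comma).
GOSYSTRACT_OUTPUT = """
"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp",
"arch_prctl",
"""

# Assumed baseline taken from the article's hi-container-seccomp.json: calls
# needed at process start-up even though the binary itself never makes them.
STARTUP_SYSCALLS = {"execve", "brk", "close", "mprotect", "stat"}
# Without exit_group the container cannot terminate and spins (tip 7).
EXIT_SYSCALLS = {"exit_group"}
ARCHS = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]


def parse_gosystract(output: str) -> set:
    """Extract the syscall names from gosystract's quoted output lines."""
    return set(re.findall(r'"([a-z0-9_]+)"', output))


def build_whitelist(names) -> dict:
    """Whitelist profile: listed calls are allowed, everything else is refused."""
    return {"defaultAction": "SCMP_ACT_ERRNO", "architectures": ARCHS,
            "syscalls": [{"names": sorted(names), "action": "SCMP_ACT_ALLOW"}]}


def allowed_names(profile: dict) -> set:
    """All names that some entry in the profile explicitly allows."""
    return {n for e in profile["syscalls"]
            if e["action"] == "SCMP_ACT_ALLOW" for n in e["names"]}


def missing_required(profile: dict, required) -> set:
    """Required calls that the profile does not allow (the tip-7 check)."""
    return set(required) - allowed_names(profile)
```

A call such as `missing_required(build_whitelist(parse_gosystract(out) | STARTUP_SYSCALLS), EXIT_SYSCALLS)` returning a non-empty set is the sign that the profile would produce the hanging container described above.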

This concludes the first part of the series on using seccomp in Kubernetes in the spirit of SecDevOps. In the following parts we will discuss why this matters and how to automate the process.


Source: www.habr.com
