Ignore sensitive mounts from ecs-agent #881

Merged

Conversation

fcoelho (Contributor) commented Oct 7, 2019

/kind rule-update
/area rules

What this PR does / why we need it:

Without this, as ecs-agent starts we get a bunch of errors that look
like this (reformatted for readability):

Notice Container with sensitive mount started (
  user=root
  command=init -- /agent ecs-agent (id=19d4e98bb0dc)
  image=amazon/amazon-ecs-agent:latest
  mounts=/proc:/host/proc:ro:false:rprivate,$lotsofthings
)

ecs-agent needs those to work properly, so this can cause lots of false
positives when starting a new instance.

Special notes for your reviewer:

This can be reproduced on ami ami-0da6ab8acebc7f9db in region sa-east-1 or any Amazon Linux 2 ECS-optimized ami (name pattern like amzn2-ami-ecs-hvm-*-x86_64-ebs)

Installed falco using the following commands:

rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
curl -s -o /etc/yum.repos.d/draios.repo https://s3.amazonaws.com/download.draios.com/stable/rpm/draios.repo
yum -y install kernel-devel-$(uname -r)
yum -y install falco

Does this PR introduce a user-facing change?:

rules: ignore sensitive mounts from the ecs-agent
poiana commented Oct 7, 2019

Welcome @fcoelho! It looks like this is your first PR to falcosecurity/falco 🎉

@poiana poiana requested review from leodido and mstemm Oct 7, 2019
@poiana poiana added the size/XS label Oct 7, 2019
@fcoelho fcoelho force-pushed the fcoelho:amazon-linux-ecs-agent-sensitive-mount branch from 843909c to 6a62cc3 Oct 7, 2019
leodido (Member) left a comment

Looks good (it works as intended!) but can probably be engineered better (not creating a macro but using the macro already in place for such a goal).

@poiana poiana added the lgtm label Oct 8, 2019
poiana commented Oct 8, 2019

LGTM label has been added.

Git tree hash: 131dbeedc25777b322fff4856e6a6cb7b913205b

@poiana poiana added the approved label Oct 8, 2019
@leodido leodido self-requested a review Oct 8, 2019
fntlnz (Member) commented Oct 8, 2019

Hi @fcoelho - good catch, thanks for finding it! I tested this on ECS and can totally reproduce.

However can you please use the falco_sensitive_mount_images list instead? Just add the image in there and you get the same result, we have it for this purpose!

Without this, as ecs-agent starts we get a bunch of errors that look
like this (reformatted for readability):

  Notice Container with sensitive mount started (
    user=root
    command=init -- /agent ecs-agent (id=19d4e98bb0dc)
    image=amazon/amazon-ecs-agent:latest
    mounts=/proc:/host/proc:ro:false:rprivate,$lotsofthings
  )

ecs-agent needs those to work properly, so this can cause lots of false
positives when starting a new instance.

Signed-off-by: Felipe Bessa Coelho <fcoelho.9@gmail.com>
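To make the rule logic discussed in the PR description and in fntlnz's comment concrete, here is an added example (not Falco's code and not part of the PR): a small Python model of the "Container with sensitive mount started" check, run over constructed container-start events. It assumes the 2019-era rule shape: a `sensitive_mount` macro that fires when a container mounts a sensitive host path, and a `falco_sensitive_mount_images` allowlist matched against `container.image.repository` (the image name without its tag). The list of sensitive host paths is a representative subset, the mount strings for ecs-agent are shortened from the real ones, and `DEFAULT_ALLOWLIST` is a stand-in for the upstream list; all of those are assumptions.

```python
# Added example (not Falco's own code): a model of Falco's sensitive-mount
# rule, run over constructed container-start events, to show why
# amazon/amazon-ecs-agent fires it and how an allowlist entry suppresses it.
import fnmatch
from typing import FrozenSet, List, NamedTuple, Optional

# Host paths whose mounting the `sensitive_mount` macro flags.  Assumption:
# a representative subset, written as globs in the spirit of the macro's
# `container.mount.dest[/proc*] != "N/A"` tests, which key on the mount
# *source* (the host path), not the path inside the container.
SENSITIVE_HOST_PATHS = ["/proc*", "/var/run/docker.sock", "/var/lib/kubelet*",
                        "/", "/etc", "/root*"]

# Constructed stand-in for falco_sensitive_mount_images (the real list is
# longer).  FIXED_ALLOWLIST is the same list with the entry the PR adds.
DEFAULT_ALLOWLIST: FrozenSet[str] = frozenset({"sysdig/falco", "docker.io/sysdig/falco"})
FIXED_ALLOWLIST: FrozenSet[str] = DEFAULT_ALLOWLIST | {"amazon/amazon-ecs-agent"}


class Mount(NamedTuple):
    source: str       # host path
    dest: str         # path inside the container
    mode: str         # "ro" / "rw"
    rdwr: bool
    propagation: str  # e.g. "rprivate"


class ContainerStart(NamedTuple):
    user: str
    cmdline: str
    image: str   # repository:tag, as printed in the alert's image= field
    mounts: str  # Falco's container.mounts field, verbatim


def parse_mounts(field: str) -> List[Mount]:
    """Parse container.mounts: comma-separated source:dest:mode:rdwr:propagation."""
    mounts = []
    for entry in field.split(","):
        if not entry:
            continue
        src, dest, mode, rdwr, prop = entry.split(":", 4)
        mounts.append(Mount(src, dest, mode, rdwr == "true", prop))
    return mounts


def image_repository(image: str) -> str:
    """container.image.repository: the image name without tag or digest.
    The tag separator is the last ':' after the final '/', so a registry
    port such as localhost:5000 is preserved."""
    name = image.split("@", 1)[0]
    head, _, tail = name.rpartition("/")
    tail = tail.partition(":")[0]
    return f"{head}/{tail}" if head else tail


def sensitive_mounts(mounts: List[Mount]) -> List[Mount]:
    """Mounts whose host source matches one of the flagged paths."""
    return [m for m in mounts
            if any(fnmatch.fnmatchcase(m.source, pat) for pat in SENSITIVE_HOST_PATHS)]


def evaluate(event: ContainerStart, allowlist: FrozenSet[str]) -> Optional[str]:
    """Return the alert text the rule would emit, or None if suppressed.
    Mirrors: container_started and sensitive_mount and not (repository in list)."""
    hits = sensitive_mounts(parse_mounts(event.mounts))
    if not hits or image_repository(event.image) in allowlist:
        return None
    shown = ",".join(f"{m.source}:{m.dest}" for m in hits)
    return (f"Notice Container with sensitive mount started (user={event.user} "
            f"command={event.cmdline} image={event.image} mounts={shown})")


# Constructed events.  The ecs-agent mount list is shortened from the real one.
ECS_AGENT = ContainerStart("root", "init -- /agent ecs-agent", "amazon/amazon-ecs-agent:latest",
                           "/proc:/host/proc:ro:false:rprivate,"
                           "/var/run/docker.sock:/var/run/docker.sock:rw:true:rprivate,"
                           "/var/log/ecs:/log:rw:true:rprivate")
DOCKER_SOCK_ABUSE = ContainerStart("root", "sh -c id", "notreally/ops-tools:1.0",
                                   "/var/run/docker.sock:/var/run/docker.sock:rw:true:rprivate")
PLAIN_WEB = ContainerStart("nginx", "nginx -g daemon off;", "nginx:1.17",
                           "/srv/www:/usr/share/nginx/html:ro:false:rprivate")


if __name__ == "__main__":
    for ev in (ECS_AGENT, DOCKER_SOCK_ABUSE, PLAIN_WEB):
        print("before:", evaluate(ev, DEFAULT_ALLOWLIST))
        print("after: ", evaluate(ev, FIXED_ALLOWLIST))
```

In Falco itself the counterpart of `FIXED_ALLOWLIST` is an entry in the site-local rules file (`- list: falco_sensitive_mount_images` with `items: [amazon/amazon-ecs-agent]` and `append: true`), which is what fntlnz is asking for instead of a new macro. Two caveats the model makes visible: the match is on the repository name only, so every tag of that name is exempt, and any image that is merely tagged `amazon/amazon-ecs-agent` on the host inherits the exemption, so the allowlist expresses trust in a name rather than in image content; and because Falco may report an image with or without its registry prefix, the upstream list carries some images in both forms, so check which form your alerts actually print before adding an entry.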
@fcoelho fcoelho force-pushed the fcoelho:amazon-linux-ecs-agent-sensitive-mount branch from 6a62cc3 to 2cd5b70 Oct 8, 2019
@poiana poiana removed lgtm approved labels Oct 8, 2019
fcoelho (Contributor, Author) commented Oct 8, 2019

@fntlnz Just pushed that change instead, tested locally and seems to do the job too

Kaizhe (Contributor) commented Oct 8, 2019

/lgtm

@poiana poiana added the lgtm label Oct 8, 2019
poiana commented Oct 8, 2019

LGTM label has been added.

Git tree hash: 6794aa1789e08b29ef62dc4103ba5128cafece35

@poiana poiana added the approved label Oct 8, 2019
@leodido
leodido approved these changes Oct 8, 2019
poiana commented Oct 8, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Kaizhe, leodido


@leodido leodido merged commit 8353a0b into falcosecurity:dev Oct 9, 2019
2 of 3 checks passed:
tide: Not mergeable. Job Travis CI - Pull Request has not succeeded.
Travis CI - Pull Request: Build Passed
dco: All commits have Signed-off-by
@fntlnz fntlnz added this to the 0.18.0 milestone Oct 28, 2019