review and fix capabilities granted to containers #282

Closed
mmguero opened this issue Nov 1, 2023 · 1 comment
Labels: cloud (Relating to deployment of Malcolm in the cloud and/or with Kubernetes), docker (Relating to docker and docker-compose as used by Malcolm), security (Related to issues with bearing on the security of Malcolm itself)
mmguero commented Nov 1, 2023

We need to look at the docker-compose.yml and docker-compose-standalone.yml files and the corresponding kubernetes yaml files and look at the capabilities specified for containers (cap_add in the docker compose files, capabilities in the kubernetes manifests) and review/document which ones are actually required. We don't want to be giving containers privileges that they don't explicitly need.

@mmguero mmguero added docker Relating to docker and docker-compose as used by Malcolm security Related to issues with bearing on the security of Malcolm itself cloud Relating to deployment of Malcolm in the cloud and/or with Kubernetes labels Nov 1, 2023
@mmguero mmguero added this to the v23.12.0 milestone Nov 14, 2023
@mmguero mmguero self-assigned this Nov 27, 2023
@mmguero mmguero assigned mmguero and unassigned mmguero Dec 5, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Dec 6, 2023
mmguero commented Dec 7, 2023

I've removed unnecessary capabilities from containers. The ones that remain are required for the following reasons:

  • NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets
  • SYS_NICE - to set process nice values, real-time scheduling policies, I/O scheduling
  • IPC_LOCK - to lock memory, preventing swapping
  • SYS_RESOURCE - for increasing memlock limits
  • SYS_ADMIN - only needed by pcap-capture's netsniff-ng process to set disk I/O scheduler policy; this could be removed locally if tcpdump is used instead, although netsniff-ng performs better

These are limited to containers that are 1) doing memory-intensive stuff or 2) performing packet capture.

I am not seeing any sort of broken or degraded behavior with these changes. Closing for now and will keep an eye on it.
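A practical way to verify that the running containers actually hold only the capabilities listed above is to decode the `CapEff` bitmask that the kernel exposes in `/proc/<pid>/status` and diff it against an allowlist. The script below is an added example written for this page; it is not Malcolm's own code. It embeds the capability bit numbers from `linux/capability.h` and Docker's default capability set, and it treats the mapping of the listed capabilities onto two roles ("capture" and "memory") as an assumption, since the comment only pins SYS_ADMIN to pcap-capture. The two `/proc/<pid>/status` excerpts are constructed, not captured from a real deployment.

```python
"""Decode /proc/<pid>/status capability masks and check them against an allowlist.

Added example for the capability review above; not part of Malcolm.
"""
import re

# Capability bit numbers from include/uapi/linux/capability.h.
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3, "FSETID": 4,
    "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "LINUX_IMMUTABLE": 9,
    "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11, "NET_ADMIN": 12, "NET_RAW": 13,
    "IPC_LOCK": 14, "IPC_OWNER": 15, "SYS_MODULE": 16, "SYS_RAWIO": 17,
    "SYS_CHROOT": 18, "SYS_PTRACE": 19, "SYS_PACCT": 20, "SYS_ADMIN": 21,
    "SYS_BOOT": 22, "SYS_NICE": 23, "SYS_RESOURCE": 24, "SYS_TIME": 25,
    "SYS_TTY_CONFIG": 26, "MKNOD": 27, "LEASE": 28, "AUDIT_WRITE": 29,
    "AUDIT_CONTROL": 30, "SETFCAP": 31, "MAC_OVERRIDE": 32, "MAC_ADMIN": 33,
    "SYSLOG": 34, "WAKE_ALARM": 35, "BLOCK_SUSPEND": 36, "AUDIT_READ": 37,
    "PERFMON": 38, "BPF": 39, "CHECKPOINT_RESTORE": 40,
}
CAP_NAMES = {bit: name for name, bit in CAP_BITS.items()}

# What Docker grants when a service has no cap_add/cap_drop at all.
DOCKER_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
})

# Allowlist from the closing comment. Splitting it into two roles is an
# assumption made for this example; the comment only ties SYS_ADMIN to pcap-capture.
ROLE_EXTRA_CAPS = {
    "capture": frozenset({"NET_ADMIN", "NET_RAW", "SYS_NICE", "IPC_LOCK",
                          "SYS_RESOURCE", "SYS_ADMIN"}),
    "memory": frozenset({"SYS_NICE", "IPC_LOCK", "SYS_RESOURCE"}),
}


def decode_caps(hexmask):
    """Turn a 64-bit hex mask such as '00000000a80425fb' into capability names."""
    mask = int(hexmask, 16)
    names, bit = set(), 0
    while mask:
        if mask & 1:
            # Bits newer than this table are reported by number, not dropped.
            names.add(CAP_NAMES.get(bit, f"CAP_{bit}"))
        mask >>= 1
        bit += 1
    return frozenset(names)


def encode_caps(names):
    """Inverse of decode_caps: names -> 16-digit hex mask as printed by the kernel."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BITS[name]
    return f"{mask:016x}"


def parse_proc_status(text):
    """Extract the Cap* lines from the text of /proc/<pid>/status."""
    return dict(re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]{16})$", text, re.MULTILINE))


def audit(status_text, role, baseline=DOCKER_DEFAULT_CAPS):
    """Compare CapEff with baseline | ROLE_EXTRA_CAPS[role].

    Returns (unexpected, not_held): capabilities held beyond the allowlist, and
    allowlisted capabilities the process does not hold (candidates for removal
    from cap_add if the container runs fine without them).
    """
    allowed = baseline | ROLE_EXTRA_CAPS[role]
    effective = decode_caps(parse_proc_status(status_text)["CapEff"])
    return effective - allowed, allowed - effective


# Constructed /proc/<pid>/status excerpts (not captured from a real Malcolm host).
SAMPLE_CAPTURE = """\
Name:\tnetsniff-ng
State:\tS (sleeping)
CapInh:\t0000000000000000
CapPrm:\t00000000a9a475fb
CapEff:\t00000000a9a475fb
CapBnd:\t00000000a9a475fb
CapAmb:\t0000000000000000
"""
# Docker defaults plus SYS_PTRACE, i.e. a cap_add entry that drifted in unnoticed.
SAMPLE_DRIFT = """\
Name:\tjava
CapInh:\t0000000000000000
CapPrm:\t00000000a80c25fb
CapEff:\t00000000a80c25fb
CapBnd:\t00000000a80c25fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for label, text, role in (("pcap-capture", SAMPLE_CAPTURE, "capture"),
                              ("memory-intensive container", SAMPLE_DRIFT, "memory")):
        unexpected, not_held = audit(text, role)
        print(f"{label}: unexpected={sorted(unexpected)} not_held={sorted(not_held)}")
```

On a live host the input comes from `grep ^Cap /proc/$(pidof netsniff-ng)/status` run inside the container (or `docker inspect --format '{{.HostConfig.CapAdd}}' <name>` for what compose asked for, which is not the same thing as what the process ended up with). Note that `audit` assumes the Docker default set is still present; a service that uses `cap_drop: [ALL]` before its `cap_add` list should be audited with `baseline=frozenset()` so that the defaults are flagged too.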

@mmguero mmguero closed this as completed Dec 7, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Dec 7, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Dec 8, 2023
@mmguero mmguero changed the title review capabilities granted to containers review and fix capabilities granted to containers Dec 20, 2023