forked from cisagov/Malcolm
review and fix capabilities granted to containers #282
mmguero added the labels docker (Relating to docker and docker-compose as used by Malcolm), security (Related to issues with bearing on the security of Malcolm itself) and cloud (Relating to deployment of Malcolm in the cloud and/or with Kubernetes) on Nov 1, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Dec 6, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Dec 6, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Dec 6, 2023
I've removed unnecessary capabilities from containers. The ones that remain are required for the following reasons:
These are limited to containers that are 1) doing memory-intensive stuff or 2) performing packet capture. I am not seeing any sort of broken or degraded behavior with these changes. Closing for now and will keep an eye on it.
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Dec 7, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Dec 7, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Dec 7, 2023
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Dec 8, 2023: …container capabilities)
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Dec 8, 2023: …N to set disk i/o scheduler policy
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue on Dec 8, 2023: …N to set disk i/o scheduler policy
mmguero changed the title from "review capabilities granted to containers" to "review and fix capabilities granted to containers" on Dec 20, 2023
This was referenced Dec 20, 2023 (Merged)
We need to look at the docker-compose.yml and docker-compose-standalone.yml files and the corresponding kubernetes yaml files and look at the capabilities specified for containers (cap_add in the docker compose files, capabilities in the kubernetes manifests) and review/document which ones are actually required. We don't want to be giving containers privileges that they don't explicitly need.
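One way to carry out the review this issue asks for, as an added example that is not Malcolm's own code: a small Python audit that pulls `cap_add` entries from a parsed docker-compose document and `securityContext.capabilities.add` from a parsed Kubernetes manifest, then flags every capability that is not justified by the container's documented role. The allowlist, role assignments, service names and manifests below are constructed for the example; the page does not list which capabilities Malcolm keeps.

```python
import json

def _norm(cap):
    cap = cap.upper()  # 'cap_net_raw' and 'NET_RAW' name the same capability
    return cap[4:] if cap.startswith("CAP_") else cap

# Constructed allowlist: which workload role justifies each capability. The real
# table is whatever the project documents after its review; this is not Malcolm's.
ALLOWED = {
    "NET_RAW": {"capture"},    # raw sockets for packet capture
    "NET_ADMIN": {"capture"},  # put the capture interface into promiscuous mode
    "IPC_LOCK": {"memory"},    # mlock() a large heap so it is never swapped out
}

def compose_caps(compose):
    """Yield (service, caps) for every service in a parsed docker-compose document."""
    for name, svc in compose.get("services", {}).items():
        yield name, {_norm(c) for c in (svc.get("cap_add") or [])}

def k8s_caps(manifest):
    """Yield (container, caps) for a parsed Pod, or for the Pod template of a Deployment."""
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", spec)
    for c in pod.get("containers", []):
        add = c.get("securityContext", {}).get("capabilities", {}).get("add") or []
        yield c["name"], {_norm(x) for x in add}

def audit(entries, roles):
    """Return {name: sorted caps not justified by that container's documented role}."""
    findings = {}
    for name, caps in entries:
        role = roles.get(name, set())
        unjustified = sorted(c for c in caps if not (ALLOWED.get(c, set()) & role))
        if unjustified:
            findings[name] = unjustified
    return findings

# Constructed sample inputs. JSON is valid YAML, so these match what yaml.safe_load
# would return for the real files; the service names and capabilities are made up.
COMPOSE = json.loads('{"services": {'
    '"sensor": {"cap_add": ["NET_RAW", "NET_ADMIN"]}, '
    '"indexer": {"cap_add": ["IPC_LOCK", "SYS_ADMIN"]}, '
    '"web": {}}}')
K8S = json.loads('{"kind": "Deployment", "spec": {"template": {"spec": {"containers": ['
    '{"name": "indexer", "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["IPC_LOCK"]}}}, '
    '{"name": "web", "securityContext": {"capabilities": {"add": ["cap_net_raw"]}}}]}}}}')
ROLES = {"sensor": {"capture"}, "indexer": {"memory"}, "web": set()}

if __name__ == "__main__":
    for label, entries in (("compose", compose_caps(COMPOSE)), ("kubernetes", k8s_caps(K8S))):
        for name, caps in audit(entries, ROLES).items():
            print(f"{label}: {name} grants undocumented capabilities: {', '.join(caps)}")
```

A clean run returns an empty dict from `audit`, which is the state the issue is asking for: every retained capability is tied to a documented reason.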