Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
cmd
 
 
pkg
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

cxray

Build Status

cxray is a tool for profiling security events in containers.
It can create a white list of events(running processes, opendfile and binaries, destination HTTP Requests) in container, which is useful for creating rules for other tools(e.g. falco).

Background

Container security tools should be able to automatically profile containerized apps using behavioral learning and build.
According to NIST.SP.800-19, should monitoring the following events:

  • Invalid or unexpected process execution,
  • Invalid or unexpected system calls,
  • Changes to protected configuration files and binaries,
  • Writes to unexpected locations and file types,
  • Creation of unexpected network listeners,
  • Traffic sent to unexpected network destinations, and
  • Malware storage or execution.

cxray can profiling these events. Executes in a test environment and records events in the container, and can be used for monitoring rules.

Install

Download binary from releases page.

Example

$ sudo ./cxray > log.json

$ docker run --rm -it alpine:latest sh
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # uname -a
Linux 5af89d05295b 5.0.0-37-generic #40~18.04.1-Ubuntu SMP Thu Nov 14 12:06:39 UTC 2019 x86_64 Linux
/ # cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
...
/ # curl https://example.com/
...

$ cat log.json
{"data":{"container_id":"5af89d052","event":{"name":"execve","data":{"argv":"","comm":"","pid":"12555","ret":"0","uid":"0","user":"root"}}},"level":"info","msg":"execve","time":"2019-12-24T12:45:36Z"}
{"data":{"container_id":"5af89d052","event":{"name":"execve","data":{"argv":"","comm":"/usr/bin/id","pid":"12605","ret":"0","uid":"0","user":"root"}}},"level":"info","msg":"execve","time":"2019-12-24T12:45:37Z"}
{"data":{"container_id":"5af89d052","event":{"name":"execve","data":{"argv":"-a","comm":"/bin/uname","pid":"12608","ret":"0","uid":"0","user":"root"}}},"level":"info","msg":"execve","time":"2019-12-24T12:45:39Z"}
{"data":{"container_id":"5af89d052","event":{"name":"execve","data":{"argv":"/etc/passwd","comm":"/bin/cat","pid":"12609","ret":"0","uid":"0","user":"root"}}},"level":"info","msg":"execve","time":"2019-12-24T12:45:41Z"}
{"data":{"container_id":"5af89d052","event":{"name":"open","data":{"comm":"cat","fname":"/etc/passwd","pid":"14134","ret":"3","uid":"0"}}},"level":"info","msg":"open","time":"2019-12-25T02:02:27Z"}
{"data":{"container_id":"5af89d052","event":{"name":"tcp_v4_connect","data":{"comm":"curl","daddr":"93.184.216.34","dport":"443","pid":"17408","ret":"0","saddr":"172.17.0.2","uid":"0"}}},"level":"info","msg":"tcp_v4_connect","time":"2019-12-25T16:12:01Z"}

Executing Processes (execve)

{
  "data": {
    "container_id": "b85bd4425",
    "event": {
      "name": "execve",
      "data": {
        "argv": "-a",
        "comm": "/bin/uname",
        "pid": "1714",
        "ret": "0",
        "uid": "0",
        "user": "root"
      }
    }
  },
  "level": "info",
  "msg": "execve",
  "time": "2020-01-04T15:40:12Z"
}

Opening File and Binaries (open)

{
  "data": {
    "container_id": "b85bd4425",
    "event": {
      "name": "open",
      "data": {
        "comm": "cat",
        "fname": "/etc/shadow",
        "pid": "1715",
        "ret": "3",
        "uid": "0"
      }
    }
  },
  "level": "info",
  "msg": "open",
  "time": "2020-01-04T15:41:20Z"
}

HTTP Connection (tcp_v4_connect)

{
  "data": {
    "container_id": "b85bd4425",
    "event": {
      "name": "tcp_v4_connect",
      "data": {
        "comm": "wget",
        "daddr": "93.184.216.34",
        "dport": "443",
        "pid": "1716",
        "ret": "0",
        "saddr": "172.17.0.2",
        "uid": "0"
      }
    }
  },
  "level": "info",
  "msg": "tcp_v4_connect",
  "time": "2020-01-04T15:42:04Z"
}

Network Listeners (inet_listen)

{
  "data": {
    "container_id": "",
    "event": {
      "name": "inet_listen",
      "data": {
        "comm": "nc",
        "listen_addr": "0.0.0.0",
        "listen_port": "12345",
        "pid": "1723",
        "protocol": "tcp",
        "uid": "0"
      }
    }
  },
  "level": "info",
  "msg": "inet_listen",
  "time": "2020-01-04T15:42:43Z"
}

Support Events

  • Process Execution
  • Access to files and binaries
  • Creation of network listeners
  • Traffic sent to network destinations