Skip to content
Tracing security events in container with BPF
Go Shell Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.semaphore
cmd
pkg
.gitignore
LICENSE
Makefile
README.md
go.mod
go.sum
semaphore.sh

README.md

cxray

Build Status

cxray is a tool for profiling security events in containers.
It can create a white list of events(running processes, opendfile and binaries, destination HTTP Requests) in container, which is useful for creating rules for other tools(e.g. falco).

Background

Container security tools should be able to automatically profile containerized apps using behavioral learning and build.
According to NIST.SP.800-19, should monitoring the following events:

  • Invalid or unexpected process execution,
  • Invalid or unexpected system calls,
  • Changes to protected configuration files and binaries,
  • Writes to unexpected locations and file types,
  • Creation of unexpected network listeners,
  • Traffic sent to unexpected network destinations, and
  • Malware storage or execution.

cxray can profiling these events. Executes in a test environment and records events in the container, and can be used for monitoring rules.

Install

Download binary from releases page.

Example

$ sudo ./cxray > log.json

$ docker run --rm -it alpine:latest sh
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # uname -a
Linux 5af89d05295b 5.0.0-37-generic #40~18.04.1-Ubuntu SMP Thu Nov 14 12:06:39 UTC 2019 x86_64 Linux
/ # cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
...
/ # curl https://example.com/
...

$ cat log.json
{"data":{"container_id":"5af89d052","event":{"name":"execve","data":{"argv":"","comm":"","pid":"12555","ret":"0","uid":"0","user":"root"}}},"level":"info","msg":"execve","time":"2019-12-24T12:45:36Z"}
{"data":{"container_id":"5af89d052","event":{"name":"execve","data":{"argv":"","comm":"/usr/bin/id","pid":"12605","ret":"0","uid":"0","user":"root"}}},"level":"info","msg":"execve","time":"2019-12-24T12:45:37Z"}
{"data":{"container_id":"5af89d052","event":{"name":"execve","data":{"argv":"-a","comm":"/bin/uname","pid":"12608","ret":"0","uid":"0","user":"root"}}},"level":"info","msg":"execve","time":"2019-12-24T12:45:39Z"}
{"data":{"container_id":"5af89d052","event":{"name":"execve","data":{"argv":"/etc/passwd","comm":"/bin/cat","pid":"12609","ret":"0","uid":"0","user":"root"}}},"level":"info","msg":"execve","time":"2019-12-24T12:45:41Z"}
{"data":{"container_id":"5af89d052","event":{"name":"open","data":{"comm":"cat","fname":"/etc/passwd","pid":"14134","ret":"3","uid":"0"}}},"level":"info","msg":"open","time":"2019-12-25T02:02:27Z"}
{"data":{"container_id":"5af89d052","event":{"name":"tcp_v4_connect","data":{"comm":"curl","daddr":"93.184.216.34","dport":"443","pid":"17408","ret":"0","saddr":"172.17.0.2","uid":"0"}}},"level":"info","msg":"tcp_v4_connect","time":"2019-12-25T16:12:01Z"}

Executing Processes (execve)

{
  "data": {
    "container_id": "b85bd4425",
    "event": {
      "name": "execve",
      "data": {
        "argv": "-a",
        "comm": "/bin/uname",
        "pid": "1714",
        "ret": "0",
        "uid": "0",
        "user": "root"
      }
    }
  },
  "level": "info",
  "msg": "execve",
  "time": "2020-01-04T15:40:12Z"
}

Opening File and Binaries (open)

{
  "data": {
    "container_id": "b85bd4425",
    "event": {
      "name": "open",
      "data": {
        "comm": "cat",
        "fname": "/etc/shadow",
        "pid": "1715",
        "ret": "3",
        "uid": "0"
      }
    }
  },
  "level": "info",
  "msg": "open",
  "time": "2020-01-04T15:41:20Z"
}

HTTP Connection (tcp_v4_connect)

{
  "data": {
    "container_id": "b85bd4425",
    "event": {
      "name": "tcp_v4_connect",
      "data": {
        "comm": "wget",
        "daddr": "93.184.216.34",
        "dport": "443",
        "pid": "1716",
        "ret": "0",
        "saddr": "172.17.0.2",
        "uid": "0"
      }
    }
  },
  "level": "info",
  "msg": "tcp_v4_connect",
  "time": "2020-01-04T15:42:04Z"
}

Network Listeners (inet_listen)

{
  "data": {
    "container_id": "",
    "event": {
      "name": "inet_listen",
      "data": {
        "comm": "nc",
        "listen_addr": "0.0.0.0",
        "listen_port": "12345",
        "pid": "1723",
        "protocol": "tcp",
        "uid": "0"
      }
    }
  },
  "level": "info",
  "msg": "inet_listen",
  "time": "2020-01-04T15:42:43Z"
}

Support Events

  • Process Execution
  • Access to files and binaries
  • Creation of network listeners
  • Traffic sent to network destinations
You can’t perform that action at this time.