
Ignore sensitive mounts from ecs-agent #881

Merged
merged 1 commit into from
Oct 9, 2019

Conversation

fcoelho
Contributor

@fcoelho fcoelho commented Oct 7, 2019

/kind rule-update
/area rules

What this PR does / why we need it:

Without this, as ecs-agent starts we get a bunch of errors that look
like this (reformatted for readability):

Notice Container with sensitive mount started (
  user=root
  command=init -- /agent ecs-agent (id=19d4e98bb0dc)
  image=amazon/amazon-ecs-agent:latest
  mounts=/proc:/host/proc:ro:false:rprivate,$lotsofthings
)

ecs-agent needs those to work properly, so this can cause lots of false
positives when starting a new instance.

Special notes for your reviewer:

This can be reproduced on ami ami-0da6ab8acebc7f9db in region sa-east-1 or any Amazon Linux 2 ECS-optimized ami (name pattern like amzn2-ami-ecs-hvm-*-x86_64-ebs)

Installed falco using the following commands:

rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
curl -s -o /etc/yum.repos.d/draios.repo https://s3.amazonaws.com/download.draios.com/stable/rpm/draios.repo
yum -y install kernel-devel-$(uname -r)
yum -y install falco

Does this PR introduce a user-facing change?:

rules: ignore sensitive mounts from the ecs-agent

@poiana
Contributor

poiana commented Oct 7, 2019

Welcome @fcoelho! It looks like this is your first PR to falcosecurity/falco 🎉

leodido
leodido previously approved these changes Oct 8, 2019
Member

@leodido leodido left a comment


Looks good (it works as intended!) but can probably be engineered better (not creating a macro but using the macro already in place for such goal).

@poiana poiana added the lgtm label Oct 8, 2019
@poiana
Contributor

poiana commented Oct 8, 2019

LGTM label has been added.

Git tree hash: 131dbeedc25777b322fff4856e6a6cb7b913205b

@poiana poiana added the approved label Oct 8, 2019
@leodido leodido self-requested a review October 8, 2019 14:28
@fntlnz
Contributor

fntlnz commented Oct 8, 2019

Hi @fcoelho - good catch, thanks for finding it! I tested this on ECS and can totally reproduce.

However can you please use the falco_sensitive_mount_images list instead? Just add the image in there and you get the same result, we have it for this purpose!

Without this, as ecs-agent starts we get a bunch of errors that look
like this (reformatted for readability):

  Notice Container with sensitive mount started (
    user=root
    command=init -- /agent ecs-agent (id=19d4e98bb0dc)
    image=amazon/amazon-ecs-agent:latest
    mounts=/proc:/host/proc:ro:false:rprivate,$lotsofthings
  )

ecs-agent needs those to work properly, so this can cause lots of false
positives when starting a new instance.

Signed-off-by: Felipe Bessa Coelho <[email protected]>
@fcoelho
Contributor Author

fcoelho commented Oct 8, 2019

@fntlnz Just pushed that change instead, tested locally and seems to do the job too
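As an added example (not Falco's or this PR's own code), a Python model of how the rule fntlnz refers to behaves: it parses the `container.mounts` string shown in the alert above (source:dest:mode:rdwr:propagation) and alerts on a sensitive host mount unless the image repository is in `falco_sensitive_mount_images`, which is where the fix adds the ECS agent image. The sensitive paths other than /proc and the exact matching rules are assumptions, not taken from Falco's rule file.

```python
"""Model of Falco's "Container with sensitive mount started" rule logic.
Added example, not Falco's code: the rule fires when a container starts with a
sensitive host path mounted, unless the image repository is listed in
falco_sensitive_mount_images; this PR adds the ECS agent image to that list.
"""
from typing import List, NamedTuple

# Host source paths treated as sensitive. Only /proc appears in the PR's alert;
# the others are an assumption, not copied from Falco's macro.
SENSITIVE_SOURCES = ("/proc", "/var/run/docker.sock", "/etc", "/")

# The exemption list as it stands after the fix (image repository, no tag).
FALCO_SENSITIVE_MOUNT_IMAGES = {"amazon/amazon-ecs-agent"}

class Mount(NamedTuple):
    source: str       # host path
    dest: str         # path inside the container
    mode: str         # "ro" or "rw"
    rdwr: bool
    propagation: str  # e.g. "rprivate"

def parse_mounts(field: str) -> List[Mount]:
    """Parse a container.mounts string: comma-separated
    source:dest:mode:rdwr:propagation entries, as printed in the alert."""
    return [Mount(src, dst, mode, rdwr == "true", prop)
            for src, dst, mode, rdwr, prop in
            (e.split(":", 4) for e in filter(None, field.split(",")))]

def is_sensitive(m: Mount) -> bool:
    """True when the host source is a sensitive path or lies under one
    ("/" matches only itself, otherwise every path would be sensitive)."""
    return any(m.source == p or (p != "/" and m.source.startswith(p + "/"))
               for p in SENSITIVE_SOURCES)

def image_repository(image: str) -> str:
    """Drop tag/digest from the last path component so registry ports survive:
    'amazon/amazon-ecs-agent:latest' -> 'amazon/amazon-ecs-agent'."""
    head, sep, last = image.rpartition("/")
    return head + sep + last.split("@", 1)[0].split(":", 1)[0]

def should_alert(image: str, mounts_field: str) -> bool:
    """Rule condition: a sensitive mount is present and the image is not exempt."""
    if image_repository(image) in FALCO_SENSITIVE_MOUNT_IMAGES:
        return False
    return any(is_sensitive(m) for m in parse_mounts(mounts_field))

# Constructed sample: the /proc mount from the PR's alert plus a benign volume.
ECS_AGENT_MOUNTS = "/proc:/host/proc:ro:false:rprivate,/data:/data:rw:true:rprivate"
```

With the ECS agent image exempted, `should_alert("amazon/amazon-ecs-agent:latest", ECS_AGENT_MOUNTS)` is false, while any other image with the same /proc mount still alerts.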

@Kaizhe
Contributor

Kaizhe commented Oct 8, 2019

/lgtm

@poiana
Contributor

poiana commented Oct 8, 2019

LGTM label has been added.

Git tree hash: 6794aa1789e08b29ef62dc4103ba5128cafece35

@poiana poiana added the approved label Oct 8, 2019
@poiana
Contributor

poiana commented Oct 8, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Kaizhe, leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@leodido leodido merged commit 8353a0b into falcosecurity:dev Oct 9, 2019
@fntlnz fntlnz added this to the 0.18.0 milestone Oct 28, 2019