@ahmed-bacha
Last active September 13, 2016 16:06
Docker issue: auditd broken auid

### Description

To secure Docker usage and make it auditable, we monitor Docker as recommended by the CIS Docker benchmark. We now need (a security requirement) to monitor commands such as `docker exec`. The problem is that Docker breaks the auditd information (auid, link), so we lose the context: "What did user X do inside container Y?"

Without this information, auditing containers is not possible: we lose everything about what happens inside each container, even with auditd running.

### Configuration

  1. Docker 1.12 (the issue also occurs on 1.10 and 1.11)
  2. auditd installed
  3. VM running CentOS 7.1

### How to reproduce it, observed results

Add rules to monitor `execve` with auditd:

```
cat /etc/audit/rules.d/sh.rules
-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve
```

Run a Docker container with bash and execute a command inside it:

```
sudo docker run -d -ti centos:latest bash
[root@6aca90a42754 /]# curl google.fr
```

On the host machine, search for actions that have been executed by the current user:

```
[vagrant@localhost ~]$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant),10(wheel)
[vagrant@localhost ~]$ sudo ausearch -ul 1000 |less
```

If you filter in `less` with `/google.fr`, you get nothing.

### Expected results, with nsenter

Get the container PID:

```
docker inspect --format '{{ .State.Pid }}' CONTAINER_ID
```

Enter the container using nsenter and execute a command:

```
sudo nsenter -t CONTAINER_PID -u -i -m -p -n bash
[root@6aca90a42754 /]# curl returneorientedprogramming.com
```

On the host, search for actions that have been executed by the current user:

```
[vagrant@localhost ~]$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant),10(wheel)
[vagrant@localhost ~]$ sudo ausearch -ul 1000 |less
```

If you filter in `less` with `/returneorientedprogramming.com`, you get the following result:

```
type=EXECVE msg=audit(1473781769.391:14073): argc=2 a0="curl" a1="returneorientedprogramming.com"
type=SYSCALL msg=audit(1473781769.391:14073): arch=c000003e syscall=59 success=yes exit=0 a0=6f6020 a1=70f6c0 a2=712ab0 a3=7ffd033eb9e0 items=2 ppid=32143 pid=32347 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="curl" exe="/usr/bin/curl" key=(null)
```

Here you can see `auid=1000`, which corresponds to the current vagrant user.
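To make the difference visible in the records themselves, here is an added example (not part of the gist): a small Python parser that joins the SYSCALL and EXECVE records of each execve event by serial number and flags events whose auid is unset (4294967295), which is what a process started through the Docker daemon carries because the daemon has no login session. The first sample event is the one quoted above; the second is constructed, not captured from the author's setup.

```python
import re
from collections import defaultdict

# auid the kernel reports when no login session set it (as under the Docker daemon)
AUID_UNSET = 4294967295
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into (type, serial, {field: value})."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, serial, rest = m.groups()
    return rtype, int(serial), {k: v.strip('"') for k, v in KV_RE.findall(rest)}

def execve_events(lines):
    """Join SYSCALL and EXECVE records by serial; flag events whose auid is unset."""
    by_serial = defaultdict(dict)
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            by_serial[serial][rtype] = fields
    events = []
    for serial, recs in sorted(by_serial.items()):
        if 'SYSCALL' not in recs or 'EXECVE' not in recs:
            continue  # not a complete execve event
        sc, ex = recs['SYSCALL'], recs['EXECVE']
        argv = [ex[f'a{i}'] for i in range(int(ex.get('argc', 0))) if f'a{i}' in ex]
        auid = int(sc.get('auid', AUID_UNSET))
        events.append({'serial': serial, 'argv': argv, 'pid': int(sc['pid']),
                       'uid': int(sc['uid']), 'auid': auid,
                       'attributable': auid != AUID_UNSET})
    return events

# Constructed sample: the nsenter event quoted above (auid=1000) and a made-up
# record of a command run through `docker exec`, where auid is unset.
SAMPLE = """\
type=EXECVE msg=audit(1473781769.391:14073): argc=2 a0="curl" a1="returneorientedprogramming.com"
type=SYSCALL msg=audit(1473781769.391:14073): arch=c000003e syscall=59 success=yes exit=0 a0=6f6020 a1=70f6c0 a2=712ab0 a3=7ffd033eb9e0 items=2 ppid=32143 pid=32347 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="curl" exe="/usr/bin/curl" key=(null)
type=EXECVE msg=audit(1473781801.005:14090): argc=2 a0="curl" a1="google.fr"
type=SYSCALL msg=audit(1473781801.005:14090): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=32500 pid=32511 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="curl" exe="/usr/bin/curl" key=(null)
""".splitlines()

if __name__ == '__main__':
    for ev in execve_events(SAMPLE):
        print('OK  ' if ev['attributable'] else 'LOST',
              f"serial={ev['serial']} auid={ev['auid']} argv={' '.join(ev['argv'])}")
```

Events marked LOST are exactly the ones `ausearch -ul 1000` can never return; a detection rule would alert on them (root execve with unset auid on a host where only the daemon should behave that way) rather than wait for the missing login uid.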

This is a critical problem for auditing Docker containers, securing their usage and knowing what users do inside them.

Found and analysed by: @Filirom1

Reported by: @ahmed-bacha
