-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add syscall filtering via seccomp for security #5213
Comments
On a related note, when a seccomp policy is violated an event is sent by Auditbeat. I put a sample into this gist. |
I have opened a PR #6832 to add this feature. |
The adds a default seccomp (Secure Computing) filter on Linux that prohibits execve, execveat, fork, and vfork system calls for the Beat process. The seccomp filter policy is configurable as well. You can create your own whitelist or blacklist policy with specific actions. It uses github.com/elastic/go-seccomp-bpf. Whitelist Example ``` seccomp: default_action: errno syscalls: - action: allow names: - open - close - read - exit ``` Blacklist Example ``` seccomp: default_action: allow syscalls: - action: log names: - execve - execveat - fork - vfork - action: kill_process # Requires kernel 4.14+. names: - connect - accept - sendto - recvfrom - sendmsg - recvmsg - bind - listen ``` Closes elastic#5213 Decisions I Made - The default policy is a blacklist because it was the most simple to start with. Whitelisting is recommended because it is more robust. `man seccomp` states "A blacklist will have to be updated whenever a potentially dangerous system call is added (or a dangerous flag or option if those are blacklisted), and it is often possible to alter the representation of a value without altering its meaning, leading to a blacklist bypass." - I chose to not implement argument filtering. It would be useful to have for more granular policies, but I'd rather wait to see how the policies are used and see if argument filtering is required. - The code only makes use of the `seccomp` syscall to install the filter. It does not fallback to the `prctl(2)` `PR_SET_SECCOMP` operation because it does not support flags. The `SECCOMP_FILTER_FLAG_TSYNC` flag is necessary in Go because we have little control over when threads are started, and there are no guarantees that the filter would be installed before other threads start.
The adds a default seccomp (Secure Computing) filter on Linux that prohibits execve, execveat, fork, and vfork system calls for the Beat process. The seccomp filter policy is configurable as well. You can create your own whitelist or blacklist policy with specific actions. It uses github.com/elastic/go-seccomp-bpf. Whitelist Example ``` seccomp: default_action: errno syscalls: - action: allow names: - open - close - read - exit ``` Blacklist Example ``` seccomp: default_action: allow syscalls: - action: log names: - execve - execveat - fork - vfork - action: kill_process # Requires kernel 4.14+. names: - connect - accept - sendto - recvfrom - sendmsg - recvmsg - bind - listen ``` Closes #5213 Decisions I Made - The default policy is a blacklist because it was the most simple to start with. Whitelisting is recommended because it is more robust. `man seccomp` states "A blacklist will have to be updated whenever a potentially dangerous system call is added (or a dangerous flag or option if those are blacklisted), and it is often possible to alter the representation of a value without altering its meaning, leading to a blacklist bypass." - I chose to not implement argument filtering. It would be useful to have for more granular policies, but I'd rather wait to see how the policies are used and see if argument filtering is required. - The code only makes use of the `seccomp` syscall to install the filter. It does not fallback to the `prctl(2)` `PR_SET_SECCOMP` operation because it does not support flags. The `SECCOMP_FILTER_FLAG_TSYNC` flag is necessary in Go because we have little control over when threads are started, and there are no guarantees that the filter would be installed before other threads start.
Metricbeat system/diskio uses |
This is not nice. I wonder if we should make the disk serial number optional and a config option that can be enabled to have by default not execve? Other ideas? |
There might be another way to get the data with ioctl and We would need to modify gopsutil to not do the |
This PR adds to the seccomp enhancement in elastic#6832 by adding a whitelist policy. The policies are derived from a combination of static analysis of the object code and runtime profiling (to see what the cgo linked libraries are doing). The policies also account for the system calls used while running the system tests with coverage and race detection. Closes elastic#5213
This PR adds to the seccomp enhancement in #6832 by adding a whitelist policy. The policies are derived from a combination of static analysis of the object code and runtime profiling (to see what the cgo linked libraries are doing). The policies also account for the system calls used while running the system tests with coverage and race detection. Closes #5213
This feature has been merged into master and will be included in 6.4. |
The adds a default seccomp (Secure Computing) filter on Linux that prohibits execve, execveat, fork, and vfork system calls for the Beat process. The seccomp filter policy is configurable as well. You can create your own whitelist or blacklist policy with specific actions. It uses github.com/elastic/go-seccomp-bpf. Whitelist Example ``` seccomp: default_action: errno syscalls: - action: allow names: - open - close - read - exit ``` Blacklist Example ``` seccomp: default_action: allow syscalls: - action: log names: - execve - execveat - fork - vfork - action: kill_process # Requires kernel 4.14+. names: - connect - accept - sendto - recvfrom - sendmsg - recvmsg - bind - listen ``` Closes elastic#5213 Decisions I Made - The default policy is a blacklist because it was the most simple to start with. Whitelisting is recommended because it is more robust. `man seccomp` states "A blacklist will have to be updated whenever a potentially dangerous system call is added (or a dangerous flag or option if those are blacklisted), and it is often possible to alter the representation of a value without altering its meaning, leading to a blacklist bypass." - I chose to not implement argument filtering. It would be useful to have for more granular policies, but I'd rather wait to see how the policies are used and see if argument filtering is required. - The code only makes use of the `seccomp` syscall to install the filter. It does not fallback to the `prctl(2)` `PR_SET_SECCOMP` operation because it does not support flags. The `SECCOMP_FILTER_FLAG_TSYNC` flag is necessary in Go because we have little control over when threads are started, and there are no guarantees that the filter would be installed before other threads start.
This PR adds to the seccomp enhancement in elastic#6832 by adding a whitelist policy. The policies are derived from a combination of static analysis of the object code and runtime profiling (to see what the cgo linked libraries are doing). The policies also account for the system calls used while running the system tests with coverage and race detection. Closes elastic#5213
The adds a default seccomp (Secure Computing) filter on Linux that prohibits execve, execveat, fork, and vfork system calls for the Beat process. The seccomp filter policy is configurable as well. You can create your own whitelist or blacklist policy with specific actions. It uses github.com/elastic/go-seccomp-bpf. Whitelist Example ``` seccomp: default_action: errno syscalls: - action: allow names: - open - close - read - exit ``` Blacklist Example ``` seccomp: default_action: allow syscalls: - action: log names: - execve - execveat - fork - vfork - action: kill_process # Requires kernel 4.14+. names: - connect - accept - sendto - recvfrom - sendmsg - recvmsg - bind - listen ``` Closes elastic#5213 Decisions I Made - The default policy is a blacklist because it was the most simple to start with. Whitelisting is recommended because it is more robust. `man seccomp` states "A blacklist will have to be updated whenever a potentially dangerous system call is added (or a dangerous flag or option if those are blacklisted), and it is often possible to alter the representation of a value without altering its meaning, leading to a blacklist bypass." - I chose to not implement argument filtering. It would be useful to have for more granular policies, but I'd rather wait to see how the policies are used and see if argument filtering is required. - The code only makes use of the `seccomp` syscall to install the filter. It does not fallback to the `prctl(2)` `PR_SET_SECCOMP` operation because it does not support flags. The `SECCOMP_FILTER_FLAG_TSYNC` flag is necessary in Go because we have little control over when threads are started, and there are no guarantees that the filter would be installed before other threads start.
This PR adds to the seccomp enhancement in elastic#6832 by adding a whitelist policy. The policies are derived from a combination of static analysis of the object code and runtime profiling (to see what the cgo linked libraries are doing). The policies also account for the system calls used while running the system tests with coverage and race detection. Closes elastic#5213
I have opened a PR to get disk serial from udev data or sysfs without using |
Great. If it doesn't get merge soonish we can also switch to our own fork for now until it is merged. |
gopsutil 2.18.06 released, PR created to update it #7483 |
The Beat process on Linux can drop privileges to perform specific syscalls (like execve, fork, clone) using a seccomp-bpf filter. This is one-way operation where the process drops privileges and cannot restore them. This limits the damage that can be done if there ever would be a vulnerability.
There is a kernel version requirement, but we can test if the feature is available use it when possible.
I wrote a POC that uses google/kafel, a C library that generates the BPF syscall filter from a policy string. We could statically link with the library (we already use cgo in our Beats since 6.0).
When there is a policy violation the kernel kills the thread rather than the whole process. When it does this an audit event is generated.
FYI you can use
/proc/[pid]/status
to see if the process has a seccomp filter applied. Look for theSeccomp:
line and a value > 0.We can audit the syscalls used by a Beat by using
strace -c [beat cmd]
then develop a policy based on that data.The text was updated successfully, but these errors were encountered: