Open hannes-ucsc opened 2 years ago
Spike to try this once. I'm curious as to whether this requires a shutdown of the instance. How else would it make sure that the file system on the volume is consistent? Also curious how long it takes.
Include https://en.wikipedia.org/wiki/EICAR_test_file in the instance, before the scan. Ensure the file is present in both volumes (root / and data /mnt/gitlab).
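The seeding step above, as an added shell example that is not code from the issue or the project: it writes the 68-byte EICAR test string into each volume passed on the command line and then verifies the copy against the published SHA-256 of the EICAR file, so a later scan has a known-benign target and a mismatch (e.g. a tool appending a newline, or an AV quarantining the file on write) is caught immediately. The filename eicar.com and the hash comparison are my assumptions; the two mount points come from the issue.

```shell
#!/bin/sh
# Added example, not from the issue: seed the EICAR test file on each mounted
# volume and verify it landed intact. Filename eicar.com is an assumption.
set -e

# The 68-byte EICAR test string. Single quotes keep $, !, \ and parentheses literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Published SHA-256 of the exact 68-byte file (no trailing newline).
EICAR_SHA256='275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'

# Print the SHA-256 hex digest of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write the test file into the given directory and print its path.
# printf '%s' is deliberate: echo would append a newline and change the hash.
write_eicar_file() {
    target_dir=$1
    printf '%s' "$EICAR" > "$target_dir/eicar.com"
    echo "$target_dir/eicar.com"
}

# Return 0 when the file exists and matches the published hash, 1 otherwise.
verify_eicar_file() {
    path=$1
    [ -f "$path" ] || return 1
    [ "$(sha256_of "$path")" = "$EICAR_SHA256" ]
}

# Usage: sh eicar_seed.sh / /mnt/gitlab   (one argument per volume; needs write
# access to each). With no arguments nothing is written.
for dir in "$@"; do
    f=$(write_eicar_file "$dir")
    if verify_eicar_file "$f"; then
        echo "ok: $f"
    else
        echo "MISMATCH or missing: $f" >&2
        exit 1
    fi
done
```

Run it once per instance before enabling the scan, then re-run the verify step after the scan completes: a file that is still present and unchanged tells you the scan did not act on it (useful for telling "not scanned yet" apart from "scanned and ignored"), which matters given the question of when the scan is actually triggered.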
GuardDuty Malware Protection was just enabled for EC2; however, there isn't information on when the scan will start or when it is scheduled to run. Additionally, as part of the GuardDuty free 30-day trial (start 08/25), Kubernetes Audit logs and S3 Protection were automatically enabled. I disabled the Kubernetes trial given the lack of said infrastructure.
Note, the info tab on the GuardDuty Malware Protection console reads "GuardDuty detects suspicious behavior on an Amazon EC2 instance or a container workload, indicative of malware.", indicating that to start a scan, anomalous behavior must be detected first by GuardDuty.
@hannes-ucsc: "@achave11 is right, the scan is only initiated when GuardDuty detects anomalous behavior on the instance. Given that, I don't think the GuardDuty scan is a sufficient replacement of #4189. However, we should still enable GuardDuty scan permanently. Assuming that enabling GuardDuty scans is a manual operation, we need to document that step in the README.md section 3.1."
https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html
If this works well it would make #4189 and #3614 obsolete.
Revert #3614.