bcgov / cloud-pathfinder

This is the technology and UX backend repo for the cloud pathfinder ZenHub task board
https://app.zenhub.com/workspaces/cloud-pathfinder-5e4dbb426c3c6af8dcbf06a7/board?repos=241742911
Creative Commons Zero v1.0 Universal

Create a CSPM test to detect AWS registry container images that still have root enabled #1840

Closed ActionAnalytics closed 1 year ago

ActionAnalytics commented 2 years ago

Describe the issue

During the OpenShift on-prem build process of an image, the root user is always deleted after the installation of software in the image, so that the runtime cannot ever run as root since the root user is gone. There are OpenShift tests to scan for and prevent images with root from slipping by. We wish to guarantee the same for ECS image registry images.

Additional context

Definition of done

bruce-wh-li commented 2 years ago

May need to onboard Container Registries, but this feature is only available as Early Availability. Please see the following, abridged from the CloudGuard Admin Guide. Quote: "Container Registry is available to customers through the Check Point Early Availability Program. If you want to participate and test the feature, contact the EAP team at ea_support@checkpoint.com." Unquote.

bruce-wh-li commented 2 years ago

Also checked and found that checkov by bridgecrew has the capability to scan a Dockerfile to ensure the last USER is not root. As mentioned in our daily scrum standup, checkov is the path we're going forward with.

ActionAnalytics commented 2 years ago

We are working with CP support but not getting results yet. We may be able to try to build a GitHub bot that looks at the Dockerfile user (we will make tickets). Currently waiting on CP.

ActionAnalytics commented 2 years ago

We think this might not be a feature that is ready to use in CSPM yet; we're going to leave the ticket open until we know for sure. If the answer is no, please close the ticket.

bruce-wh-li commented 2 years ago

Prabhu had shared the container registry in LZ2. The account and workload can be found in CSPM, but not the image. It could be a CSPM onboarding permission issue or Check Point. Currently pending on the onboarding permission being fixed before trying again.

bruce-wh-li commented 2 years ago

Check Point TAC SR #6-0003369490 responded that it could be related to the role, external ID, or SCP/guardrail. Warren is helping to see if it is AWS SEA-related.

bruce-wh-li commented 2 years ago

PO to give Prabhu CSPM permission and the same level of access to see if the 'unauthorized operation' error stems from the lack of authority. If not, due to the extreme difficulty and dependency on Check Point support, and owing to the aforementioned difficulty and the other alternatives available, we will close the ticket if the retry fails.

bruce-wh-li commented 2 years ago

Had the screenshare session with Check Point TAC support. The 'unauthorized operation' error appears related to SCP or CSP policy. In addition, we have to onboard the Container Environment, as it is not part of unified onboarding and has to be done separately. However, the Terraform API does not have the related serverless API to onboard; but it could be done through a standalone AWS API call!? Also, the CloudGuard CSPM does not have AWS container in the UI, hence it can't be done through the UI. If Check Point TAC support can't replicate the problem, I will create another ticket and reach out to Chris B. for it.

bruce-wh-li commented 2 years ago

The AWS Dashboard System Ruleset (D9.AWS.IAM.49, to be exact) covers checking for running an ECS Service as 'Admin'.

bruce-wh-li commented 2 years ago
  1. A Kubernetes Cluster is needed to onboard the ECR Registry to install the CloudGuard Agent, as per the current UI.
  2. Check Point is currently working on a change for ECS Scanning.
  3. ECR Image Scanning is available in Shift Left/Spectral. Check Point to update the status next week (week of Sept 18 2022).

ActionAnalytics commented 1 year ago

Checkov can already cover root configuration checks in the Docker file IaC, so this mitigates a lot of the risk.

We are holding off on Shift Left; there is no certainty of runtime protection. Bruce thinks ACS (Red Hat Advanced Cluster Security) is capable of doing it for ROSA, so we would imagine it's possible via Check Point.

It is also possible to assign Carles to see if he can design a custom test for probing container user status in all ECS instances.
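The check the thread converges on (the Dockerfile's last USER must not be root, with the ECS container definition's `user` field able to override it), as an added example that is not part of this issue or of checkov; it handles multi-stage builds, `root:root` / `0:0` forms, a missing USER and an unexpanded `${VAR}`, and the Dockerfiles and container definitions below are constructed sample inputs:

```python
"""Flag containers that would run as root: the Dockerfile's final USER, unless an
ECS containerDefinitions[].user overrides it. Sample inputs are constructed."""
from typing import Optional

ROOT_NAMES = {"root", "0"}

def final_user(dockerfile: str) -> Optional[str]:
    """User left in effect by the last build stage, or None if never set.
    Each FROM starts a new stage, so a USER in an earlier stage of a
    multi-stage build does not carry over to the shipped image."""
    user = None
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        if instr.upper() == "FROM":
            user = None  # new stage: back to the base image's default user
        elif instr.upper() == "USER":
            user = arg.strip()
    return user

def is_root(user: Optional[str]) -> bool:
    """True when `user` is root, or cannot be shown not to be.
    Handles 'root', '0', 'root:root', '0:0' and 'UID:GID' forms. An unset
    value inherits the base image default (root for most images) and an
    unexpanded ${VAR} cannot be verified, so both count as findings."""
    if user is None:
        return True
    name = user.split(":", 1)[0].strip()
    if name.startswith("$"):
        return True
    return name.lower() in ROOT_NAMES

def container_runs_as_root(container_def: dict, dockerfile: str) -> bool:
    """An explicit `user` in the ECS container definition wins over the image USER."""
    user = container_def.get("user")
    return is_root(user if user is not None else final_user(dockerfile))

# Constructed sample inputs: a multi-stage build whose final stage drops back to
# uid 0, and a single-stage image that creates and switches to uid 1001.
MULTI_STAGE = """\
FROM golang:1.19 AS build
USER nobody
RUN go build -o /app ./...
FROM gcr.io/distroless/static
COPY --from=build /app /app
USER 0:0
ENTRYPOINT ["/app"]
"""
NONROOT = 'FROM alpine:3.16\nRUN adduser -D -u 1001 app\nUSER 1001\nCMD ["sh"]\n'
```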

ActionAnalytics commented 1 year ago

Good try, thank you!