Closed omerazr closed 4 years ago
I like the idea behind this, thanks @omer-sd
/close
@leodido: Closing this issue.
Word of warning: don't use this feature on a kubernetes node if you are running CI/CD pipelines in pods (e.g. gitlab-runner) -- your pod will pull down source code and execute scripts, and Falco will kill processes. You will lose hours of your life trying to understand what is wrong with your pipeline runners.
Motivation
Container drift means changes that break the immutability of images. A subset of such changes are executables created in a container during runtime. Detecting such behavior can help flag critical security issues related to RCEs.
Feature
There are a limited set of options to create an executable in a system. By adding Falco rules to detect this behavior, we can alert users about suspicious activity. This will include adding two new Falco rules that use a newly added sysdig filter, "is_open_exec" (https://github.com/draios/sysdig/pull/1638).
Alternatives
By listing all executables in an image, one can create an apparmor profile to prevent such a change in runtime. As always, applications do behave in unexpected ways, so detecting such execution and tuning an apparmor profile will be a better workflow.
Additional context
https://www.openshift.com/blog/configuration-drift-prevention-in-openshift-resource-locker-operator
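The two creation paths the issue describes (a file opened or created with an execute bit, caught via the new evt.is_open_exec field, and an existing file given an execute bit via chmod) as an illustrative Falco rule file. This is an added example, not the rules proposed in the issue or the ones the project ships; the macro names and the allowlisted CI runner checkout paths are assumptions, included because the warning comment above shows why a per-cluster exception list is needed.

```yaml
# Added example, not the project's own rules. Assumes a Falco build that
# exposes evt.is_open_exec; macro names and paths below are illustrative.

# Only look at events from inside a container (container.id is "host" otherwise).
- macro: in_container
  condition: container.id != host

# Exception list for places where runtime-created executables are expected,
# e.g. a CI runner checkout directory. Assumed paths; tune per cluster.
- macro: drift_allowed_open_path
  condition: (fd.name startswith /builds/ or fd.name startswith /home/gitlab-runner/builds/)
- macro: drift_allowed_chmod_path
  condition: (evt.arg.filename startswith /builds/ or evt.arg.filename startswith /home/gitlab-runner/builds/)

# Path 1: file opened/created with an execute bit in its mode.
- rule: Container Drift Detected (open+create)
  desc: New executable file created inside a container via open/openat/creat
  condition: >
    evt.type in (open, openat, creat) and evt.is_open_exec=true
    and in_container and evt.rawres >= 0
    and not drift_allowed_open_path
  output: >
    Drift detected (open+create), new executable created in a container
    (user=%user.name command=%proc.cmdline file=%fd.name
    container=%container.name image=%container.image.repository)
  priority: ERROR
  tags: [container, drift]

# Path 2: an existing file gets an execute bit via chmod/fchmod/fchmodat.
- rule: Container Drift Detected (chmod)
  desc: Execute permission added to a file inside a container
  condition: >
    evt.type in (chmod, fchmod, fchmodat) and evt.rawres >= 0
    and in_container
    and (evt.arg.mode contains "S_IXUSR" or evt.arg.mode contains "S_IXGRP"
         or evt.arg.mode contains "S_IXOTH")
    and not drift_allowed_chmod_path
  output: >
    Drift detected (chmod), execute bit added in a container
    (user=%user.name command=%proc.cmdline filename=%evt.arg.filename
    mode=%evt.arg.mode container=%container.name)
  priority: ERROR
  tags: [container, drift]
```

Both rules only alert; the process that wrote the file keeps running, so any blocking has to come from a separate response mechanism, which is why an exception list for legitimate build workloads matters before enabling them cluster-wide.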