kubearmor / kubearmor-client

KubeArmor cli tool aka kArmor :robot:
Apache License 2.0

`karmor recommend` doesn't recommend all expected policies with Docker v26 #444

Closed DelusionalOptimist closed 2 months ago

DelusionalOptimist commented 3 months ago

Description

karmor recommend detects certain things from the image being scanned using paths of the container filesystem. For reference, some of the paths that are checked for detecting the distro can be found here. The function which detects the same can be found here.

If for some reason the paths cannot be listed, karmor won't recommend the correct policies and the output returned will be missing some fields.

For example, upon running

karmor recommend --image=ubuntu:18.04

It would return something like

created policy out/ubuntu-18-04/remote-file-copy.yaml ...
created policy out/ubuntu-18-04/maint-tools-access.yaml ...
created policy out/ubuntu-18-04/trusted-cert-mod.yaml ...
created policy out/ubuntu-18-04/k8s-client-tool-exec.yaml ...
created policy out/ubuntu-18-04/write-etc-dir.yaml ...
created policy out/ubuntu-18-04/crypto-miners.yaml ...
created policy out/ubuntu-18-04/system-owner-discovery.yaml ...
created policy out/ubuntu-18-04/cronjob-cfg.yaml ...
created policy out/ubuntu-18-04/pkg-mngr-exec.yaml ...
created policy out/ubuntu-18-04/impair-defense.yaml ...
created policy out/ubuntu-18-04/remote-services.yaml ...
created policy out/ubuntu-18-04/write-under-dev-dir.yaml ...
created policy out/ubuntu-18-04/write-in-shm-dir.yaml ...
created policy out/ubuntu-18-04/file-integrity-monitoring.yaml ...
created policy out/ubuntu-18-04/network-service-scanning.yaml ...
output report in out/report.txt ...
  Container               | ubuntu:18.04
  OS                      | linux
  Arch                    | amd64
  Distro                  |
  Output Directory        | out/ubuntu-18-04
  policy-template version | v0.2.3

Where distro is empty and the number of policies returned is incorrect.

Discovery

This has been found in CI. GitHub has recently updated their runners, which has led to the Docker version changing.

CI worked with this release (Docker v24): https://github.com/actions/runner-images/blob/ubuntu22/20240516.1/images/ubuntu/Ubuntu2204-Readme.md

CI doesn't work with this release (Docker v26): https://github.com/actions/runner-images/blob/ubuntu22/20240609.1/images/ubuntu/Ubuntu2204-Readme.md

The difference between the two releases is the docker version. You can easily find the list of files by adding a simple debug log.

Solution

Figure out how to recommend correct policies with new Docker versions.
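The distro check that the report above depends on, as an added illustration that is not kubearmor-client's own code: a hypothetical DetectDistro over a path-to-contents listing of the image filesystem, plus a CheckListing that refuses to proceed on an empty or undetectable listing, which is the fail-closed behaviour a CI run would want instead of the silently shorter policy set described in the issue. The marker-file list, the function names and the constructed sample listing are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical marker files (relative to the image root, as in a layer tar),
// used as a fallback when etc/os-release is absent; the project has its own list.
var distroMarkers = []struct{ path, distro string }{
	{"etc/alpine-release", "alpine"},
	{"etc/debian_version", "debian"},
}

// DetectDistro infers the distro from a listing of the image filesystem given
// as path -> contents. A listing that lacks the relevant files yields "",
// which is the empty "Distro" field shown in the issue.
func DetectDistro(files map[string][]byte) string {
	if data, ok := files["etc/os-release"]; ok {
		for _, line := range strings.Split(string(data), "\n") {
			if strings.HasPrefix(line, "ID=") {
				return strings.Trim(strings.TrimPrefix(line, "ID="), `"`)
			}
		}
	}
	for _, m := range distroMarkers {
		if _, ok := files[m.path]; ok {
			return m.distro
		}
	}
	return ""
}

// CheckListing fails closed: stop when the image could not be inspected
// instead of emitting a partial policy set that looks like a success.
func CheckListing(files map[string][]byte) error {
	if len(files) == 0 {
		return fmt.Errorf("image filesystem listing is empty; check the Docker version in use")
	}
	if DetectDistro(files) == "" {
		return fmt.Errorf("distro not detected from %d listed files", len(files))
	}
	return nil
}

func main() {
	ubuntu := map[string][]byte{"etc/os-release": []byte("ID=ubuntu\nVERSION_ID=\"18.04\"\n")} // constructed sample
	fmt.Println(DetectDistro(ubuntu), CheckListing(ubuntu)) // ubuntu <nil>
	fmt.Println(DetectDistro(nil), CheckListing(nil))       // "" and an error
}
```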

Ishaanj18 commented 3 months ago

Can I work on this issue?