# 30-04-2024 Aarixa training event @BrewdogBrussels {% file src="/files/LIUhGkVosFg0hXm3CwBn" %} {% file src="/files/IpsTtTqOdXwqvDmW2yrN" %} ## Dissecting container and pods ### Running containers is easy #### Docker host * ubuntu machine * public ip address * security group 80, 443, 8080, 8081 #### Install docker ``` curl -fsSL https://get.docker.com -o get-docker.sh sudo sh ./get-docker.sh ``` ``` sudo groupadd docker sudo usermod -aG docker $USER newgrp docker ``` #### Running our first container ``` export IP="x.x.x.x" ``` ``` docker run -d -p 8080:80 --name www nginx:1.24 ``` ``` docker run -d -p 8081:80 --name www2 nginx:1.25 ``` ``` curl -kv $IP:8080 ``` ``` curl -kv $IP:8081 ``` #### Creating our first image ``` mkdir ./lab1 cd lab1 ``` ``` echo "My Annacon secret" >./secret.txt ``` ``` cat >Dockerfile < ``` docker run -d --privileged --name www3 nginx:1.25 ``` ``` docker exec -it www3 bash ``` ``` mkdir /tmp/host-fs mount /dev/vda1 ``` ### eBPF #### Tracee ``` docker run --name tracee --rm -it \ --pid=host \ --cgroupns=host \ --privileged \ -v /etc/os-release:/etc/os-release-host:ro \ aquasec/tracee:latest ``` #### Falco ``` sudo curl -s https://falco.org/repo/falcosecurity-packages.asc |sudo apt-key add - sudo echo "deb https://download.falco.org/packages/deb stable main" | sudo tee -a /etc/apt/sources.list.d/falcosecurity.list sudo apt-get update -y sudo apt-get install -y falco ``` ``` - rule: spawned_process_in_test_container desc: A process was spawned in the test container. condition: container.name = "falco-test" and evt.type = execve output: "%evt.time,%user.uid,%proc.name,%container.id,%container.name,command=%proc.cmdline" priority: WARNING ``` ``` falco -r ./falco.rule .... ``` #### Tetragon ``` docker run -d --name tetragon-container --rm --pull always \ --pid=host \ --cgroupns=host \ --privileged \ -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \ quay.io/cilium/tetragon-ci:latest ``` ``` docker exec tetragon-container tetra getevents -o compact ``` ``` root@ip-172-31-31-30:~# cat ./tracing_policy.yaml # This tracing policy 'connect-only-local-addrs' will report attempts # to make outbound TCP connections to any IP address other than those # within the 127.0.0.0/8 CIDR, from the binary /usr/bin/curl. In # addition it will also kill the offending curl process. # # Description: # Report and block outbound TCP connections outside loopback from # /usr/bin/curl. # # In production, this could be used to force processes to only connect # to their side cars on their local loopback, and to treat transgressions # as evidence of malicious activity, resulting in the process being # killed. apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: name: "connect-only-local-addrs" spec: kprobes: - call: "tcp_connect" syscall: false args: - index: 0 type: "sock" selectors: - matchArgs: - index: 0 operator: "NotDAddr" values: - "127.0.0.0/8" matchBinaries: - operator: "In" values: - "/usr/bin/curl" matchActions: - action: Sigkill ``` ``` docker run -d --name tetragon-container --rm --pull always \ --pid=host --cgroupns=host --privileged \ -v $PWD/tracing_policy.yaml:/tracing_policy.yaml \ -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \ quay.io/cilium/tetragon-ci:latest \ --tracing-policy /tracing_policy.yaml ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://meetups.kubiosec.tech/meetup-notes/30-04-2024-aarixa-training-event-brewdogbrussels.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.