Adds a new 'mounts' command to audit sensitive host paths mounts #322
Conversation
The audit will trigger an alert if one a the specified host paths is mounted inside a container. Alerts for legit use cases can be overriden using a dedicated label per mount.
ghost
added
the
|
Hey @jcbbc , thanks for opening another PR! The team will triage this on Monday. Cheers! |
There was a problem hiding this comment.
This is really awesome, thank you! Much better implemented than the mountds auditor too 😄
I think you're right and we should deprecate mountds in favour of this one. There's not really a proper deprecation flow but I think we can just remove it from the all command and update the docs to say it's deprecated.
Could you also update the kubeaudit config docs in the main README and add examples using the config file and flag (for example)
Would you mind modifying one of the tests (or adding a test) to test at least one other host path (other than /proc) to prove it doesn't only work for the first path in the array.
|
Should we address the deprecation in this PR or another one? |
auditors/mounts/mounts.go
Outdated
| } | ||
|
|
||
| func getOverrideLabel(mountName string) string { | ||
| return overrideLabelPrefix + strings.Replace(strings.ToLower(mountName), "_", "-", -1) |
There was a problem hiding this comment.
| return overrideLabelPrefix + strings.Replace(strings.ToLower(mountName), "_", "-", -1) | |
| return overrideLabelPrefix + mountName |
cmd/commands/mounts.go
Outdated
| A WARN result is generated when a container mounts one or more paths specified with the '--paths' argument. | ||
|
|
||
| Example usage: | ||
| kubeaudit mount --paths "%s"`, formatPathsList(), strings.Join(mounts.DefaultSensitivePaths[:3], ",")), |
There was a problem hiding this comment.
| kubeaudit mount --paths "%s"`, formatPathsList(), strings.Join(mounts.DefaultSensitivePaths[:3], ",")), | |
| kubeaudit mounts --paths "%s"`, formatPathsList(), strings.Join(mounts.DefaultSensitivePaths[:3], ",")), |
| "Container": container.Name, | ||
| MountNameMetadataKey: mount.Name, | ||
| MountPathMetadataKey: mount.MountPath, | ||
| MountReadOnlyMetadataKey: fmt.Sprintf("%t", mount.ReadOnly), |
There was a problem hiding this comment.
Actually can we add the volume name and host path as metadata as well? It might be useful for JSON output
docs/auditors/mounts.md
Outdated
| Message: Sensitive path mounted as volume: etc-volume (/etc -> /host/etc, readOnly: false). It should be removed from the container's mounts list. | ||
| Metadata: | ||
| Container: container | ||
| Mount: etc-volume |
There was a problem hiding this comment.
Do you mind adding the other metadata fields here?
docs/auditors/mounts.md
Outdated
| ```yaml | ||
| --- | ||
| auditors: | ||
| mounts: | ||
| paths: ["/etc", "/var/run/docker.sock"] | ||
| ``` |
There was a problem hiding this comment.
When I tested locally, I also had to turn this auditor on by setting mountsto true, like so:
enabledAuditors:
mounts: trueI see it in the config.yaml example, but it might be worth making it explicit
There was a problem hiding this comment.
Another suggestion, to make it more explicit (completely optional). Instead of paths, how about pathsToWatch?
There was a problem hiding this comment.
I went for the simple paths to be more aligned with other auditors that also use simple key (add, image, cpu) that are also the same as the CLI options. But we can totally switch to pathsToWatch if you find it better.
There was a problem hiding this comment.
I see. For the capabilities auditor, however, we add capabilities to an allowAddList so kubeaudit won't raise errors for those. So it made me think that paths would have a similar effect - listed paths would be the ones kubeaudit would ignore. However it's the opposite - kubeaudit will only watch for those specific paths, everything else will be ignored. That's why I thought of a more explicit name... what do you think?
There was a problem hiding this comment.
Ok understood. I find the phrasing a bit weird however :) I was about to suggest sensitivesPaths but I guess the issue is the same, it may not be quite clear that it work as a deny-list and not as an allow-list. So if you prefer, yes we can go for pathsToWatch
There was a problem hiding this comment.
yeah... let's leave it like that, then. And hopefully the documentation will make it clear! 😁
There was a problem hiding this comment.
or maybe denyPathsList? :P
There was a problem hiding this comment.
@jcbbc can you please change it to denyPathsList? with that, we're good to go! thanks! 🙏
There was a problem hiding this comment.
Sorry, I missed your previous comment. I've made the change.
There was a problem hiding this comment.
Thanks a lot, @jcbbc!! :)
cmd/commands/mounts.go
Outdated
| } | ||
|
|
||
| func setPathsFlags(cmd *cobra.Command) { | ||
| cmd.Flags().StringSliceVarP(&mountsConfig.SensitivePaths, sensitivePathsFlagName, "s", mounts.DefaultSensitivePaths, |
There was a problem hiding this comment.
Another tiny thing, and more of a question. How about p rather than s for the shorthand?
| cmd.Flags().StringSliceVarP(&mountsConfig.SensitivePaths, sensitivePathsFlagName, "s", mounts.DefaultSensitivePaths, | |
| cmd.Flags().StringSliceVarP(&mountsConfig.SensitivePaths, sensitivePathsFlagName, "p", mounts.DefaultSensitivePaths, |
There was a problem hiding this comment.
Yes, that was my initial idea but -p is already used as a shorthand for the --format argument (I guess it comes from pretty?)
-p, --format string The output format to use (one of "pretty", "logrus", "json") (default "pretty")
So I fall back on s for "Sensitive paths" but it's indeed not really obvious
There was a problem hiding this comment.
oh, yeah! you're right! perhaps sp? not sure...it's optional. We can always revisit that later if someone gives us feedback saying it's confusing.
|
This is looking great, @jcbbc! I agree with @genevieveluyt that this is a more comprehensive implementation, if compared to our current |
|
Should be good now 👌 |
|
Thank you @jcbbc !!! |
Description
Adds a new command
mountsto audit sensitive host paths that are mounted in contains. The auditor will trigger an alert when one of the specified paths is mounted by a container. If no paths are specified in arguments, a default paths list is used (I use the one used by Falco).Alerts can be overridden using a label either at the pod level or the container level. Labels are per mount, so you can only override alerts for legit mounts.
Here's a sample result:
This auditor makes the
mountdskind of redundant so we can remove/deprecate it if you prefer.Type of change
How Has This Been Tested?
Checklist: