conmachi

command module

v0.0.0-...-784864f Latest Latest Go to latest Published: Nov 30, 2018 License: MIT Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/nccgroup/conmachi

Links

Open Source Insights

README ¶

Conmachi Container Scanner

Is It Wrong To Pick Up Capabilities In A Container?

Conmachi is a tool written in Golang intended to be used to collect information about a container environment and list potential security issues. It can be statically compiled so that it can be dropped into a container environment and run without any dependencies.

Building

Dependencies:

sudo apt-get install libpcap-dev

Conmachi is intended to be built on any LTS version of Ubuntu. In development, it has been built with Go version 1.9 and above but should compile with most versions.

You can statically build the tool with the following commands:

go get github.com/nccgroup/ConMachi
go get ./...
cd $GOPATH/bin

# Dynamically compile
CGO_LDFLAGS="/usr/lib/x86_64-linux-gnu/libpcap.a" go build conmachi
# OR statically compile, may cause issues with network scanning
CGO_LDFLAGS="/usr/lib/x86_64-linux-gnu/libpcap.a" go build -ldflags '-w -extldflags "-static"' conmachi

What it checks for

Conmachi scans for a large number of potential issues including:

Disabled process and user namespacing
Dangerous capabilities
Disabled Seccomp/AppArmor profiles
Devices mounted from the host

It also collects information that may be useful while exploring a container including:

Kernel version
All capability sets with decoded values
Detect container solution
Sniff network interface for other hosts

Currently in progress:

Scan for Kubernetes related issues
Scan for cloud provider related issues

Flags

Usage of ./conmachi:
  -l string
        File to log to
  -sniff int
        Sniff the network for IP addresses for a given number of seconds

Example

Let's walk through running Conmachi in a Docker container. To start, we have our working directory with a copy of Conmachi in it:

$ ls
conmachi

Then let's add a Dockerfile:

FROM ubuntu

WORKDIR /example
ADD . /example

And build it:

$ ls
conmachi   Dockerfile
$ docker build -t example

And run it with a scary capability:

$ docker run --rm --security-opt seccomp=unconfined --security-opt apparmor:unconfined --cap-add SYS_ADMIN -it example
root@ffffffffffff:/example# ./conmachi 
Container has dangerous capabilities
------------------------------------
* Container has capabilities in the CapBnd set which could enable network attacks if a process runs with uid=0: CAP_NET_RAW
* Container has capabilities in the CapEff which could enable network attacks at the current privilege level: CAP_NET_RAW
* Container has dangerous capabilities in the CapBnd set which may allow for container escape if a process runs with uid=0: CAP_SYS_ADMIN
* Container has dangerous capabilities in the CapEff set which may allow for container escape if a process runs at the current privilege level: CAP_SYS_ADMIN


Container has non-default Docker capabilities
---------------------------------------------
Container has non-default Docker capabilities: CAP_SYS_ADMIN

Writeable Mounts
----------------
Some paths are mounted with write permission and may be filesystems mounted from the host. If this is the case, modifying the files at these paths may allow a contained process to modify files outside of the contained environment. The following paths were detected to be mounted with write permissions:
---
Device: /dev/sda1
Path: /etc/resolv.conf
Type: ext4
Opts: [rw relatime data=ordered]
Freq: 0
Pass: 0
---
Device: /dev/sda1
Path: /etc/hostname
Type: ext4
Opts: [rw relatime data=ordered]
Freq: 0
Pass: 0
---
Device: /dev/sda1
Path: /etc/hosts
Type: ext4
Opts: [rw relatime data=ordered]
Freq: 0
Pass: 0
---


User Namespace Disabled
-----------------------
User namespacing is not enabled. As a result, if a contained process is running with uid=0 it will be running as a privileged user if it gains access to resources outside of the container.

Container Running Unconfined AppArmor Profile
---------------------------------------------
Container is not enforcing an AppArmor profile on contained processes

Seccomp is Disabled
-------------------
Seccomp is disabled in container

Processor Vulnerable to Hardware Attacks
----------------------------------------
The following processors have bugs which may be exploited. More information about each of the processors can be found by reading /proc/cpuinfo.

Processor 0 (Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz) bugs: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf
Processor 1 (Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz) bugs: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf


Container Capabilities
----------------------
CapInh (00000000a82425fb): CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND, CAP_AUDIT_READ
CapPrm (00000000a82425fb): CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND, CAP_AUDIT_READ
CapEff (00000000a82425fb): CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND, CAP_AUDIT_READ
CapBnd (00000000a82425fb): CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND, CAP_AUDIT_READ
CapAmb (0000000000000000):


Cgroup Policy Does Not Restrict CPU Usage
-----------------------------------------
Processes in the conainer are capable of using excessive amounts of CPU time

Cgroup Policy Allows for Excessive Memory Usage
-----------------------------------------------
Processes in the conainer are capable of using excessive amounts (>8GB) of RAM

Detected Container Runtime
--------------------------
Container runtime: docker

Kernel Version Info
-------------------
Linux version 4.4.0-134-generic (buildd@lgw01-amd64-033) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) ) #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018

Cool! It caught our disabled profiles, our dangerous capability, and collected a bunch of info about the environment.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL