I'm experimenting with a PoC where I'm running vulnerable containers and running exploits against them. I want to be able to essentially monitor for all the binaries in GTFOBins, so that if someone gets a shell within my container I can see what commands they're running.

Anyone familiar with monitoring running Docker containers / how I could monitor syscalls within a Docker container, to see commands being run at the operating system level? Something like auditd with container support would be ideal, as I'm hoping to have these events written to a file. Open source tools would be preferred.

If you have any ideas please point me in the right direction.

#containers #docker #cybersecurity #dfir

I'm not trying to do this at scale yet, so literally a tool that logs binary executions and the arguments that were passed in would be great.

The equivalent auditd rule would be something like

# audit all commands
-a exit,always -F arch=b32 -S execve -k allcmds
-a exit,always -F arch=b64 -S execve -k allcmds

But I couldn't get auditd to work within the container.

I'm looking at draios/sysdig and it seems pretty close to what I want. The sysdig cli command is outputting a lot of info though, about the host operating system and a lot of other stuff. Trying to find a resource to see if I could narrow this down to just information about the vulnerable container that I'm running.
GitHub - draios/sysdig: Linux system exploration and troubleshooting tool with first class support for containers

Getting closer! I'm nerding out on Sysdig right now - it's really cool. After reading through their blog post on containers it looks like I'm able to get what I'm after.

sysdig -pc -c proc_exec_time container.id=6bf86ac40ec3

After running the command above I'm getting a list of processes that are being run from the container!

Let There Be Light - Sysdig Adds Container Visibility (Sysdig blog post)

Now I just need to see if there's a way to log this to newline delimited JSON as new processes appear 😀

Well it turns out that the proc_exec_time chisel didn't support JSON output.. bummer..

But! I was able to figure out what filters and fields that the chisel was using and get what I wanted..

sysdig -j -pc container.id=6bf86ac40ec3 and evt.type=procexit -p"%proc.name %proc.args %evt.time.s %proc.duration %container.id"

The above command did just that! Now I've got NDJSON output:

{
  "container.id": "6bf86ac40ec3",
  "evt.time.s": 1674271291517583551,
  "proc.args": "/opt/append_success.sh 3e0100f0-9ffd-4617-9215-7b973e8c3fe1",
  "proc.duration": 1673009,
  "proc.name": "sh"
}

(I formatted it because reading unformatted JSON can be painful)

I think I'll write a blog post about this so that it's easier to read than this stream-of-thought style toot.

Appreciate the folks who boosted this thread 🙏
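The thread ends with sysdig producing one JSON object per process exit, but the original goal was to notice when a GTFOBins binary runs inside the target container. The script below is an added example, not code from the thread or from the sysdig project: it reads that NDJSON (from stdin, or from a constructed sample embedded in the file), keeps only events for one container ID, and writes an alert line for every process whose proc.name is on a watchlist. The watchlist is a small constructed subset of GTFOBins names and is an assumption; the sample event lines are made up but use the same field names the sysdig command above prints.

```python
"""Flag watchlisted binaries in sysdig NDJSON process logs (added example, not from the thread)."""
import json
import sys
from typing import Iterable, Iterator, List, Optional

# Constructed subset of binary names from GTFOBins. Assumption for the example only:
# the real list is much longer and should be loaded from the project's data files.
WATCHLIST = frozenset({
    "sh", "bash", "dash", "python", "python3", "perl", "ruby",
    "find", "awk", "vim", "vi", "nc", "curl", "wget", "base64", "tar",
})

# Constructed sample of the NDJSON that `sysdig -j ...` emits, one event per line,
# using the field names from the command in the thread. All values are made up;
# the fifth line is deliberately malformed to show the parser skipping it.
SAMPLE_NDJSON = """\
{"container.id": "6bf86ac40ec3", "evt.time.s": 1674271291517583551, "proc.args": "/opt/append_success.sh 3e0100f0-9ffd-4617-9215-7b973e8c3fe1", "proc.duration": 1673009, "proc.name": "sh"}
{"container.id": "6bf86ac40ec3", "evt.time.s": 1674271292000000000, "proc.args": "-c id", "proc.duration": 1200, "proc.name": "bash"}
{"container.id": "6bf86ac40ec3", "evt.time.s": 1674271293000000000, "proc.args": "-la /tmp", "proc.duration": 800, "proc.name": "ls"}
{"container.id": "0000deadbeef", "evt.time.s": 1674271294000000000, "proc.args": "-d", "proc.duration": 500, "proc.name": "base64"}
this line is not json
{"container.id": "6bf86ac40ec3", "evt.time.s": 1674271295000000000, "proc.args": "/tmp -name notes.txt", "proc.duration": 20000, "proc.name": "find"}
"""


def parse_ndjson(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per well-formed JSON line.

    Blank and malformed lines are skipped rather than raising: a sysdig process that
    is interrupted can leave a partial last line, and one bad line should not stop
    the monitor.
    """
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def flag_events(events: Iterable[dict], watchlist: frozenset = WATCHLIST,
                container_id: Optional[str] = None) -> List[dict]:
    """Return an alert record for each event whose proc.name is on the watchlist.

    When container_id is given, events from other containers are ignored, which is
    the same narrowing the sysdig filter `container.id=...` does on the host side.
    """
    alerts = []
    for evt in events:
        if container_id is not None and evt.get("container.id") != container_id:
            continue
        name = evt.get("proc.name", "")
        if name in watchlist:
            alerts.append({
                "container.id": evt.get("container.id"),
                "evt.time.s": evt.get("evt.time.s"),
                "proc.name": name,
                "proc.args": evt.get("proc.args", ""),
                "reason": "proc.name on GTFOBins watchlist",
            })
    return alerts


def alerts_to_ndjson(alerts: Iterable[dict]) -> str:
    """Serialise alerts as newline-delimited JSON, one object per line."""
    return "".join(json.dumps(a, sort_keys=True) + "\n" for a in alerts)


def write_alerts(alerts: List[dict], out) -> int:
    """Write alerts as NDJSON to a file object and return how many were written."""
    out.write(alerts_to_ndjson(alerts))
    return len(alerts)


if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   sysdig -j -pc container.id=6bf86ac40ec3 and evt.type=procexit \
    #       -p"%proc.name %proc.args %evt.time.s %proc.duration %container.id" \
    #     | python3 watch_gtfobins.py 6bf86ac40ec3 >> alerts.ndjson
    # With no piped input the constructed sample is used instead.
    cid = sys.argv[1] if len(sys.argv) > 1 else None
    source = SAMPLE_NDJSON.splitlines() if sys.stdin.isatty() else sys.stdin
    write_alerts(flag_events(parse_ndjson(source), container_id=cid), sys.stdout)
```

Because sysdig's `-j` output already contains the container ID, the filtering could also stay entirely in the sysdig filter expression; keeping it in the consumer as well means a log file captured without the filter can still be triaged later for one container.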