User Guide
Configuration
The safeguard configuration file is a YAML file that contains key:value or key:[value list] pairs.
Configuration Items
| Configuration Item | Type | Description |
|---|---|---|
network | List | Rule for network restrictions. |
files | List | Rule for file access restrictions. |
process | List | Rule for process restrictions. |
mount | List | Rule for mount restrictions. |
dns_proxy | List | DNS proxy configurations. |
log | List containing the following sub-keys:format: [json|text]output: <path>max_size: Maximum size to rotate (MB). Default: 100MBmax_age: Period for which logs are kept. Default: 365labels: Key/Value to be added to the log. | Log configuration. |
Network
| Configuration Item | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. Default is true. |
mode | Enum with the following possible values: monitor, block | If monitor is specified, events are only logged. If block is specified, network access is blocked. |
target | Enum with the following possible values: host, container | Selecting host will apply the restriction to hosts. Selecting container will apply the restriction only to containers. |
cidr | List containing the following sub-keys:allow: [cidr list]deny: [cidr list] | Allow or deny CIDRs. |
domain | List containing the following sub-keys:allow: [domain list]deny: [domain list] | Allow or deny domains. |
command | List containing the following sub-keys:allow: [command list]deny: [command list] | Allow or deny commands. |
uid | List containing the following sub-keys:allow: [uid list]deny: [uid list] | Allow or deny UIDs. |
gid | List containing the following sub-keys:allow: [gid list]deny: [gid list] | Allow or deny GIDs. |
Examples
Allowing All Network Connections
Allow all network communications and monitor their connections.
network:
mode: monitor
target: host
cidr:
allow: ['0.0.0.0/0']
Blocking Specified Private Networks
Block access to 192.168.1.1/24 and 10.0.1.1/24.
network:
mode: block
target: host
cidr:
allow: ['0.0.0.0/0']
deny:
- 192.168.1.1/24
- 10.0.1.1/24
Blocking Metadata Service API
Block access to the public cloud Metadata Service. This is a mitigation measure against SSRF, etc.
network:
mode: block
target: host
cidr:
allow: ['0.0.0.0/0']
deny:
- 169.254.169.254/32
Blocking Connections to a Specified Domain
Block connections to example.com. safeguard periodically looks up IP addresses to keep up with IP address changes.
network:
mode: block
target: host
cidr:
allow: ['0.0.0.0/0']
domain:
deny:
- example.com
Blocking Network Connections of Containers
Allow communication from hosts, but block communication from containers.
network:
mode: block
target: container
cidr:
allow: ['0.0.0.0/0']
domain:
deny:
- example.com
!!! example
vagrant@ubuntu-impish:~$ curl -I https://example.com
HTTP/2 200
vagrant@ubuntu-impish:~$ sudo docker run --rm -it curlimages/curl https://example.com
curl: (7) Couldn't connect to server
Blocking All Connections from cURL
network:
mode: monitor
target: container
cidr:
allow: ['0.0.0.0/0']
command:
deny: ['curl']
!!! example
vagrant@ubuntu-impish:~$ curl -I https://example.com
curl: (6) Could not resolve host: example.com
vagrant@ubuntu-impish:~$ wget https://example.com -O /dev/null
--2022-03-09 14:45:11-- http://example.com/
Resolving example.com (example.com)... 93.184.216.34
Connecting to example.com (example.com)|93.184.216.34|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1256 (1.2K) [text/html]
Saving to: '/dev/null'
/dev/null 100%[============================>] 1.23K --.-KB/s in 0s
2022-03-09 14:45:12 (70.1 MB/s) - '/dev/null' saved [1256/1256]
Blocking All Connections from the User Whose UID Is 1000
Block network access of the user whose UID is 1000, but allow network access of the user whose UID is 0.
network:
mode: monitor
target: container
cidr:
allow: ['0.0.0.0/0']
uid:
allow: [0]
deny: [1000]
!!! example
vagrant@ubuntu-impish:~$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
vagrant@ubuntu-impish:~$ curl -I https://example.com
curl: (6) Could not resolve host: example.com
vagrant@ubuntu-impish:~$ sudo curl -I https://example.com
HTTP/2 200
Files
Linux kernel 5.13 is required to use these options.
| Config | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. The default value is true. |
mode | Enum with the following possible values: monitor, block | If monitor is specified, events are only logged. If block is specified, network access is blocked. |
target | Enum with the following possible values: host, container | Selecting host will apply the restriction to hosts. Selecting container will apply the restriction to containers. |
allow | List of allowed file paths | |
deny | List of denied file paths |
Examples
Allowing Access to All Files
file:
mode: monitor
target: host
allow:
- /
Blocking Access to /etc/passwd
file:
mode: block
target: host
allow:
- /
deny:
- /etc/passwd
Blocking All Accesses to /root/.ssh
file:
mode: block
target: host
allow:
- /
deny:
- /root/.ssh
Blocking Access to /proc/sys in Containers
file:
mode: block
target: container
allow:
- /
deny:
- /proc/sys
!!! example
root@ubuntu-impish:/# ls /proc/sys
abi debug dev fs kernel net user vm
root@ubuntu-impish:/# docker run --privileged --rm -it ubuntu:latest bash
root@9cf961922b00:/# ls /proc/sys
ls: cannot open directory '/proc/sys': Operation not permitted
Blocking Escapes from Privileged Containers
file:
mode: block
target: container
allow:
- /
deny:
- /proc/sysrq-trigger
- /sys/kernel
- /proc/sys/kernel
!!! example
root@ubuntu-impish:/# docker run --privileged --rm -it ubuntu:latest bash
root@e3b2ffe5b284:/# echo c > /proc/sysrq-trigger
bash: /proc/sysrq-trigger: Operation not permitted
root@e3b2ffe5b284:/# echo '/path/to/evil' > /sys/kernel/uevent_helper
bash: /sys/kernel/uevent_helper: Operation not permitted
root@e3b2ffe5b284:/# echo '|/path/to/evil' > /proc/sys/kernel/core_pattern
bash: /proc/sys/kernel/core_pattern: Operation not permitted
Processes
| Configuration Item | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. The default value is true. |
mode | Enum with the following possible value: monitor | If monitor is specified, events are only logged. |
target | Enum with the following possible values: host, container | Selecting host will apply the restriction to hosts. Selecting container will apply the restriction to containers. |
Examples
mount:
mode: monitor
target: host
Mount
| Configuration Item | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. The default value is true. |
mode | Enum with the following possible values: monitor, block | If monitor is specified, events are only logged. If block is specified, accesses are blocked. |
target | Enum with the following possible values: host, container | Selecting host will apply the restriction to hosts. Selecting container will apply the restriction to containers. |
deny | List of allowed mount paths |
Examples
Blocking the Mount of /var/run/docker.sock to Containers
mount:
mode: block
target: host
deny:
- /var/run/docker.sock
Bug Catching
