safeguard 使用手册
配置
safeguard 的配置文件是一个YAML格式的文件,包含了key: value 或者 key: [value list] 的键值对。
配置选项
| Config | Type | Description |
|---|---|---|
network | List | Rule for network restrictions. |
files | List | Rule for file access restrictions. |
process | List | Rule for process restrictions. |
mount | List | Rule for mount restrictions. |
dns_proxy | List | DNS Proxy configurations |
log | List containing the following sub-keys:format: [json|text]output: <path>max_size:: Maximum size to rotate (MB). Default: 100MBmax_age: Period for which logs are kept. Default: 365labels: Key / Value to be added to the log. | Log configuration. |
network
| Config | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. Default is true. |
mode | Enum with the following possible values: monitor, block | If monitor is specified, events are only logged. If block is specified, network access is blocked. |
target | Enum with the following possible values: host, container | Selecting host applies the restriction to the host-wide. Selecting container will apply the restriction only to containers. |
cidr | List containing the following sub-keys:allow: [cidr list]deny: [cidr list] | Allow or Deny CIDRs. |
domain | List containing the following sub-keys:allow: [domain list]deny: [domain list] | Allow or Deny Domains. |
command | List containing the following sub-keys:allow: [command list]deny: [command list] | Allow or Deny commands. |
uid | List containing the following sub-keys:allow: [uid list]deny: [uid list] | Allow or Deny uids. |
gid | List containing the following sub-keys:allow: [gid list]deny: [gid list] | Allow or Deny gids. |
示例
Allow all network connections
Allows all network communications and monitors their connections.
network:
mode: monitor
target: host
cidr:
allow: ['0.0.0.0/0']
Block specify Private Networks
Block access to 192.168.1.1/24 and 10.0.1.1/24.
network:
mode: block
target: host
cidr:
allow: ['0.0.0.0/0']
deny:
- 192.168.1.1/24
- 10.0.1.1/24
Block Metadata service API
Block access to the public cloud Metadata Service. This is a mitigation measure against SSRF, etc.
network:
mode: block
target: host
cidr:
allow: ['0.0.0.0/0']
deny:
- 169.254.169.254/32
Block connections to the specified domain
Block connections to example.com. safeguard periodically looks up IP addresses, so it keeps up with IP address changes.
network:
mode: block
target: host
cidr:
allow: ['0.0.0.0/0']
domain:
deny:
- example.com
Block network connections of containers
Allow communication from the host, but block communication from the containers.
network:
mode: block
target: container
cidr:
allow: ['0.0.0.0/0']
domain:
deny:
- example.com
!!! example
vagrant@ubuntu-impish:~$ curl -I https://example.com
HTTP/2 200
vagrant@ubuntu-impish:~$ sudo docker run --rm -it curlimages/curl https://example.com
curl: (7) Couldn't connect to server
Block all connections from curl
network:
mode: monitor
target: container
cidr:
allow: ['0.0.0.0/0']
command:
deny: ['curl']
!!! example
vagrant@ubuntu-impish:~$ curl -I https://example.com
curl: (6) Could not resolve host: example.com
vagrant@ubuntu-impish:~$ wget https://example.com -O /dev/null
--2022-03-09 14:45:11-- http://example.com/
Resolving example.com (example.com)... 93.184.216.34
Connecting to example.com (example.com)|93.184.216.34|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1256 (1.2K) [text/html]
Saving to: ‘/dev/null’
/dev/null 100%[============================>] 1.23K --.-KB/s in 0s
2022-03-09 14:45:12 (70.1 MB/s) - ‘/dev/null’ saved [1256/1256]
Block all connections by users with UID 1000
Setting that blocks all network access for UID 1000 user, but does not apply restrictions to UID 0 (root).
network:
mode: monitor
target: container
cidr:
allow: ['0.0.0.0/0']
uid:
allow: [0]
deny: [1000]
!!! example
vagrant@ubuntu-impish:~$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
vagrant@ubuntu-impish:~$ curl -I https://example.com
curl: (6) Could not resolve host: example.com
vagrant@ubuntu-impish:~$ sudo curl -I https://example.com
HTTP/2 200
files
Linux Kernel >= 5.13 is required to use this option.
| Config | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. Default is true. |
mode | Enum with the following possible values: monitor, block | If monitor is specified, events are only logged. If block is specified, network access is blocked. |
target | Enum with the following possible values: host, container | Selecting host applies the restriction to the host-wide. Selecting container will apply the restriction only to containers. |
allow | A list of allow file paths | |
deny | A list of allow file paths |
示例
Allow access to all files
file:
mode: monitor
target: host
allow:
- /
Block access to /etc/passwd
file:
mode: block
target: host
allow:
- /
deny:
- /etc/passwd
Block all access to the /root/.ssh directory
file:
mode: block
target: host
allow:
- /
deny:
- /root/.ssh
Block access to the /proc/sys directory in the container
file:
mode: block
target: container
allow:
- /
deny:
- /proc/sys
!!! example
root@ubuntu-impish:/# ls /proc/sys
abi debug dev fs kernel net user vm
root@ubuntu-impish:/# docker run --privileged --rm -it ubuntu:latest bash
root@9cf961922b00:/# ls /proc/sys
ls: cannot open directory '/proc/sys': Operation not permitted
Block escapes from Privileged Container
file:
mode: block
target: container
allow:
- /
deny:
- /proc/sysrq-trigger
- /sys/kernel
- /proc/sys/kernel
!!! example
root@ubuntu-impish:/# docker run --privileged --rm -it ubuntu:latest bash
root@e3b2ffe5b284:/# echo c > /proc/sysrq-trigger
bash: /proc/sysrq-trigger: Operation not permitted
root@e3b2ffe5b284:/# echo '/path/to/evil' > /sys/kernel/uevent_helper
bash: /sys/kernel/uevent_helper: Operation not permitted
root@e3b2ffe5b284:/# echo '|/path/to/evil' > /proc/sys/kernel/core_pattern
bash: /proc/sys/kernel/core_pattern: Operation not permitted
process
| Config | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. Default is true. |
mode | Enum with the following possible values: monitor | If monitor is specified, events are only logged. |
target | Enum with the following possible values: host, container | Selecting host applies the restriction to the host-wide. Selecting container will apply the restriction only to containers. |
示例
mount:
mode: monitor
target: host
mount
| Config | Type | Description |
|---|---|---|
enable | Enum with the following possible values: true, false | Whether to enable restrictions or not. Default is true. |
mode | Enum with the following possible values: monitor, block | If monitor is specified, events are only logged. If block is specified, access is blocked. |
target | Enum with the following possible values: host, container | Selecting host applies the restriction to the host-wide. Selecting container will apply the restriction only to containers. |
deny | A list of allow mount paths |
示例
Block mount /var/run/docker.sock to container
mount:
mode: block
target: host
deny:
- /var/run/docker.sock
文档捉虫
