Home

Awesome

Conmachi Container Scanner

Is It Wrong To Pick Up Capabilities In A Container?

Conmachi is a tool written in Golang intended to be used to collect information about a container environment and list potential security issues. It can be statically compiled so that it can be dropped into a container environment and run without any dependencies.

Building

Dependencies:

sudo apt-get install libpcap-dev

Conmachi is intended to be built on any LTS version of Ubuntu. In development, it has been built with Go version 1.9 and above but should compile with most versions.

You can statically build the tool with the following commands:

go get github.com/nccgroup/ConMachi
go get ./...
cd $GOPATH/bin

# Dynamically compile
CGO_LDFLAGS="/usr/lib/x86_64-linux-gnu/libpcap.a" go build conmachi
# OR statically compile, may cause issues with network scanning
CGO_LDFLAGS="/usr/lib/x86_64-linux-gnu/libpcap.a" go build -ldflags '-w -extldflags "-static"' conmachi

What it checks for

Conmachi scans for a large number of potential issues including:

It also collects information that may be useful while exploring a container including:

Currently in progress:

Flags

Usage of ./conmachi:
  -l string
        File to log to
  -sniff int
        Sniff the network for IP addresses for a given number of seconds

Example

Let's walk through running Conmachi in a Docker container. To start, we have our working directory with a copy of Conmachi in it:

$ ls
conmachi

Then let's add a Dockerfile:

FROM ubuntu

WORKDIR /example
ADD . /example

And build it:

$ ls
conmachi   Dockerfile
$ docker build -t example

And run it with a scary capability:

$ docker run --rm --security-opt seccomp=unconfined --security-opt apparmor:unconfined --cap-add SYS_ADMIN -it example
root@ffffffffffff:/example# ./conmachi 
Container has dangerous capabilities
------------------------------------
* Container has capabilities in the CapBnd set which could enable network attacks if a process runs with uid=0: CAP_NET_RAW
* Container has capabilities in the CapEff which could enable network attacks at the current privilege level: CAP_NET_RAW
* Container has dangerous capabilities in the CapBnd set which may allow for container escape if a process runs with uid=0: CAP_SYS_ADMIN
* Container has dangerous capabilities in the CapEff set which may allow for container escape if a process runs at the current privilege level: CAP_SYS_ADMIN


Container has non-default Docker capabilities
---------------------------------------------
Container has non-default Docker capabilities: CAP_SYS_ADMIN

Writeable Mounts
----------------
Some paths are mounted with write permission and may be filesystems mounted from the host. If this is the case, modifying the files at these paths may allow a contained process to modify files outside of the contained environment. The following paths were detected to be mounted with write permissions:
---
Device: /dev/sda1
Path: /etc/resolv.conf
Type: ext4
Opts: [rw relatime data=ordered]
Freq: 0
Pass: 0
---
Device: /dev/sda1
Path: /etc/hostname
Type: ext4
Opts: [rw relatime data=ordered]
Freq: 0
Pass: 0
---
Device: /dev/sda1
Path: /etc/hosts
Type: ext4
Opts: [rw relatime data=ordered]
Freq: 0
Pass: 0
---


User Namespace Disabled
-----------------------
User namespacing is not enabled. As a result, if a contained process is running with uid=0 it will be running as a privileged user if it gains access to resources outside of the container.

Container Running Unconfined AppArmor Profile
---------------------------------------------
Container is not enforcing an AppArmor profile on contained processes

Seccomp is Disabled
-------------------
Seccomp is disabled in container

Processor Vulnerable to Hardware Attacks
----------------------------------------
The following processors have bugs which may be exploited. More information about each of the processors can be found by reading /proc/cpuinfo.

Processor 0 (Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz) bugs: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf
Processor 1 (Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz) bugs: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf


Container Capabilities
----------------------
CapInh (00000000a82425fb): CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND, CAP_AUDIT_READ
CapPrm (00000000a82425fb): CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND, CAP_AUDIT_READ
CapEff (00000000a82425fb): CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND, CAP_AUDIT_READ
CapBnd (00000000a82425fb): CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND, CAP_AUDIT_READ
CapAmb (0000000000000000):


Cgroup Policy Does Not Restrict CPU Usage
-----------------------------------------
Processes in the conainer are capable of using excessive amounts of CPU time

Cgroup Policy Allows for Excessive Memory Usage
-----------------------------------------------
Processes in the conainer are capable of using excessive amounts (>8GB) of RAM

Detected Container Runtime
--------------------------
Container runtime: docker

Kernel Version Info
-------------------
Linux version 4.4.0-134-generic (buildd@lgw01-amd64-033) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) ) #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018

Cool! It caught our disabled profiles, our dangerous capability, and collected a bunch of info about the environment.