
Anti-virus in docker container - does fanotify works between host and container?

I need to implement an anti-virus on-access scanning solution for files inside Docker containers using open-source software. ClamAV On-Access works fine but has some requirements and limitations:

  • requires the CAP_SYS_ADMIN capability to work inside a container
  • needs to be run per-container, not per-host
  • requires 850Mb of resident memory for signatures in each running container, even a small one

Does this limitation - "fanotify not working for container events when watching from the host" - really exist, or have I just misconfigured ClamAV? I have no deep knowledge of how fanotify works with namespaces, but it looks like a kernel limitation to me.

UPDATE: Are there any workarounds for this limitation? Adding /var/lib/docker/overlay2/container_id/merged is one option, but because of the dynamic nature of containers clamd.conf needs to be updated on every container event. And even with the added path ClamAV doesn't detect malicious files in the containers.

Running ClamAV per-container creates huge memory overhead, especially for small containers.

Links collection:

  • fanotify events do not work between containers
  • Using fanotify within Docker Containers
  • Fanotify kernel interface does not support scanning inside containers
  • Could not watch path /var/lib/docker/overlay2 error
  • Patch for OnAccessIncludePath traversal across file systems
mva asked Feb 03 '20 16:02


2 Answers

I have a solution with a patched ClamAV.

  1. Must use ClamAV < 0.102.0 because of the splitting of scanning and detection: detected files can't be scanned because the path is observed from the container's point of view
  2. OnAccessMount doesn't work because you have to list each mount in the ClamAV config and then restart, while Docker creates mounts on the fly
  3. Must use overlayfs, not LVM, so ClamAV can access the mount
  4. OnAccessIncludePath doesn't work because the file and folder enumeration method doesn't traverse file systems (it doesn't scan beyond the mount for the path specified)

I was able to get OnAccessIncludePath working with a patch I posted to clamav-devel mailing list: https://lists.gt.net/clamav/devel/77347#77347.

I ended up with one process using fanotify for static mounts and one using inotify to monitor /var/lib/docker ephemeral mounts. Having 2 instances is still much better than 1 per container. I did a fair bit of load testing and have had the patch in production since about the time I mailed the list.

Sophos didn't work for me but I gave up pretty quickly.

user44127 answered Nov 11 '22 14:11
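As an added illustration of the approach in this answer (this is example code, not the answer's patch or ClamAV's own code), the host-side half of the design: a process running in the host mount namespace with CAP_SYS_ADMIN marks one container's overlay `merged` directory as a mount and answers FAN_OPEN_PERM events, resolving each event fd to a host path via /proc. The marker string is a constructed stand-in for a signature database, and discovering new `merged` directories (the inotify half) is left to the caller; the path `/var/lib/docker/overlay2/<id>/merged` is taken from the question.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
// Constructed stand-in for a signature database (assumption, not a real signature).
static const char BAD_MARKER[] = "X-CONSTRUCTED-BAD-MARKER";
// Map the event's open fd back to a path as seen from *this* (host) mount namespace.
int resolve_event_path(int fd, char *buf, size_t n) {
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t len = readlink(link, buf, n - 1);
    if (len < 0) return -1;
    buf[len] = '\0';
    return 0;
}
// FAN_DENY if the first 4 KiB of the file contains the marker, else FAN_ALLOW.
unsigned scan_verdict(int fd) {
    char head[4096];
    ssize_t got = pread(fd, head, sizeof head, 0);
    if (got <= 0) return FAN_ALLOW;   // empty or unreadable (e.g. a directory): allow
    return memmem(head, (size_t)got, BAD_MARKER, sizeof BAD_MARKER - 1) ? FAN_DENY : FAN_ALLOW;
}
// Mark merged_dir as a mount and gate every open on it. Must run in the host mount
// namespace with CAP_SYS_ADMIN; the overlay mount is not visible from inside the container.
int gate_mount(const char *merged_dir) {
    int fan = fanotify_init(FAN_CLASS_CONTENT, O_RDONLY | O_CLOEXEC);
    if (fan < 0) { perror("fanotify_init"); return -1; }
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM, AT_FDCWD, merged_dir) < 0) {
        perror("fanotify_mark"); close(fan); return -1;
    }
    char buf[8192] __attribute__((aligned(8))), path[PATH_MAX];
    for (;;) {
        ssize_t n = read(fan, buf, sizeof buf);
        if (n <= 0) { close(fan); return -1; }
        for (struct fanotify_event_metadata *m = (void *)buf; FAN_EVENT_OK(m, n); m = FAN_EVENT_NEXT(m, n)) {
            if (m->fd < 0) continue;
            struct fanotify_response r = { .fd = m->fd, .response = scan_verdict(m->fd) };
            if (resolve_event_path(m->fd, path, sizeof path) == 0)
                printf("%s -> %s\n", path, r.response == FAN_DENY ? "DENY" : "ALLOW");
            if (write(fan, &r, sizeof r) < 0) perror("fanotify response");
            close(m->fd);   // the event fd must be closed or the process leaks descriptors
        }
    }
}
int main(int argc, char **argv) { return argc > 1 ? gate_mount(argv[1]) : 2; }  // arg: .../overlay2/<id>/merged
```

Each event fd refers to the file through the host's view of the overlay mount, which is why the watcher must sit on the host side rather than inside the container.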


Yes, fanotify only monitors events in the mount namespace that it is running in.

Douglas Leeder answered Nov 11 '22 13:11