[lxc-users] lxc-security: iptables audit with nflog not working with default settings (insecure)
Fiedler Roman
Roman.Fiedler at ait.ac.at
Wed Mar 11 13:03:20 UTC 2015
> Von: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] Im
> Auftrag
>
> On Wed, Mar 11, 2015 at 7:22 PM, Fajar A. Nugraha <list at fajar.net> wrote:
> > On Wed, Mar 11, 2015 at 7:02 PM, Fiedler Roman
> <Roman.Fiedler at ait.ac.at> wrote:
> >> This should be exactly the configuration I have tested so far. But that
> >> did
> >> not yet solve my problem ...
> >>
> >> * If some process in guest registers for the same NFLOG queue, he can
> "steal"
> >> the messages from the host queue, thus removing traces of his activity
> from
> >> host logging. SECURITY-ASPECT: apart from log corruption, the guest can
> get
> >> knowledge about any other connection to/from other containers and the
> host and
> >> as they include sequence numbers, may be able to inject spoofed data
> into any
> >> other unencrypted TCP connection or at least interrupt the connection
> using
> >> another helper machine.
> >
> > No. What makes you believe that?
> >
> > Host and containers does not share iptables rules. Their entire
> > network stack is separated thru network namespace. There's no such
> > thing as "stealing the message".>
> To further clarify:
>
> The default lxc networking setup (veth with bridge) MAY allow a
> container to snoop/hijack traffic to/from other containers. This is
> similar to how a computers on the same LAN, connected to a dumb
> switch, can potentially snoop/hijack traffic to/from other computers.
> This is ethernet bridge issue, not iptables issue, nor lxc issue.
>
> To prevent that issue, there are some options you can do. One option
> is to create a separate bridge for each container. The other option
> would be to use my alternative setup which I linked to earlier, which
> does NOT use bridge.
Yes, I'm completely aware of that property of bridge.
But the current issue is different: The guest can snoop on the NFLOG messages
generated on host and destined for the host and hence can get knowledge of ANY
NFLOGed connection of host or any guest, no matter if on same bridge or
another one.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6344 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20150311/989620cb/attachment-0001.bin>
More information about the lxc-users
mailing list