was_777

Falco: Executing binary not part of base image for clamav freshclam

I am using GCP's malware scanner https://github.com/GoogleCloudPlatform/docker-clamav-malware-scanner/tree/main/cloudrun-malware-scanner

We have Falco configured in our infra. After running Falco on the scanner service, it flags the binary freshclam, which is present in the Dockerfile below, as a potential threat.
This is the output:

Executing binary not part of base image (proc_exe=freshclam proc_sname=bash gparent=containerd-shim proc_exe_ino_ctime=1723025821816443963 proc_exe_ino_mtime=1707425906000000000 proc_exe_ino_ctime_duration_proc_start=31954027282 proc_cwd=/app/ container_start_ts=1723025814660069004 evt_type=execve user=root user_uid=0 user_loginuid=-1 process=freshclam proc_exepath=/usr/bin/freshclam parent=bash command=freshclam terminal=0 exe_flags=EXE_WRITABLE|EXE_UPPER_LAYER container_id=7e5d8b554c6b container_name=cloudrun-malware-scanner)

However, freshclam is a valid binary shared by ClamAV for updating virus definitions.

One option would be to tweak the falco rule to whitelist the binary, but we are not allowed to update it due to the security policy of our organization.

We are looking for other ways to suppress the error.
Is there any way to handle it in the Dockerfile?

Edit: the Dockerfile contents:

FROM node:22.5.1
WORKDIR /app
COPY .  /app

ENV PATH "$PATH:/opt/google-cloud-sdk/bin/"
RUN set -x \
    && echo 'Dir::Log::Planner "/dev/null";' > /etc/apt/apt.conf.d/99disablePlannerLog \
    && export DEBIAN_FRONTEND=noninteractive \
    && apt-get -qqy update \
    && apt-get -qqy --no-install-recommends install \
        apt-transport-https \
        ca-certificates \
        curl \
        python3-pip \
        pipx \
        lsb-release \
        openssh-client \
        gnupg \
        jq \
        gawk \
        gettext-base \
        clamav-daemon \
        clamav-freshclam \
        python3-crcmod \
    && apt-get -qqy remove \
        libclamav9 \
        clamav-base \
        clamav-daemon \
        clamav-freshclam \
    && echo -n "Adding Cloud SDK apt repository: " \
    && echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
        | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list \
    && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg \
        | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg \
    && apt-get -qqy update \
    && apt-get -qqy --no-install-recommends install google-cloud-sdk \
    && gcloud config set core/disable_usage_reporting true \
    && gcloud config set component_manager/disable_update_check true \
    && gcloud config set metrics/environment github_docker_image \
    && gcloud --version \
    && find /var/log  -type f -delete \
    && npm install --omit=dev

CMD ["bash", "bootstrap.sh"]

Upvotes: 0

Views: 78
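As an added triage example (not part of the question or of the GCP project), the script below parses the Falco text output quoted above and checks the two facts the alert itself carries: `exe_flags` contains `EXE_UPPER_LAYER` (the condition this rule keys on, meaning the executable lives in the container's writable layer rather than in an image layer), and `proc_exe_ino_ctime` is later than `container_start_ts`, so the file was written after the container started, i.e. at runtime, not during the image build. Field names are the ones in the alert; the helper names are my own.

```python
import re
from typing import Any, Dict

# Alert line copied from the question (Falco's "Executing binary not part of base image" output).
FALCO_ALERT = (
    "Executing binary not part of base image (proc_exe=freshclam proc_sname=bash "
    "gparent=containerd-shim proc_exe_ino_ctime=1723025821816443963 "
    "proc_exe_ino_mtime=1707425906000000000 proc_exe_ino_ctime_duration_proc_start=31954027282 "
    "proc_cwd=/app/ container_start_ts=1723025814660069004 evt_type=execve user=root "
    "user_uid=0 user_loginuid=-1 process=freshclam proc_exepath=/usr/bin/freshclam "
    "parent=bash command=freshclam terminal=0 exe_flags=EXE_WRITABLE|EXE_UPPER_LAYER "
    "container_id=7e5d8b554c6b container_name=cloudrun-malware-scanner)"
)

_LINE_RE = re.compile(r"^(?P<msg>[^(]+)\((?P<fields>.*)\)\s*$")
_FIELD_RE = re.compile(r"(\w+)=(\S+)")  # values contain no spaces in Falco text output


def parse_falco_output(line: str) -> Dict[str, str]:
    """Split a Falco text-output line into its message and key=value fields."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a Falco text-output line")
    fields = dict(_FIELD_RE.findall(m.group("fields")))
    fields["_message"] = m.group("msg").strip()
    return fields


def triage(fields: Dict[str, str]) -> Dict[str, Any]:
    """Derive, from the alert's own timestamps and flags, why the rule fired.

    All *_ts / *_ino_* values are nanoseconds since the epoch. ctime changes when the
    inode is written on this filesystem; mtime is preserved by package extraction, so
    ctime > container_start_ts means the binary was dropped into the upper layer at
    runtime rather than being part of an image layer.
    """
    ctime = int(fields["proc_exe_ino_ctime"])
    mtime = int(fields["proc_exe_ino_mtime"])
    start = int(fields["container_start_ts"])
    flags = set(fields.get("exe_flags", "").split("|"))
    return {
        "exe": fields["proc_exepath"],
        "in_upper_layer": "EXE_UPPER_LAYER" in flags,       # the rule's trigger condition
        "written_after_container_start": ctime > start,    # runtime install, not build-time
        "seconds_after_start": round((ctime - start) / 1e9, 3),
        "mtime_predates_ctime_days": round((ctime - mtime) / 86400e9, 1),
    }


if __name__ == "__main__":
    print(triage(parse_falco_output(FALCO_ALERT)))
```

For this alert the binary was written about 7 seconds after container start, so whatever installs ClamAV at start-up (rather than the Dockerfile's build step) is what puts freshclam in the upper layer; a binary baked into an image layer at build time does not carry EXE_UPPER_LAYER and does not match this rule.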

Answers (0)
