Questions about security #509
-
Hi, further to this, the list above is specific to the default capabilities provided when CRI-O is the container engine (as per the "default_capabilities" section of https://github.com/cri-o/cri-o/blob/main/docs/crio.conf.5.md). Docker, however, grants additional capabilities by default, see here: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities. Can you please assess these additional capabilities and look at dropping as many of them as possible that aren't required? The additional ones granted by Docker are:
Alternatively, dropping "ALL" and then adding back in only the capabilities the otel-collector needs would be best practice. Thank you!
-
I think we have done some of those enhancements - please get in touch with us over support to file an idea if you'd like to see more work in this area.
-
I have been looking at the SCC definition in the Splunk otel collector helm chart (https://github.com/signalfx/splunk-otel-collector-chart/blob/main/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml) and comparing it to the OpenShift cluster logging operator SCC “log-collector-scc” (which deploys an EFK stack to perform monitoring).
The OpenShift cluster logging operator SCC is a more restrictive policy, requiring the following kernel capabilities to be dropped:
CHOWN
DAC_OVERRIDE
FSETID
FOWNER
SETGID
SETUID
SETPCAP
NET_BIND_SERVICE
KILL
It also does not require access to the host network, host ports, or host PID.
It also sets the “read-only root filesystem” requirement as “true”, whereas the Splunk otel collector does not.
I did get that “For the first one with restrictive SCC probably won't work as we need to pick up the files off disk which are root, and requires us to run as root.” And I’m looking for a similar explanation for the other settings. Could you please help me understand the correlation between these other Splunk otel collector SCC settings and the functionality they provide, so that it can be assessed from a security perspective? Thank you.
Further to this, given that the agent container will be running as the root user, and with the level of host access set out in the SCC available to it, can you please confirm your vulnerability management process for ensuring the risk to the consumer of the agent is minimized?
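To make the comparison above repeatable, here is an added example (not part of the Splunk chart or the OpenShift operator) that checks an SCC object against the restrictive baseline described in this post: the nine capabilities log-collector-scc drops, no host network/ports/PID, and a read-only root filesystem. The SCC in the block is a constructed sample that mirrors the permissive settings discussed, not a copy of the chart's template.

```python
"""Assess an OpenShift SecurityContextConstraints object against a
restrictive baseline (added example; the sample SCC below is constructed)."""

# Capabilities the log-collector-scc drops, as listed in the discussion.
BASELINE_DROP = {"CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "SETGID",
                 "SETUID", "SETPCAP", "NET_BIND_SERVICE", "KILL"}
# Host-access and filesystem settings the baseline requires.
BASELINE_FLAGS = {"allowHostNetwork": False, "allowHostPorts": False,
                  "allowHostPID": False, "readOnlyRootFilesystem": True}


def assess_scc(scc):
    """Return findings where `scc` is looser than the baseline (empty if compliant)."""
    findings = []
    dropped = set(scc.get("requiredDropCapabilities") or [])
    # Dropping ALL covers every baseline capability; otherwise list what is missing.
    if "ALL" not in dropped:
        missing = sorted(BASELINE_DROP - dropped)
        if missing:
            findings.append("capabilities not dropped: " + ", ".join(missing))
    # Anything added back must be justified individually by the workload.
    for cap in sorted(set(scc.get("allowedCapabilities") or [])):
        findings.append(f"capability explicitly allowed: {cap}")
    for key, wanted in BASELINE_FLAGS.items():
        actual = scc.get(key, False)  # absent boolean fields default to False
        if actual != wanted:
            findings.append(f"{key} is {actual}, baseline requires {wanted}")
    # RunAsAny lets the container run as root; flag it for review.
    if scc.get("runAsUser", {}).get("type") == "RunAsAny":
        findings.append("runAsUser: RunAsAny (container may run as root)")
    return findings


# Constructed sample resembling a permissive agent SCC (illustrative only).
SAMPLE_SCC = {
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "example-agent-scc"},
    "allowHostNetwork": True,
    "allowHostPorts": True,
    "allowHostPID": True,
    "readOnlyRootFilesystem": False,
    "requiredDropCapabilities": [],
    "runAsUser": {"type": "RunAsAny"},
}

if __name__ == "__main__":
    for finding in assess_scc(SAMPLE_SCC):
        print("-", finding)
```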