security: enhance logging for denied privileged method calls
Improved security audit trail for attempted container privilege escalation: - Added detailed logging when containers attempt privileged methods - Logs UID, GID, PID, correlation ID, and method name - Marked with "SECURITY:" prefix for easy filtering/alerting - Helps operators detect and investigate compromise attempts Example log output: SECURITY: Container attempted to call privileged method - access denied method=ensure_cluster_keys uid=101000 gid=101000 pid=12345 Addresses Codex recommendation for comprehensive logging of denied privileged RPCs to enable monitoring and alerting on attempted abuse.
This commit is contained in:
parent
1e25fa572a
commit
1519390f08
1 changed files with 6 additions and 2 deletions
|
|
@ -400,9 +400,13 @@ func (p *Proxy) handleConnection(conn net.Conn) {
|
|||
// Privileged methods can only be called from host (not from containers)
|
||||
if p.isIDMappedRoot(cred) {
|
||||
resp.Error = "method requires host-level privileges"
|
||||
logger.Warn().
|
||||
log.Warn().
|
||||
Str("method", req.Method).
|
||||
Msg("Container attempted to call privileged method")
|
||||
Uint32("uid", cred.uid).
|
||||
Uint32("gid", cred.gid).
|
||||
Uint32("pid", cred.pid).
|
||||
Str("corr_id", req.CorrelationID).
|
||||
Msg("SECURITY: Container attempted to call privileged method - access denied")
|
||||
p.sendResponse(conn, resp)
|
||||
p.metrics.rpcRequests.WithLabelValues(req.Method, "unauthorized").Inc()
|
||||
return
|
||||
|
|
|
|||
Loading…
Reference in a new issue