I run falco and falcosidekick with docker compose, without k8s.
I need to retrieve AWS instance metadata into the Falco rules output.
I've found the jevt field class, but I encountered an error on falco container start:
Invalid output format 'command=%jevt.value[/awsRegion': 'invalid formatting token jevt.value[/awsRegion']
Here are my rules:
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: >
    command=%jevt.value["/awsRegion"]
  priority: NOTICE
  tags: [ container, shell, mitre_execution ]
How can I do this?
Thank you
Several things to know:
The syntax for jevt.value is jevt.value[/awsRegion] (no quotes).
These kinds of fields are for events in JSON format; this works for Kubernetes audit logs, but in your case the rule is based on syscalls.
Falco will not query AWS metadata either, so you will not have this information in your output like this.
Regards,
Falco doesn't query AWS metadata, so I retrieved the metadata with an aws cli describe-instances call and passed the metadata to the falcosidekick container.
# loading EC2 metadata
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
INSTANCE_IP=$(aws ec2 describe-instances --instance-id "$INSTANCE_ID" --region eu-west-1 --query 'Reservations[*].Instances[*].{InstanceIp:PublicIpAddress}' --output text)
CLUSTER_NAME=$(aws ec2 describe-instances --instance-id "$INSTANCE_ID" --region eu-west-1 --query 'Reservations[*].Instances[*].{ClusterName:Tags[?Key==`Name`]|[0].Value}' --output text)
# pass the values to falcosidekick as custom fields (key:value pairs, comma separated)
docker run -d -p 2801:2801 \
  -e CUSTOMFIELDS=INSTANCE_ID:"$INSTANCE_ID",INSTANCE_IP:"$INSTANCE_IP",CLUSTER_NAME:"$CLUSTER_NAME" \
  --name falcosidekick \
  falcosecurity/falcosidekick
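As an added example (not code from the post above, and not part of Falco or falcosidekick), here is the same metadata collection done the way a hardened bootstrap script would do it: the instance identity is read through an IMDSv2 session token rather than a bare GET (an instance that enforces IMDSv2 rejects the bare GET, which is the request an SSRF'd process would send), and the CUSTOMFIELDS string is validated before it reaches the container, since falcosidekick splits it on commas and colons. The script name, the IMDS override variable, the "run" argument and the placeholder identifiers are assumptions for the example; the image, port and field names are those from the post.

```shell
#!/bin/sh
# Added example, not code from the post above: read the instance identity via
# IMDSv2 (token first, then the metadata path) and assemble the CUSTOMFIELDS
# value for falcosidekick. Assumed: curl and the AWS CLI are installed, the
# instance role may call ec2:DescribeInstances, and the container image/port
# are the ones from the post. IMDS is overridable so the functions can be
# pointed at a test endpoint.
set -eu

IMDS="${IMDS:-http://169.254.169.254}"

# IMDSv2: a PUT with a TTL header returns a session token. An instance with
# IMDSv2 enforced refuses the plain GET that an SSRF'd web process would send,
# which is why the token step is worth keeping even in a bootstrap script.
imds_token() {
  curl -sf -X PUT "$IMDS/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
}

# Read one metadata path (e.g. instance-id, public-ipv4, placement/region).
imds_get() {
  curl -sf -H "X-aws-ec2-metadata-token: $(imds_token)" \
    "$IMDS/latest/meta-data/$1"
}

# falcosidekick parses CUSTOMFIELDS as comma-separated key:value pairs, so a
# value containing ',' or ':' would be split into bogus fields; refuse those.
check_value() {
  case "$1" in
    ''|*,*|*:*) echo "refusing CUSTOMFIELDS value '$1'" >&2; return 1 ;;
  esac
}

# Build the string passed as -e CUSTOMFIELDS=... to the container.
build_customfields() {
  check_value "$1" && check_value "$2" && check_value "$3" || return 1
  printf 'INSTANCE_ID:%s,INSTANCE_IP:%s,CLUSTER_NAME:%s' "$1" "$2" "$3"
}

# Identity from IMDSv2; the Name tag via the CLI, because tags are only in
# IMDS when "instance metadata tags" is enabled on the instance.
collect_fields() {
  id=$(imds_get instance-id)
  ip=$(imds_get public-ipv4)
  region=$(imds_get placement/region)
  name=$(aws ec2 describe-instances --instance-ids "$id" --region "$region" \
    --query "Reservations[0].Instances[0].Tags[?Key=='Name']|[0].Value" \
    --output text)
  build_customfields "$id" "$ip" "$name"
}

# Only launch the container when invoked as "./falcosidekick-fields.sh run",
# so the file can also be sourced for its functions.
if [ "${1:-}" = run ]; then
  fields=$(collect_fields)   # assignment, so a failure here stops the script
  docker run -d -p 2801:2801 -e "CUSTOMFIELDS=$fields" \
    --name falcosidekick falcosecurity/falcosidekick
fi
```

The public IP and region come straight from IMDS here, so only the Name tag needs a describe-instances call; build_customfields refuses values that would corrupt the field list instead of silently producing extra fields.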
I am trying to fetch VPC details for all regions. I tried to run my script without a default profile, which results in the error "You must specify a region. You can also configure your region by running "aws configure"", even though I have my own profile configured with all the required details for it.
The same script works fine after configuring a default profile.
Question is: does the AWS CLI require a default profile as mandatory?
My script:
for region in `aws ec2 describe-regions --output text| cut -f4`
do
  aws ec2 --profile sam --region $region --output text --query 'Vpcs[*].{VpcId:VpcId,CidrBlock:CidrBlock}' describe-vpcs
done
cat .aws/config
[profile sam]
output = json
region = us-east-1
If you don’t have a default profile configured, you can define the target profile with the --profile option.
aws ec2 describe-regions --profile profile-name
Another way is to set the AWS_PROFILE environment variable. This way you don’t have to explicitly add the option for every AWS CLI command.
export AWS_PROFILE=profile-name
Seems like a bug in your script. I tried the below and it worked for me.
for region in `aws ec2 describe-regions --output text| cut -f4`
do
  aws ec2 describe-vpcs --profile <myProfile> --region $region --output text --query 'Vpcs[*].{VpcId:VpcId,CidrBlock:CidrBlock}'
done
Found the issue: I need to add --profile in my first line of code as well. It works fine now.
for region in `aws ec2 describe-regions --profile sam --output text| cut -f4`
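As an added example (not the script from the thread above), here is the per-region VPC listing written so that the profile question cannot come back: the profile is resolved once (argument or AWS_PROFILE, otherwise the script refuses to run rather than letting the CLI fall back to [default], which may be a different account), every call goes through one wrapper that always passes --profile, and the identity is printed with sts get-caller-identity before anything is enumerated. The script name, the awsp/resolve_profile helpers, the BOOTSTRAP_REGION variable and the profile name sam are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the script from the thread above: list VPCs in every
# region using one named profile, with no dependence on a [default] profile.
# The profile comes from the first argument or AWS_PROFILE, and every call goes
# through awsp() so that no single call (the describe-regions in the original
# script was the one missing it) can fall back to other credentials.
# Assumed: AWS CLI v2, a profile allowed ec2:DescribeRegions, ec2:DescribeVpcs
# and sts:GetCallerIdentity; BOOTSTRAP_REGION only serves describe-regions.
set -eu

BOOTSTRAP_REGION="${BOOTSTRAP_REGION:-us-east-1}"

# Explicit argument, else AWS_PROFILE, else fail loudly instead of letting the
# CLI quietly pick [default], which may belong to a different account.
resolve_profile() {
  p="${1:-${AWS_PROFILE:-}}"
  [ -n "$p" ] || { echo "no profile given (argument or AWS_PROFILE)" >&2; return 1; }
  printf '%s' "$p"
}

# Single choke point for the CLI: --profile is always present.
awsp() { aws --profile "$PROFILE" "$@"; }

# Show which identity the profile resolves to before enumerating anything.
whoami_aws() { awsp sts get-caller-identity --query Arn --output text; }

list_regions() {
  awsp ec2 describe-regions --region "$BOOTSTRAP_REGION" \
    --query 'Regions[].RegionName' --output text
}

# One line per VPC: region, VpcId, CidrBlock (tab separated).
list_vpcs_all_regions() {
  for region in $(list_regions); do
    awsp ec2 describe-vpcs --region "$region" --output text \
      --query 'Vpcs[].[VpcId,CidrBlock]' \
      | awk -v r="$region" 'BEGIN { OFS = "\t" } { print r, $0 }'
  done
}

# Usage: ./vpcs.sh sam   (or: AWS_PROFILE=sam ./vpcs.sh "")
if [ $# -ge 1 ]; then
  PROFILE=$(resolve_profile "$1")
  echo "using identity $(whoami_aws)" >&2
  list_vpcs_all_regions
fi
```

describe-regions itself needs a region to be sent somewhere, which is what the "You must specify a region" error was about; here it is given explicitly, so the script works even with a profile that has no region line.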
This command lists hundreds of Windows servers. How do I select the most popular ones, the ones displayed on the web console while I create a new instance?
# aws ec2 describe-images --owners amazon --filters "Name=name,Values=Windows_Server*" --query 'sort_by(Images, &CreationDate)[].Name'
[
"Windows_Server-2016-English-Full-ECS_Optimized-2017.11.24",
"Windows_Server-2016-English-Full-ECS_Optimized-2018.01.10",
"Windows_Server-2016-English-Full-ECS_Optimized-2018.02.21",
"Windows_Server-2016-English-Full-ECS_Optimized-2018.03.26",
"Windows_Server-2016-English-Nano-Base-2018.04.11",
...
...
]
I am looking for the full name and not just the ami-id.
For e.g. which one of the above is "ami-04ca2d0801450d495"?
The DescribeImages API call returns the name of the AMI along with the rest of the info. To extract just the name of the AMI, you can run the following command:
aws ec2 describe-images --image-ids $IMAGE_ID \
--output text --query 'Images[*].Name'
Details about the describe-images command can be found here.
This command will return the full name of the given AMI ID:
aws ssm get-parameters-by-path --path "/aws/service/ami-windows-latest" --region us-east-1 | grep -C3 '04ca2d0801450d495'
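As an added example (not from the answers above), here are the two lookups wrapped so they can be reused, with the check a practitioner would want before launching from an AMI id somebody handed over: the name lookup is restricted to Amazon-owned images, because anyone can publish a public AMI whose name starts with Windows_Server-*, and an id that is not Amazon's yields a failure rather than an empty line. The second function maps an id back to the "latest" SSM parameter it currently matches, which is the list the console's quick-start Windows images come from. The script name, the REGION variable and the sample ids in the test are assumptions.

```shell
#!/bin/sh
# Added example, not from the answers above: resolve an AMI id to its Name but
# only accept it if Amazon owns it, and map an id back to the "latest" Windows
# SSM parameter the console's quick-start list is built from. Anyone can
# publish a public AMI named Windows_Server-*, so the --owners amazon filter is
# the provenance check that matters before launching from an id you were sent.
# Assumed: a profile allowed ec2:DescribeImages and ssm:GetParametersByPath.
set -eu

REGION="${REGION:-us-east-1}"

# Print "Name<TAB>OwnerId<TAB>ImageOwnerAlias" for an AMI, restricted to
# Amazon-owned images. An empty/None result means the id is not Amazon's (or
# does not exist in this region); fail rather than print nothing.
ami_name_verified() {
  out=$(aws ec2 describe-images --image-ids "$1" --owners amazon \
        --region "$REGION" --query 'Images[0].[Name,OwnerId,ImageOwnerAlias]' \
        --output text 2>/dev/null) || out=''
  case "$out" in
    ''|None*) echo "$1 is not an Amazon-owned AMI in $REGION" >&2; return 1 ;;
  esac
  printf '%s\n' "$out"
}

# The quick-start Windows images correspond to these public SSM parameters;
# each Value is the current AMI id for that flavour.
latest_windows_amis() {
  aws ssm get-parameters-by-path --path /aws/service/ami-windows-latest \
    --region "$REGION" --query 'Parameters[].[Name,Value]' --output text
}

# Which "latest" parameter (if any) currently points at the given id.
latest_param_for() {
  latest_windows_amis | awk -v id="$1" '$2 == id { print $1 }'
}

# Usage: ./ami-check.sh ami-xxxxxxxxxxxxxxxxx
if [ $# -ge 1 ]; then
  ami_name_verified "$1"
  latest_param_for "$1"
fi
```

If latest_param_for prints nothing the id is an older build of some flavour (or not a quick-start image at all); the parameter Values move forward as AWS publishes new monthly builds, so compare by name prefix rather than pinning to the id.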
I have been trying to tag EBS Volumes attached to EC2 instances in the CloudFormation UserData section. Here was my first attempt:
Example 1:
AWS_INSTANCE_ID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`
ROOT_DISK_ID=`aws ec2 describe-volumes \
--filter Name=attachment.instance-id,Values="${AWS_INSTANCE_ID}" \
--query "Volumes[].VolumeId" --region us-east-1 --out text`
aws ec2 create-tags --resources "${ROOT_DISK_ID}" \
--tags 'Key=VolumeTagName,Value=VolumeTagValue' --region us-east-1
This resulted in a Template format error: Unresolved resource dependencies [AWS_INSTANCE_ID, ROOT_DISK_ID] in the Resources block of the template error.
A post I came across mentioned that using the ! when calling the variable in the Cloudformation UserData script will get around this, so it now looks like this:
Example 2:
AWS_INSTANCE_ID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`
ROOT_DISK_ID=`aws ec2 describe-volumes \
--filter Name=attachment.instance-id,Values="${!AWS_INSTANCE_ID}" \
--query "Volumes[].VolumeId" --region us-east-1 --out text`
aws ec2 create-tags --resources "${!ROOT_DISK_ID}" \
--tags 'Key=VolumeTagName,Value=VolumeTagValue' --region us-east-1
This gets around that error, yet still, no tags appear on the Volume attached to an instance launched with this template. If I ssh into the instance and run Example 1, it works just fine. Example 2 does not give me any errors to work with.
What am I doing wrong in bash, that is specific to Cloudformation?
If I understand correctly, you're trying to create your script using CloudFormation and then executing it on the EC2 instance on startup. Using YAML, this is my UserData section:
UserData: !Base64
  Fn::Join:
    - ''
    - - "#!/bin/bash -xe \n"
      - "cat << 'EOF' > /home/ec2-user/script.sh \n"
      - "AWS_INSTANCE_ID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`\n"
      - "ROOT_DISK_ID=`aws ec2 describe-volumes "
      - "--filter Name=attachment.instance-id,Values=\"${AWS_INSTANCE_ID}\" "
      - "--query \"Volumes[*].[VolumeId]\" --region eu-west-1 --out text`\n"
      - "aws ec2 create-tags --resources \"${ROOT_DISK_ID}\" "
      - "--tags 'Key=MyAutoTagName,Value=MyAutoTagValue' --region eu-west-1\n"
      - "EOF\n"
      - "chmod +x /home/ec2-user/script.sh\n"
      - "/home/ec2-user/script.sh\n"
I changed the region due to the region I'm using.
If I view the contents of my script.sh file I get the below:
AWS_INSTANCE_ID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`
ROOT_DISK_ID=`aws ec2 describe-volumes --filter Name=attachment.instance-id,Values="${AWS_INSTANCE_ID}" --query "Volumes[*].[VolumeId]" --region eu-west-1 --out text`
aws ec2 create-tags --resources "${ROOT_DISK_ID}" --tags 'Key=MyAutoTagName,Value=MyAutoTagValue' --region eu-west-1
The only difference I can see is your "Volumes[].[VolumeId]*". I'm not sure what your UserData section looks like, so it may be an escaping issue.
Using my UserData section above the tag was created as soon as the instance was spun up and userdata section ran.
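As an added example (not the asker's or the answerer's script), here is the script that the UserData above writes out, reworked the way a reviewer would ask for: the instance id and region come through an IMDSv2 token, the volume lookup copes with instances that have more than one attached volume (with --output text a list arrives tab separated on one line, so the quoted "${ROOT_DISK_ID}" becomes a single bogus argument the moment a second volume exists), and all volumes are tagged in one create-tags call. Embedded with Fn::Join as in the answer above it needs no escaping of ${...}. The script name, the IMDS override, the "run" argument and the TAG_KEY/TAG_VALUE variables are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the asker's or the answerer's script: the script written
# out by the UserData block above, reworked to read the instance id and region
# through an IMDSv2 token, handle instances with more than one attached volume,
# and tag all of them in a single create-tags call. Assumed: the instance role
# allows ec2:DescribeVolumes and ec2:CreateTags; IMDS is overridable for tests.
set -eu

IMDS="${IMDS:-http://169.254.169.254}"

# IMDSv2 read: token via PUT, then the metadata path with the token header.
imds_get() {
  tok=$(curl -sf -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sf -H "X-aws-ec2-metadata-token: $tok" "$IMDS/latest/meta-data/$1"
}

# Volume ids attached to instance $1 in region $2, one per line. With
# --output text a multi-element list arrives tab separated on one line, which
# is why the original "${ROOT_DISK_ID}" (quoted, a single argument) breaks as
# soon as a second volume is attached.
attached_volumes() {
  aws ec2 describe-volumes --region "$2" \
    --filters "Name=attachment.instance-id,Values=$1" \
    --query 'Volumes[].VolumeId' --output text | tr '\t' '\n' | sed '/^$/d'
}

# Tag every attached volume in one call. --resources accepts several ids, so
# $vols is expanded unquoted on purpose to let the shell split it.
tag_attached_volumes() {
  inst=$1; region=$2; key=$3; val=$4
  vols=$(attached_volumes "$inst" "$region")
  [ -n "$vols" ] || { echo "no volumes attached to $inst" >&2; return 1; }
  # shellcheck disable=SC2086
  aws ec2 create-tags --region "$region" --resources $vols \
    --tags "Key=$key,Value=$val"
}

# Usage on the instance: ./tag-volumes.sh run   (TAG_KEY/TAG_VALUE optional)
if [ "${1:-}" = run ]; then
  tag_attached_volumes "$(imds_get instance-id)" "$(imds_get placement/region)" \
    "${TAG_KEY:-VolumeTagName}" "${TAG_VALUE:-VolumeTagValue}"
fi
```

Because the region is read from IMDS the same script works in any region without editing the hard-coded us-east-1/eu-west-1 from the two versions above; the instance role still needs ec2:CreateTags scoped to volumes, which is the permission most often missing when "no errors, no tags" is the symptom.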
How do I catch a few AWS EC2 instance IPs and put them into a script variable if they are generated randomly and automatically every time?
I was trying to make it with
echo "$(curl http://169.254.169.254/latest/meta-data/public-ipv4/) master" >> /etc/hosts
but it is just the IP of one of them.
Also was trying with
aws ec2 describe-instances ... but I don't know how to separate the clean IP from the other information. Any suggestions with awk / sed?
Use the AWS Command-Line Interface (CLI) with a --query parameter:
aws ec2 describe-instances --query 'Reservations[*].Instances[*].{ID:InstanceId,Public:PublicIpAddress,Private:PrivateIpAddress}' --output text
i-2da518a2 172.31.15.3 None
i-6d261640 172.31.27.232 56.64.218.82
i-b3aa3476 172.31.5.0 None
i-6c57c951 172.31.20.243 56.79.129.118
i-192b95c1 172.31.28.76 56.253.207.57
i-af413c91 172.31.27.17 None
You can also output as JSON, which is easier to parse.
The final command, to catch a dynamic IP address from your AWS instance by tag and put it into any file, is:
echo "$(aws ec2 describe-instances --filters Name="tag-value",Values="nagios" |grep PrivateIpAddress | awk '{gsub(",","",$2); gsub("\"","",$2); print $2}' | head -n 1) master" >> /file
For example if you want to get all the private IP's which are behind a load balancer and pass it to a file.
/usr/bin/aws --output text --query "Reservations[].Instances[].PrivateIpAddress" ec2 describe-instances --instance-ids $(aws --output text --query "LoadBalancerDescriptions[0].Instances[*].InstanceId" elb describe-load-balancers --load-balancer-name <loadbalancer name>) > hosts.txt
Hope it helps....
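As an added example (not from the answers above), here is the lookup done with --filters and --query instead of grep/awk over JSON, plus the part the /etc/hosts one-liners above skip: re-running them appends another "master" line on every boot, so this version replaces the old entries for the hostname rather than appending. It filters on tag:Name rather than tag-value (which matches the value under any tag key) and on running instances only. The script name, the HOSTS_FILE override and the tag/hostname values in the test are assumptions.

```shell
#!/bin/sh
# Added example, not from the answers above: collect the private IPs of the
# running instances whose Name tag matches, and write them as hosts(5) lines,
# replacing earlier lines for the same hostname instead of appending a new one
# on every boot. The filter is tag:Name, not tag-value (which matches that
# value under any tag key). Assumed: ec2:DescribeInstances is permitted and
# HOSTS_FILE (default /etc/hosts) is writable by the caller.
set -eu

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# Private IPs, one per line, of running instances with Name tag $1 in region $2.
ips_by_name() {
  aws ec2 describe-instances --region "$2" \
    --filters "Name=tag:Name,Values=$1" "Name=instance-state-name,Values=running" \
    --query 'Reservations[].Instances[].PrivateIpAddress' --output text \
    | tr '\t' '\n' | sed '/^$/d; /^None$/d'
}

# Upsert "<ip> <hostname>" lines for hostname $1 and IPs $2..: drop existing
# lines that end in that hostname, append the new ones, and replace the file
# contents through a temp file so a failure mid-way cannot leave it truncated.
update_hosts() {
  host=$1; shift
  tmp=$(mktemp)
  {
    if [ -f "$HOSTS_FILE" ]; then
      grep -v -E "[[:space:]]$host\$" "$HOSTS_FILE" || true
    fi
    for ip in "$@"; do printf '%s %s\n' "$ip" "$host"; done
  } > "$tmp"
  cat "$tmp" > "$HOSTS_FILE"   # cat, not mv, keeps /etc/hosts ownership/mode
  rm -f "$tmp"
}

# Usage: ./hosts-from-tag.sh <Name-tag-value> <hostname> [region]
if [ $# -ge 2 ]; then
  # shellcheck disable=SC2046
  update_hosts "$2" $(ips_by_name "$1" "${3:-us-east-1}")
fi
```

With several matching instances every IP gets its own line for the same hostname, which is what the resolver expects; if only the first should win, pipe ips_by_name through head -n 1 as the accepted one-liner does.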
I have found a script for starting/stopping a dynamically created ec2 instance, but how do I start any instances in my inventory?
Seems you are talking about scripting, not the SDK. So there are two tools to do the job.
1 AWS CLI tools
Download the aws cli tool and set the API key in $HOME/.aws/credentials.
List all instances in region us-east-1.
Confirm which instances you are targeting.
aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId' --region us-east-1 --output text
2 Amazon EC2 Command Line Interface Tools
Download and setup instructions.
List all instances in region us-east-1.
You should get the same output as WAY #1.
ec2-describe-instances --region us-east-1 |awk '/INSTANCE/{print $2}'
With the instance ID list, you can use your command to start them one by one.
For example, the instance names are saved in the file instance.list:
while read instance
do
  echo "Starting instance $instance ..."
  ec2-start-instances "$instance"
done < instance.list
BMW gave you an excellent start, but you can even summarise it like this:
1) First get the IDs of all the instances and save them into a file
aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId' --region us-east-1 --output text >> id.txt
2) Then simply run this command to start all the instances
for id in $(awk '{print $1}' id.txt); do echo "starting the following instance $id"; aws ec2 start-instances --region us-east-1 --instance-ids $id; done
Please change the region; I am assuming that you have installed and set up the AWS CLI tools properly. Thanks
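As an added example (not from the answers above), here is the start loop as it would be written for more than a handful of instances: ids are read from the file, the ones that are not currently stopped are dropped first (StartInstances rejects the whole request if one id is in the wrong state), the rest are started in batches with one API call per batch instead of one per id, and DRY_RUN=1 sends --dry-run so the IAM permission can be verified before anything is actually started. The script name, the REGION and BATCH variables and the ids in the test are assumptions.

```shell
#!/bin/sh
# Added example, not from the answers above: start the instances listed in a
# file with one start-instances request per batch rather than one per id,
# after dropping ids that are not currently stopped (a single id in the wrong
# state fails the whole request), with DRY_RUN=1 to verify the IAM permission
# without starting anything. Assumed: ec2:DescribeInstances and
# ec2:StartInstances are permitted; REGION defaults to us-east-1.
set -eu

REGION="${REGION:-us-east-1}"
BATCH="${BATCH:-50}"

# Of the ids given as arguments, print those in the "stopped" state.
stopped_only() {
  aws ec2 describe-instances --region "$REGION" --instance-ids "$@" \
    --filters Name=instance-state-name,Values=stopped \
    --query 'Reservations[].Instances[].InstanceId' --output text \
    | tr '\t' '\n' | sed '/^$/d'
}

# One StartInstances call for a batch. --dry-run makes the API answer
# DryRunOperation if the caller is allowed and UnauthorizedOperation if not,
# so the (non-zero) result is shown rather than treated as a failure.
start_batch() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    aws ec2 start-instances --region "$REGION" --instance-ids "$@" --dry-run 2>&1 || true
  else
    aws ec2 start-instances --region "$REGION" --instance-ids "$@" \
      --query 'StartingInstances[].[InstanceId,CurrentState.Name]' --output text
  fi
}

# Read ids from stdin, one per line, and start them $BATCH at a time. stdin is
# detached for the CLI call so it cannot consume the remaining list.
start_batched() {
  n=0; ids=''
  while read -r id; do
    [ -n "$id" ] || continue
    ids="$ids $id"; n=$((n + 1))
    if [ "$n" -ge "$BATCH" ]; then
      # shellcheck disable=SC2086
      start_batch $ids < /dev/null; n=0; ids=''
    fi
  done
  # shellcheck disable=SC2086
  [ -z "$ids" ] || start_batch $ids < /dev/null
}

# Usage: ./start-all.sh id.txt   (DRY_RUN=1 ./start-all.sh id.txt to check only)
if [ $# -ge 1 ]; then
  # shellcheck disable=SC2046
  stopped_only $(cat "$1") | start_batched
fi
```

A role that is allowed to start every instance in the account is a broad grant; if the list is always the same fleet, the start loop is a good place to scope ec2:StartInstances to those instance ARNs or to a tag condition and let the dry-run confirm the scoping before a real run.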