Article
· Oct 4 2m read

Reviews on Open Exchange - #47

If one of your packages on OEX receives a review, you get notified by OEX only about YOUR own package.
The rating reflects the experience of the reviewer with the status found at the time of review.
It is kind of a snapshot and might have changed meanwhile.
Reviews by other members of the community are marked by * in the last column.

I also placed a bunch of Pull Requests on GitHub when I found a problem I could fix.
Some were accepted and merged, and some were just ignored.
So if you made a major change and expect a changed review, just let me know.

| # | Package | Review | Stars | IPM | Docker | * |
|---|---------|--------|-------|-----|--------|---|
| 1 | iterm | my personal +6* | 6.5 | y | y | |
| 2 | iris-DataViz | excellent PI+I at work | 5.5 | y | y | |
| 3 | sql-embeddings | complete and easy | 5.2 | y | y | |
| 4 | Code-Scanner | compact and efficient | 5.0 | y | y | * |
| 5 | ks-iris-lib | a pack of 50 classes | 5.0 | y | y | |
| 6 | iris-ccd-devtools | Love this!!! | 5.0 | | y | * |
| 7 | iris-api-interface-generator | very well documented | 5.0 | | y | |
| 8 | IOP-REST-Client-Framework-1 | interesting collection | 4.7 | y | y | |
| 9 | pxw-lib-sql | Nice example | 4.0 | | y | |
| 10 | VectorSearchOnPatientSimilarity | a HUGE experience | 4.5 | | y | |
| 11 | iris-dev-codeinspector | room for improvement | 4.0 | | y | |
| 12 | db-management-tool | still incomplete | 3.0 | | y | |
| 13 | IRIS-Log-Monitor | not clear what to do | 2.9 | y | y | |
| 14 | IRIS-Test-Data-Generator | how to use this ? | 2.8 | y | y | |
| 15 | IRIS-API-Template-1 | minimum content | 2.5 | y | y | |
Article
· Oct 4 9m read

eBPF: Tetragon Security for IRIS Workloads

Runtime Enforcement

 

So far in the eBPF Journey applied to InterSystems Workloads, we've been pretty much read-only when it comes to system calls, binary execution, and file monitoring. But much like the Network Security Policies in the last post, which enforce connectivity, what if we could enforce system calls, file access, and processes in the same manner across an entire cluster?

Enter, Tetragon, a flexible Kubernetes-aware security observability and runtime enforcement tool that applies policy and filtering directly with eBPF, allowing for reduced observation overhead, tracking of any process, and real-time enforcement of policies.

Enforcement when your application can't provide it.

Where it Runs

Observability and Enforcement Cluster Wide

Up and Running

The obligatory steps to get up and running, if you choose to do so, performed in the style of an Isovalent Lab.

Cluster

Kind cluster, 3 worker nodes wide, without a default CNI.

 
kind.sh

Cilium

Install Cilium, if for nothing else, as a CNI.

 
cilium.sh



Tetragon

Here we install the star of our show, Tetragon,  as a daemon set.

 
tetragon.sh

 

IRIS Workload

Quick IRIS pod, not privileged, but easily modified to be so. This is the pod we will be executing things on to explain some of the tracing policy behavior.

 
iris.sh

 


Tracing Policies

TracingPolicies are custom resources that make it easy to set up real-time filters for kernel events. A TracingPolicy matches and filters system calls for observability and also triggers an action on these matches.

Right out of the box, though, you get process_exec and process_exit events without having to load any tracing policies.

In one terminal, execute your ZF; in the other, examine the Tetragon events:

kubectl exec -ti -n kube-system tetragon-sw9k4 -c tetragon -- tetra getevents -o compact --pods iris-nopriv

Take a look at the process execution in Tetragon for the following call-out that prints the current working directory:

This may be obvious to you, but running ZF with the "/SHELL" argument invokes bash, which then calls the command, whereas when it is omitted, the binary is called directly. We used the compact output above, but if you observe the events in JSON format, you can see how they are called differently, with the /SHELL variant showing the shell as the parent process.

i.e.:

            "cwd": "/usr/irissys/bin",
            "binary": "/usr/irissys/bin/irisdb",
            "arguments": "-w /home/irisowner -s /usr/irissys/mgr",
            "flags": "execve",

 

 
direct.json

shell.json
 

 

The JSON events get sent to the Tetragon log and can be forwarded to a SIEM or observability system for actionable insights.

Runtime Enforcement

This may lack a little bit of imagination for a use case, but what if we wanted to forbid anybody from calling out and "catting" the license file?

For this, we need to apply a TracingPolicy that enforces a matchAction. These policies are a little involved, but this one is the long way of saying: "Hey, if you run `cat /usr/irissys/mgr/iris.key`, I am going to kill you (SIGKILL you)."
 

kubectl apply -f - <<EOF
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "iris-read-file-sigkill"
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    return: false
    args:
    - index: 0
      type: int
    - index: 1
      type: "file"
    selectors:
    - matchPIDs:
      - operator: NotIn
        followForks: true
        isNamespacePID: true
        values:
        - 1
      matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/usr/irissys/secrets/"
        - "/usr/irissys/mgr/iris.key"
        #- "/tmp/" # wreaks havoc
      matchActions:
      - action: FollowFD
        argFd: 0
        argName: 1
  - call: "__x64_sys_close"
    syscall: true
    args:
    - index: 0
      type: "int"
    selectors:
    - matchActions:
      - action: UnfollowFD
        argFd: 0
        argName: 0
  - call: "__x64_sys_read"
    syscall: true
    args:
    - index: 0
      type: "fd"
    - index: 1
      type: "char_buf"
      returnCopy: true
    - index: 2
      type: "size_t"
    selectors:
    - matchActions:
      - action: Sigkill

EOF

Once deployed, you should see it loaded as a TracingPolicy resource:

So let's see it enforce the policy:

The -1 tells us something is awry, and the command was unsuccessful.

But unbeknownst to the fellow brogrammer, we administratively blocked it and sent a SIGKILL to the process!

That is going to be a long call to the WRC for the unsuspecting end user (or wrc specialist).
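As an added example (not part of the post, and not Tetragon's own tooling), here is a small Python triage script that covers two things described above: it tells a direct irisdb call-out apart from a ZF "/SHELL" call-out by looking at the parent process in a process_exec event, and it emulates the policy's fd_install selector (Prefix match on the file path, namespaced PID 1 exempt) so you can see which events in a batch the policy would act on before you deploy it with Sigkill. The sample events are constructed, not captured from a cluster; the cwd, binary, arguments and flags fields are the ones shown in the post, while process_kprobe, function_name, args, file_arg and the KPROBE_ACTION_* values follow Tetragon's JSON export as I know it, and the pid field is assumed to be the in-pod namespace PID.

```python
import json
from typing import Iterable, Iterator, Optional

# Protected paths, copied from the TracingPolicy in the post.
PROTECTED_PREFIXES = ("/usr/irissys/secrets/", "/usr/irissys/mgr/iris.key")
# matchPIDs NotIn [1] with isNamespacePID: the pod's init process is exempt.
EXEMPT_NS_PIDS = {1}
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh"}


def _proc(binary: str, arguments: str, pid: int, cwd: str = "/usr/irissys/mgr") -> dict:
    """Build a constructed Tetragon process record (pid assumed to be the in-pod PID)."""
    return {"pid": pid, "cwd": cwd, "binary": binary, "arguments": arguments,
            "flags": "execve", "pod": {"namespace": "default", "name": "iris-nopriv"}}


IRISDB = _proc("/usr/irissys/bin/irisdb", "-w /home/irisowner -s /usr/irissys/mgr", 100, "/usr/irissys/bin")
BASH = _proc("/bin/bash", "-c pwd", 2001)

# Constructed sample events, one object per line as `tetra getevents -o json` emits them.
SAMPLE_EVENTS = [
    # Direct ZF call-out: irisdb is the parent.
    {"process_exec": {"process": _proc("/usr/bin/pwd", "", 2000), "parent": IRISDB}},
    # ZF with "/SHELL": bash is interposed as the parent.
    {"process_exec": {"process": _proc("/usr/bin/pwd", "", 2002), "parent": BASH}},
    # fd_install on the license key: the policy starts following this fd.
    {"process_kprobe": {"process": _proc("/usr/bin/cat", "/usr/irissys/mgr/iris.key", 2345),
                        "function_name": "fd_install",
                        "args": [{"int_arg": 3}, {"file_arg": {"path": "/usr/irissys/mgr/iris.key"}}],
                        "action": "KPROBE_ACTION_FOLLOWFD"}},
    # fd_install on an ordinary log file: no prefix match.
    {"process_kprobe": {"process": _proc("/usr/bin/tail", "-f /usr/irissys/mgr/messages.log", 2400),
                        "function_name": "fd_install",
                        "args": [{"int_arg": 3}, {"file_arg": {"path": "/usr/irissys/mgr/messages.log"}}],
                        "action": "KPROBE_ACTION_POST"}},
    # Protected prefix, but from namespaced PID 1 (constructed init binary), which matchPIDs NotIn excludes.
    {"process_kprobe": {"process": _proc("/iris-main", "", 1),
                        "function_name": "fd_install",
                        "args": [{"int_arg": 4}, {"file_arg": {"path": "/usr/irissys/secrets/token"}}],
                        "action": "KPROBE_ACTION_POST"}},
    # The read on the followed fd is where the Sigkill lands.
    {"process_kprobe": {"process": _proc("/usr/bin/cat", "/usr/irissys/mgr/iris.key", 2345),
                        "function_name": "__x64_sys_read",
                        "args": [{"int_arg": 3}],
                        "action": "KPROBE_ACTION_SIGKILL"}},
]
# A truncated trailing line, as seen when tailing a log that is still being written.
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ['{"process_exec": {"proc']


def iter_events(lines: Iterable[str]) -> Iterator[dict]:
    """Parse newline-delimited JSON, skipping blank or truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def exec_style(event: dict) -> Optional[str]:
    """Classify a process_exec event: 'shell' when the parent is a shell (the ZF
    "/SHELL" path), 'direct' when the binary was exec'd straight from irisdb.
    Returns None for events that are not process_exec."""
    ev = event.get("process_exec")
    if ev is None:
        return None
    parent = ev.get("parent") or {}
    return "shell" if parent.get("binary") in SHELLS else "direct"


def protected_open(event: dict) -> Optional[str]:
    """Emulate the policy's fd_install selector: return the opened path when it
    Prefix-matches a protected value and the namespaced PID is not exempt."""
    ev = event.get("process_kprobe")
    if ev is None or ev.get("function_name") != "fd_install":
        return None
    if ev.get("process", {}).get("pid") in EXEMPT_NS_PIDS:
        return None
    for arg in ev.get("args", []):
        path = arg.get("file_arg", {}).get("path")
        if path and path.startswith(PROTECTED_PREFIXES):
            return path
    return None


def triage(lines: Iterable[str]) -> dict:
    """Summarise a batch of events: exec styles, opens the policy would follow, and kills it issued."""
    summary = {"direct_execs": 0, "shell_execs": 0, "protected_opens": [], "sigkills": []}
    for event in iter_events(lines):
        style = exec_style(event)
        if style == "direct":
            summary["direct_execs"] += 1
        elif style == "shell":
            summary["shell_execs"] += 1
        path = protected_open(event)
        if path:
            proc = event["process_kprobe"]["process"]
            summary["protected_opens"].append(f"{proc['binary']} -> {path}")
        kp = event.get("process_kprobe") or {}
        if kp.get("action") == "KPROBE_ACTION_SIGKILL":
            proc = kp["process"]
            summary["sigkills"].append(f"{proc['binary']} {proc['arguments']}".strip())
    return summary


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

In practice you would feed the script lines from `tetra getevents -o json` (or the Tetragon log shipped to your SIEM) instead of SAMPLE_LINES. Running the prefix emulation over a day of real events is also the cheapest way to find out what a broad value such as the commented-out "/tmp/" prefix in the policy would match before it is paired with a Sigkill.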

Experiments

I found a couple that were interesting among the hundreds I stole, applied, and played around with; notable was one that gave up the system calls per binary. If you really wanted to nerd out, you could literally block by syscall.

Another one that was mesmerizing was the file access TracingPolicy, which showed all processes accessing all the files.  

These and other policies can be found in the examples repo @ tetragon:

  • System calls
  • Process attributes
  • Command-line arguments
  • Network activity
  • File system operations
Announcement
· Oct 4

[Video] Accelerate DTL Coding with AI Cloud Service

Hey Community,

Watch this video to learn about AI Co-Pilot, which simplifies DTL coding and offers personalized assistance that makes it accessible to users with varying levels of technical expertise:

⏯ Accelerate DTL Coding with AI Cloud Service @ Global Summit 2024

Presenters:
🗣 @Renan Lourenco, Senior Technical Product Manager, InterSystems
🗣 @Julie Ma, Solutions Engineer, InterSystems  

Subscribe to our YouTube channel InterSystems Developers to stay in touch!

Question
· Oct 4

Can a business host know that the production is trying to shut down?

Hi all,

Does anyone know of a way for a business host (specifically an operation) to check whether the production it's running in is trying to shut down?

Cheers,

Otto

Question
· Oct 4

Connection problem with %SQLGatewayConnection

I'm trying to make a connection to an external database using %SQLGatewayConnection, but the connection always fails. The DSN is properly configured. When I try to make the same connection through isql in bash, the connection is successful.

This same connection fails in Caché.
