[research 3d]: Malware-detection sidecar buildpack for cloud.gov apps

[mogul]

User Story

In order to satisfy the requirements of NIST 800-53 Rev4 SI-3 for data.gov components running in cloud.gov, the data.gov team wants to achieve malicious code detection at the application instance level by implementing a malware-detection sidecar buildpack.

Acceptance Criteria

• GIVEN an application deployed to cloud.gov that includes a malware-detection buildpack
  WHEN we trigger the signature update task with cf run-task
  THEN we see the malware-detection definitions file get updated in the instance
• GIVEN an application deployed to cloud.gov that includes a malware-detection buildpack
  WHEN we place the EICAR test file in the application instance
  AND we trigger the malware-detection scan with cf run-task
  THEN we see detection of the EICAR sample in the application logs
  AND we see an alert in the #datagov-alerts Slack channel

Background

Sidecar buildpacks enable the implementation of application level detection of malicious code in Cloud Foundry apps. We should use this capability to fill this compliance gap for data.gov and potentially many other cloud.gov tenants.

Security Considerations (required)

This change implements the description from control SI-3 in the data.gov SSP.

Sketch/options to consider

• Options for malware detection:

  • ClamAV
    • Unfortunately this is probably too heavyweight... It apparently takes 500MB in cloud.gov!
  • Linux Malware Detect (LMD) (GitHub)
    • Looks like it runs much more lightly
    • Maintenance status is unclear; how often are signatures updated?

• Try out LMD by hand...

  • What's the process for installing it?
  • Does it run in a reasonable amount of memory?
  • How long does a scan take?
  • What's the process for updating signatures?
  • Can we drive both scanning and signature updates from Monit, using the Monit cron-like functionality?

• A sidecar would be the ideal way to configure Monit+LMD for apps. We can make a malware-detection sidecar buildpack which would enable any team to add this capability just by prepending it to their buildpack list.

• Here's the bare-minimum sidecar buildpack example. Stark and Wayne provided a great sidecar buildpack sample to build upon.

• Use Monit to invoke the actual scan and alert the #datagov-alerts channel via email if problems are found.

• Also take the opportunity to evaluate including AIDE or an equivalent in the sidecar to meet the needs of control SI-4(5), making a new issue if needed.

• Contingency/fallback: Stick with restarting apps every X minutes.

[adborden]

I suggest we treat this as a 3 day research story.... although it already looks bigger than 3 days of research.