ConSecure

ConSecure is a security tool designed to enhance the security of commercial containers. It performs security checks on container images and runtime processes to ensure that they are safe and secure. The tool is written in Golang 1.18.1 and uses trace to collect Linux kernel events (developed against kernel version 5.15.0-88-generic) and detect threats.

Environment

(OS, kernel and Golang version badges)

Building and Running

To build and run ConSecure, follow these steps:

  1. Clone the ConSecure repository:

    git clone https://github.com/nevation/ConSecure.git

  2. Build the ConSecure binary:

    cd ConSecure
    make build

  3. Set up trace:

    sudo bash setup.sh

  4. Run ConSecure:

    sudo ./consecure

  Note: ConSecure requires root privileges to run.

Features

  • Image security: ConSecure checks for vulnerabilities in each layer of the container image and blocks container execution if any issues are found.
  • Runtime protection: ConSecure performs runtime protection by monitoring the entry point process of the container. It blocks any processes that are not generated by the entry point process, ensuring that the container is protected from unexpected threats.
  • Kernel event detection: ConSecure detects kernel events and protects the container based on the events detected. It has access to the kernel and is written in Golang, providing both flexibility and performance.

Design

ConSecure is designed with the following components:

1. EventWatcher

The EventWatcher component collects kernel events and sends them to the EventHandler component.

2. EventHandler

The EventHandler component receives events from the EventWatcher component and sends them to the Detector component.

3. Detector

The Detector component converts kernel events into container-specific actions. It also collects process information based on the process ID and sends the converted data and process information to the Checker component. Before doing so, the Detector component sends a SIGSTOP signal to the corresponding process so that it stays stopped while the Checker component examines it.

4. Checker

The Checker component checks the converted data and process information received from the Detector component to determine if there are any threats. For example, if a container is being executed, the Checker component retrieves image information based on the process's execution arguments and performs vulnerability checks on the corresponding image. If a vulnerability is detected, the Checker component calls the Protector component to prevent any threats. If no issues are found, the Checker component sends a SIGCONT signal to the corresponding process to continue execution.

5. Protector

The Protector component receives messages from the Checker component and sends a SIGKILL signal to the corresponding process to prevent any threats.
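The Detector, Checker and Protector flow described above, written out as an added Go example (not ConSecure's own code): the process is frozen with SIGSTOP, the image named in its execution arguments is checked, and the process is then resumed with SIGCONT or killed with SIGKILL. ExecEvent, Signaler, RecordingSignaler, scanImage and the registry.example image names are assumptions; the scan table is constructed sample data, and treating a failed scan as a block is a choice the README does not state.

```go
package main

import (
	"fmt"
	"syscall"
)

// ExecEvent is a constructed stand-in for the exec event the EventWatcher
// delivers (field names are assumptions, not ConSecure's own types).
type ExecEvent struct {
	PID  int
	Args []string // execution arguments, e.g. ["docker", "run", "<image>"]
}

// Signaler abstracts kill(2) so the gate can run in dry-run mode; for real use
// implement it with syscall.Kill. RecordingSignaler only records what would be sent.
type Signaler interface{ Kill(pid int, sig syscall.Signal) error }
type RecordingSignaler struct{ Sent []syscall.Signal }

func (r *RecordingSignaler) Kill(_ int, sig syscall.Signal) error {
	r.Sent = append(r.Sent, sig)
	return nil
}

// scanResults is constructed sample data standing in for the per-layer scan
// (true = known issues); scanImage reports an image with no record as an error.
var scanResults = map[string]bool{"registry.example/app:1.0": true, "registry.example/app:1.1": false}

func scanImage(img string) (vulnerable bool, err error) {
	v, ok := scanResults[img]
	if !ok {
		return false, fmt.Errorf("no scan record for %s", img)
	}
	return v, nil
}

// Gate is the Detector -> Checker -> Protector flow: SIGSTOP first, decide while the
// process is frozen, then SIGCONT (allow) or SIGKILL (block). The image is taken as the
// last argument of a "<runtime> run ..." command (a simplification); a failed scan blocks.
func Gate(ev ExecEvent, s Signaler) (bool, error) {
	if err := s.Kill(ev.PID, syscall.SIGSTOP); err != nil {
		return false, fmt.Errorf("stop pid %d: %w", ev.PID, err)
	}
	if len(ev.Args) < 3 || ev.Args[1] != "run" { // not a container run: nothing to check
		return true, s.Kill(ev.PID, syscall.SIGCONT)
	}
	if vuln, err := scanImage(ev.Args[len(ev.Args)-1]); err != nil || vuln {
		return false, s.Kill(ev.PID, syscall.SIGKILL)
	}
	return true, s.Kill(ev.PID, syscall.SIGCONT)
}
```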

Usage

To use ConSecure, simply run the tool on your container. ConSecure will perform security checks on the container image and runtime processes to ensure that they are safe and secure.
