Threat Stack recently added support for a dockerized agent, which is great! Unfortunately, their official image requires you to mount a configuration file. This works well for some orchestrators, but not so well with Amazon's Elastic Container Service (ECS). This image addresses that issue.
This uses the official image as a base and then applies some very basic templating using environment variables and sed to achieve a more seamless ECS experience. You should consider using a tool such as Segment's Chamber to load your environment variables from SSM at launch.
These instructions will guide you through the basics of using this image. While this image was designed to be used with ECS, you can certainly use it with any other orchestrator.
IMPORTANT NOTE: Given the nature of this package (security, lots of permissive access), you are highly encouraged to clone / fork this repository, build the image yourself, and push/pull it from your own Docker registry.
- Docker CE
- An active Threat Stack account
- A valid Threat Stack deployment key
The following environment variables can be passed to the container to make configuration changes. The only required variable is THREATSTACK_DEPLOY_KEY. If it is not present, the container will not function.
- THREATSTACK_DEPLOY_KEY: The deployment key generated for your Threat Stack account. Required.
- THREATSTACK_RULESET: The rulesets you want to use. Defaults to "Base Rule Set, Docker Rule Set".
- THREATSTACK_LOGLEVEL: Changes the logging verbosity. Defaults to "info".
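To make the templating step and the required-variable rule concrete, here is an added example entrypoint (not the image's own script) that renders a config file from the three variables above with sed, refuses to start without THREATSTACK_DEPLOY_KEY, and applies the documented defaults. The @@NAME@@ placeholder format and the template/output paths are assumptions for illustration; the real image's config layout may differ.

```sh
#!/bin/sh
# Added example entrypoint, not the image's own code. ASSUMPTION: the template
# uses @@DEPLOY_KEY@@, @@RULESET@@ and @@LOGLEVEL@@ placeholders.

# Escape a value for the right-hand side of a sed "s|...|...|" expression so a
# key containing '&', '|' or '\' cannot corrupt the rendered config.
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# render_config TEMPLATE OUTPUT
# Returns 1 and writes nothing when THREATSTACK_DEPLOY_KEY is unset or empty,
# mirroring the README: the container must not function without a key.
render_config() {
  template="$1"
  output="$2"
  if [ -z "${THREATSTACK_DEPLOY_KEY:-}" ]; then
    echo "error: THREATSTACK_DEPLOY_KEY is required" >&2
    return 1
  fi
  # Defaults as documented above.
  ruleset="${THREATSTACK_RULESET:-Base Rule Set, Docker Rule Set}"
  loglevel="${THREATSTACK_LOGLEVEL:-info}"
  sed -e "s|@@DEPLOY_KEY@@|$(sed_escape "$THREATSTACK_DEPLOY_KEY")|g" \
      -e "s|@@RULESET@@|$(sed_escape "$ruleset")|g" \
      -e "s|@@LOGLEVEL@@|$(sed_escape "$loglevel")|g" \
      "$template" > "$output"
  # The rendered file holds the deployment key: keep it owner-readable only.
  chmod 600 "$output"
}

# Stand-alone demo on a constructed template. A real entrypoint would exec the
# agent after rendering instead of printing.
demo() {
  tmp="$(mktemp -d)"
  printf 'deploy_key = @@DEPLOY_KEY@@\nruleset = @@RULESET@@\nlog_level = @@LOGLEVEL@@\n' \
    > "$tmp/config.tpl"
  THREATSTACK_DEPLOY_KEY="constructed-example-key" \
    render_config "$tmp/config.tpl" "$tmp/config"
  # Never echo the key line into container logs; show only the non-secret lines.
  grep -v '^deploy_key' "$tmp/config"
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh entrypoint.sh --demo` to see the rendered ruleset and log level lines; the key line is deliberately not printed.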
If you're not using the container within ECS, you can use the following command to run the container:
```sh
sudo docker run -it -d \
  -e THREATSTACK_DEPLOY_KEY="<YOUR DEPLOYMENT KEY>" \
  --name=ts-docker \
  --privileged \
  --network=host \
  --pid=host \
  --cap-add=AUDIT_CONTROL \
  --cap-add=AUDIT_READ \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_ADMIN \
  -v /:/threatstackfs/ \
  -v /var/run/docker.sock:/var/run/docker.sock \
  DOCKER_IMAGE
```

You will need to replace DOCKER_IMAGE with your image.
In order to run this container on ECS, you must be using Amazon ECS Agent v1.22.0 or newer. Previous versions do not support the --pid=host Docker parameter, so the agent will not fully work in ECS. Below is a sample task definition that can be used to get you started:
```json
{
  "requiresCompatibilities": [
    "EC2"
  ],
  "containerDefinitions": [
    {
      "name": "threatstack-agent",
      "image": "lever/threatstack:1.8.0c",
      "memoryReservation": 1024,
      "pidMode": "host",
      "essential": true,
      "portMappings": [],
      "environment": null,
      "mountPoints": [
        {
          "sourceVolume": "system",
          "containerPath": "/threatstackfs",
          "readOnly": false
        },
        {
          "sourceVolume": "docker",
          "containerPath": "/var/run/docker.sock",
          "readOnly": false
        }
      ],
      "volumesFrom": null,
      "hostname": null,
      "user": null,
      "workingDirectory": null,
      "privileged": true,
      "extraHosts": null,
      "logConfiguration": null,
      "ulimits": null,
      "linuxParameters": {
        "capabilities": {
          "add": ["AUDIT_CONTROL", "AUDIT_READ", "NET_ADMIN", "SYS_ADMIN"]
        }
      },
      "dockerLabels": null,
      "repositoryCredentials": null
    }
  ],
  "volumes": [
    {
      "host": {
        "sourcePath": "/"
      },
      "name": "system"
    },
    {
      "host": {
        "sourcePath": "/var/run/docker.sock"
      },
      "name": "docker"
    }
  ],
  "networkMode": "host",
  "memory": null,
  "cpu": null,
  "placementConstraints": [],
  "family": "threatstack",
  "executionRoleArn": null
}
```

Note that memoryReservation and readOnly are typed values (integer and boolean) in the ECS task definition schema, and repositoryCredentials is only needed when the image lives in a private registry; if you follow the note above and push to your own registry, set credentialsParameter to the ARN of the secret holding your registry credentials.
Huge thanks to the Threat Stack team for putting forth the initial work to create a Docker-based agent. More so, a huge thanks for making a fantastic product that has made our lives much easier!