docs: add lockdown notes to SECURITY_GUIDANCE.md #1281
Conversation
Signed-off-by: Ben Cressey <bcressey@amazon.com>
| The first mode, "none", effectively disables the protection. | ||
| This is the default in today's [variants](variants/) of Bottlerocket, for compatibility with existing deployments. |
There was a problem hiding this comment.
Do you expect the default to change for some variants? I see it as more of a global Bottlerocket security offering.
There was a problem hiding this comment.
We could change the default for new launches but migrate to "none" on upgrade, which might be the current behavior.
Today we have the property that you can continue launching new versions of the same variant with no user-data changes. I worry about discarding that property; we don't want moving to new versions to become a scary proposition.
There was a problem hiding this comment.
I'd worry about anything where we change behavior for new launches as compared to upgrades because it introduces a risk for drift within a customer's cluster. For example, if a customer operates an auto-scaling group and changes the ASG to launch a new AMI while upgrading the existing instances, some will have "none" (the upgraded ones) while others won't.
| This is the default in today's [variants](variants/) of Bottlerocket, for compatibility with existing deployments. | ||
|
|
||
| The second mode, "integrity", blocks most ways to overwrite the kernel's memory and modify its code. | ||
| This will become the default in future variants. |
There was a problem hiding this comment.
Similar question here - some variants are longer-lived, like aws-ecs-1, and I believe we should aim for changing the setting for existing variants rather than segmenting our security story by variant.
There was a problem hiding this comment.
For aws-ecs-1, I'd like to change the default prior to GA.
The aws-k8s-* variants will age out of support over the next year, so making the changes in newer variants would let us converge on the new default without risk of disruption.
There was a problem hiding this comment.
I'm 👍 on changing the default for aws-ecs-1 prior to GA. I'm also 👍 on introducing this to the new aws-k8s-* variants as we add them.
| @@ -223,6 +246,11 @@ These settings can passed as [user data](https://docs.aws.amazon.com/AWSEC2/late | |||
| They apply to any Bottlerocket variant. | |||
There was a problem hiding this comment.
Does this comment still apply if you're talking about segmenting this setting's default by variant?
There was a problem hiding this comment.
It's a correct statement today, and would be a no-op if we change the default.
Issue number:
Fixes #1224
Description of changes:
Add notes about the Lockdown LSM to security guidance.
Testing done:
Verified that the example works correctly as user-data and disables unsigned kernel modules from being loaded.
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.