基础信息
攻击类型:suspicious_operation
类型描述:可疑操作——疑似非法文件操作行为，重要目录或文件被修改
执行命令:make install
修复建议
在 root 权限下执行【cd dentry_path】（dentry_path 为该可疑文件所在目录），确认该可疑文件是否为本人创建。
可疑操作数据
{
"argv":
"/bin/sh ./libtool --silent --tag=CC --mode=link gcc -fPIE -fPIC -fstack-protector-all -O1 -ffunction-sections -fdata-sections -g -O2 -Wall -fno-strict-aliasing -pthread -W -Wfloat-equal -Wundef -Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes -Wwrite-strings -Wredundant-decls -Wchar-subscripts -Wcomment -Wformat -Wwrite-strings -Wmissing-declarations -Wredundant-decls -Wnested-externs -Wbad-function-cast -Wswitch-enum -Wno-unused-parameter -Wstrict-aliasing -Winit-self -Wmissing-field-initializers -Wdeclaration-after-statement -Waddress -Wnormalized=id -Woverride-init -Wlogical-op -version-info 5:0:0 -release 2.1 -fPIE -fPIC -fstack-protector-all -O1 -o libevent.la buffer.lo bufferevent.lo bufferevent_filter.lo bufferevent_pair.lo bufferevent_ratelim.lo bufferevent_sock.lo event.lo evmap.lo evthread.lo evutil.lo evutil_rand.lo evutil_time.lo listener.lo log.lo strlcpy.lo select.lo poll.lo epoll.lo signal.lo evdns.lo event_tagging.lo evrpc.lo http.lo",
"comm":
"sh",
"dip":
"-1",
"dport":
"-1",
"exe":
"/usr/bin/bash",
"exe_hash":
"cfd65bed18a1fae631091c3a4c4dd533",
"file_path":
"/root/ntp-4.2.8p15/sntp/libevent/libevent.la",
"nodename":
"iZj6c5y91a23b4glrg403uZ",
"pgid":
"30554",
"pgid_argv":
"make install",
"pid":
"11731",
"pid_tree":
"-3",
"pns":
"4026531836",
"pod_name":
"-3",
"ppid":
"11730",
"ppid_argv":
"/bin/sh -c echo \ CCLD \ libevent.la;/bin/sh ./libtool --silent --tag=CC --mode=link gcc -fPIE -fPIC -fstack-protector-all -O1 -ffunction-sections -fdata-sections -g -O2 -Wall -fno-strict-aliasing -pthread -W -Wfloat-equal -Wundef -Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes -Wwrite-strings -Wredundant-decls -Wchar-subscripts -Wcomment -Wformat -Wwrite-strings -Wmissing-declarations -Wredundant-decls -Wnested-externs -Wbad-function-cast -Wswitch-enum -Wno-unused-parameter -Wstrict-aliasing -Winit-self -Wmissing-field-initializers -Wdeclaration-after-statement -Waddress -Wnormalized=id -Woverride-init -Wlogical-op -version-info 5:0:0 -release 2.1 -fPIE -fPIC -fstack-protector-all -O1 -o libevent.la buffer.lo bufferevent.lo bufferevent_fil",
"root_pns":
"4026531836",
"sa_family":
"-1",
"sb_id":
"vda1",
"sessionid":
"586",
"sid":
"12063",
"sip":
"-1",
"socket_argv":
"-3",
"socket_pid":
"-1",
"sport":
"-1",
"tgid":
"11731",
"uid":
"0",
"username":
"root"
}
还有这个，就是我在服务器上编译一个软件而已，你们也报警可疑操作，能不能优化一下？