
Guidance: Security Hub ECS.5 | ECS containers should be limited to read-only access to root filesystems #588

Open
willfarrell opened this issue Sep 12, 2024 · 3 comments

Comments

@willfarrell

I'm running the SSM Agent within an ECS Fargate task (https://github.com/willfarrell/aws-bastion). I'm trying to update it to meet AWS Security Hub ECS.5 (ECS containers should be limited to read-only access to root filesystems), which requires the task definition to have readonlyRootFilesystem: true.

I've added /etc/amazon/ssm/seelog.xml with the XML below to have logs stored in /tmp.

<outputs formatid="fmtinfo">
   <console formatid="fmtinfo"/>
   <rollingfile type="size" filename="/tmp/amazon-ssm-agent.log" maxsize="30000000" maxrolls="5"/>
   <filter levels="error,critical" formatid="fmterror">
      <rollingfile type="size" filename="/tmp/errors.log" maxsize="10000000" maxrolls="5"/>
   </filter>
   <custom name="cloudwatch_receiver" formatid="fmtdebug" data-log-group="/aws/ecs/bastion"/>
</outputs>

However, it continues to send logs to the default location (/var/log/amazon/ssm/*.log) instead of /tmp/*.log. Not sure if this is a bug or a misconfiguration on my side. Any guidance would be appreciated.
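An ECS.5 audit helper, added here as an example and not code from this issue or from the SSM Agent project: it walks a task definition in the shape returned by `aws ecs describe-task-definition`, flags containers that do not set readonlyRootFilesystem: true, and for compliant containers reports which of the agent's write paths (the default /var/log/amazon/ssm from the post above and the /tmp target of the seelog.xml) are not under a writable mountPoint. The sample task definition and its container names are constructed.

```python
"""ECS.5 audit helper: added example, not code from this issue or the SSM Agent
project. Assumes the task definition dict has the shape returned by
`aws ecs describe-task-definition`; the sample at the bottom is constructed."""

# Paths the agent writes to: the default log directory named in the issue and
# the /tmp target the reporter's seelog.xml points at.
SSM_AGENT_WRITE_PATHS = ("/var/log/amazon/ssm", "/tmp")

def writable_mounts(container):
    """containerPath of every mountPoint that is not marked readOnly."""
    return [m["containerPath"] for m in container.get("mountPoints", [])
            if not m.get("readOnly", False)]

def path_is_covered(path, mounts):
    """True if `path` equals or lies beneath one of the writable mount points."""
    return any(path == m or path.startswith(m.rstrip("/") + "/") for m in mounts)

def audit_task_definition(task_def):
    """Map each container name to its findings; an empty list means no finding."""
    findings = {}
    for c in task_def.get("containerDefinitions", []):
        issues = []
        if c.get("readonlyRootFilesystem") is not True:
            issues.append("ECS.5: readonlyRootFilesystem is not true")
        else:
            # With a read-only root, every path the agent writes to must sit
            # under a writable mount point; unmounted, /tmp is read-only as well.
            mounts = writable_mounts(c)
            for p in SSM_AGENT_WRITE_PATHS:
                if not path_is_covered(p, mounts):
                    issues.append(f"{p} is not under a writable mount point")
        findings[c["name"]] = issues
    return findings

SAMPLE_TASK_DEF = {  # constructed sample, not a real task definition
    "family": "bastion",
    "volumes": [{"name": "ssm-logs"}],
    "containerDefinitions": [
        {"name": "bastion-v1", "image": "example/bastion:1"},
        {"name": "bastion-v2", "image": "example/bastion:2",
         "readonlyRootFilesystem": True,
         "mountPoints": [{"sourceVolume": "ssm-logs",
                          "containerPath": "/var/log/amazon/ssm",
                          "readOnly": False}]},
    ],
}

if __name__ == "__main__":
    for name, issues in audit_task_definition(SAMPLE_TASK_DEF).items():
        print(name, "OK" if not issues else issues)
```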

@Aperocky
Contributor

Have you restarted the agent for the seelog.xml to take effect?

@willfarrell
Author

willfarrell commented Jan 19, 2025

The seelog.xml is included in the container before it is run.

FROM --platform=linux/arm64/v8 amazonlinux:2023

WORKDIR /

RUN yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm

COPY ./seelog.xml /etc/amazon/ssm/
COPY ./docker-entrypoint.sh /

ENTRYPOINT ["/docker-entrypoint.sh"]

@Aperocky
Contributor

Thanks for the report/update, we'll look into replicating/fixing.
