
Comments (5)

a-martynovich avatar a-martynovich commented on May 25, 2024

@vpetersson Debian Package and Python Package are not runtime environments. They are the way the application was installed. Everything else stays the same, nothing changes in the way the application works.

Docker also shouldn't be in this category, because if we're running Debian in Docker it's still Debian, even though it can't have journald/systemd and may have iptables disabled.

Here's what I think it should look like:

  • Debian/Ubuntu app
    • Installation:
      • Installed debian package
      • Installed as python package
      • Uninstalled (ran the code directly)
    • Virtualisation:
      • Live
      • Virtual Machine (VirtualBox, VMware, ...)
      • Dockerized
  • Ubuntu snap
    • Virtualization?

from agent.

vpetersson avatar vpetersson commented on May 25, 2024

> Debian Package and Python Package are not runtime environments.

Yes, technically speaking, you are right. However, there is a reason why I want to group them like this. That reason is tightly coupled with the capabilities. For Debian runtime, we can do everything we need to do (manage firewall, check passwords, scan ports etc).

For Snaps and Docker (i.e. Balena), the only thing we can really do is credential management. As such, we need to detect this and hide all security features from the dashboard.

The python library is somewhat of an edge case.


a-martynovich avatar a-martynovich commented on May 25, 2024

One can install a Debian package or a Python package in Debian under Docker. Same goes for the “real” Debian.
In Docker we can manage iptables with CAP_NET_ADMIN. We can also check for passwords (inside the container). But if you’re talking about Balena, then we should only consider Balena in this case.

What I’m saying is, the groups you’re speaking of are not mutually exclusive.


vpetersson avatar vpetersson commented on May 25, 2024

> One can install a Debian package or a Python package in Debian under Docker. Same goes for the “real” Debian.

Yes and no. What we care about is the operating environment (what I referred to loosely as "runtime environment"). If you have a better word for this, I'm all ears.

> In Docker we can manage iptables with CAP_NET_ADMIN. We can also check for passwords (inside the container).

Yes, but we don't care about the password inside the docker container because it's unlikely that login services are exposed.

> But if you’re talking about Balena, then we should only consider Balena in this case.

Yes, for now we only care about Balena and assume CAP_NET_ADMIN is not enabled (nor is the shadow file volume mounted).


a-martynovich avatar a-martynovich commented on May 25, 2024

note to self: we can detect whether we're running from a Debian package or not using this code:

import os

def is_installed_deb():
    """Return True when this module was installed by the wott-agent Debian package."""
    try:
        import apt  # python3-apt; only present on Debian-based systems
        cache = apt.Cache()
        # installed_files lists the absolute paths shipped by the installed package
        return os.path.abspath(__file__) in cache['wott-agent'].installed_files
    except (ImportError, KeyError):
        # No python-apt (not a Debian host), or the package is not installed
        return False

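The thread above argues for classifying the agent's operating environment (plain Debian/Ubuntu host, Snap, Docker/Balena container) and hiding the security features that cannot work there. The following is an added example, not code from the wott agent or its authors: it reads standard Linux signals (the SNAP environment variable set by snapd, the /.dockerenv marker, container names in /proc/1/cgroup, and the CapEff mask in /proc/self/status), classifies the environment, and derives the feature set to expose. The feature names and the decision to offer firewall management inside a container only when CAP_NET_ADMIN is actually present are choices made for this example; the sample /proc contents are constructed.

```python
"""Decide which security features the agent may expose, from environment signals.

Added example (not the wott agent's own code). A plain Debian/Ubuntu host gets
the full feature set; a Snap or a Docker/Balena container gets credential
management only, except that a container whose effective capability set
includes CAP_NET_ADMIN is also offered firewall management. Feature names are
placeholders chosen for this example.
"""
import os
import re

CAP_NET_ADMIN = 12  # bit number of CAP_NET_ADMIN in linux/capability.h

# Feature set per operating environment (names are illustrative).
FEATURES = {
    "debian": {"credentials", "firewall", "password_check", "port_scan"},
    "docker": {"credentials"},
    "snap": {"credentials"},
}


def has_cap_net_admin(proc_status_text):
    """Return True if the CapEff mask in a /proc/<pid>/status dump has CAP_NET_ADMIN set."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", proc_status_text, re.MULTILINE)
    if not m:
        return False
    return bool(int(m.group(1), 16) & (1 << CAP_NET_ADMIN))


def detect_environment(environ, dockerenv_exists, cgroup_text):
    """Classify the environment as 'snap', 'docker' or 'debian' from the given signals."""
    if environ.get("SNAP"):  # snapd exports SNAP for confined applications
        return "snap"
    if dockerenv_exists or re.search(r"/(docker|balena)", cgroup_text):
        return "docker"
    return "debian"


def exposed_features(environment, proc_status_text):
    """Map an environment (plus its capability mask) to the features the dashboard may show."""
    features = set(FEATURES[environment])
    if environment == "docker" and has_cap_net_admin(proc_status_text):
        features.add("firewall")  # iptables is manageable with CAP_NET_ADMIN
    return features


def exposed_features_on_this_host():
    """Read the live signals from the running system and classify it."""
    cgroup_text = status_text = ""
    try:
        with open("/proc/1/cgroup") as f:
            cgroup_text = f.read()
        with open("/proc/self/status") as f:
            status_text = f.read()
    except OSError:
        pass  # not Linux or /proc unavailable: fall through with empty signals
    env = detect_environment(os.environ, os.path.exists("/.dockerenv"), cgroup_text)
    return env, exposed_features(env, status_text)


# Constructed samples: an unprivileged container (CapEff with bit 12 clear)
# and a bare host running as root (CapEff with all capability bits set).
DOCKER_STATUS = "Name:\tpython3\nCapEff:\t00000000a80425fb\n"
ROOT_STATUS = "Name:\tpython3\nCapEff:\t0000003fffffffff\n"
DOCKER_CGROUP = "0::/docker/3f8b2c1d9e0a\n"
HOST_CGROUP = "0::/system.slice/ssh.service\n"

if __name__ == "__main__":
    print(exposed_features_on_this_host())
```

Running the module directly prints the classification of the current machine; the pure functions take the signals as arguments so the decision logic can be tested without a container. Reading CapEff rather than assuming a capability set keeps the dashboard honest when a container is started with extra privileges.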
