[Jenkins-infra] (fwd) RE: Your Azure Account - Terms of Use Reminder - Jenkins

Olblak me at olblak.com
Mon Aug 6 11:19:28 UTC 2018


The main problem here is that this kind of machine has a short life and I
don't think we can know which project was built on that particular
machine. For auditing purposes, it would be nice to have a log file with
such information.
> * there's some repo(s) which are invoking Maven and using it to run
Or for instance gradlew https://git.io/fN1TZ
Unfortunately there are different ways to run arbitrary scripts on those
agents and I don't think it will be possible to avoid that.
A solution that comes to my mind would be to isolate those machines
as much as possible to forbid outgoing/incoming connections as much
as possible.
We'll probably discuss this during the infra meeting today so feel
free to join https://jenkins.io/event-calendar/

---
-> gpg --keyserver keys.gnupg.net --recv-key 52210D3D
---




On Mon, Aug 6, 2018, at 10:44 AM, Oleg Nenashev wrote:
> Likely, it looks like an urgent issue so we should get all available
> folks working on it. Added the security team to CC.
> 
> I have tried to investigate the issue by looking at build
> histories, etc. I was not really successful; unfortunately I cannot help much on the
> server side with my current permission level.
> 
> It would help if Azure support provides more info about type of the
> cryptominer running there and exact timestamps. It would allow
> narrowing down the scope and going through plugins to find malicious
> dependencies.
> BR, Oleg
> 
> 
> 
> 
> On Mon, Aug 6, 2018 at 10:27 AM, Olblak <me at olblak.com> wrote:
>> Shouldn't we move this discussion to security?
>> 
>> ---
>> -> gpg --keyserver keys.gnupg.net --recv-key 52210D3D
>> ---
>> 
>> 
>> On Mon, Aug 6, 2018, at 12:20 AM, R. Tyler Croy wrote:
>> > (replies inline)
>> > 
>> > On Sun, 05 Aug 2018, Oleg Nenashev wrote:
>> > 
>> > > Is any help needed with this case?
>> > > Or are you handling it together with Olivier?
>> > 
>> > 
>> > Olivier and I haven't had a chance to really discuss it, so any
>> > thoughts you might have would be valuable.
>> > 
>> > 
>> > My current theories are:
>> > 
>> > * there's some repo(s) which are invoking Maven and using it to run
>> >   miners perhaps.
>> > * The dynamic agents are coming online and somehow being infected
>> >   rather quickly, somehow, with nonsense.
>> > 
>> > 
>> > 
>> > _______________________________________________
>> > Jenkins-infra mailing list Jenkins-infra at lists.jenkins-ci.org
>> > http://lists.jenkins-ci.org/mailman/listinfo/jenkins-infra
>> > Email had 1 attachment:
>> > + signature.asc
>> >   1k (application/pgp-signature)
>> 
>> _______________________________________________
>> Jenkins-infra mailing list
>> Jenkins-infra at lists.jenkins-ci.org
>> http://lists.jenkins-ci.org/mailman/listinfo/jenkins-infra
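As an added example (not code from this thread or from the Jenkins project): a small Python audit helper that takes build records in the shape the Jenkins JSON API returns for a job (`builds[number,timestamp,duration,builtOn]`, with `timestamp` and `duration` in milliseconds and `builtOn` the agent name, which freestyle and Maven builds expose) and answers the two questions raised above: which builds ran on a given agent during the window Azure support would report, and a per-agent index of builds for the audit log Olblak asks for. The job names, agent names and timestamps below are constructed sample data.

```python
from datetime import datetime

# Constructed sample records, shaped like the Jenkins JSON API output for
# /job/<name>/api/json?tree=builds[number,timestamp,duration,builtOn].
# "job" is added here for readability; timestamp/duration are milliseconds.
# Note: Pipeline runs do not expose builtOn, only freestyle/Maven builds do.
SAMPLE_BUILDS = [
    {"job": "plugin-a", "number": 41, "timestamp": 1533499200000,  # 2018-08-05 20:00Z
     "duration": 600000, "builtOn": "azure-agent-1"},                # 10 min
    {"job": "plugin-b", "number": 7, "timestamp": 1533501000000,   # 20:30Z
     "duration": 5400000, "builtOn": "azure-agent-1"},               # 90 min
    {"job": "plugin-a", "number": 42, "timestamp": 1533501000000,  # 20:30Z
     "duration": 600000, "builtOn": "azure-agent-2"},
    {"job": "plugin-c", "number": 3, "timestamp": 1533510000000,   # 23:00Z
     "duration": 300000, "builtOn": "azure-agent-1"},
]


def to_ms(iso_ts):
    """ISO-8601 timestamp with offset (e.g. '2018-08-05T21:00:00+00:00') -> epoch ms."""
    return int(datetime.fromisoformat(iso_ts).timestamp() * 1000)


def builds_overlapping(builds, agent, start_ms, end_ms):
    """Builds that ran on `agent` and overlapped the incident window.

    A build overlaps if it started before the window ended and finished after
    the window started (boundaries inclusive, so a build that ends exactly at
    the reported start is still listed rather than silently dropped).
    """
    hits = []
    for b in builds:
        if b.get("builtOn") != agent:
            continue
        b_start = b["timestamp"]
        b_end = b_start + b["duration"]
        if b_start <= end_ms and b_end >= start_ms:
            hits.append(b)
    return sorted(hits, key=lambda b: b["timestamp"])


def agent_build_index(builds):
    """Per-agent list of 'job#number' strings, the audit record the thread asks for."""
    index = {}
    for b in sorted(builds, key=lambda b: b["timestamp"]):
        index.setdefault(b["builtOn"], []).append(f'{b["job"]}#{b["number"]}')
    return index


if __name__ == "__main__":
    start, end = to_ms("2018-08-05T21:00:00+00:00"), to_ms("2018-08-05T21:30:00+00:00")
    for b in builds_overlapping(SAMPLE_BUILDS, "azure-agent-1", start, end):
        print(f'{b["job"]}#{b["number"]} ran on {b["builtOn"]} during the window')
    print(agent_build_index(SAMPLE_BUILDS))
```

Against a live controller the same functions can be fed the JSON from each job's `api/json` URL; keeping the resulting index on disk is the short-lived-agent audit trail the thread describes.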
