[Jenkins-infra] (fwd) RE: Your Azure Account - Terms of Use Reminder - Jenkins
Olblak
me at olblak.com
Mon Aug 6 11:19:28 UTC 2018
The main problem here is that kind of machine has a short life and I
don't think we can know which project was built on that particular
machine. For auditing purposes, it would be nice to have a log file with
such information.
> * there's some repo(s) which are invoking Maven and using it to run
Or for instance gradlew https://git.io/fN1TZ
Unfortunately there are different ways to run arbitrary scripts on those
agents and I don't think it will be possible to avoid that.
A solution that comes to my mind would be to isolate those machines
as much as possible, forbidding outgoing/incoming connections as much
as possible.
We'll probably discuss this during the infra meeting today so feel
free to join https://jenkins.io/event-calendar/
---
-> gpg --keyserver keys.gnupg.net --recv-key 52210D3D
---
On Mon, Aug 6, 2018, at 10:44 AM, Oleg Nenashev wrote:
> Likely, it looks like an urgent issue so we should get all available
> folks working on it. Added the security team to CC.
> I have tried to investigate the issue by looking at build
> histories, etc. I was not really successful; unfortunately I cannot help much on the
> server side with my current permission level.
> It would help if Azure support provides more info about the type of
> cryptominer running there and exact timestamps. It would allow
> narrowing down the scope and going through plugins to find malicious
> dependencies.
> BR, Oleg
>
> On Mon, Aug 6, 2018 at 10:27 AM, Olblak <me at olblak.com> wrote:
>> Shouldn't we move this discussion to security?
>>
>> ---
>> -> gpg --keyserver keys.gnupg.net --recv-key 52210D3D
>> ---
>>
>>
>> On Mon, Aug 6, 2018, at 12:20 AM, R. Tyler Croy wrote:
>> > (replies inline)
>> >
>> > On Sun, 05 Aug 2018, Oleg Nenashev wrote:
>> >
>> > > Is any help needed with this case?
>> > > Or are you handling it together with Olivier?
>> >
>> >
>> > Olivier and I haven't had a chance to really discuss it, so any
>> > thoughts you might have would be valuable.
>> >
>> >
>> > My current theories are:
>> >
>> > * there's some repo(s) which are invoking Maven and using it to run
>> > miners perhaps.
>> > * The dynamic agents are coming online and somehow being infected
>> > rather quickly, somehow, with nonsense.
>> >
>> >
>> >
>> > _______________________________________________
>> > Jenkins-infra mailing list Jenkins-infra at lists.jenkins-ci.org
>> > http://lists.jenkins-ci.org/mailman/listinfo/jenkins-infra
>>
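The audit log Olblak asks for and the timestamp correlation Oleg suggests, as an added example that is not part of this thread or of the Jenkins project's code: it emits one audit line per build (agent, job, start, end) and, given the sighting window a cloud provider would report, lists the jobs that ran on a particular ephemeral agent during it. The record fields (fullDisplayName, builtOn, timestamp and duration in epoch milliseconds) are an assumption modelled on the Jenkins build JSON, and the build records themselves are constructed.

```python
from datetime import datetime, timedelta, timezone


def utc(*parts):
    """Timezone-aware UTC datetime from (year, month, day, hour, minute)."""
    return datetime(*parts, tzinfo=timezone.utc)


def ms(dt):
    """Jenkins stores build timestamps as epoch milliseconds (assumption)."""
    return int(dt.timestamp() * 1000)


# Constructed sample records, not real jenkins-infra data.
BUILDS = [
    {"fullDisplayName": "plugin-a #101", "builtOn": "azure-agent-7f3a",
     "timestamp": ms(utc(2018, 8, 6, 8, 0)), "duration": 10 * 60_000},
    {"fullDisplayName": "plugin-b #42", "builtOn": "azure-agent-7f3a",
     "timestamp": ms(utc(2018, 8, 6, 8, 20)), "duration": 30 * 60_000},
    {"fullDisplayName": "plugin-c #9", "builtOn": "azure-agent-91c0",
     "timestamp": ms(utc(2018, 8, 6, 9, 0)), "duration": 5 * 60_000},
]


def audit_lines(builds):
    """One tab-separated line per build: agent, job, start, end (ISO 8601 UTC)."""
    lines = []
    for rec in sorted(builds, key=lambda r: r["timestamp"]):
        start = datetime.fromtimestamp(rec["timestamp"] / 1000, tz=timezone.utc)
        end = start + timedelta(milliseconds=rec["duration"])
        lines.append("\t".join([rec["builtOn"], rec["fullDisplayName"],
                                start.isoformat(), end.isoformat()]))
    return lines


def builds_in_window(builds, agent, window_start, window_end):
    """Jobs that ran on `agent` and overlapped the reported sighting window."""
    ws, we = ms(window_start), ms(window_end)
    hits = []
    for rec in builds:
        b_start = rec["timestamp"]
        b_end = b_start + rec["duration"]
        # Two intervals overlap when each starts before the other ends.
        if rec["builtOn"] == agent and b_start <= we and b_end >= ws:
            hits.append(rec["fullDisplayName"])
    return hits


if __name__ == "__main__":
    print("\n".join(audit_lines(BUILDS)))
    print(builds_in_window(BUILDS, "azure-agent-7f3a",
                           utc(2018, 8, 6, 8, 30), utc(2018, 8, 6, 8, 45)))
```

Pointing the same function at a real job-level export narrows a provider's "miner seen on host X between T1 and T2" report down to the handful of builds whose scripts need reviewing.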