Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Guidance: Security Hub ECS.5 | ECS containers should be limited to read-only access to root filesystems #588

Open
willfarrell opened this issue Sep 12, 2024 · 0 comments
Open

Guidance: Security Hub ECS.5 | ECS containers should be limited to read-only access to root filesystems #588

willfarrell opened this issue Sep 12, 2024 · 0 comments

Comments

@willfarrell
Copy link

I'm running the SSM Agent within a ECS Fargate task (https://github.com/willfarrell/aws-bastion). I'm trying to update it to meet AWS Security Hub ECS.5 (ECS containers should be limited to read-only access to root filesystems) that requires the task definition to have readonlyRootFilesystem: true.

I've added in /etc/amazon/ssm/seelog.xml with the below xml to have logs store /tmp.

<outputs formatid="fmtinfo">
   <console formatid="fmtinfo"/>
   <rollingfile type="size" filename="/tmp/amazon-ssm-agent.log" maxsize="30000000" maxrolls="5"/>
   <filter levels="error,critical" formatid="fmterror">
      <rollingfile type="size" filename="/tmp/errors.log" maxsize="10000000" maxrolls="5"/>
   </filter>
   <custom name="cloudwatch_receiver" formatid="fmtdebug" data-log-group="/aws/ecs/bastion"/>
</outputs>

However, it continue to send logs to the default location (/var/log/amazon/ssm/*.log) instead of /tmp/*.log. Not sure if this is a bug or a misconfiguration on my side. Any guidance would be appreciated.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@willfarrell