For examples of real-world incidents in which files have been tampered during the build and release process in CI/CD pipelines, refer to Tampering of source code or artifacts during build
"Implement endpoint detection and response (EDR) tools" in CISA/NSA guide: EDR tools provide a high degree of visibility into the security status of endpoints and can help effectively protect against MCAs.
🔙 Go back to the list of tutorials
- Detect File Tampering (GitHub-Hosted Runner)
- Detect File Tampering (Actions Runner Controller)
- Detect File Tampering (Self-Hosted VM Runners e.g. on EC2)
In this tutorial, you will use the step-security/harden-runner
GitHub Action to detect file tampering on the build server in a GitHub Actions workflow.
Without Harden-Runner, you have no visibility into what files are overwritten during a workflow run.
- Go to the
Actions
tab and run theHosted: File Monitoring without Harden-Runner
workflow. - Check out the build logs. From the build logs you see that a package was installed and a docker image was built and published.
As we will see next, one of these steps is overwritting a file, but you cannot know that without file monitoring.
-
Go to the
Actions
tab and run theHosted: File Monitoring with Harden-Runner
workflow. -
View the workflow hosted-network-monitoring-hr.yml file.
-
step-security/harden-runner
GitHub Action is used as the first step in the job. -
After the workflow completes, check out the build logs. In the
Harden-Runner
step, you will see a link to security insights and recommendations. -
Click the link and you will see the
npm install
step is overwritting theindex.js
file, which is not expected. -
You can install the StepSecurity Actions Security GitHub App to get notified via email or Slack when a source code file is overwritten in your workflow.
Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and scales self-hosted runners for GitHub Actions.
- Rather than incorporating the HardenRunner GitHub Action into each individual workflow, you install the ARC-Harden-Runner daemonset on your Kubernetes cluster.
Please email us at support@stepsecurity.io for instructions on how to install the ARC-Harden-Runner daemonset on your Kubernetes cluster.
-
Upon installation, the ARC-Harden-Runner daemonset constantly monitors file events and correlates them with each step of the workflow.
-
You can access security insights and runtime detections under the
Runtime Security
tab in your dashboard
For a demo of a workflow running on ARC with Harden Runner integrated, follow this tutorial:
-
View this workflow file: https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/arc-solarwinds-simulation.yml
Notice that
harden-runner
Action is not added to this workflow, and that this workflow runs on aself-hosted
runner. -
Check out an example run of this workflow here: https://github.com/step-security/github-actions-goat/actions/runs/6285439163
-
Visit the workflow insights for this run here: https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6285439163
You can see that the file overwrite event is detected, without the need to add
harden-runner
to each job.
- Instead of adding the Harden-Runner GitHub Action in each workflow, you'll need to install the Harden-Runner agent on your runner image (e.g. AMI). This is typically done using packer.
Please email support@stepsecurity.io for instructions on how to install the Harden-Runner agent on your runner image. This agent is different than the one used for GitHub-hosted runners.
-
The Harden-Runner agent monitors file events and correlates them with each step of the workflow.
-
Both ephemeral and persistent VM runners are supported.
-
You can access security insights and runtime detections under the Runtime Security tab in your dashboard.
For a demo of a workflow running on self-hosted EC2 with Harden Runner integrated, follow this tutorial:
-
View this workflow file: https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/self-hosted-file-monitor-with-hr.yml
Notice that
harden-runner
Action is not added to this workflow, and that this workflow runs on aself-hosted
runner. -
Check out an example run of this workflow here: https://github.com/step-security/github-actions-goat/actions/runs/6388842742
-
Visit the workflow insights for this run here: https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6388842742
You can see that the file overwrite event is detected, without the need to add
harden-runner
to each job.