Policies define the rules that are used to control what is allowed to run in your Kubernetes cluster. You will define one policy for each cluster that you want to protect, with a default set of rules (also known as a "policy definition") that apply to the entire cluster. If your cluster contains more than one namespace, you can also define separate sets of rules for the namespaces. Any namespace rules take precedence over the cluster-wide rules.
For more information, visit the Help Center article, Defining a policy for a cluster.
Exceptions:
When your architecture requires running containers with privileges, you can create policies for specific namespaces. This lets you allow those containers where they are needed without applying overly broad rules to your entire environment.
Recommendations:
Deployment Phase Possible Actions:
- Log
- Block
Action | Deployment Phase |
---|---|
Pod properties | |
Log | containers that run in the host network namespace |
Log | containers that run in the host IPC namespace |
Log | containers that run in the host PID namespace |
Container properties | |
Block | containers that are permitted to run as root |
Block | privileged containers |
Block | containers with privilege escalation rights |
Block | containers that can write to the root filesystem |
Block | containers with capabilities that do not conform with a baseline policy |
Continuous Phase Possible Actions:
- Log
- Isolate
- Terminate
Action | Continuous Phase |
---|---|
Pod properties | |
Log | containers that run in the host network namespace |
Log | containers that run in the host IPC namespace |
Log | containers that run in the host PID namespace |
Container properties | |
Terminate | containers that are permitted to run as root |
Terminate | privileged containers |
Terminate | containers with privilege escalation rights |
Isolate | containers that can write to the root filesystem |
Isolate | containers with capabilities that do not conform with a baseline policy |
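The two tables above, applied to a pod spec, as an added example (not part of the product or its documentation). It assumes the listed properties correspond to the standard Kubernetes `hostNetwork`/`hostIPC`/`hostPID` and `securityContext` fields, that "a baseline policy" means the capability add-list of the Kubernetes Pod Security Standards baseline profile, and that the strongest matching action wins; `violations`, `decide` and the sample manifests are hypothetical names and constructed data.

```python
# Added example: maps pod spec fields onto the recommended actions in the tables above.
# Assumption: "baseline policy" = capability add-list of the Kubernetes PSS baseline profile.
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
                 "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP",
                 "SETUID", "SYS_CHROOT"}
# property -> (deployment-phase action, continuous-phase action), copied from the tables
ACTIONS = {
    "hostNetwork": ("Log", "Log"), "hostIPC": ("Log", "Log"), "hostPID": ("Log", "Log"),
    "runAsRoot": ("Block", "Terminate"), "privileged": ("Block", "Terminate"),
    "privilegeEscalation": ("Block", "Terminate"),
    "writableRootFilesystem": ("Block", "Isolate"),
    "nonBaselineCapabilities": ("Block", "Isolate"),
}
# Constructed sample manifests (already parsed from YAML/JSON into dicts)
HARDENED = {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
    {"name": "api", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}
RISKY = {"spec": {"hostPID": True, "containers": [
    {"name": "agent", "securityContext": {
        "privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}

def violations(pod):
    """Return (subject, property) pairs for every table row the pod spec matches."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    found = [("pod", p) for p in ("hostNetwork", "hostIPC", "hostPID") if spec.get(p) is True]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # A container-level runAsNonRoot overrides the pod-level value.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        added = {x.upper() for x in (sc.get("capabilities") or {}).get("add", [])}
        checks = {
            "runAsRoot": non_root is not True,  # unset means root is permitted
            "privileged": sc.get("privileged") is True,
            "privilegeEscalation": sc.get("allowPrivilegeEscalation") is not False,
            "writableRootFilesystem": sc.get("readOnlyRootFilesystem") is not True,
            "nonBaselineCapabilities": bool(added - BASELINE_CAPS),
        }
        found += [(c["name"], p) for p, hit in checks.items() if hit]
    return found

def decide(pod, phase):
    """Strongest recommended action for phase 'deployment' or 'continuous'."""
    rank = ["Allow", "Log", "Isolate", "Block", "Terminate"]
    idx = 0 if phase == "deployment" else 1
    acts = [ACTIONS[p][idx] for _, p in violations(pod)]
    return max(acts, key=rank.index, default="Allow")
```

Note that a container with no `securityContext` at all matches three of the five container rows, because the Kubernetes defaults permit root, privilege escalation and a writable root filesystem.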
Runtime security provides visibility into container activity that violates a customizable set of rules. Currently, runtime security includes a set of pre-defined rules that provide visibility into MITRE ATT&CK framework tactics for containers, as well as container drift detection. Container Security can automatically mitigate problems detected by the runtime security feature. If a pod violates any rule during runtime, the issue is mitigated by terminating or isolating the pod based on the ruleset assigned to its Container Security policy.
This feature is compatible with Kubernetes and supports Amazon EKS, Microsoft Azure AKS, Google GKE, and OpenShift. It is currently supported on default and the most recent Linux kernels. For more information, visit the Help Center article, Configuring runtime security.
MITRE ATT&CK Container Matrix
Most rules are mapped to MITRE ATT&CK techniques for containers. Highlighted in orange below are the techniques that are in the Impact tactic.
Runtime Possible Actions
- Log
- Isolate
- Terminate
Rule ID | Name | Description | Enable | Action | RD Resource |
---|---|---|---|---|---|
TM-00000002 | (T1059.004)Update Package Repository | Detect when package repositories are updated | X | Log | Link |
TM-00000004 | (T1003.008)Read sensitive file trusted after startup | Attempt to read any sensitive file by a trusted program after startup. Trusted programs might read these files at startup, but not afterwards. | |||
TM-00000005 | (T1021.004)System user interactive | An attempt to run interactive commands by a system (i.e. non-login) user | |||
TM-00000007 | (T1020)System procs network activity | Network activity performed by system binaries that are not expected to send or receive any network traffic | X | Isolate | Link |
TM-00000009 | (T1613)Contact K8S API Server From Container | Detect attempts to contact the K8S API Server from a container | X | Isolate | Link |
TM-00000010 | (T1543)Launch Package Management Process in Container | Package management process ran inside container | X | Log | Link |
TM-00000012 | (T1070.002)Clear Log Activities | Detect modification or removal of critical log files | X | Terminate | Link |
TM-00000013 | (T1059.004)Create Symlink Over Sensitive Files | Detect symlink created over sensitive files | |||
TM-00000014 | (T1068)Packet socket created in container | Detect a new packet socket at the device driver level (OSI L2) in a container. A packet socket could be used by an attacker for ARP spoofing and privilege escalation (CVE-2020-14386). | |||
TM-00000015 | Redirect STDOUT/STDIN to Network Connection in Container | Detect redirecting stdout/stdin to network connection in container (potential reverse shell). | |||
TM-00000016 | (T1547.006)Linux Kernel Module Injection Detected | Detect that a kernel module was injected (from a container). | |||
TM-00000018 | (T1105)Launch Remote File Copy Tools in Container | Detect remote file copy tools launched in container | X | Log | Link |
TM-00000019 | (T1613)Specific discovery tool executed in container | Detect execution of specific discovery and/or hacking tools inside container | X | Terminate | |
TM-00000020 | (T1613)Amicontained download detected in container | Detect download of amicontained | |||
TM-00000021 | (T1562.001)Disable Security Tools | Detect an attempt to disable specific security tools | X | Terminate | Link |
TM-00000022 | (T1609)Docker or kubernetes client executed in container | Detect a docker or kubernetes client tool executed inside a container | X | Log | Link |
TM-00000023 | (T1611)Escape attempt detected in privileged container | Detect usage of debugfs and mount in container | |||
TM-00000024 | (T1496)HugePages changed in container | Detect HugePages modification as part of mining changes done during XMRig usage | |||
TM-00000025 | (T1496)Detect crypto miners using the Stratum protocol | Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp' and variants | X | Terminate | Link |
TM-00000026 | (T1053.003)Schedule Cron Jobs | Detect cron jobs scheduled | |||
TM-00000027 | (T1574.006)Dynamic linker changed | Changes to /etc/ld.so.preload may indicate rootkit | |||
TM-00000028 | (T1059)DB program spawned process | DB related program spawned a new process other than itself. Can indicate successful SQL injection. | |||
TM-00000029 | (T1021.004)Lateral Movement using SSH | SSH execution with StrictHostKeyChecking and BatchMode. Can indicate scripted lateral movement attempt. | X | Log | Link |
TM-00000030 | (T1496)Detect miner termination in container | Miners typically kill other competing miners. | X | Terminate | Link |
TM-00000031 | (T1610)Launch Privileged Container | Detect the initial process started in a privileged container. | X | Terminate | Link |
TM-00000032 | (T1070)Delete or rename shell history | Detect shell history deletion | |||
TM-00000033 | (T1222.002)File attributes changed in container | Detect an attempt to change attributes on file in container | X | Terminate | Link |
TM-00000034 | (T1548.001)Set Setuid or Setgid bit | When the setuid or setgid bits are set for an application, this means that the application will run with the privileges of the owning user or group respectively. | |||
TM-00000035 | (T1070.004)Dangerous deletion detected in container | Detect an attempt to destroy everything | |||
TM-00000036 | (T1071)Possible IRC communication in container | Detect communication based on known IRC port(TCP/6667, TCP/6697 for TLS). | |||
TM-00000037 | (T1613)BOtB download detected in container | Detect download of complex analysis and exploitation tool for containers(https://github.com/brompwnie/botb) | X | Terminate | Link |
TM-00000038 | (T1613)Peirates tool detected in container | Detect download of complex analysis and exploitation tool for containers(https://github.com/inguardians) | X | Terminate | Link |
TM-00000039 | (T1041)Interpreted procs inbound network activity | Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.) | |||
TM-00000040 | (T1041)Interpreted procs outbound network activity | Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.) | |||
TM-00000041 | (T1552)Search Private Keys or Passwords | Detect grep for private keys or passwords, also includes find command. | X | Terminate | Link |
TM-00000042 | (T1070.004)Unexpected process termination in container | Detect an attempt to get specific processes and kill them, often seen as part of miner deployment and termination of rivals. | X | Terminate | Link |
TM-00000043 | New executable created (chmod) | New executable created in container with chmod | X | Log | Link |
TM-00000044 | New executable created (open+create) | New executable created in a container with open+create | X | Log | Link |
TM-00000046 | Out-of-namespace network access attempts | Access kubernetes out-of-namespace resource | |||
TM-00000047 | (T1070.002)Suspicious log manipulation | Detect targeted modification of critical log files | |||
TM-00000048 | (T1611) Switch Linux namespace | Unauthorized usage of setns syscalls, which could lead to container escape | |||
TM-00000049 | (T1105)Launch Ingress Remote File Copy Tools in Container | Detect ingress remo |
Orientation | RD Resource |
---|---|
One of the basic things that you can do to secure the control plane is to perform integrity monitoring for the most critical Kubernetes files. By doing this, you will be alerted immediately of any change in the configuration. From a Kubernetes security perspective, critical files are those that can affect the entire cluster when compromised. | Link |
There are still organizations that make the critical mistake of leaving the kube-apiserver publicly exposed. Exposing your API server to the public is the most common entry point for attackers, and allows them to take over your cluster. | Link |
It is important to know that privileged containers can be used as entry points for attacks and to spread malicious code or malware to compromised hosts and networks. But this is not the only issue—there are other misconfigurations in containers that can put the underlying host at risk. | Link |
To prevent security issues, it is recommended that you do not run privileged containers in your environment. Instead, provide granular permissions and capabilities to the container environment. Giving containers full access to the host can create security flaws in your production environment. This is the reason that, by default, containers are “unprivileged” and cannot access all the devices in the host. However, this doesn’t mean that privileged containers should not be used at all. Some projects and environments may require their use, but organizations need to make sure that safeguards and security recommendations are in place when running such containers. | Link |
The analyzed samples don’t just search for resource-intensive processes on the host machine; they also look for deployed Docker containers that are conducting mining operations. This behavior aims to guarantee that the latest deployed malware gets to use the host’s computing power. | Link |
A common trend or technique that malware actors used in the past involved exploiting a vulnerability in a publicly hosted service to gain code execution privileges. This technique allowed an attacker to create a botnet or install a coinminer in the system. A newer technique that entails looking for open APIs, which allow sprawling containers or gain code execution privileges, is becoming more common. When it comes to cryptocurrency-mining malware, there has been a move from on-premise devices to containers and the cloud. | Link |