Policies define the rules that are used to control what is allowed to run in your Kubernetes cluster. You will define one policy for each cluster that you want to protect, with a default set of rules (also known as a "policy definition") that apply to the entire cluster. If your cluster contains more than one namespace, you can also define separate sets of rules for the namespaces. Any namespace rules take precedence over the cluster-wide rules.
For more information, visit the Help Center article, Defining a policy for a cluster .
Exceptions:
When your architecture demands executing containers with privileges, you can create policies based on specific namespaces. This way you can manage it without exposing all your environment to too broad rules.
Recommendations:
Deployment Phase Possible Actions:
- Log
- Block
| Action | Deployment Phase |
| Pod properties | |
| Log | containers that run in the host network namespace |
| Log | containers that run in the host IPC namespace |
| Log | containers that run in the host PID namespace |
| Container properties | |
| Block | containers that are permitted to run as root |
| Block | privileged containers |
| Block | containers with privilege escalation rights |
| Block | containers that can write to the root filesystem |
| Block | containers with capabilities that do not conform with a baseline policy |
Continuous Phase Possible Actions:
- Log
- Isolate
- Terminate
| Action | Continuous Phase |
| Pod properties | |
| Log | containers that run in the host network namespace |
| Log | containers that run in the host IPC namespace |
| Log | containers that run in the host PID namespace |
| Container properties | |
| Terminate | containers that are permitted to run as root |
| Terminate | privileged containers |
| Terminate | containers with privilege escalation rights |
| Isolate | containers that can write to the root filesystem |
| Isolate | containers with capabilities that do not conform with a baseline policy |
Runtime security provides visibility into container activity that violates a customizable set of rules. Currently, runtime security includes a set of pre-defined rules that provide visibility into MITRE ATT&CK framework tactics for containers, as well as container drift detection. Container Security can automatically mitigate problems detected by the runtime security feature. If a pod violates any rule during runtime, the issue is mitigated by terminating or isolating the pod based on the ruleset assigned to its Container Security policy.
This feature is compatible with Kubernetes and supports Amazon EKS, Microsoft Azure AKS, Google GKE, and OpenShift. It is currently supported with default and the most recent Linux kernels. For more information, visit the Help Center article, Configuring runtime security .
Whatever rules are set to terminate/isolate should be first tested via “log”. Terminate/isolate is suggested for PROD environments only, because it can disrupt development or testing.
Mitre Attack Container Matrix
Most rules are mapped to Mitre Attack Techniques for Containers.
Runtime Possible Actions
- Log
- Isolate
- Terminate
| ID | Rule | Description | Enable | Action | RD Resource |
| TM-00000001 | (T1546.004)Modify Shell Configuration File | Detect attempt to modify shell configuration files | X | Log | - |
| TM-00000002 | (T1505)Update Package Repository | Detect package repositories get updated | X | Log | Link |
| TM-00000003 | (T1555)Read ssh information | Any attempt to read files below ssh directories by non-ssh programs | X | Log | - |
| TM-00000004 | (T1555)Read sensitive file trusted after startup | Attempt to read any sensitive file by a trusted program after startup. Trusted programs might read these files at startup but not afterwards. | - | - | |
| TM-00000005 | (T1021.004)System user interactive | an attempt to run interactive commands by a system (i.e. non-login) user | - | - | |
| TM-00000006 | (T1059.004)Terminal shell in container | A shell was used as the entrypoint/exec point into a container with an attached terminal. | X | Log | - |
| TM-00000007 | (T1020)System procs network activity | Network activity performed by system binaries that are not expected to send or receive any network traffic | X | Log | Link |
| TM-00000008 | (T1552.005)Contact EC2 Instance Metadata Service From Container | Detect attempts to contact the EC2 Instance Metadata Service from a container | - | - | |
| TM-00000010 | (T1543)Launch Package Management Process in Container | Package management process ran inside container | X | Log | Link |
| TM-00000011 | (T1059.004)Netcat Remote Code Execution in Container | Netcat Program runs inside container that allows remote code execution | X | Isolate | - |
| TM-00000012 | (T1070.002)Clear Log Activities | Detect modification or removal of critical log files | X | Log | Link |
| TM-00000013 | (T1059.004)Create Symlink Over Sensitive Files | Detect symlink created over sensitive files | X | Terminate | - |
| TM-00000014 | (T1205.002)Packet socket created in container | Detect new packet socket at the device driver (OSI L2) in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker. | - | - | |
| TM-00000015 | Redirect STDOUT/STDIN to Network Connection in Container | Detect redirecting stdout/stdin to network connection in container (potential reverse shell). | - | - | |
| TM-00000016 | (T1547.006)Linux Kernel Module Injection Detected | Detect kernel module was injected (from container). | X | Terminate | - |
| TM-00000017 | (T1548.003)Sudo Potential Privilege Escalation | Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root. | X | Terminate | - |
| TM-00000018 | (T1105)Launch Remote File Copy Tools in Container | Detect remote file copy tools launched in container | X | Log | Link |
| TM-00000019 | (T1613)Specific discovery tool executed in container | Detect execution of specific discovery and/or hacking tools inside container | X | Log | - |
| TM-00000020 | (T1613)Amicontained download detected in container | Detect download of amicontained | - | - | |
| TM-00000021 | (T1562.001)Disable Security Tools | Detect an attempt to disable specific security tools | X | Terminate | Link |
| TM-00000022 | (T1609)Docker or kubernetes client executed in container | Detect a docker or kubernetes client tool executed inside a container | X | Log | Link |
| TM-00000023 | (T1611)Escape attempt detected in privileged container | Detect usage of debugfs and mount in container | X | Log | - |
| TM-00000024 | (T1496)HugePages changed in container | Detect HugePages modification as part of mining changes done during XMRig usage | - | - | |
| TM-00000025 | (T1496)Detect crypto miners using the Stratum protocol | Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp' and variants | X | Terminate | Link |
| TM-00000026 | (T1053.003)Schedule Cron Jobs | Detect cron jobs scheduled | X | Log | - |
| TM-00000027 | (T1574.006)Dynamic linker changed | Changes to /etc/ld.so.preload may indicate rootkit | X | Log | - |
| TM-00000028 | (T1059)DB program spawned process | DB related program spawned a new process other than itself. Can indicate successfull SQL injection. | - | - | |
| TM-00000029 | (T1021.004)Lateral Movement using SSH | SSH execution with StrictHostKeyChecking and BatchMode. Can indicate scripted lateral movement attempt. | X | Terminate | Link |
| TM-00000030 | (T1496)Detect miner termination in container | Miners typically kill other competeting miners. | X | Terminate | Link |
| TM-00000031 | (T1610)Launch Privileged Container | Detect the initial process started in a privileged container. | X | Log | Link |
| TM-00000032 | (T1070)Delete or rename shell history | Detect shell history deletion | - | - | |
| TM-00000033 | (T1222.002)File attributes changed in container | Detect an attempt to change attributes on file in container | X | Log | Link |
| TM-00000034 | (T1548.001)Set Setuid or Setgid bit | When the setuid or setgid bits are set for an application this means that the application will run with the privileges of the owning user or group respectively. | X | Log | - |
| TM-00000035 | (T1070.004)Dangerous deletion detected in container | Detect an attempt to destroy everything | X | Log | - |
| TM-00000036 | (T1071)Possible IRC communication in container | Detect communication based on known IRC port(TCP/6697 for TLS) | - | - | |
| TM-00000037 | (T1613)BOtB download detected in container | Detect download of complex analysis and exploitation tool for containers(https://github.com/brompwnie/botb) | X | Terminate | Link |
| TM-00000038 | (T1613)Peirates tool detected in container | Detect download of complex analysis and exploitation tool for containers(https://github.com/inguardians) | X | Terminate | Link |
| TM-00000039 | (T1041)Interpreted procs inbound network activity | Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.) | - | - | |
| TM-00000040 | (T1041)Interpreted procs outbound network activity | Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.) | - | - | |
| TM-00000041 | (T1552)Search Private Keys or Passwords | Detect grep for private keys or passwords also includes find command. | X | Terminate | Link |
| TM-00000042 | (T1070.004)Unexpected process termination in container | Detect an attempt get specific processes and kill them often seen as part of miners deployment and rivals termination. | - | Link | |
| TM-00000047 | (T1070.002)Suspicious log manipulation | Detect targeted modification of critical log files | X | Log | - |
| TM-00000048 | (T1611) Switch Linux namespace | Unauthorized usage of setns syscalls which could lead to container escape | X | Log | - |
| TM-00000049 | (T1105)Launch Ingress Remote File Copy Tools in Container | Detect ingress remote file copy tools launched in container | X | Log | - |
| TM-00000050 | (T1059.004)Execution from /dev/shm | Detect file execution from the /dev/shm directory a common tactic for threat actors to stash their files. | X | Log | - |
| TM-00000051 | (T1552.001)Find AWS Credentials | Detect usage of find or grep trying to access AWS credentials. | X | Log | - |
| TM-00000052 | (T1055.008)PTRACE attached to process | Detect attempts to inject code into a process using PTRACE. | X | Log | - |
| TM-00000053 | (T1564.001)Create Hidden Files or Directories | Detect hidden files or directories created | - | - | |
| TM-00000054 | (T1222.002)Mkdir binary dirs | Attempt to create a directory below a set of binary directories. | - | - | |
| TM-00000055 | (T1222.002)Modify binary dirs | Attempt to modify any file below a set of binary directories. | X | Log | - |
| TM-00000056 | (T1068)Polkit Local Privilege Escalation | Attempt to exploit a privilege escalation vulnerability in Polkit's pkexec | X | Terminate | - |
| TM-00000057 | (T1505)Write below rpm database | Attempt to write to the rpm database by any non-rpm related program | X | Log | - |
| TM-00000058 | (T1496)Increase Resource Limits via Prlimit Command in Container | The prlimit command sets or reports the limits of system-wide resources. | - | - | |
| TM-00000059 | (T1136.001)A Local User Added in Container | User account creation detected in container. | X | Log | - |
| TM-00000060 | (T1098)A Local User Deleted in Container | User account deletion detected in container. | - | - | |
| TM-00000061 | (T1562)Write to Selinux Config | Detect an attempt to write content to the /etc/selinux/config file | - | - | |
| TM-00000062 | (T1053.002)Create Scheduled Task Using At | At utility used to perform task scheduling for initial or recurring execution of code. | - | - | |
| TM-00000063 | (T1053.006)Create Scheduled Task Using Systemd Timers | Systemd timers used to perform task scheduling for initial or recurring execution of code. | - | - | |
| TM-00000064 | (T1562)Write to System Control | Detect an attempt to write content to the /etc/sysctl.conf file | X | Log | - |
| TM-00000068 | Python urllib Import Command Execution | Detect "import urllib" or "import urllib2" command execution in python or python3 | - | - | |
| TM-00000083 | (T1620)File Executed from Memory | Detect reflective code load into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process | X | Log | - |
| TM-00000084 | (T1055.009)Inject File to Process Memory Virtual Space | Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. | X | Log | - |
| TM-00000089 | Suspicious Directory Change via ProcFD | Process attempts to change its working directory using a proc-based file descriptor. Possible CVE-2024-21626 indicator. | X | Log | - |
| TM-00000093 | Grep Search on Shell Configuration File | Detect an attempt to search a shell configuration file. | - | - | |
| TM-00000096 | Vulnerable liblzma loaded into sshd | (T1569.002) liblzma.so.5 loaded into sshd possible supply chain attack (CVE-2024-3094) | X | Terminate | - |
| TM-00000097 | Iptables Modification | Detect iptables modification via command execution. | - | - |
| Orientation | RD Resource |
|---|---|
| One of the basic things that you can do to secure the control plane is to perform integrity monitoring for the most critical Kubernetes files. By doing this, you will be alerted immediately of any change in the configuration. From a Kubernetes security perspective, critical files are those that can affect the entire cluster when compromised. | Link |
| There are still organizations that make the critical mistake of leaving the kube-apiserver publicly exposed. Exposing your API server to the public is the most common entry point for attackers, and allows them to take over your cluster. | Link |
| It is important to know that privileged containers can be used as entry points for attacks and to spread malicious code or malware to compromised hosts and networks. But this is not the only issue—there are other misconfigurations in containers that can put the underlying host at risk. | Link |
| To prevent security issues, it is recommended that you do not run privileged containers in your environment. Instead, provide granular permissions and capabilities to the container environment. Giving containers full access to the host can create security flaws in your production environment. This is the reason that, by default, containers are “unprivileged” and cannot access all the devices in the host. However, this doesn’t mean that privileged containers should not be used at all. Some projects and environments may require its usage, but organizations need to make sure that safeguards and security recommendations are set in place when running such containers. | Link |
| The analyzed samples don’t just search for resource-intensive processes on the host machine; they also look for deployed Docker containers that are conducting mining operations. This behavior aims to guarantee that the latest deployed malware gets to use the host’s computing power. | Link |
| A common trend or technique that malware actors used in the past involved exploiting a vulnerability in a publicly hosted service to gain code execution privileges. This technique allowed an attacker to create a botnet or install a coinminer in the system. A newer technique that entails looking for open APIs, which allow sprawling containers or gain code execution privileges, is becoming more common. When it comes to cryptocurrency-mining malware, there has been a move from on-premise devices to containers and the cloud. | Link |