From 701c8a0e226985f7669cacf49d4e36c0147ee105 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Tue, 4 Oct 2022 16:56:45 -0400
Subject: [PATCH] Rule Changes (#2337)
K8s Rule Changes
---
 detection_rules/etc/non-ecs-schema.json | 3 +-
 ...covery_suspicious_self_subject_review.toml | 15 +++++----
 .../execution_user_exec_to_pod.toml | 11 ++++---
 ...l_access_anonymous_request_authorized.toml | 5 +--
 ...ed_service_created_with_type_nodeport.toml | 12 ++++---
 ...e_escalation_pod_created_with_hostipc.toml | 20 ++++++++----
 ...calation_pod_created_with_hostnetwork.toml | 18 +++++++----
 ...e_escalation_pod_created_with_hostpid.toml | 18 +++++++----
 ...eated_with_sensitive_hostpath_volume.toml} | 32 +++++++++++++++----
 ...ege_escalation_privileged_pod_created.toml | 17 ++++++----
 ...ignment_of_controller_service_account.toml | 6 ++--
 11 files changed, 107 insertions(+), 50 deletions(-)
 rename rules/integrations/kubernetes/{privilege_escalation_pod_created_with_sensitive_hospath_volume.toml => privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml} (71%)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 99952e827..8ca578d13 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -88,6 +88,7 @@
 "kubernetes.audit.objectRef.namespace": "keyword",
 "kubernetes.audit.objectRef.serviceAccountName": "keyword",
 "kubernetes.audit.requestObject.spec.serviceAccountName": "keyword",
- "kubernetes.audit.responseStatus.reason": "keyword"
+ "kubernetes.audit.responseStatus.reason": "keyword",
+ "kubernetes.audit.requestObject.spec.containers.image": "text"
 }
 }
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index 092ef1d83..b3cc14648 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
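Review bot: The new schema entry declares kubernetes.audit.requestObject.spec.containers.image as "text" while every neighbouring field in the hunk is "keyword", and the rules in this patch use that field for exact image exclusions. Against a text mapping a KQL clause such as `field: ("docker.elastic.co/beats/elastic-agent:8.4.0")` is a phrase match over analyzed tokens rather than an exact comparison, so the exclusion is wider than the string suggests. Unless the Kubernetes integration really maps this field as text, `"kubernetes.audit.requestObject.spec.containers.image": "keyword"` would make rule validation reflect the real mapping.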
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/06/30"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2022/10/03"
 [rule]
 author = ["Elastic"]
@@ -41,9 +41,12 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.verb:"create"
-and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews")
-and kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*)
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.verb:"create"
+ and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews")
+ and (kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*)
+ or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*))
 '''
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index 31e8714df..1911c2208 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/05/17"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2022/10/03"
 [rule]
 author = ["Elastic"]
@@ -43,7 +43,10 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.objectRef.resource:"pods"
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.verb:"create"
+ and kubernetes.audit.objectRef.resource:"pods"
 and kubernetes.audit.objectRef.subresource:"exec"
 '''
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index af92e9e4d..d5b6fd3f6 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -4,7 +4,7 @@ integration = "kubernetes"
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/09/20"
+updated_date = "2022/10/03"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
 and (kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated") or not kubernetes.audit.user.username:*)
 and not kubernetes.audit.objectRef.resource:("healthz" or "livez" or "readyz")
 '''
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index e6d6ce886..cd6643506 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2022/10/03"
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,11 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.objectRef.resource:"services" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.type:"NodePort"
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.objectRef.resource:"services"
+ and kubernetes.audit.verb:("create" or "update" or "patch")
+ and kubernetes.audit.requestObject.spec.type:"NodePort"
 '''
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index 486452743..850004d4f 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -2,25 +2,26 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2022/10/03"
 [rule]
 author = ["Elastic"]
 description = """
 This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by
-any pod that also use the host�s IPC namespace. If any process on the host or any processes in a pod uses the host�s
+any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts
 inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.
 """
 false_positives = [
 """
- An administrator or developer may want to use a pod that runs as root and shares the host�s IPC, Network, and PID
+ An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID
 namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and
- network namespaces from the host's perspective.
+ network namespaces from the host's perspective. Add exceptions for trusted container images using the query field
+ "kubernetes.audit.requestObject.spec.container.image"
 """,
 ]
 index = ["logs-kubernetes.*"]
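Review bot: The false_positives guidance added at the end of the hunk tells analysts to build exceptions on "kubernetes.audit.requestObject.spec.container.image" (singular "container"), but the field the query and the non-ecs schema in this patch actually use is kubernetes.audit.requestObject.spec.containers.image, so an exception written from the documentation would never match; the same text is added in the hostnetwork, hostpid, sensitive-hostpath and privileged-pod rules. Suggested wording: `"kubernetes.audit.requestObject.spec.containers.image"`. Separately, the description fix replaces the mis-encoded apostrophe by dropping it (`the hosts IPC namespace`) while the false_positives paragraph in the same hunk writes `host's`; `the host's IPC namespace` would be consistent (the hostnetwork and hostpid false_positives lines have the same `hosts` form).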
@@ -43,7 +44,12 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostIPC:true
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.objectRef.resource:"pods"
+ and kubernetes.audit.verb:("create" or "update" or "patch")
+ and kubernetes.audit.requestObject.spec.hostIPC:true
+ and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
 '''
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 3b4443f52..ede8ae447 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2022/10/03"
 [rule]
 author = ["Elastic"]
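Review bot: The exclusion on the last added line is pinned to a single image tag, docker.elastic.co/beats/elastic-agent:8.4.0, so the next agent release silently re-enables alerting on every Elastic Agent daemonset pod and each version will require a rule edit; the same pinned clause is added in the hostnetwork, hostpid, sensitive-hostpath and privileged-pod query hunks. If the field is mapped as keyword, anchoring on the repository rather than the tag, `and not kubernetes.audit.requestObject.spec.containers.image: docker.elastic.co/beats/elastic-agent*`, avoids the per-release churn; otherwise moving the allow-list into a rule exception lets each deployment maintain it. Note also that the schema change in this patch declares the field as text, which makes this clause a phrase match rather than an exact comparison.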
@@ -16,10 +16,11 @@ applied to its given namespace.
 """
 false_positives = [
 """
- An administrator or developer may want to use a pod that runs as root and shares the host�s IPC, Network, and PID
+ An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID
 namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and
- network namespaces from the host's perspective.
+ network namespaces from the host's perspective. Add exceptions for trusted container images using the query field
+ "kubernetes.audit.requestObject.spec.container.image"
 """,
 ]
 index = ["logs-kubernetes.*"]
@@ -42,7 +43,12 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostNetwork:true
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.objectRef.resource:"pods"
+ and kubernetes.audit.verb:("create" or "update" or "patch")
+ and kubernetes.audit.requestObject.spec.hostNetwork:true
+ and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
 '''
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index 70455db95..d8d2b2e19 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2022/10/03"
 [rule]
 author = ["Elastic"]
@@ -17,10 +17,11 @@ they could execute a shell and continue to escalate privileges to root.
 """
 false_positives = [
 """
- An administrator or developer may want to use a pod that runs as root and shares the host�s IPC, Network, and PID
+ An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID
 namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and
- network namespaces from the host's perspective.
+ network namespaces from the host's perspective. Add exceptions for trusted container images using the query field
+ "kubernetes.audit.requestObject.spec.container.image"
 """,
 ]
 index = ["logs-kubernetes.*"]
@@ -43,7 +44,12 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and kubernetes.audit.requestObject.spec.hostPID:true
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.objectRef.resource:"pods"
+ and kubernetes.audit.verb:("create" or "update" or "patch")
+ and kubernetes.audit.requestObject.spec.hostPID:true
+ and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
 '''
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
similarity index 71%
rename from rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
rename to rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
index 33fc1c822..13684c16e 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/11"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2022/10/03"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,8 @@ false_positives = [
 legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and
- /var/log.
+ /var/log. Add exceptions for trusted container images using the query field
+ "kubernetes.audit.requestObject.spec.container.image"
 """,
 ]
 index = ["logs-kubernetes.*"]
@@ -42,9 +43,28 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.objectRef.resource:"pods"
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.objectRef.resource:"pods"
 and kubernetes.audit.verb:("create" or "update" or "patch")
- and kubernetes.audit.requestObject.spec.volumes.hostPath.path:("/" or "/proc" or "/root" or "/var" or "/var/run/docker.sock" or "/var/run/crio/crio.sock" or "/var/run/cri-dockerd.sock" or "/var/lib/kubelet" or "/var/lib/kubelet/pki" or "/var/lib/docker/overlay2" or "/etc" or "/etc/kubernetes" or "/etc/kubernetes/manifests" or "/home/admin")
+ and kubernetes.audit.requestObject.spec.volumes.hostPath.path:
+ ("/" or
+ "/proc" or
+ "/root" or
+ "/var" or
+ "/var/run" or
+ "/var/run/docker.sock" or
+ "/var/run/crio/crio.sock" or
+ "/var/run/cri-dockerd.sock" or
+ "/var/lib/kubelet" or
+ "/var/lib/kubelet/pki" or
+ "/var/lib/docker/overlay2" or
+ "/etc" or
+ "/etc/kubernetes" or
+ "/etc/kubernetes/manifests" or
+ "/etc/kubernetes/pki" or
+ "/home/admin")
+ and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
 '''
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index 8451dd09b..17c0adfef 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+min_stack_comments = "New fields added to Kubernetes Integration"
+min_stack_version = "8.4.0"
+updated_date = "2022/10/03"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,8 @@ false_positives = [
 By default a container is not allowed to access any devices on the host, but a "privileged" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities
- such as manipulating the network stack or accessing hardware devices from within the cluster.
+ such as manipulating the network stack or accessing hardware devices from within the cluster. Add exceptions for
+ trusted container images using the query field "kubernetes.audit.requestObject.spec.container.image"
 """,
 ]
 index = ["logs-kubernetes.*"]
@@ -42,8 +43,12 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and
- kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.objectRef.resource:pods
+ and kubernetes.audit.verb:create
+ and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true
+ and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
 '''
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index c6a1ed0de..948324296 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
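Review bot: The rewritten query in the second hunk keeps `and kubernetes.audit.verb:create`, whereas the hostIPC, hostNetwork, hostPID and hostPath rules in this same patch all match `kubernetes.audit.verb:("create" or "update" or "patch")`; if the narrower verb set is intentional for privileged containers, a short sentence in the description saying so would stop the next maintainer from "fixing" it, and if not it should be aligned. As a point of style, `resource:pods` and `verb:create` are left unquoted here while every other rule in the patch quotes its values (`"pods"`, `"create"`); quoting them keeps the rule set uniform.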
@@ -4,7 +4,7 @@ integration = "kubernetes"
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/09/20"
+updated_date = "2022/10/03"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,9 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs" and kubernetes.audit.verb : "create"
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.verb : "create"
 and kubernetes.audit.objectRef.resource : "pods"
 and kubernetes.audit.objectRef.namespace : "kube-system"
 and kubernetes.audit.requestObject.spec.serviceAccountName:*controller