[New Rule] Kubernetes Pod Created with Sensitive hostPath Volume (#2094)

* [New Rule] Kubernetes Pod Created with Sensitive hostPath Volume

Created the new rule TOML file and updated the non-ECS schema with the Kubernetes audit fields it needs.

* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Isai
2022-07-28 13:09:26 -04:00
committed by GitHub
parent 4f1b7fa448
commit c1486407aa
2 changed files with 81 additions and 1 deletions
+18 -1
@@ -61,6 +61,23 @@
},
"logs-kubernetes.*": {
"kubernetes.audit.objectRef.resource": "keyword",
"kubernetes.audit.objectRef.subresource": "keyword"
"kubernetes.audit.objectRef.subresource": "keyword",
"kubernetes.audit.verb": "keyword",
"kubernetes.audit.user.username": "keyword",
"kubernetes.audit.impersonatedUser.username": "keyword",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",
"kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
"kubernetes.audit.user.groups": "text",
"kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
"kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",
"kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",
"kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser": "long",
"kubernetes.audit.requestObject.spec.hostPID": "boolean",
"kubernetes.audit.requestObject.spec.hostNetwork": "boolean",
"kubernetes.audit.requestObject.spec.hostIPC": "boolean",
"kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",
"kubernetes.audit.requestObject.spec.type": "keyword",
"kubernetes.audit.requestObject.rules.resources": "keyword",
"kubernetes.audit.requestObject.rules.verb": "keyword"
}
}
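Review bot: `"kubernetes.audit.requestObject.rules.verb"` on the last added line looks like it should be `"kubernetes.audit.requestObject.rules.verbs"`; the Kubernetes RBAC PolicyRule object names that field `verbs` (plural, next to `resources`), so a rule querying the singular name would never match unless the integration renames it — verify against the integration's field reference before relying on it. Separately, `"kubernetes.audit.user.groups"` is declared `"text"` while every neighbouring field is `"keyword"`; if rules are expected to do exact matching on group names, `"keyword"` is the safer declaration. The enclosing JSON object starts and ends outside the hunk.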
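--- /dev/null
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2022/07/11"
+integration = "kubernetes"
+maturity = "production"
+min_stack_comments = "Necessary audit log fields not available prior to 8.2"
+min_stack_version = "8.2"
+updated_date = "2022/07/11"
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a
+sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this
+mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem
+can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.
+"""
+false_positives = [
+"""
+An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for
+legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed
+by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates
+several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and
+/var/log.
+""",
+]
+index = ["logs-kubernetes.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Pod created with a Sensitive hostPath Volume"
+note = """## Setup
+The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
+references = [
+"https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216",
+"https://kubernetes.io/docs/concepts/storage/volumes/#hostpath",
+]
+risk_score = 47
+rule_id = "2abda169-416b-4bb3-9a6b-f8d239fd78ba"
+severity = "medium"
+tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+kubernetes.audit.objectRef.resource:"pods"
+and kubernetes.audit.verb:("create" or "update" or "patch")
+and kubernetes.audit.requestObject.spec.volumes.hostPath.path:("/" or "/proc" or "/root" or "/var" or "/var/run/docker.sock" or "/var/run/crio/crio.sock" or "/var/run/cri-dockerd.sock" or "/var/lib/kubelet" or "/var/lib/kubelet/pki" or "/var/lib/docker/overlay2" or "/etc" or "/etc/kubernetes" or "/etc/kubernetes/manifests" or "/home/admin")
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"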
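Review bot: The false-positives guidance misspells the field name as `kuberenetes.audit.requestObject.spec.volumes.hostPath.path`; it should read `kubernetes.audit.requestObject.spec.volumes.hostPath.path`, the field the query actually uses, so analysts can paste it straight into a search. The `tags` array lists "Execution" while the only mapped tactic is TA0004 Privilege Escalation; either drop that tag or add the matching technique under `[[rule.threat]]`. Because the schema change in this commit declares the field as `keyword`, the query only fires on exact path strings; a sentence in `note` such as `Only exact matches on the listed paths trigger this rule; sub-directories and trailing-slash variants are not covered.` would set expectations for triage and tuning. The path in the commit message spells the file name `..._sensitive_hospath_volume.toml`; if that is the real file name it likely wants `hostpath`.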