Kubernetes Container Created with Excessive Linux Capabilities
This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/09/20"
3integration = ["kubernetes"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the
11ability to deploy a container with added capabilities could use this for further execution, lateral movement, or
12privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the
13host machine.
14"""
15false_positives = [
16 """
17 Some container images require the addition of privileged capabilities. This rule leaves space for the exception of
18 trusted container images. To add an exception, add the trusted container image name to the query field,
19 kubernetes.audit.requestObject.spec.containers.image.
20 """,
21]
22index = ["logs-kubernetes.*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Kubernetes Container Created with Excessive Linux Capabilities"
26note = """## Triage and analysis
27
28### Investigating Kubernetes Container Created with Excessive Linux Capabilities
29
30Linux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change
31core processes, change network settings of a cluster, or directly access the underlying host. The following have been used in container escape techniques:
32
33BPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.
34DAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.
35NET_ADMIN - Perform various network-related operations.
36SYS_ADMIN - Perform a range of system administration operations.
37SYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.
38SYS_MODULE - Load and unload kernel modules.
39SYS_PTRACE - Trace arbitrary processes using ptrace(2).
40SYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).
41SYSLOG - Perform privileged syslog(2) operations.
42
43### False positive analysis
44
45- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.
46
47## Setup
48
49The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
50references = [
51 "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container",
52 "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities",
53 "https://man7.org/linux/man-pages/man7/capabilities.7.html",
54 "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities",
55]
56risk_score = 47
57rule_id = "7164081a-3930-11ed-a261-0242ac120002"
58severity = "medium"
59tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
60timestamp_override = "event.ingested"
61type = "query"
62
63query = '''
64event.dataset: kubernetes.audit_logs
65 and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
66 and kubernetes.audit.verb: create
67 and kubernetes.audit.objectRef.resource: pods
68 and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: ("BPF" or "DAC_READ_SEARCH" or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or "SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO" or "SYSLOG")
69 and not kubernetes.audit.requestObject.spec.containers.image : ("docker.elastic.co/beats/elastic-agent:8.4.0" or "rancher/klipper-lb:v0.3.5" or "")
70'''
71
72
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75[[rule.threat.technique]]
76id = "T1611"
77name = "Escape to Host"
78reference = "https://attack.mitre.org/techniques/T1611/"
79
80
81[rule.threat.tactic]
82id = "TA0004"
83name = "Privilege Escalation"
84reference = "https://attack.mitre.org/tactics/TA0004/"
85[[rule.threat]]
86framework = "MITRE ATT&CK"
87[[rule.threat.technique]]
88id = "T1610"
89name = "Deploy Container"
90reference = "https://attack.mitre.org/techniques/T1610/"
91
92
93[rule.threat.tactic]
94id = "TA0002"
95name = "Execution"
96reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Investigating Kubernetes Container Created with Excessive Linux Capabilities
Linux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change core processes, change network settings of a cluster, or directly access the underlying host. The following have been used in container escape techniques:
BPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more. DAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks. NET_ADMIN - Perform various network-related operations. SYS_ADMIN - Perform a range of system administration operations. SYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. SYS_MODULE - Load and unload kernel modules. SYS_PTRACE - Trace arbitrary processes using ptrace(2). SYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)). SYSLOG - Perform privileged syslog(2) operations.
False positive analysis
- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.
Setup
The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.
References
Related rules
- Kubernetes Pod Created With HostIPC
- Kubernetes Pod Created With HostNetwork
- Kubernetes Pod Created With HostPID
- Kubernetes Pod created with a Sensitive hostPath Volume
- Kubernetes Privileged Pod Created