Kubernetes Container Created with Excessive Linux Capabilities

 1[metadata]
 2creation_date = "2022/09/20"
 3integration = ["kubernetes"]
 4maturity = "production"
 5min_stack_comments = "New fields added to Kubernetes Integration"
 6min_stack_version = "8.4.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the
13ability to deploy a container with added capabilities could use this for further execution, lateral movement, or
14privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the
15host machine.
16"""
17false_positives = [
18    """
19    Some container images require the addition of privileged capabilities. This rule leaves space for the exception of
20    trusted container images. To add an exception, add the trusted container image name to the query field,
21    kubernetes.audit.requestObject.spec.containers.image.
22    """,
23]
24index = ["logs-kubernetes.*"]
25language = "kuery"
26license = "Elastic License v2"
27name = "Kubernetes Container Created with Excessive Linux Capabilities"
28note = """## Triage and analysis
29
30### Investigating Kubernetes Container Created with Excessive Linux Capabilities
31
32Linux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change
33core processes, change network settings of a cluster, or directly access the underlying host. The following have been used in container escape techniques:
34
35BPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.
36DAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.
37NET_ADMIN - Perform various network-related operations.
38SYS_ADMIN - Perform a range of system administration operations.
39SYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.
40SYS_MODULE - Load and unload kernel modules.
41SYS_PTRACE - Trace arbitrary processes using ptrace(2).
42SYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).
43SYSLOG - Perform privileged syslog(2) operations.
44
45### False positive analysis
46
47- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.
48
49## Setup
50
51The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
52references = [
53    "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container",
54    "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities",
55    "https://man7.org/linux/man-pages/man7/capabilities.7.html",
56    "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities",
57]
58risk_score = 47
59rule_id = "7164081a-3930-11ed-a261-0242ac120002"
60severity = "medium"
61tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
62timestamp_override = "event.ingested"
63type = "query"
64
65query = '''
66event.dataset: kubernetes.audit_logs
67  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
68  and kubernetes.audit.verb: create
69  and kubernetes.audit.objectRef.resource: pods
70  and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: ("BPF" or "DAC_READ_SEARCH"  or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or "SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO"  or "SYSLOG")
71  and not kubernetes.audit.requestObject.spec.containers.image : ("docker.elastic.co/beats/elastic-agent:8.4.0" or "rancher/klipper-lb:v0.3.5" or "")
72'''
73
74
75[[rule.threat]]
76framework = "MITRE ATT&CK"
77[[rule.threat.technique]]
78id = "T1611"
79name = "Escape to Host"
80reference = "https://attack.mitre.org/techniques/T1611/"
81
82
83[rule.threat.tactic]
84id = "TA0004"
85name = "Privilege Escalation"
86reference = "https://attack.mitre.org/tactics/TA0004/"
87[[rule.threat]]
88framework = "MITRE ATT&CK"
89[[rule.threat.technique]]
90id = "T1610"
91name = "Deploy Container"
92reference = "https://attack.mitre.org/techniques/T1610/"
93
94
95[rule.threat.tactic]
96id = "TA0002"
97name = "Execution"
98reference = "https://attack.mitre.org/tactics/TA0002/"