Kubernetes Pod created with a Sensitive hostPath Volume

This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/07/11"
integration = ["kubernetes"]
maturity = "production"
min_stack_comments = "New fields added to Kubernetes Integration"
min_stack_version = "8.4.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a
sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this
mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem
can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.
"""
false_positives = [
    """
    An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for
    legitimacy by determining if the kubernetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed
    by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates
    several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and
    /var/log. Add exceptions for trusted container images using the query field
    "kubernetes.audit.requestObject.spec.containers.image"
    """,
]
index = ["logs-kubernetes.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Pod created with a Sensitive hostPath Volume"
note = """## Setup

The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
references = [
    "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216",
    "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath",
]
risk_score = 47
rule_id = "2abda169-416b-4bb3-9a6b-f8d239fd78ba"
severity = "medium"
tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset : "kubernetes.audit_logs"
  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
  and kubernetes.audit.objectRef.resource:"pods"
  and kubernetes.audit.verb:("create" or "update" or "patch")
  and kubernetes.audit.requestObject.spec.volumes.hostPath.path:
  ("/" or
  "/proc" or
  "/root" or
  "/var" or
  "/var/run" or
  "/var/run/docker.sock" or
  "/var/run/crio/crio.sock" or
  "/var/run/cri-dockerd.sock" or
  "/var/lib/kubelet" or
  "/var/lib/kubelet/pki" or
  "/var/lib/docker/overlay2" or
  "/etc" or
  "/etc/kubernetes" or
  "/etc/kubernetes/manifests" or
  "/etc/kubernetes/pki" or
  "/home/admin")
  and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1610"
name = "Deploy Container"
reference = "https://attack.mitre.org/techniques/T1610/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
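As an added illustration that is not part of the Elastic rule, the Python below applies the query's conditions (allowed decision, pods resource, create/update/patch verb, exact-match sensitive hostPath, image exception) to constructed raw Kubernetes audit events; the `audit_event` helper, the `SAMPLES` dictionary and the container images are assumptions made for the demonstration.

```python
# Exact host paths listed in the rule's query (whole-string match, not prefix match)
SENSITIVE_HOST_PATHS = {
    "/", "/proc", "/root", "/var", "/var/run", "/var/run/docker.sock",
    "/var/run/crio/crio.sock", "/var/run/cri-dockerd.sock", "/var/lib/kubelet",
    "/var/lib/kubelet/pki", "/var/lib/docker/overlay2", "/etc", "/etc/kubernetes",
    "/etc/kubernetes/manifests", "/etc/kubernetes/pki", "/home/admin",
}
# The single image exception carried by the rule's query
EXCLUDED_IMAGES = {"docker.elastic.co/beats/elastic-agent:8.4.0"}


def matches_rule(event: dict) -> bool:
    """Apply the rule's conditions to one raw Kubernetes audit event (as a dict).

    Raw audit events carry the decision under annotations["authorization.k8s.io/decision"];
    the integration flattens that key to authorization_k8s_io/decision as seen in the query.
    """
    if event.get("annotations", {}).get("authorization.k8s.io/decision") != "allow":
        return False
    if event.get("objectRef", {}).get("resource") != "pods":
        return False
    if event.get("verb") not in ("create", "update", "patch"):
        return False
    spec = event.get("requestObject", {}).get("spec", {})
    paths = {(v.get("hostPath") or {}).get("path") for v in spec.get("volumes", [])}
    images = {c.get("image") for c in spec.get("containers", [])}
    # KQL `not field: (...)` over an array drops the event if any element matches
    return bool(paths & SENSITIVE_HOST_PATHS) and not (images & EXCLUDED_IMAGES)


def audit_event(verb, image, host_path, decision="allow"):
    """Build a constructed audit event containing only the fields the rule inspects."""
    return {
        "verb": verb,
        "annotations": {"authorization.k8s.io/decision": decision},
        "objectRef": {"resource": "pods"},
        "requestObject": {"spec": {
            "containers": [{"name": "app", "image": image}],
            "volumes": [{"name": "host", "hostPath": {"path": host_path}}],
        }},
    }


# Constructed sample events: only "docker_sock" should alert
SAMPLES = {
    "docker_sock": audit_event("create", "busybox:1.36", "/var/run/docker.sock"),
    "agent_exception": audit_event("create", "docker.elastic.co/beats/elastic-agent:8.4.0", "/proc"),
    "benign_path": audit_event("create", "busybox:1.36", "/data/app"),
    "denied_request": audit_event("create", "busybox:1.36", "/etc", decision="forbid"),
    "read_only_verb": audit_event("get", "busybox:1.36", "/etc/kubernetes/pki"),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(f"{name}: {'ALERT' if matches_rule(ev) else 'no match'}")
```

Because the path list is matched as whole strings, exactly as in the KQL query, a hostPath pointing at a sub-directory of one of these locations does not match; tune the list or the exception image to your own cluster when tuning the rule.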

Setup

The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.
