Kubernetes Pod created with a Sensitive hostPath Volume

 1[metadata]
 2creation_date = "2022/07/11"
 3integration = ["kubernetes"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a
11sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this
12mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem
13can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.
14"""
15false_positives = [
16    """
17    An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for
18    legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed
19    by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates
20    several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and
21    /var/log. Add exceptions for trusted container images using the query field
22    "kubernetes.audit.requestObject.spec.container.image"
23    """,
24]
25index = ["logs-kubernetes.*"]
26language = "kuery"
27license = "Elastic License v2"
28name = "Kubernetes Pod created with a Sensitive hostPath Volume"
29note = """## Setup
30
31The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
32references = [
33    "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216",
34    "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath",
35]
36risk_score = 47
37rule_id = "2abda169-416b-4bb3-9a6b-f8d239fd78ba"
38severity = "medium"
39tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset : "kubernetes.audit_logs"
45  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
46  and kubernetes.audit.objectRef.resource:"pods"
47  and kubernetes.audit.verb:("create" or "update" or "patch")
48  and kubernetes.audit.requestObject.spec.volumes.hostPath.path:
49  ("/" or
50  "/proc" or
51  "/root" or
52  "/var" or
53  "/var/run" or
54  "/var/run/docker.sock" or
55  "/var/run/crio/crio.sock" or
56  "/var/run/cri-dockerd.sock" or
57  "/var/lib/kubelet" or
58  "/var/lib/kubelet/pki" or
59  "/var/lib/docker/overlay2" or
60  "/etc" or
61  "/etc/kubernetes" or
62  "/etc/kubernetes/manifests" or
63  "/etc/kubernetes/pki" or
64  "/home/admin")
65  and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
66'''
67
68
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1611"
73name = "Escape to Host"
74reference = "https://attack.mitre.org/techniques/T1611/"
75
76
77[rule.threat.tactic]
78id = "TA0004"
79name = "Privilege Escalation"
80reference = "https://attack.mitre.org/tactics/TA0004/"
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1610"
85name = "Deploy Container"
86reference = "https://attack.mitre.org/techniques/T1610/"
87
88
89[rule.threat.tactic]
90id = "TA0002"
91name = "Execution"
92reference = "https://attack.mitre.org/tactics/TA0002/"