Kubernetes Container Created with Excessive Linux Capabilities

edit

Kubernetes Container Created with Excessive Linux Capabilities

edit

This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.

Rule type: query

Rule indices:

  • logs-kubernetes.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Kubernetes
  • Continuous Monitoring
  • Execution
  • Privilege Escalation

Version: 1

Added (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.

Investigation guide

edit
## Triage and analysis

### Investigating Kubernetes Container Created with Excessive Linux Capabilities

Linux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change
core processes, change network settings of a cluster, or directly access the underlying host. The following have been used in container escape techniques:

BPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.
DAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.
NET_ADMIN - Perform various network-related operations.
SYS_ADMIN - Perform a range of system administration operations.
SYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.
SYS_MODULE - Load and unload kernel modules.
SYS_PTRACE - Trace arbitrary processes using ptrace(2).
SYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).
SYSLOG - Perform privileged syslog(2) operations.

### False positive analysis

- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.

Rule query

edit
event.dataset: kubernetes.audit_logs and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
and kubernetes.audit.verb: create and
kubernetes.audit.objectRef.resource: pods and kubernetes.audit.requ
estObject.spec.containers.securityContext.capabilities.add: ("BPF" or
"DAC_READ_SEARCH" or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or
"SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO" or "SYSLOG") and not
kubernetes.audit.requestObject.spec.containers.image :
("docker.elastic.co/beats/elastic-agent:8.4.0" or "rancher/klipper-
lb:v0.3.5" or "")

Threat mapping

edit

Framework: MITRE ATT&CKTM