Closed. Aegrah closed this 2 months ago.
@Aegrah this is a good idea. I can understand using this type of rule for privileged containers but I'm not sure about `cap_add` or `restart=always`. `restart=always` is a really common way to ensure high availability. For `cap_add` I'd suggest creating a separate rule that triggers for particularly dangerous capabilities like this K8s rule since adding capabilities in and of itself isn't necessarily dangerous. In fact it's often a best practice to drop all default capabilities and then add only the necessary ones for the container to run with least privileges. I think you'll get more false positives outside of your testing environment.
@imays11 I agree (although the hits in telemetry were not too bad, especially not when considering the addition of `new_terms`). For now, I removed the capability/`--restart=always` stuff. That will require some more research when we get to container work. Thank you!
Summary
This rule leverages the `new_terms` rule type to identify the creation of a potentially unsafe docker container from an unusual parent process. Attackers can use the `--privileged` and `--cap-add` flags to create containers with escalated privileges, which can lead to trivial privilege escalation, docker escaping and persistence. The `--restart=always` flag can be used to ensure the container restarts automatically if it crashes or is stopped, allowing for potential persistent access. This query results in only TPs in my testing stack, and several hits in telemetry. By leveraging the `new_terms` rule type, the number of hits will be automatically decreased. This is a simple but useful query, as creating a docker container with pre-built host escapes built-in is a great method for persistence.