K8s Audit Log Cluster Role With Pod Exec

This alert occurs when Lacework detects the creation of a cluster role that grants the ability to execute commands inside a pod, also called remote access to pods (kubectl exec).

Why this alert is important

Attackers can abuse the ability to execute commands inside a pod to carry out malicious activity. Examples of the commands this gives them access to include:

  • Shell commands:
    • rm: Remove files or directories
    • mv: Move or rename files or directories
    • cp: Copy files or directories
    • touch: Create a new file or update the timestamp of an existing file
    • chmod: Change file permissions
  • Networking commands:
    • ping: Send ICMP echo requests to a specified network host
    • nslookup: Perform DNS lookups to retrieve IP addresses or other DNS records
    • curl: Make HTTP/HTTPS requests to a specified URL
    • wget: Download files from the web
  • Process management commands:
    • kill: Send a signal to terminate a process
    • pgrep: List process IDs based on criteria
  • File manipulation and inspection commands:
    • grep: Search for a specific pattern in files or input
    • sed: Stream editor for modifying text
    • awk: Text-processing language for manipulating data and generating reports

Investigation

Follow these steps to investigate the alert:

  1. Check the audit logs for any activities related to creating or modifying cluster roles. Look for entries that indicate the creation or modification of roles with permissions to create pods.
  2. Examine the RBAC (Role-Based Access Control) configurations in your Kubernetes cluster. Verify the existing cluster roles and their associated permissions. Pay attention to any roles that grant pod creation permissions.
  3. If you use version control systems like Git to manage your Kubernetes configurations, inspect the history and changes to RBAC files. Look for any recent changes that introduce or modify cluster roles allowing pod creation.
  4. Assess the access controls and authentication mechanisms in your Kubernetes cluster. Identify who has the privileges to create or modify cluster roles. Look for any unauthorized or suspicious users or service accounts with such permissions.
  5. Engage with your team members, particularly those responsible for managing RBAC configurations and access controls. Inquire about recent changes or updates to cluster roles granting pod creation permissions.
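The first two investigation steps (checking the audit log for role creation or modification, and checking which RBAC rules actually grant exec) can be scripted. The following is an added example and not Lacework's own detection logic: it parses Kubernetes audit events in the standard audit.k8s.io/v1 JSON-lines format, keeps only completed, successful create/update requests against Role or ClusterRole objects, and flags those whose rules grant pods/exec. It assumes the audit policy records these events at level Request or RequestResponse (so that requestObject is present) and uses constructed sample events rather than data from any real cluster; the role names and usernames in them are placeholders.

```python
import json
from typing import Iterable

# Constructed sample audit log (JSON lines), not data from a real cluster.
# Each event is at level "RequestResponse", which is assumed so that
# requestObject carries the role's rules.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"clusterroles","apiGroup":"rbac.authorization.k8s.io","name":"pod-exec-role"},"responseStatus":{"code":201},"requestObject":{"kind":"ClusterRole","rules":[{"apiGroups":[""],"resources":["pods/exec"],"verbs":["create"]}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseComplete","verb":"create","user":{"username":"ci-bot"},"objectRef":{"resource":"clusterroles","apiGroup":"rbac.authorization.k8s.io","name":"read-only"},"responseStatus":{"code":201},"requestObject":{"kind":"ClusterRole","rules":[{"apiGroups":[""],"resources":["pods","pods/log"],"verbs":["get","list"]}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a3","stage":"ResponseComplete","verb":"update","user":{"username":"admin"},"objectRef":{"resource":"clusterroles","apiGroup":"rbac.authorization.k8s.io","name":"wide-open"},"responseStatus":{"code":200},"requestObject":{"kind":"ClusterRole","rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a4","stage":"ResponseStarted","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"clusterroles","apiGroup":"rbac.authorization.k8s.io","name":"pod-exec-role"},"requestObject":{"kind":"ClusterRole","rules":[{"apiGroups":[""],"resources":["pods/exec"],"verbs":["create"]}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a5","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"roles","namespace":"staging","apiGroup":"rbac.authorization.k8s.io","name":"ns-exec"},"responseStatus":{"code":201},"requestObject":{"kind":"Role","rules":[{"apiGroups":[""],"resources":["pods/*"],"verbs":["get","create"]}]}}
"""

# Resources that cover the exec subresource: the subresource itself, the
# pods subresource wildcard, and the global wildcard.
EXEC_RESOURCES = {"pods/exec", "pods/*", "*"}
# kubectl exec issues a POST (verb "create"); the websocket form of the same
# request is a GET, so "get" is treated here as sufficient as well.
EXEC_VERBS = {"create", "get", "*"}
ROLE_RESOURCES = {"roles", "clusterroles"}
# "patch" is deliberately excluded: its requestObject is only the patch body,
# so the resulting rules must be read back from the API server to judge it.
MUTATING_VERBS = {"create", "update"}


def rule_grants_pod_exec(rule: dict) -> bool:
    """True if a single RBAC rule allows exec into pods (core API group)."""
    groups = rule.get("apiGroups", [])
    in_core_group = "" in groups or "*" in groups
    covers_exec = any(r in EXEC_RESOURCES for r in rule.get("resources", []))
    allows_verb = any(v in EXEC_VERBS for v in rule.get("verbs", []))
    return in_core_group and covers_exec and allows_verb


def role_grants_pod_exec(role: dict) -> bool:
    """True if any rule of a Role/ClusterRole object grants pod exec."""
    return any(rule_grants_pod_exec(r) for r in role.get("rules", []))


def find_pod_exec_role_events(lines: Iterable[str]) -> list:
    """Return the audit events that created/updated a role granting pod exec.

    Only completed (stage ResponseComplete), successful (2xx) requests count:
    a denied or still-in-flight request did not change cluster state.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("verb") not in MUTATING_VERBS:
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") not in ROLE_RESOURCES:
            continue
        code = ev.get("responseStatus", {}).get("code", 0)
        if not 200 <= code < 300:
            continue
        role = ev.get("requestObject")
        if role is None:  # audit level too low; fetch the role via the API
            continue
        if role_grants_pod_exec(role):
            findings.append({
                "auditID": ev.get("auditID"),
                "user": ev.get("user", {}).get("username"),
                "kind": role.get("kind"),
                "name": ref.get("name"),
                "namespace": ref.get("namespace"),  # None for ClusterRole
                "verb": ev.get("verb"),
            })
    return findings


if __name__ == "__main__":
    for f in find_pod_exec_role_events(SAMPLE_AUDIT_LOG.splitlines()):
        scope = f["namespace"] or "cluster-wide"
        print(f'{f["auditID"]}: {f["user"]} {f["verb"]}d {f["kind"]} '
              f'{f["name"]} ({scope}) granting pods/exec')
```

Each finding carries the username from the event, which feeds directly into step 4 above (who holds the privilege to create or modify roles). Roles that were set up with `patch`, or recorded at audit level Metadata, do not carry their rules in the event, so for those the role object has to be read back from the API server before `role_grants_pod_exec` can be applied to it.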

Resolution

Follow these steps to resolve the alert:

  1. If the cluster role was created maliciously or in error, remove it immediately to prevent further unauthorized access or activity.
  2. Change the credentials of any users who may have been involved in creating the unauthorized cluster role, and revoke their access if necessary.
  3. Review all users' permissions and access levels and ensure they are appropriate for their job functions. Remove any excessive permissions that could lead to potential security breaches.
  4. Conduct a thorough security audit of the affected cluster to identify other security vulnerabilities or suspicious activity.
  5. Implement additional security measures such as multi-factor authentication, network segmentation, and regular security training for users to prevent future security incidents.