K8s Audit Log Role Created

This alert occurs when Lacework detects that a role was created.

Why this alert is important

Unauthorized or maliciously created roles can lead to unauthorized access and potential security breaches. By monitoring role creation, you can identify any suspicious or unauthorized roles and take immediate action to mitigate security risks.

Investigation

Follow these steps to investigate the alert:

  1. Look for any indicators that suggest a malicious role was created, such as unexpected changes in permissions, unusual role names, or unauthorized access attempts.
  2. Collect relevant information about the suspicious role, including its name, associated user or service account, and any other details available.
  3. Check the Kubernetes audit logs to identify any relevant events or activities related to the role creation. Look for log entries that indicate role creation, modifications, or access attempts by unauthorized entities.
  4. Review your Kubernetes cluster's Role-Based Access Control (RBAC) configuration to understand the existing roles, role bindings, and service accounts. Compare the suspicious role against the authorized roles to determine whether it is legitimate or unauthorized.
  5. Examine cluster-wide roles to identify suspicious roles with excessive privileges or conflicting permissions that could indicate a maliciously created role.
  6. Analyze the RBAC objects (Roles, RoleBindings, ClusterRoles, ClusterRoleBindings) associated with the suspicious role. Check for inconsistencies, unexpected modifications, or suspicious references to users or service accounts.
  7. Look for relevant events or log entries related to creating or modifying RBAC objects. Check container, system, and other relevant logs to identify suspicious activities or anomalies.
  8. Determine the source of the malicious role creation. It could be an external attacker, a compromised account, or an internal user with unauthorized access. Identify the root cause, such as misconfigured permissions, vulnerabilities, or social engineering.
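As an added example (not part of the Lacework documentation), the following Python script works through steps 2, 3 and 5 against Kubernetes audit log entries: it keeps only successful Role and ClusterRole create events, extracts the role name, namespace, acting user or service account and source IPs, and flags rules that look excessive. The audit entries are constructed for illustration, and the list of verbs treated as privilege-escalating is an assumption, not a Lacework setting.

```python
"""Triage Kubernetes audit log lines for Role/ClusterRole creation events."""
import json

# Constructed sample audit entries (JSON lines); not captured from a real cluster.
# requestObject is only present when the audit policy level is Request or RequestResponse.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com","groups":["platform-admins"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"roles","namespace":"payments","name":"reader","apiGroup":"rbac.authorization.k8s.io"},"requestObject":{"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","list"]}]},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["10.0.3.9"],"objectRef":{"resource":"clusterroles","name":"dbg-helper","apiGroup":"rbac.authorization.k8s.io"},"requestObject":{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"objectRef":{"resource":"roles","namespace":"payments","name":"reader","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":200}}
"""

RBAC_GROUP = "rbac.authorization.k8s.io"
ROLE_KINDS = {"roles": "Role", "clusterroles": "ClusterRole"}
# Assumed set of verbs that let a principal widen access (step 5: excessive privileges).
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}


def excessive_rules(request_object):
    """Return reasons a role's rules look overly broad; empty list means nothing stood out."""
    reasons = []
    for rule in request_object.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs or "*" in resources:
            reasons.append("wildcard verbs or resources")
        if verbs & ESCALATION_VERBS:
            reasons.append("privilege-escalating verbs")
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            reasons.append("reads secrets")
    return reasons


def role_creations(audit_text):
    """Return triage records for successful Role/ClusterRole create events (steps 2 and 3)."""
    findings = []
    for line in filter(str.strip, audit_text.splitlines()):
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if (ev.get("stage") != "ResponseComplete" or ev.get("verb") != "create"
                or ref.get("apiGroup") != RBAC_GROUP or ref.get("resource") not in ROLE_KINDS
                or ev.get("responseStatus", {}).get("code", 0) >= 300):
            continue  # not a completed, successful role creation
        user = ev.get("user", {}).get("username", "<unknown>")
        findings.append({
            "kind": ROLE_KINDS[ref["resource"]],
            "name": ref.get("name"),
            "namespace": ref.get("namespace", "<cluster-wide>"),
            "user": user,
            "service_account": user.startswith("system:serviceaccount:"),
            "source_ips": ev.get("sourceIPs", []),
            "concerns": excessive_rules(ev.get("requestObject", {})),
        })
    return findings


if __name__ == "__main__":
    for f in role_creations(SAMPLE_AUDIT_LOG):
        flag = "REVIEW" if f["concerns"] else "ok"
        print(f"[{flag}] {f['kind']} {f['namespace']}/{f['name']} by {f['user']} {f['concerns']}")
```

Running it on the sample flags the cluster-wide role created by a service account with wildcard rules for review, while the namespaced read-only role created by a platform administrator passes.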

Resolution

Follow these steps to resolve the alert:

  1. Disable or remove the unauthorized role from your Kubernetes cluster. Take necessary actions to ensure that any associated permissions or access granted by the role are revoked.
  2. Investigate and identify the source of the unauthorized role creation. Determine whether it was due to a compromised account, misconfigured permissions, or other security vulnerabilities. This step will help you address the root cause of the issue.
  3. Review your Kubernetes RBAC configuration and ensure it aligns with the principle of least privilege. Remove unnecessary roles, role bindings, or service accounts to reduce the attack surface.
  4. Strengthen security measures by implementing multi-factor authentication (MFA) for user accounts, regularly updating and patching your Kubernetes cluster, and conducting security audits and assessments.
  5. Monitor your Kubernetes cluster for any further unauthorized role creations or suspicious activities. Implement logging and monitoring solutions to detect and alert on potential security breaches.
  6. Consider implementing a change management process that includes reviewing and approving any role creations or modifications before they are applied to the production environment.
  7. Keep your Kubernetes cluster and associated components up to date with the latest security patches and updates. Regularly review and apply security best practices recommended by the Kubernetes community and relevant security resources.