k8s-audit-pod-host-path-volume Configuration

Detects pods creation mounting a sensitive host folder in a K8S cluster, using the cluster audit logs.

Folders or files considered sensitive are:

/
/etc
/etc/kubernetes
/etc/kubernetes/manifests
/proc
/root
/home/admin
/var/lib/kubelet
/var/lib/kubelet/pki
/var/run/docker.sock
/var/run/crio/crio.sock

The scenario needs logs from the pods resources at the Request level at a minimum.

No decision will be taken based on this scenario, it is only intended for notification purposes.

1type: trigger

2name: crowdsecurity/k8s-audit-pod-host-path-volume

3description: "Detect pods mounting a sensitive host folder"

4filter: |

5 evt.Meta.log_type == 'k8s-audit' &&

6 (

7 (

8 evt.Meta.datasource_type == "k8s-audit" &&

9 evt.Unmarshaled.k8s_audit.ObjectRef?.Resource == 'pods' &&

10 evt.Unmarshaled.k8s_audit.RequestObject != nil &&

11 evt.Unmarshaled.k8s_audit.RequestObject.spec != nil &&

12 evt.Unmarshaled.k8s_audit.RequestObject.spec.volumes != nil &&

13 any(evt.Unmarshaled.k8s_audit.RequestObject.spec.volumes, { .hostPath != nil && .hostPath.path in ["/proc", "/var/run/docker.sock", "/", "/etc", "/root", "/var/run/crio/crio.sock", "/home/admin", "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests"] })

14 )

15 ||

16 (

17 evt.Meta.datasource_type != "k8s-audit" &&

18 evt.Unmarshaled.k8s_audit.objectRef?.resource == 'pods' &&

19 evt.Unmarshaled.k8s_audit.requestObject != nil &&

20 evt.Unmarshaled.k8s_audit.requestObject.spec != nil &&

21 evt.Unmarshaled.k8s_audit.requestObject.spec.volumes != nil &&

22 any(evt.Unmarshaled.k8s_audit.requestObject.spec.volumes, { .hostPath != nil && .hostPath.path in ["/proc", "/var/run/docker.sock", "/", "/etc", "/root", "/var/run/crio/crio.sock", "/home/admin", "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests"] })

23 )

24 )

25labels:

26 notification: true

27 classification:

28 - attack.T1610

29 behavior: "k8s:audit"

30 label: "Kubernetes Pod Start With Host Path"

31 spoofable: 0

32 confidence: 3

33 service: k8s

Hub configuration

« k8s-audit-pod-host-path-volume »
v0.5 by crowdsecurity
Attack scenarioservice:k8sspoofable:0MITRE:T1610confidence:3

Hub configuration

« k8s-audit-pod-host-path-volume »v0.5 by crowdsecurityAttack scenarioservice:k8sspoofable:0MITRE:T1610confidence:3

« k8s-audit-pod-host-path-volume »
v0.5 by crowdsecurity
Attack scenarioservice:k8sspoofable:0MITRE:T1610confidence:3