[New Rule] PE via Container Misconfiguration #2983
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Aegrah
added
Rule: New
| process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( | ||
| (process.name == "runc" and process.args : "run") or | ||
| (process.name == "ctr" and process.args : "run" and process.args : ("--privileged", "--mount")) | ||
| ) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0" and |
There was a problem hiding this comment.
in this case, wouldn't we want to check that user.effective.id != "0" and user.effective.group.id != "0", otherwise sudo perms will FP?
There was a problem hiding this comment.
@brokensound77 The only pitfall of using user.effective.id here, is that this field is only ingested in Linux through auditbeat, and mostly present in non-interactive process events. I just checked, and in the events from this DR this field does not exist.
This one would work with user.id, process.user.id, process.real_user.id, user.Ext.real.id, user.effective.id, as long as the field would be present. I picked user.Ext.real.id because this field always exists, and to make sure that when a normal user runs sudo, it doesn't FP, because then user.Ext.real.id will never be 0.
There was a problem hiding this comment.
I guess you are right about the field availability, good call.
| (process.name == "runc" and process.args : "run") or | ||
| (process.name == "ctr" and process.args : "run" and process.args : ("--privileged", "--mount")) | ||
| ) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0" and | ||
| process.interactive == true and process.parent.interactive == true |
There was a problem hiding this comment.
are these fields dependent on session data? If so, we may want to add it in setup
There was a problem hiding this comment.
Good call, totally forgot about that. Added a small setup guide to the rule!
rules/linux/privilege_escalation_container_util_misconfiguration.toml
Outdated
Show resolved
Hide resolved
…on.toml Co-authored-by: Justin Ibarra <[email protected]>
brokensound77
approved these changes
Aug 4, 2023
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 4, 2023
* [New Rule] PE via Container Misconfiguration * fixed boolean comparison unit test error * Update privilege_escalation_container_util_misconfiguration.toml * Update rules/linux/privilege_escalation_container_util_misconfiguration.toml Co-authored-by: Justin Ibarra <[email protected]> --------- Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> (cherry picked from commit e904ebb)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 4, 2023
* [New Rule] PE via Container Misconfiguration * fixed boolean comparison unit test error * Update privilege_escalation_container_util_misconfiguration.toml * Update rules/linux/privilege_escalation_container_util_misconfiguration.toml Co-authored-by: Justin Ibarra <[email protected]> --------- Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> (cherry picked from commit e904ebb)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 4, 2023
* [New Rule] PE via Container Misconfiguration * fixed boolean comparison unit test error * Update privilege_escalation_container_util_misconfiguration.toml * Update rules/linux/privilege_escalation_container_util_misconfiguration.toml Co-authored-by: Justin Ibarra <[email protected]> --------- Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> (cherry picked from commit e904ebb)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 4, 2023
* [New Rule] PE via Container Misconfiguration * fixed boolean comparison unit test error * Update privilege_escalation_container_util_misconfiguration.toml * Update rules/linux/privilege_escalation_container_util_misconfiguration.toml Co-authored-by: Justin Ibarra <[email protected]> --------- Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> (cherry picked from commit e904ebb)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 4, 2023
* [New Rule] PE via Container Misconfiguration * fixed boolean comparison unit test error * Update privilege_escalation_container_util_misconfiguration.toml * Update rules/linux/privilege_escalation_container_util_misconfiguration.toml Co-authored-by: Justin Ibarra <[email protected]> --------- Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> (cherry picked from commit e904ebb)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 4, 2023
* [New Rule] PE via Container Misconfiguration * fixed boolean comparison unit test error * Update privilege_escalation_container_util_misconfiguration.toml * Update rules/linux/privilege_escalation_container_util_misconfiguration.toml Co-authored-by: Justin Ibarra <[email protected]> --------- Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> (cherry picked from commit e904ebb)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 4, 2023
* [New Rule] PE via Container Misconfiguration * fixed boolean comparison unit test error * Update privilege_escalation_container_util_misconfiguration.toml * Update rules/linux/privilege_escalation_container_util_misconfiguration.toml Co-authored-by: Justin Ibarra <[email protected]> --------- Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> (cherry picked from commit e904ebb)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
Detection
The Docker utility leverages runc and ctr under-the-hood as well, for log writing and other administrative tasks. In order to minimize FPs of runc and ctr spawns by Docker, the
and process.interactive == "true" and process.parent.interactive == "true"filter has been added. When docker spawns these processes, they will run in a non-interactive state. This query has 0 hits in RedSector over the last 365 days, while the query without this filter has 8 hits.