wip: new(rules): introduce rule to detect drop and execute pattern in containers #2306
Conversation
@loresuso: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: loresuso. The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing

cc @incertum
…ainers Signed-off-by: Lorenzo Susini <[email protected]>
Yay the rule is up ❤️! Thanks for opening this @loresuso! This is a very impactful, much needed, more generic / behavioral detection to cover a variety of file-based RCE kinds of threats. In addition, this rule is not easily circumvented, as strict fileless / memory-based attacks are more difficult to pull off. Highly recommend:

Question: Sometimes rules of the same

Considerations for later: Only deployed a rule to prod containing

At the same time it would be challenging to suggest such filters, therefore one option could be to simply add a longer comment section above the rule that outlines some additional tuning options, and once those exe ino time related fields are available, additional output fields (useful for incident response) could be added to this rule, such as

/milestone 0.34.0

/milestone 0.35.0

Closing this to reopen it in the brand new
Signed-off-by: Lorenzo Susini [email protected]
What type of PR is this?
/kind feature
/kind rule-create
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
This PR introduces detection for the drop and execute pattern in containers. It uses the new field `proc.is_exe_upper_layer`. Currently on WIP to wait for libs version bumping.
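As an added illustration (not the rule from this PR nor the project's own rule set), this is how a Falco rule built on the `proc.is_exe_upper_layer` field could look; it assumes the `spawned_process` and `container` macros shipped in Falco's default rules, and `known_drop_and_execute_containers` is a hypothetical allow-list placeholder for images that legitimately write and run binaries at runtime.

```yaml
# Added example, not the rule from this PR. Assumes the default Falco macros
# `spawned_process` and `container`; the list below is a placeholder allow-list.

- list: known_drop_and_execute_containers
  items: []   # image repositories that legitimately write and execute binaries at runtime

- rule: Drop and execute new binary in container (example)
  desc: >
    Detect the "drop and execute" pattern: a process is spawned whose executable
    lives in the container's writable upper layer, i.e. it was not shipped in the
    image. Covers file-based RCE where a payload is written to disk and then run.
  condition: >
    spawned_process
    and container
    and proc.is_exe_upper_layer=true
    and not container.image.repository in (known_drop_and_execute_containers)
  output: >
    Executing binary not part of base image
    (user=%user.name user_loginuid=%user.loginuid comm=%proc.cmdline exe=%proc.exe
    container_id=%container.id image=%container.image.repository
    proc.pname=%proc.pname gparent=%proc.aname[2] proc.pcmdline=%proc.pcmdline
    proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt_res=%evt.res)
  priority: CRITICAL
  tags: [container, mitre_persistence, TA0003]
```

Expect to tune it: build images, package managers or sidecars that legitimately compile or download executables at runtime belong in the allow-list, otherwise the rule fires on benign workloads.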
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: