OpenShift: Kubeadmin Secret Accessed
No violationsstackroxhighruntimeAlert when the kubeadmin secret is accessed
- Rationale
- Kubeadmin is the default administrative user for OpenShift and can be used to obtain full administrative access to the cluster. Investigating if this was accessed for valid business purposes can help organizations to control the use of administrative privileges
- Remediation
- Audit the access carefully to ensure that this secret is only accessed for valid business purposes.
CategoriesAnomalous ActivityKubernetes Events
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 10.1
- ISO/IEC 27001 2022
- A.8.16
- NIST SP 800-53 rev. 5
- AU-2SI-4
- PCI DSS 4.0
- 10.2.15.3.2
- SOC 2 2017 TSC
- CC7.2
Generated artifacts
1 of 5 targets supportedopenshift-kubeadmin-secret-accessed.yaml
- rule: openshift-kubeadmin-secret-accessed
desc: Alert when the kubeadmin secret is accessed
condition: ka.target.resource in ("secrets") and ka.verb in ("get") and ka.target.name in ("kubeadmin") and not (ka.user.name in ("system:serviceaccount:openshift-authentication-operator:authentication-operator", "system:apiserver", "system:serviceaccount:openshift-authentication:oauth-openshift", "system:serviceaccount:openshift-compliance:api-resource-collector", "system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa"))
output: "K8s API: user=%ka.user.name verb=%ka.verb resource=%ka.target.resource name=%ka.target.name (policy=OpenShift: Kubeadmin Secret Accessed)"
priority: ERROR
source: k8s_audit
tags:
- stackrox-import
- policy
- k
IR (canonical)
{
"id": "18cbcb62-7d18-4a6c-b2ca-dd1242746943",
"name": "OpenShift: Kubeadmin Secret Accessed",
"description": "Alert when the kubeadmin secret is accessed",
"rationale": "Kubeadmin is the default administrative user for OpenShift and can be used to obtain full administrative access to the cluster. Investigating if this was accessed for valid business purposes can help organizations to control the use of administrative privileges",
"remediation": "Audit the access carefully to ensure that this secret is only accessed for valid business purposes.",
"severity": "high",
"categories": [
"Anomalous Activity",
"Kubernetes Events"
],
"lifecycle": [
"runtime"
],
"eventSource": "audit-log",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "and",
"children": [
{
"op": "criterion",
"field": "kubernetes-resource",
"values": [
"SECRETS"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "kubernetes-api-verb",
"values": [
"GET"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "kubernetes-resource-name",
"values": [
"kubeadmin"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "kubernetes-user-name",
"values": [
"system:serviceaccount:openshift-authentication-operator:authentication-operator",
"system:apiserver",
"system:serviceaccount:openshift-authentication:oauth-openshift",
"system:serviceaccount:openshift-compliance:api-resource-collector",
"system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa"
],
"valuesOp": "or",
"negate": true
}
]
},
"disabled": false
}Original StackRox JSON
{
"id": "18cbcb62-7d18-4a6c-b2ca-dd1242746943",
"name": "OpenShift: Kubeadmin Secret Accessed",
"description": "Alert when the kubeadmin secret is accessed",
"rationale": "Kubeadmin is the default administrative user for OpenShift and can be used to obtain full administrative access to the cluster. Investigating if this was accessed for valid business purposes can help organizations to control the use of administrative privileges",
"remediation": "Audit the access carefully to ensure that this secret is only accessed for valid business purposes.",
"disabled": false,
"categories": [
"Anomalous Activity",
"Kubernetes Events"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "AUDIT_LOG_EVENT",
"exclusions": [],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Kubernetes Resource",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "SECRETS"
}
]
},
{
"fieldName": "Kubernetes API Verb",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "GET"
}
]
},
{
"fieldName": "Kubernetes Resource Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "kubeadmin"
}
]
},
{
"fieldName": "Kubernetes User Name",
"booleanOperator": "OR",
"negate": true,
"values": [
{
"value": "system:serviceaccount:openshift-authentication-operator:authentication-operator"
},
{
"value": "system:apiserver"
},
{
"value": "system:serviceaccount:openshift-authentication:oauth-openshift"
},
{
"value": "system:serviceaccount:openshift-compliance:api-resource-collector"
},
{
"value": "system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0006",
"techniques": [
"T1552.007"
]
},
{
"tactic": "TA0007",
"techniques": [
"T1613"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}