Back to catalog

Process Targeting Cluster Kubernetes Docker Stats Endpoint

No violationsstackroxhighruntime

Detects misuse of the Kubernetes docker stats endpoint

Rationale
A pod communicating to a Kubernetes API from via command line is highly irregular
Remediation
Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API
CategoriesKubernetes

Generated artifacts

1 of 5 targets supported
process-targeting-cluster-kubernetes-docker-stats-endpoint.yaml
- rule: process-targeting-cluster-kubernetes-docker-stats
  desc: Detects misuse of the Kubernetes docker stats endpoint
  condition: proc.cmdline contains "(http?://)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:4194/*"
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Process Targeting Cluster Kubernetes Docker Stats Endpoint)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "3ebdc07d-7c01-4508-9f81-3f3673fce536",
  "name": "Process Targeting Cluster Kubernetes Docker Stats Endpoint",
  "description": "Detects misuse of the Kubernetes docker stats endpoint",
  "rationale": "A pod communicating to a Kubernetes API from via command line is highly irregular",
  "remediation": "Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API",
  "severity": "high",
  "categories": [
    "Kubernetes"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "process-arguments",
    "values": [
      "(http?://)?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:4194/*"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "3ebdc07d-7c01-4508-9f81-3f3673fce536",
  "name": "Process Targeting Cluster Kubernetes Docker Stats Endpoint",
  "description": "Detects misuse of the Kubernetes docker stats endpoint",
  "rationale": "A pod communicating to a Kubernetes API from via command line is highly irregular",
  "remediation": "Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API",
  "disabled": false,
  "categories": [
    "Kubernetes"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Process Arguments",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "(http?://)?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:4194/*"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0007",
      "techniques": [
        "T1613"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}