Process Targeting Cluster Kubernetes Docker Stats Endpoint
No violationsstackroxhighruntimeDetects misuse of the Kubernetes docker stats endpoint
- Rationale
- A pod communicating to a Kubernetes API from via command line is highly irregular
- Remediation
- Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API
CategoriesKubernetes
Generated artifacts
1 of 5 targets supportedprocess-targeting-cluster-kubernetes-docker-stats-endpoint.yaml
- rule: process-targeting-cluster-kubernetes-docker-stats
desc: Detects misuse of the Kubernetes docker stats endpoint
condition: proc.cmdline contains "(http?://)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:4194/*"
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Process Targeting Cluster Kubernetes Docker Stats Endpoint)
priority: ERROR
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "3ebdc07d-7c01-4508-9f81-3f3673fce536",
"name": "Process Targeting Cluster Kubernetes Docker Stats Endpoint",
"description": "Detects misuse of the Kubernetes docker stats endpoint",
"rationale": "A pod communicating to a Kubernetes API from via command line is highly irregular",
"remediation": "Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API",
"severity": "high",
"categories": [
"Kubernetes"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "process-arguments",
"values": [
"(http?://)?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:4194/*"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "3ebdc07d-7c01-4508-9f81-3f3673fce536",
"name": "Process Targeting Cluster Kubernetes Docker Stats Endpoint",
"description": "Detects misuse of the Kubernetes docker stats endpoint",
"rationale": "A pod communicating to a Kubernetes API from via command line is highly irregular",
"remediation": "Look for open ports that may allow remote execution. Remove network utilities like curl and wget that allow these connections. Consider a firewall deny ingress firewall rule to the node serving the API",
"disabled": false,
"categories": [
"Kubernetes"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Process Arguments",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "(http?://)?\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:4194/*"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0007",
"techniques": [
"T1613"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}