OpenShift: Kubernetes Secret Accessed by an Impersonated User
No violationsstackroxmediumruntimeAlert when user impersonation is used to access a secret within the cluster.
- Rationale
- Users with impersonation access allows users to invoke any command as a different user, typically for troubleshooting purposes (i.e using the oc --as command). This may be used to bypass existing security controls such as RBAC.
- Remediation
- Audit usage of impersonation when accessing secrets to ensure this access is used for valid business purposes.
CategoriesAnomalous ActivityKubernetes Events
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 10.1
- ISO/IEC 27001 2022
- A.8.16
- NIST SP 800-53 rev. 5
- AU-2SI-4
- PCI DSS 4.0
- 10.2.15.3.2
- SOC 2 2017 TSC
- CC7.2
Generated artifacts
1 of 5 targets supportedopenshift-kubernetes-secret-accessed-by-an-impersonated-user.yaml
- rule: openshift-kubernetes-secret-accessed-by-an-imperso
desc: Alert when user impersonation is used to access a secret within the cluster.
condition: ka.target.resource in ("secrets") and ka.verb in ("get") and ka.user.name != ka.impuser.name and not (ka.user.name in ("system:serviceaccount:openshift-insights:operator"))
output: "K8s API: user=%ka.user.name verb=%ka.verb resource=%ka.target.resource name=%ka.target.name (policy=OpenShift: Kubernetes Secret Accessed by an Impersonated User)"
priority: WARNING
source: k8s_audit
tags:
- stackrox-import
- policy
- k
IR (canonical)
{
"id": "7b71fba0-2afb-4e4e-abf3-0f461cd76acc",
"name": "OpenShift: Kubernetes Secret Accessed by an Impersonated User",
"description": "Alert when user impersonation is used to access a secret within the cluster.",
"rationale": "Users with impersonation access allows users to invoke any command as a different user, typically for troubleshooting purposes (i.e using the oc --as command). This may be used to bypass existing security controls such as RBAC.",
"remediation": "Audit usage of impersonation when accessing secrets to ensure this access is used for valid business purposes.",
"severity": "medium",
"categories": [
"Anomalous Activity",
"Kubernetes Events"
],
"lifecycle": [
"runtime"
],
"eventSource": "audit-log",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "and",
"children": [
{
"op": "criterion",
"field": "kubernetes-resource",
"values": [
"SECRETS"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "kubernetes-api-verb",
"values": [
"GET"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "is-impersonated-user",
"values": [
"true"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "kubernetes-user-name",
"values": [
"system:serviceaccount:openshift-insights:operator"
],
"valuesOp": "or",
"negate": true
}
]
},
"disabled": false
}Original StackRox JSON
{
"id": "7b71fba0-2afb-4e4e-abf3-0f461cd76acc",
"name": "OpenShift: Kubernetes Secret Accessed by an Impersonated User",
"description": "Alert when user impersonation is used to access a secret within the cluster.",
"rationale": "Users with impersonation access allows users to invoke any command as a different user, typically for troubleshooting purposes (i.e using the oc --as command). This may be used to bypass existing security controls such as RBAC.",
"remediation": "Audit usage of impersonation when accessing secrets to ensure this access is used for valid business purposes.",
"disabled": false,
"categories": [
"Anomalous Activity",
"Kubernetes Events"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "AUDIT_LOG_EVENT",
"exclusions": [],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Kubernetes Resource",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "SECRETS"
}
]
},
{
"fieldName": "Kubernetes API Verb",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "GET"
}
]
},
{
"fieldName": "Is Impersonated User",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "true"
}
]
},
{
"fieldName": "Kubernetes User Name",
"booleanOperator": "OR",
"negate": true,
"values": [
{
"value": "system:serviceaccount:openshift-insights:operator"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0004",
"techniques": [
"T1134.001"
]
},
{
"tactic": "TA0006",
"techniques": [
"T1552.007"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}