Back to catalog

OpenShift: Kubernetes Secret Accessed by an Impersonated User

No violationsstackroxmediumruntime

Alert when user impersonation is used to access a secret within the cluster.

Rationale
Users with impersonation access allows users to invoke any command as a different user, typically for troubleshooting purposes (i.e using the oc --as command). This may be used to bypass existing security controls such as RBAC.
Remediation
Audit usage of impersonation when accessing secrets to ensure this access is used for valid business purposes.
CategoriesAnomalous ActivityKubernetes Events
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 10.1
ISO/IEC 27001 2022
A.8.16
NIST SP 800-53 rev. 5
AU-2SI-4
PCI DSS 4.0
10.2.15.3.2
SOC 2 2017 TSC
CC7.2

Generated artifacts

1 of 5 targets supported
openshift-kubernetes-secret-accessed-by-an-impersonated-user.yaml
- rule: openshift-kubernetes-secret-accessed-by-an-imperso
  desc: Alert when user impersonation is used to access a secret within the cluster.
  condition: ka.target.resource in ("secrets") and ka.verb in ("get") and ka.user.name != ka.impuser.name and not (ka.user.name in ("system:serviceaccount:openshift-insights:operator"))
  output: "K8s API: user=%ka.user.name verb=%ka.verb resource=%ka.target.resource name=%ka.target.name (policy=OpenShift: Kubernetes Secret Accessed by an Impersonated User)"
  priority: WARNING
  source: k8s_audit
  tags:
    - stackrox-import
    - policy
    - k
IR (canonical)
{
  "id": "7b71fba0-2afb-4e4e-abf3-0f461cd76acc",
  "name": "OpenShift: Kubernetes Secret Accessed by an Impersonated User",
  "description": "Alert when user impersonation is used to access a secret within the cluster.",
  "rationale": "Users with impersonation access allows users to invoke any command as a different user, typically for troubleshooting purposes (i.e using the oc --as command). This may be used to bypass existing security controls such as RBAC.",
  "remediation": "Audit usage of impersonation when accessing secrets to ensure this access is used for valid business purposes.",
  "severity": "medium",
  "categories": [
    "Anomalous Activity",
    "Kubernetes Events"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "audit-log",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "and",
    "children": [
      {
        "op": "criterion",
        "field": "kubernetes-resource",
        "values": [
          "SECRETS"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "kubernetes-api-verb",
        "values": [
          "GET"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "is-impersonated-user",
        "values": [
          "true"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "kubernetes-user-name",
        "values": [
          "system:serviceaccount:openshift-insights:operator"
        ],
        "valuesOp": "or",
        "negate": true
      }
    ]
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "7b71fba0-2afb-4e4e-abf3-0f461cd76acc",
  "name": "OpenShift: Kubernetes Secret Accessed by an Impersonated User",
  "description": "Alert when user impersonation is used to access a secret within the cluster.",
  "rationale": "Users with impersonation access allows users to invoke any command as a different user, typically for troubleshooting purposes (i.e using the oc --as command). This may be used to bypass existing security controls such as RBAC.",
  "remediation": "Audit usage of impersonation when accessing secrets to ensure this access is used for valid business purposes.",
  "disabled": false,
  "categories": [
    "Anomalous Activity",
    "Kubernetes Events"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "AUDIT_LOG_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Kubernetes Resource",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "SECRETS"
            }
          ]
        },
        {
          "fieldName": "Kubernetes API Verb",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "GET"
            }
          ]
        },
        {
          "fieldName": "Is Impersonated User",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "true"
            }
          ]
        },
        {
          "fieldName": "Kubernetes User Name",
          "booleanOperator": "OR",
          "negate": true,
          "values": [
            {
              "value": "system:serviceaccount:openshift-insights:operator"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0004",
      "techniques": [
        "T1134.001"
      ]
    },
    {
      "tactic": "TA0006",
      "techniques": [
        "T1552.007"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}