Back to catalog

Kubernetes Actions: Exec into Pod

No violationsstackroxhighruntime

Alerts when Kubernetes API receives request to execute command in container

Rationale
'pods/exec' is non-standard approach for interacting with containers. Attackers with permissions could execute malicious code and compromise resources within a cluster
Remediation
Restrict RBAC access to the 'pods/exec' resource according to the Principle of Least Privilege. Limit such usage only to development, testing or debugging (non-production) activities
CategoriesKubernetes Events
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 10.1
ISO/IEC 27001 2022
A.8.16
NIST SP 800-53 rev. 5
AU-2
PCI DSS 4.0
10.2.1
SOC 2 2017 TSC
CC7.2

Generated artifacts

1 of 5 targets supported
kubernetes-actions-exec-into-pod.yaml
- rule: kubernetes-actions-exec-into-pod
  desc: Alerts when Kubernetes API receives request to execute command in container
  condition: ka.target.resource in ("pods_exec")
  output: "Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Kubernetes Actions: Exec into Pod)"
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
IR (canonical)
{
  "id": "8ab0f199-4904-4808-9461-3501da1d1b77",
  "name": "Kubernetes Actions: Exec into Pod",
  "description": "Alerts when Kubernetes API receives request to execute command in container",
  "rationale": "'pods/exec' is non-standard approach for interacting with containers. Attackers with permissions could execute malicious code and compromise resources within a cluster",
  "remediation": "Restrict RBAC access to the 'pods/exec' resource according to the Principle of Least Privilege. Limit such usage only to development, testing or debugging (non-production) activities",
  "severity": "high",
  "categories": [
    "Kubernetes Events"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [
    {
      "name": "thanos-querier",
      "namespace": "openshift-monitoring"
    },
    {
      "name": "prometheus-k8s",
      "namespace": "openshift-monitoring"
    },
    {
      "name": "ovnkube-node",
      "namespace": "openshift-ovn-kubernetes"
    },
    {
      "name": "etcd-ci-ln-.*-master-\\d+",
      "namespace": "openshift-etcd"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "kubernetes-resource",
    "values": [
      "PODS_EXEC"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "8ab0f199-4904-4808-9461-3501da1d1b77",
  "name": "Kubernetes Actions: Exec into Pod",
  "description": "Alerts when Kubernetes API receives request to execute command in container",
  "rationale": "'pods/exec' is non-standard approach for interacting with containers. Attackers with permissions could execute malicious code and compromise resources within a cluster",
  "remediation": "Restrict RBAC access to the 'pods/exec' resource according to the Principle of Least Privilege. Limit such usage only to development, testing or debugging (non-production) activities",
  "disabled": false,
  "categories": [
    "Kubernetes Events"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [
    {
      "name": "Don't alert on deployment thanos-querier in namespace openshift-monitoring",
      "deployment": {
        "name": "thanos-querier",
        "scope": {
          "cluster": "",
          "namespace": "openshift-monitoring",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment prometheus-k8s in namespace openshift-monitoring",
      "deployment": {
        "name": "prometheus-k8s",
        "scope": {
          "cluster": "",
          "namespace": "openshift-monitoring",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment ovnkube-node in namespace openshift-ovn-kubernetes",
      "deployment": {
        "name": "ovnkube-node",
        "scope": {
          "cluster": "",
          "namespace": "openshift-ovn-kubernetes",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment etcd-ci-ln-*-master-\\d+ in namespace openshift-etcd",
      "deployment": {
        "name": "etcd-ci-ln-.*-master-\\d+",
        "scope": {
          "cluster": "",
          "namespace": "openshift-etcd",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Kubernetes Resource",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "PODS_EXEC"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0002",
      "techniques": [
        "T1609"
      ]
    },
    {
      "tactic": "TA0002",
      "techniques": [
        "T1059.004"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}