Kubernetes Actions: Exec into Pod
No violationsstackroxhighruntimeAlerts when Kubernetes API receives request to execute command in container
- Rationale
- 'pods/exec' is non-standard approach for interacting with containers. Attackers with permissions could execute malicious code and compromise resources within a cluster
- Remediation
- Restrict RBAC access to the 'pods/exec' resource according to the Principle of Least Privilege. Limit such usage only to development, testing or debugging (non-production) activities
CategoriesKubernetes Events
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 10.1
- ISO/IEC 27001 2022
- A.8.16
- NIST SP 800-53 rev. 5
- AU-2
- PCI DSS 4.0
- 10.2.1
- SOC 2 2017 TSC
- CC7.2
Generated artifacts
1 of 5 targets supportedkubernetes-actions-exec-into-pod.yaml
- rule: kubernetes-actions-exec-into-pod
desc: Alerts when Kubernetes API receives request to execute command in container
condition: ka.target.resource in ("pods_exec")
output: "Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Kubernetes Actions: Exec into Pod)"
priority: ERROR
source: syscall
tags:
- stackrox-import
- policy
IR (canonical)
{
"id": "8ab0f199-4904-4808-9461-3501da1d1b77",
"name": "Kubernetes Actions: Exec into Pod",
"description": "Alerts when Kubernetes API receives request to execute command in container",
"rationale": "'pods/exec' is non-standard approach for interacting with containers. Attackers with permissions could execute malicious code and compromise resources within a cluster",
"remediation": "Restrict RBAC access to the 'pods/exec' resource according to the Principle of Least Privilege. Limit such usage only to development, testing or debugging (non-production) activities",
"severity": "high",
"categories": [
"Kubernetes Events"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [
{
"name": "thanos-querier",
"namespace": "openshift-monitoring"
},
{
"name": "prometheus-k8s",
"namespace": "openshift-monitoring"
},
{
"name": "ovnkube-node",
"namespace": "openshift-ovn-kubernetes"
},
{
"name": "etcd-ci-ln-.*-master-\\d+",
"namespace": "openshift-etcd"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "kubernetes-resource",
"values": [
"PODS_EXEC"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "8ab0f199-4904-4808-9461-3501da1d1b77",
"name": "Kubernetes Actions: Exec into Pod",
"description": "Alerts when Kubernetes API receives request to execute command in container",
"rationale": "'pods/exec' is non-standard approach for interacting with containers. Attackers with permissions could execute malicious code and compromise resources within a cluster",
"remediation": "Restrict RBAC access to the 'pods/exec' resource according to the Principle of Least Privilege. Limit such usage only to development, testing or debugging (non-production) activities",
"disabled": false,
"categories": [
"Kubernetes Events"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [
{
"name": "Don't alert on deployment thanos-querier in namespace openshift-monitoring",
"deployment": {
"name": "thanos-querier",
"scope": {
"cluster": "",
"namespace": "openshift-monitoring",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment prometheus-k8s in namespace openshift-monitoring",
"deployment": {
"name": "prometheus-k8s",
"scope": {
"cluster": "",
"namespace": "openshift-monitoring",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment ovnkube-node in namespace openshift-ovn-kubernetes",
"deployment": {
"name": "ovnkube-node",
"scope": {
"cluster": "",
"namespace": "openshift-ovn-kubernetes",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment etcd-ci-ln-*-master-\\d+ in namespace openshift-etcd",
"deployment": {
"name": "etcd-ci-ln-.*-master-\\d+",
"scope": {
"cluster": "",
"namespace": "openshift-etcd",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Kubernetes Resource",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "PODS_EXEC"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0002",
"techniques": [
"T1609"
]
},
{
"tactic": "TA0002",
"techniques": [
"T1059.004"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}