<  Back to rules search

User Exec into a Pod

kubernetes

Set up the kubernetes integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a user execs into a pod.

Strategy

This rule monitors when a user execs (@objectRef.subresource:exec) into to a pod (@objectRef.resource:pods).

A user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running. It is most common to execute the bash process to gain an interactive shell. If this is an attacker, they can access any data which the pod has permissions to, including secrets.

Triage and response

  1. Determine if the user should be execing into a running container.