Process forensics

Get granular details of all the executed processes within the target workloads.

Narrative

This policy tells KubeArmor to audit execution of the following process binaries: /bin/ps, /usr/bin/ps, /usr/bin/pgrep, /usr/bin/top, and /usr/bin/htop. Auditing these paths lets KubeArmor detect and respond to suspicious activity involving these tools, such as attempts to enumerate or exploit running processes.

Attack Scenario

Attackers can use the ps, pgrep, and top commands to enumerate the running processes on a system. This information can then be used to identify critical processes that can be targeted for attack.

Compliance

  • MITRE-T1602

Policy

Process Forensics

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-discovery-process-discovery
  namespace: wordpress-mysql
spec:
  tags: ["MITRE", "Discovery"]
  message: "Someone accessed running process"
  selector:
    matchLabels:
      app: wordpress
  process:
    matchPaths:
      - path: /bin/ps
      - path: /usr/bin/ps
      - path: /usr/bin/pgrep
      - path: /usr/bin/top
      - path: /usr/bin/htop
    action: Audit
    severity: 5

Simulation

kubectl exec -it wordpress-7c966b5d85-wvtln -n wordpress-mysql -- bash
root@wordpress-7c966b5d85-wvtln:/var/www/html# ps -A
    PID TTY          TIME CMD
      1 ?        00:00:08 apache2
    189 ?        00:00:00 apache2
    190 ?        00:00:00 apache2
    191 ?        00:00:00 apache2
    192 ?        00:00:00 apache2
    193 ?        00:00:00 apache2
    245 pts/0    00:00:00 bash

Expected Alert

ClusterName: default
HostName: gke-cluster-1-default-pool-37f4c896-8cn6
NamespaceName: wordpress-mysql
PodName: wordpress-7c966b5d85-wvtln
Labels: app=wordpress
ContainerName: wordpress
ContainerID: 6d09394a988c5cf6b9fe260d28fdd57d6ff281618869a173965ecd94a3efac44
ContainerImage: docker.io/library/wordpress:4.8-apache@sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Type: MatchedPolicy
PolicyName: ksp-discovery-process-discovery
Severity: 5
Message: Someone accessed running process
Source: /bin/bash
Resource: /bin/ps -A
Operation: Process
Action: Audit
Data: syscall=SYS_EXECVE
Enforcer: eBPF Monitor
Result: Passed
ATags: [MITRE Discovery]
HostPID: 1.252488e+06
HostPPID: 1.250979e+06
Owner: map[Name:wordpress Namespace:wordpress-mysql Ref:Deployment]
PID: 288
PPID: 281
ParentProcessName: /bin/bash
ProcessName: /bin/ps
Tags: MITRE,Discovery
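As an added example (not part of the KubeArmor policy template or the KubeArmor project), a small Python checker that parses an alert in the "Key: value" layout shown above and confirms it is a process-discovery audit raised by this policy, including the float-formatted HostPID that KubeArmor emits. The sample alert is constructed from the fields of the expected alert above.

```python
# matchPaths copied from the policy above; kept in sync by hand for this example.
PROCESS_DISCOVERY_PATHS = {"/bin/ps", "/usr/bin/ps", "/usr/bin/pgrep",
                           "/usr/bin/top", "/usr/bin/htop"}
POLICY_NAME = "ksp-discovery-process-discovery"

# Constructed sample: the fields of the expected alert above that the check uses.
SAMPLE_ALERT = """\
Type: MatchedPolicy
PolicyName: ksp-discovery-process-discovery
PodName: wordpress-7c966b5d85-wvtln
Operation: Process
Action: Audit
Resource: /bin/ps -A
ATags: [MITRE Discovery]
HostPID: 1.252488e+06
ParentProcessName: /bin/bash
ProcessName: /bin/ps
"""

def parse_alert(text):
    """Turn 'Key: value' lines into a dict; values are kept as raw strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:  # skip blank or malformed lines
            fields[key.strip()] = value.strip()
    return fields

def as_pid(value):
    """KubeArmor prints host PIDs in float notation (1.252488e+06); normalise to int."""
    return int(float(value))

def classify(fields):
    """Return a finding dict for a process-discovery audit from this policy, else None."""
    if fields.get("Type") != "MatchedPolicy" or fields.get("PolicyName") != POLICY_NAME:
        return None
    if fields.get("Operation") != "Process" or fields.get("Action") != "Audit":
        return None
    proc = fields.get("ProcessName", "")
    if proc not in PROCESS_DISCOVERY_PATHS:
        return None
    return {
        "pod": fields.get("PodName"),
        "process": proc,
        "cmdline": fields.get("Resource"),
        "parent": fields.get("ParentProcessName"),
        "host_pid": as_pid(fields["HostPID"]),
        "tags": fields.get("ATags", "[]").strip("[]").split(),
    }
```

Alerts from other policies, non-process operations, or binaries outside the policy's matchPaths are returned as None so the caller can route them elsewhere.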

References

MITRE Data from Configuration Repository