rule(Change thread namespace): Modify condition to detect suspicious container activity

[rung]

Signed-off-by: Hiroki Suezawa suezawa@gmail.com

What type of PR is this?
/kind rule-update

Any specific area of the project related to this PR?
/area rules

What this PR does / why we need it:

• What this PR does

  • Modify condition to detect some process names within a container.
  • Add evt.dir to avoid detection of same syscall

• Why we need it

  • The current rule exclude some process names used on host
    • i.e. k8s_binaries, nsenter
  • But nsenter could be used to do privilege escalation
    • https://twitter.com/mauilion/status/1129468485480751104
    • (nsenter is included in many container images like alpine by default)
  • So I would like to change condition to detect suspicious container activity.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

rule(Change thread namespace): Modify condition to detect suspicious container activity

[rung]

Procedure Step

• Start a container

kubectl run malicious-container --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["sh"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}'

• Change namespace to host

nsenter --mount=/proc/1/ns/mnt -- /bin/bash

Sample Output

{"output":"16:46:42.320531675: Notice Namespace change (setns) by unexpected program (user=root command=nsenter --mount=/proc/1/ns/mnt -- /bin/bash parent=sh k8s.ns=default k8s.pod=malicious-container container=3172964a195b container_id=3172964a195b image=alpine:latest) k8s.ns=default k8s.pod=malicious-container container=3172964a195b k8s.ns=default k8s.pod=malicious-container container=3172964a195b","priority":"Notice","rule":"Change thread namespace","time":"2019-12-16T16:46:42.320531675Z", "output_fields": {"container.id":"3172964a195b","container.image.repository":"alpine","container.image.tag":"latest","evt.time":1576514802320531675,"k8s.ns.name":"default","k8s.pod.name":"malicious-container","proc.cmdline":"nsenter --mount=/proc/1/ns/mnt -- /bin/bash","proc.pname":"sh","user.name":"root"}}

[Kaizhe]

I like this change.evt.dir=<

[Kaizhe]

/lgtm

[poiana]

LGTM label has been added.

Git tree hash: c19ce5e70645012684c11623453c3f717782b2ef

[rung]

I'll check why CI failed.

[leodido]

🚒

[rung]

(hmm, I tried finding the reason to get error, but I haven't solved it yet)

[Kaizhe]

@mstemm can you please help? The rule changes might break the existing tests. It would be great that you can point us to the right place. Thanks!

[fntlnz]

Closing and reopening this to let this test against the new CI

[rung]

oh, very sorry. I thought this was merged 🙇🙇.
I'll fix the conflict.

[rung]

This line was conflicted because of the PR (48a0f51), and I fixed the conflict.

[Kaizhe]

did you rebase?

[rung]

Yes, after I got needs-rebase label from poiana. The point I changed in first commit is to add cilium-cni.

[rung]

Report on deep dive (why regression tests failed).

Reason 1

• Related test cases

  • https://github.com/falcosecurity/falco/blob/master/test/falco_traces.yaml.in#L29
  • https://github.com/falcosecurity/falco/blob/master/test/falco_tests.yaml#L692

• How to fix

  • When I modified "Change thread namespace": 2 to "Change thread namespace": 1 on the above files, the test was successful.

• Reason
  

  • The scap file of regression test has 2 setns(enter and exit). but I added condition of evt.dir=<, so the count of detection should be 1 now.
  • Related files
    • Regression test script
      • https://github.com/falcosecurity/falco/blob/master/test/run_regression_tests.sh#L36
    • scap file for regression test
      • https://s3.amazonaws.com/download.draios.com/falco-tests/traces-positive.zip

Reason 2

• Error Message

15:30:21 ERROR| FAIL 55-/source/falco/test/falco_test.py:FalcoTest.test;no-kube-demo-47e1 -> TestFail: Detected 188 events when should have detected none

• traces-negative/kube-demo.scap has many nsenter processes

  • Old rule bypassed every nsenter, but my rule detects every nsenter on container. so the regression test failed.
  • it seems kubelet(or hyperkube kubelet) use nsenter binary, (I think kubelet runs on host basically though, the regression test runs it on container)

• Sample

DEBUG| [stdout] {"output":"04:46:52.887250174: Notice Namespace change (setns) by unexpected program (user=root command=nsenter --mount=/rootfs/proc/1/ns/mnt -- /bin/findmnt -o target --noheadings --target /var/lib/kubelet/pods/352aff16-2f8d-11e6-8bd9-0800270a6574/volumes/kubernetes.io~secret/default-token-pb8gr parent=hyperkube k8s-kubelet (id=af911d183773) container_id=af911d183773 image=<NA>:<NA>)","priority":"Notice","rule":"Change thread namespace","time":"2016-06-11T04:46:52.887250174Z", "output_fields": {"container.id":"af911d183773","container.image.repository":null,"container.image.tag":null,"container.name":"k8s-kubelet","evt.time":1465620412887250174,"proc.cmdline":"nsenter --mount=/rootfs/proc/1/ns/mnt -- /bin/findmnt -o target --noheadings --target /var/lib/kubelet/pods/352aff16-2f8d-11e6-8bd9-0800270a6574/volumes/kubernetes.io~secret/default-token-pb8gr","proc.pname":"hyperkube","user.name":"root"}}

• How to fix
  • add this line

not proc.pname in (hyperkube, kubelet)

[rung]

@leodido @Kaizhe Could you review this PR when you have time?
CI passed finally.
Thanks.

[rung]

@leodido @Kaizhe How about this PR?
Thank you! 👍

[poiana]

LGTM label has been added.

Git tree hash: 17f1406746d56ff07ee0721850368ffb50565b69

[fntlnz]

Good job as always @rung !

[leodido]

🔥

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fntlnz, Kaizhe, leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [fntlnz,leodido]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[leodido]

/milestone 0.21.0

[rung]

@fntlnz @leodido Thank you for your review!