2022-10-14 12:42:10 +00:00
|
|
|
-- Detect the execution of priveleged Docker containers which can be used to escape to the host.
|
|
|
|
--
|
|
|
|
-- references:
|
|
|
|
-- * https://attack.mitre.org/techniques/T1611/
|
|
|
|
--
|
2022-10-19 20:56:32 +00:00
|
|
|
-- false-positives:
|
|
|
|
-- * Nested Kubernetes Environments
|
|
|
|
-- * Containerized builds
|
|
|
|
--
|
2022-10-14 12:42:10 +00:00
|
|
|
-- This query works on macOS as well, but is only an in-the-wild security problem on Linux,
|
2022-10-14 13:16:24 +00:00
|
|
|
-- where the kernel namespaces can be shared. These kind of attacks tend to be
|
2022-10-14 12:42:10 +00:00
|
|
|
--
|
|
|
|
-- platform: linux
|
2022-10-14 18:19:13 +00:00
|
|
|
-- tags: transient state container escalation
|
2022-09-24 15:12:23 +00:00
|
|
|
SELECT
|
2022-10-17 23:06:17 +00:00
|
|
|
command,
|
|
|
|
image_id,
|
|
|
|
path,
|
|
|
|
security_options,
|
|
|
|
started_at,
|
2023-02-24 21:30:17 +00:00
|
|
|
image,
|
|
|
|
COALESCE(REGEX_MATCH (image, '(.*?):', 1), image) AS image_name
|
2022-09-24 15:12:23 +00:00
|
|
|
FROM
|
|
|
|
docker_containers
|
|
|
|
WHERE
|
|
|
|
privileged = 1
|
2023-02-24 21:30:17 +00:00
|
|
|
AND image_name NOT IN (
|
2022-11-03 15:51:54 +00:00
|
|
|
'cgr.dev/chainguard/melange',
|
2022-11-22 14:21:03 +00:00
|
|
|
'cgr.dev/chainguard/sdk',
|
2023-01-18 14:49:56 +00:00
|
|
|
'cgr.dev/chainguard/wolfi-base',
|
2022-11-18 15:27:43 +00:00
|
|
|
'distroless.dev/melange',
|
2023-02-24 21:30:17 +00:00
|
|
|
'docker.io/rancher/k3s',
|
|
|
|
'gcr.io/k8s-minikube/kicbase',
|
|
|
|
'kindest/node',
|
|
|
|
'moby/buildkit',
|
|
|
|
'wolfi'
|
2022-11-03 18:25:35 +00:00
|
|
|
)
|
2023-02-24 21:30:17 +00:00
|
|
|
AND image NOT LIKE 'ghcr.io/k3d-io/k3d-%'
|
|
|
|
AND image NOT LIKE 'melange-%'
|
2022-11-03 18:25:35 +00:00
|
|
|
AND command NOT LIKE '/usr/bin/melange build %'
|