osquery-defense-kit/detection/privesc/unexpected-privileged-conta...

39 lines
1.1 KiB
MySQL
Raw Normal View History

2022-10-14 12:42:10 +00:00
-- Detect the execution of priveleged Docker containers which can be used to escape to the host.
--
-- references:
-- * https://attack.mitre.org/techniques/T1611/
--
2022-10-19 20:56:32 +00:00
-- false-positives:
-- * Nested Kubernetes Environments
-- * Containerized builds
--
2022-10-14 12:42:10 +00:00
-- This query works on macOS as well, but is only an in-the-wild security problem on Linux,
-- where the kernel namespaces can be shared. These kind of attacks tend to be
2022-10-14 12:42:10 +00:00
--
-- platform: linux
2022-10-14 18:19:13 +00:00
-- tags: transient state container escalation
SELECT
2022-10-17 23:06:17 +00:00
command,
image_id,
path,
security_options,
started_at,
image
FROM
docker_containers
WHERE
privileged = 1
2022-10-21 16:13:16 +00:00
AND image NOT LIKE 'kindest/node:%'
AND image NOT LIKE 'ghcr.io/k3d-io/k3d-%'
AND image NOT LIKE 'docker.io/rancher/k3s:%'
AND image NOT LIKE 'melange-%'
2022-10-21 16:13:16 +00:00
-- this one makes me sad. It's due to limitations running bubblewrap in a container
AND image NOT IN (
'cgr.dev/chainguard/melange',
'cgr.dev/chainguard/sdk',
'distroless.dev/melange',
'distroless.dev/melange:latest',
'wolfi:test'
2022-11-03 18:25:35 +00:00
)
AND command NOT LIKE '/usr/bin/melange build %'