HIGH
Source
Tracee
ID
TRC-10
Version
0.1.0
Date
10 Apr 2024

K8s TLS Certificate Theft Detected

Kubernetes TLS certificate theft was detected. TLS certificates are used to establish trust between systems; the Kubernetes certificate is used to enable secured communication between Kubernetes components, such as the kubelet, scheduler, controller and API server. An adversary may steal a Kubernetes certificate on a compromised system to impersonate Kubernetes components within the cluster.

MITRE ATT&CK

Credential Access: Steal Application Access Token

Rego Policy

package tracee.TRC_10

import data.tracee.helpers

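# __rego_metadoc__ is the signature's metadata record. Tracee reads it to
# label findings produced by this policy: the signature id and version, the
# display name, the event name emitted on a match, tags, and the
# severity / MITRE ATT&CK properties.
__rego_metadoc__ := {
	"id": "TRC-10",
	"version": "0.1.0",
	"name": "K8S TLS Certificate Theft Detected",
	"eventName": "k8s_cert_theft",
	# Finding text shown to the operator. The duplicated "to to" and the
	# misspelling "kuberentes" in the original description are corrected
	# here; the wording is otherwise unchanged.
	"description": "Kubernetes TLS certificate theft was detected. TLS certificates are used to establish trust between systems, the kubernetes certificate is used to enable secured communication between kubernetes components, like the kubelet, scheduler, controller and API server. An adversary may steal a kubernetes certificate on a compromised system to impersonate kubernetes components within the cluster.",
	"tags": ["linux", "container"],
	"properties": {
		# Severity 3 is the level this signature is listed under as HIGH.
		"Severity": 3,
		"MITRE ATT&CK": "Credential Access: Steal Application Access Token",
	},
}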

# eventSelectors lists the Tracee events this signature subscribes to. Only
# security_file_open is requested; origin "*" presumably places no
# restriction on where the event comes from — confirm against the Tracee
# selector documentation.
eventSelectors := [{"source": "tracee", "name": "security_file_open", "origin": "*"}]

# tracee_selected_events exposes eventSelectors as a set; this is the form
# Tracee consults to decide which events are delivered to tracee_match.
tracee_selected_events[selector] {
	some i
	selector := eventSelectors[i]
}

# tracee_match is true when a process that is not one of the expected
# Kubernetes control-plane daemons opens a file under /etc/kubernetes/pki/
# for reading. Every condition below must hold for the signature to fire.
tracee_match {
	input.eventName == "security_file_open"

	# The open must be a read; helpers.is_file_read decides that from the
	# "flags" argument of the event.
	open_flags := helpers.get_tracee_argument("flags")
	helpers.is_file_read(open_flags)

	# Only the kubeadm PKI directory is in scope; any other path is ignored.
	path := helpers.get_tracee_argument("pathname")
	startswith(path, "/etc/kubernetes/pki/")

	# Daemons that legitimately read these certificates are excluded by
	# process name. "kube-controller" is presumably the truncated comm of
	# kube-controller-manager — verify. NOTE(review): the exclusion keys on
	# the process name alone, which is not a strong identity signal; treat
	# it as a noise filter rather than a trust boundary, and confirm whether
	# a binary-path or container-scoped check is wanted.
	expected_readers := {"kube-apiserver", "kubelet", "kube-controller", "etcd"}
	not expected_readers[input.processName]
}