HIGH
Source
Tracee
ID
TRC-1010
Version
1
Date
1 Dec 2022

Cgroups Release Agent File Modification

An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.

MITRE ATT&CK

Privilege Escalation: Escape to Host

Go Source

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
package main

import (
	"fmt"
	"path"

	"github.com/aquasecurity/tracee/signatures/helpers"
	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/protocol"
	"github.com/aquasecurity/tracee/types/trace"
)

type CgroupReleaseAgentModification struct {
	cb               detect.SignatureHandler
	releaseAgentName string
}

func (sig *CgroupReleaseAgentModification) Init(cb detect.SignatureHandler) error {
	sig.cb = cb
	sig.releaseAgentName = "release_agent"
	return nil
}

func (sig *CgroupReleaseAgentModification) GetMetadata() (detect.SignatureMetadata, error) {
	return detect.SignatureMetadata{
		ID:          "TRC-1010",
		Version:     "1",
		Name:        "Cgroups release agent file modification",
		Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
		Properties: map[string]interface{}{
			"Severity":             3,
			"Category":             "privilege-escalation",
			"Technique":            "Escape to Host",
			"Kubernetes_Technique": "",
			"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
			"external_id":          "T1611",
		},
	}, nil
}

func (sig *CgroupReleaseAgentModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
	return []detect.SignatureEventSelector{
		{Source: "tracee", Name: "security_file_open", Origin: "container"},
		{Source: "tracee", Name: "security_inode_rename", Origin: "container"},
	}, nil
}

func (sig *CgroupReleaseAgentModification) OnEvent(event protocol.Event) error {

	eventObj, ok := event.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}

	basename := ""

	switch eventObj.EventName {

	case "security_file_open":

		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
		if err != nil {
			return err
		}

		if helpers.IsFileWrite(flags) {
			pathname, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname")
			if err != nil {
				return err
			}

			basename = path.Base(pathname)
		}

	case "security_inode_rename":

		newPath, err := helpers.GetTraceeStringArgumentByName(eventObj, "new_path")
		if err != nil {
			return err
		}

		basename = path.Base(newPath)

	}

	if basename == sig.releaseAgentName {
		metadata, err := sig.GetMetadata()
		if err != nil {
			return err
		}
		sig.cb(detect.Finding{
			SigMetadata: metadata,
			Event:       event,
			Data:        nil,
		})
	}

	return nil
}

func (sig *CgroupReleaseAgentModification) OnSignal(s detect.Signal) error {
	return nil
}

func (sig *CgroupReleaseAgentModification) Close() {}