Runbook
Kubernetes - Kernel Module Loaded in Pod.
Overview
This incident type covers the detection of a kernel module being loaded from within a Kubernetes pod. Containers share the node's kernel, so a module loaded from a pod runs with full kernel privileges on the node itself; doing so requires a privileged container or the SYS_MODULE capability, so the event usually indicates either a misconfigured workload or an attacker using a compromised pod to escalate to the node, hide activity, or persist. The alert is therefore critical: it must be triaged promptly and the affected pod and node handled as described below.
Parameters
export POD_NAME="PLACEHOLDER"
export MODULE_NAME="PLACEHOLDER"
export NAMESPACE="PLACEHOLDER"
Debug
1. List all pods in the affected namespace
kubectl get pods -n ${NAMESPACE}
2. Get the logs for the pod
kubectl logs ${POD_NAME} -n ${NAMESPACE}
3. List all containers running in the pod
kubectl describe pod ${POD_NAME} -n ${NAMESPACE} | grep -A 1 "Containers:"
4. Check whether the module is currently loaded. Containers share the node's kernel, so /proc/modules read from inside the pod lists the modules loaded on the node, not modules confined to the container; grep -w avoids prefix matches on similarly named modules
kubectl exec ${POD_NAME} -n ${NAMESPACE} -- cat /proc/modules | grep -w "${MODULE_NAME}"
5. Check the container's security context. Look for privileged: true or SYS_MODULE under capabilities.add, since these are what allow a container to call init_module/finit_module
kubectl describe pod ${POD_NAME} -n ${NAMESPACE} | grep -A 2 "Security Context:"
6. Check the pod security policy. PodSecurityPolicy was removed in Kubernetes 1.25, so on newer clusters this returns nothing and the equivalent control is the Pod Security Admission labels on the namespace
kubectl get podsecuritypolicy
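Steps 4 and 5 as a small triage script, added here as an example that is not part of the original runbook. The two filters (module_loaded and module_capable_containers) read plain text on stdin, so they can be exercised offline against constructed input; triage_pod wires them to kubectl using the runbook's POD_NAME, NAMESPACE and MODULE_NAME parameters. The function names and the jsonpath template are this example's own choices, not from the runbook.

```shell
#!/usr/bin/env bash
# Added example: triage helpers for the "kernel module loaded in pod" alert.
# Requires only awk for the offline checks; triage_pod additionally needs
# kubectl access to the cluster.

# module_loaded NAME  <  contents of /proc/modules
# Containers share the node kernel, so /proc/modules read inside the pod
# lists modules loaded on the node, not modules "in" the container.
# Exact match on the first field avoids prefix hits (e.g. "nf" vs "nf_tables").
module_loaded() {
  awk -v m="$1" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# module_capable_containers  <  one tab-separated line per container:
#   <name> TAB <securityContext.privileged> TAB <capabilities.add>
# Prints the names of containers that could call init_module/finit_module:
# privileged: true, or SYS_MODULE (with or without CAP_ prefix) in the
# added capabilities. Missing values arrive as empty fields.
module_capable_containers() {
  awk -F'\t' '{ if ($2 == "true" || $3 ~ /SYS_MODULE/) print $1 }'
}

# triage_pod: runs both checks against the live pod named by the runbook's
# parameters (assumed to be exported, as in the Parameters section).
triage_pod() {
  ns="${NAMESPACE:-default}"
  pod="${POD_NAME:?POD_NAME must be set}"
  mod="${MODULE_NAME:?MODULE_NAME must be set}"

  if kubectl exec -n "$ns" "$pod" -- cat /proc/modules | module_loaded "$mod"; then
    echo "module $mod is loaded on the node running $ns/$pod"
  else
    echo "module $mod is not currently loaded on the node running $ns/$pod"
  fi

  echo "containers in $ns/$pod able to load kernel modules:"
  kubectl get pod -n "$ns" "$pod" -o jsonpath='{range .spec.containers[*]}{.name}{"\t"}{.securityContext.privileged}{"\t"}{.securityContext.capabilities.add}{"\n"}{end}' \
    | module_capable_containers
}

# Only touch the cluster when explicitly asked, so the file can be sourced
# or tested without kubectl.
if [ "${1:-}" = "--triage" ]; then
  triage_pod
fi
```

Run it as `./triage.sh --triage` after exporting the three parameters, or source the file and call the filters directly on saved evidence (for example a copy of /proc/modules collected from the node). A container with neither privileged: true nor SYS_MODULE is not proof that the alert is a false positive, but an empty list from module_capable_containers does tell you the module was loaded by some other path and widens the investigation to the node.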
Repair
Remove the pod from the Kubernetes cluster to stop further activity from it. Two caveats: if the pod is managed by a controller (Deployment, DaemonSet, StatefulSet), the controller will recreate it, so the owning workload must be scaled down or fixed as well; and deleting the pod does not unload a module that has already been loaded into the node's kernel, so the node itself should be treated as compromised, cordoned and investigated (or replaced) rather than returned to service.
#!/bin/bash

# Set the variables (exported in the Parameters section); fail early if unset
NAMESPACE="${NAMESPACE:?NAMESPACE must be set}"
POD_NAME="${POD_NAME:?POD_NAME must be set}"

# Delete the pod (kubectl waits for the pod to be gone unless --wait=false is given)
kubectl delete pod "$POD_NAME" -n "$NAMESPACE"

# Check if the pod is deleted successfully
# Note: a pod owned by a controller will be recreated with a new name;
# scale down or fix the owning workload separately.
if kubectl get pod "$POD_NAME" -n "$NAMESPACE" &> /dev/null; then
  echo "Error: $POD_NAME is still running in $NAMESPACE namespace."
  exit 1
else
  echo "Success: $POD_NAME is deleted from $NAMESPACE namespace."
fi
Consider using a runtime security tool such as Falco or Sysdig to continuously monitor the cluster for suspicious activity, including attempts to load kernel modules from containers, so that this class of event is detected at the syscall level rather than after the fact.
#!/bin/bash

# Install Falco (Debian/Ubuntu package repository; run as root)
curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y && apt-get install -y falco

# Configure Falco. rules_file and program_output are top-level keys in
# /etc/falco/falco.yaml (they must not be nested under a "falco:" key, which
# Falco does not read). This replaces the packaged configuration with a
# minimal one that forwards alerts to syslog via logger.
cat <<EOF | tee /etc/falco/falco.yaml
rules_file:
  - /etc/falco/falco_rules.yaml
program_output:
  enabled: true
  keep_alive: false
  program: "/usr/bin/logger -t falco -p local3.info"
EOF

# Start Falco
systemctl enable falco && systemctl start falco