Runbook

Kubernetes - Kernel Module Loaded in Pod.


Overview

This incident type covers a kernel module being loaded by a process running inside a Kubernetes pod. Containers share the node's kernel, so a module loaded from a pod does not stay "in the pod": it runs in the node's kernel with full privileges, outside the pod's namespaces and cgroups, and can hide processes, tamper with every other workload on the node, and survive the pod being deleted. Loading a module requires CAP_SYS_MODULE, which a container only gets from privileged: true or capabilities.add: [SYS_MODULE], neither of which a normal workload should have. The alert therefore almost always means either a badly configured pod or an attacker who already holds elevated privileges in the pod and is escalating to the node. Treat it as critical: confirm quickly, then contain the pod and the node it ran on.

Parameters

export POD_NAME="PLACEHOLDER"
export MODULE_NAME="PLACEHOLDER"
export NAMESPACE="PLACEHOLDER"

Debug

1. List the pods in the affected namespace, including the node each one runs on (the module lives in that node's kernel, so the node name matters for containment)

kubectl get pods -n ${NAMESPACE} -o wide

2. Get the logs for the pod, from every container in it

kubectl logs ${POD_NAME} -n ${NAMESPACE} --all-containers

3. List all containers running in the pod (kubectl describe only shows the first one with the grep used before)

kubectl get pod ${POD_NAME} -n ${NAMESPACE} -o jsonpath='{.spec.initContainers[*].name}{" "}{.spec.containers[*].name}{"\n"}'

4. Check whether the module is loaded. /proc/modules read from inside a container is the node's module table, because the kernel is shared; a match confirms the module is in the node's kernel, and trailing taint flags such as (OE) mean out-of-tree and unsigned. Use -c to pick a container if the pod has several. Be aware that kubectl exec runs binaries from the suspect container, which an attacker may have replaced; if you can reach the node, read /proc/modules there instead.

kubectl exec ${POD_NAME} -n ${NAMESPACE} -- grep -w "^${MODULE_NAME}" /proc/modules

5. Check each container's security context. kubectl describe does not print it, so pull it from the spec and look for privileged: true or SYS_MODULE (or ALL) under capabilities.add; a container without one of those cannot have loaded the module, and the alert's attribution should be questioned.

kubectl get pod ${POD_NAME} -n ${NAMESPACE} -o jsonpath='{range .spec.containers[*]}{.name}{"\t"}{.securityContext}{"\n"}{end}'

6. Check what policy allowed the pod. PodSecurityPolicy only exists on clusters older than 1.25:

kubectl get podsecuritypolicy

On 1.25 and later it was removed; check the Pod Security Admission labels on the namespace instead (a missing or "privileged" pod-security.kubernetes.io/enforce label is what lets a pod with SYS_MODULE be created):

kubectl get ns ${NAMESPACE} --show-labels
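The checks in steps 3 to 6 are easier to reason about when applied to the raw pod object rather than to eyeballed describe output. The following triage helper is an added example for this runbook, not code from the original page or from any tool it mentions; it takes the object that `kubectl get pod ${POD_NAME} -n ${NAMESPACE} -o json` returns and the text of /proc/modules, and reports which containers could have loaded a module, whether the module is really in the node's kernel, and what the Repair step has to delete. The pod, node, image and module names in the two sample inputs are constructed for illustration.

```python
"""Triage helper for a "Kernel Module Loaded in Pod" alert (added example,
not part of the original runbook). Both inputs below are constructed samples."""
import json
from typing import Optional

# Constructed sample of `kubectl get pod -o json`, trimmed to the fields used here.
SAMPLE_POD = {
    "metadata": {
        "name": "worker-7c9d-x2k4p",
        "namespace": "payments",
        "ownerReferences": [
            {"kind": "ReplicaSet", "name": "worker-7c9d", "controller": True}
        ],
    },
    "spec": {
        "nodeName": "node-3",
        "containers": [
            {"name": "app", "image": "registry.example/worker:1.4"},
            {
                "name": "sidecar",
                "image": "registry.example/sidecar:0.9",
                "securityContext": {"capabilities": {"add": ["SYS_MODULE"]}},
            },
        ],
    },
}

# Constructed sample of /proc/modules as read from inside the container. The kernel
# is shared, so this is the node's module table. Fields:
#   name size refcount used_by state address [taint flags]
SAMPLE_PROC_MODULES = """\
sample_mod 16384 0 - Live 0xffffffffc0a1b000 (OE)
nf_nat 49152 1 xt_MASQUERADE, Live 0xffffffffc0a3f000
nf_conntrack 172032 2 nf_nat,xt_MASQUERADE, Live 0xffffffffc09f0000
"""


def module_load_capable(pod: dict) -> list[tuple[str, str]]:
    """(container, reason) for each container able to call init_module/finit_module.

    That needs CAP_SYS_MODULE in the initial user namespace, which a container gets
    only from privileged: true or capabilities.add containing SYS_MODULE (or ALL).
    Init containers are included: they run first and are an easy place to hide a loader.
    """
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((c["name"], "privileged: true"))
            continue
        caps = (sc.get("capabilities") or {}).get("add", [])
        added = {cap.upper().removeprefix("CAP_") for cap in caps}
        if added & {"SYS_MODULE", "ALL"}:
            findings.append((c["name"], "capability SYS_MODULE"))
    return findings


def controller_of(pod: dict) -> Optional[tuple[str, str]]:
    """(kind, name) of the controller owning the pod, if any. Deleting a pod owned by
    a ReplicaSet/DaemonSet/StatefulSet just makes the controller create a replacement,
    so containment has to target the owner."""
    for ref in pod.get("metadata", {}).get("ownerReferences", []):
        if ref.get("controller"):
            return ref["kind"], ref["name"]
    return None


def parse_proc_modules(text: str) -> dict[str, dict]:
    """Parse /proc/modules; taint letters (O = out-of-tree, E = unsigned) are kept."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        name, size, refcount, used_by, state, address = parts[:6]
        mods[name] = {
            "size": int(size),
            "refcount": int(refcount),
            "used_by": [] if used_by == "-" else [d for d in used_by.split(",") if d],
            "state": state,
            "address": address,
            "taint": parts[6].strip("()") if len(parts) > 6 else "",
        }
    return mods


def triage(pod: dict, proc_modules: str, module_name: str) -> dict:
    """Combine the checks into the facts the Repair step needs."""
    meta = pod["metadata"]
    capable = module_load_capable(pod)
    owner = controller_of(pod)
    mod = parse_proc_modules(proc_modules).get(module_name)
    return {
        "pod": f"{meta['namespace']}/{meta['name']}",
        "node": pod["spec"].get("nodeName"),  # the module lives in this node's kernel
        "module_in_node_kernel": mod is not None,
        "module_out_of_tree_or_unsigned": bool(mod) and any(f in mod["taint"] for f in "OE"),
        # False here means no container could have loaded it: the load came from
        # elsewhere on the node and the alert's attribution to this pod is wrong.
        "pod_can_load_modules": bool(capable),
        "capable_containers": capable,
        "remediation_target": f"{owner[0]}/{owner[1]}" if owner else f"Pod/{meta['name']}",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_POD, SAMPLE_PROC_MODULES, "sample_mod"), indent=2))
```

On a real incident feed it `kubectl get pod ... -o json` (parsed with json.loads) and the /proc/modules text from step 4; the remediation_target field is the object the Repair step must delete or scale down, since deleting a controller-managed pod on its own is undone by the controller within seconds.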

Repair

Remove the pod from the cluster to stop further activity from it. Two caveats: deleting the pod does not unload the module from the node's kernel, so cordon the node and plan to replace it rather than trust it; and a pod owned by a controller (Deployment, ReplicaSet, DaemonSet, StatefulSet) is recreated as soon as it is deleted, so the owner has to be scaled down or deleted as well. The script records the pod spec before deleting it, because the spec is the evidence of how the pod got CAP_SYS_MODULE.

#!/bin/bash
set -euo pipefail

# Set the variables (exported in the Parameters section)
NAMESPACE=${NAMESPACE:?set NAMESPACE}
POD_NAME=${POD_NAME:?set POD_NAME}

# Preserve the pod spec and node placement before destroying the evidence
kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o yaml > "${POD_NAME}.${NAMESPACE}.yaml"

# A controller-managed pod is recreated after deletion; warn so the owner gets handled too
OWNER=$(kubectl get pod "$POD_NAME" -n "$NAMESPACE" \
  -o jsonpath='{.metadata.ownerReferences[?(@.controller==true)].kind}/{.metadata.ownerReferences[?(@.controller==true)].name}')
if [ "$OWNER" != "/" ]; then
  echo "Warning: $POD_NAME is managed by $OWNER; scale down or delete the owner or the pod will be recreated."
fi

# Delete the pod (kubectl waits for the object to be gone before returning)
kubectl delete pod "$POD_NAME" -n "$NAMESPACE"

# Check if the pod is deleted successfully
if kubectl get pod "$POD_NAME" -n "$NAMESPACE" &> /dev/null; then
  echo "Error: $POD_NAME is still present in $NAMESPACE namespace."
  exit 1
else
  echo "Success: $POD_NAME is deleted from $NAMESPACE namespace."
fi

Consider running a runtime security tool such as Falco or Sysdig on every node so that module loads from containers are caught as they happen instead of found afterwards. Falco's bundled ruleset already carries a rule for this (Linux Kernel Module Injection Detected). The script below installs the Falco package directly on a node and sends its alerts to syslog; on a cluster it is more commonly deployed as a DaemonSet through the Helm chart. Note that Falco's own driver may itself be a kernel module, so expect it in /proc/modules on the node.

#!/bin/bash
set -euo pipefail

# Install Falco on the node (apt-key is deprecated, so the signing key goes into a
# dedicated keyring referenced with signed-by)
curl -fsSL https://falco.org/repo/falcosecurity-3672BA8F.asc \
  | gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" \
  | tee /etc/apt/sources.list.d/falcosecurity.list
apt-get update -y && apt-get install -y falco

# Configure Falco. Keys in falco.yaml are top level (there is no "falco:" wrapper),
# and this heredoc replaces the packaged file, so keep the default rules files and
# the local override file in rules_file or the bundled detections are lost.
cat <<EOF | tee /etc/falco/falco.yaml
rules_file:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/falco_rules.local.yaml
  - /etc/falco/rules.d
program_output:
  enabled: true
  keep_alive: false
  program: "/usr/bin/logger -t falco -p local3.info"
EOF

# Start Falco
systemctl enable falco && systemctl start falco
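A rule pair written for this runbook's alert, as an added example and not a rule shipped with Falco or taken from the original page. It belongs in /etc/falco/falco_rules.local.yaml, which the packaged falco.yaml loads after the default rules, so the spawned_process macro from those rules is available. It assumes a Falco release that decodes the init_module and finit_module syscalls; on one that does not, only the second rule fires. The rule names, output text and tags are this example's own choices.

```yaml
# Added example for the "Kernel Module Loaded in Pod" runbook, not a bundled Falco rule.
# Assumes init_module/finit_module event decoding is available in this Falco release.

- rule: Kernel module loaded from a container
  desc: >
    A process in a container called init_module or finit_module. Only a container
    running privileged or with CAP_SYS_MODULE can do this, and the module ends up
    in the shared node kernel.
  condition: >
    evt.type in (init_module, finit_module) and evt.dir=< and container
  output: >
    Kernel module load from container (command=%proc.cmdline parent=%proc.pname
    user=%user.name container=%container.name image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: CRITICAL
  tags: [container, kernel, mitre_persistence]

- rule: Module loader tool started in a container
  desc: >
    insmod, modprobe or rmmod was executed inside a container. Fires on the exec,
    before the syscall, so it also catches attempts that fail for lack of CAP_SYS_MODULE.
  condition: >
    spawned_process and container and proc.name in (insmod, modprobe, rmmod)
  output: >
    Module loader started in container (command=%proc.cmdline parent=%proc.pname
    user=%user.name container=%container.name image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, kernel, mitre_persistence]
```

Validate the file with `falco -V /etc/falco/falco_rules.local.yaml` before restarting the service; the first rule is the one that maps to this alert, the second is an early-warning companion that also surfaces failed attempts.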
