add bunch of k8s related signatures by roikol · Pull Request #1031 · aquasecurity/tracee · GitHub
add bunch of k8s related signatures #1031


Merged: 11 commits, Oct 6, 2021

Conversation

roikol
Contributor
@roikol roikol commented Sep 29, 2021

No description provided.

@itaysk
Collaborator
itaysk commented Sep 29, 2021

Something that I think is worth discussing: some signatures are not "detections" but more like information collection, for example container start and stop.
It seems like we are starting to use tracee to do more than the original tagline of "detecting suspicious behavior at runtime", and we are looking into using tracee to generate an audit log for forensics.
If we consider container start for example, I'm pretty sure no k8s administrator of a mature production cluster will ignore this signature since it would be too noisy. If the purpose is just for storing these events for later use, then I'm not sure how this fits in the use case that we defined for tracee currently. (Maybe it does, but we need to define it.)

@roikol
Contributor Author
roikol commented Sep 29, 2021

Something that I think is worth discussing: some signatures are not "detections" but more like information collection, for example container start and stop. It seems like we are starting to use tracee to do more than the original tagline of "detecting suspicious behavior at runtime", and we are looking into using tracee to generate an audit log for forensics. If we consider container start for example, I'm pretty sure no k8s administrator of a mature production cluster will ignore this signature since it would be too noisy. If the purpose is just for storing these events for later use, then I'm not sure how this fits in the use case that we defined for tracee currently. (Maybe it does, but we need to define it.)

I agree that this kind of signature is not a detection of suspicious events, but rather an event of interest to the user.
We should have a discussion about that. And if the signature has value as a detection of suspicious behavior, it should be more specific.
For now, I'll remove the container start and stop signatures from this PR so we can proceed.

@itaysk
Collaborator
itaysk commented Sep 29, 2021

A nice "detection" sig would be a container started not via Kubernetes.

@raesene
Contributor
raesene commented Sep 30, 2021

That detection would be nice. A standard detection-avoidance hack is to use either docker or containerd to run a container. Another related one is putting a manifest into the static manifest path for the node (if there is one). IIRC, if you do that and use a non-existent namespace, it'll start but the pod won't show via kubectl.
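The two detection ideas raised in this thread (a container that kubelet did not start, and a manifest dropped into the node's static pod directory) as a standalone Go sketch. This is an added example, not code from this PR or from tracee: it models a simplified Event struct instead of tracee's signature API, and it assumes the event names container_create and openat, the kubeadm default manifest directory /etc/kubernetes/manifests, and the "kubepods" cgroup hierarchy that kubelet creates for the pods it manages. A static pod is still launched by kubelet, so its cgroup is under kubepods and the first check stays quiet; that is why the second check watches the manifest directory itself.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Event is a deliberately simplified stand-in for a tracee event
// (assumption: the real tracee event and signature API differ; only the
// fields these two checks need are modelled here).
type Event struct {
	Name   string // event name, e.g. "container_create" or "openat" (assumed names)
	Cgroup string // cgroup path of the process that produced the event
	Comm   string // command name of that process
	Path   string // pathname argument for file events
	Flags  string // open flags for file events, e.g. "O_WRONLY|O_CREAT"
}

// Finding is what a signature would emit.
type Finding struct {
	Rule   string
	Detail string
}

// StaticPodDir is the kubeadm default (assumption: real nodes may point
// kubelet's --pod-manifest-path elsewhere, so this should be configurable).
const StaticPodDir = "/etc/kubernetes/manifests"

// ContainerStartedOutsideK8s flags a container creation whose cgroup is not
// under the "kubepods" hierarchy kubelet uses (both the cgroupfs path
// /kubepods/... and the systemd slice kubepods.slice contain that token).
// Containers launched directly through docker or ctr land elsewhere,
// e.g. /docker/<id> or /default/<id>.
func ContainerStartedOutsideK8s(e Event) (Finding, bool) {
	if e.Name != "container_create" {
		return Finding{}, false
	}
	if strings.Contains(e.Cgroup, "kubepods") {
		return Finding{}, false
	}
	return Finding{
		Rule:   "container_started_outside_k8s",
		Detail: fmt.Sprintf("comm=%s cgroup=%s", e.Comm, e.Cgroup),
	}, true
}

// StaticPodManifestWrite flags a write-capable open of a file directly inside
// the static pod directory. kubelet only reads that directory, so a write
// from anything other than the provisioning tooling is worth a look.
func StaticPodManifestWrite(e Event) (Finding, bool) {
	if e.Name != "openat" {
		return Finding{}, false
	}
	writable := false
	for _, f := range strings.Split(e.Flags, "|") {
		switch f {
		case "O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC":
			writable = true
		}
	}
	if !writable {
		return Finding{}, false
	}
	// Normalise first so "/etc/kubernetes/manifests/../x" is not mistaken
	// for a manifest file.
	clean := filepath.Clean(e.Path)
	if filepath.Dir(clean) != StaticPodDir {
		return Finding{}, false
	}
	return Finding{
		Rule:   "static_pod_manifest_write",
		Detail: fmt.Sprintf("comm=%s path=%s flags=%s", e.Comm, clean, e.Flags),
	}, true
}

// Evaluate runs both checks over an event stream, in order.
func Evaluate(events []Event) []Finding {
	var out []Finding
	for _, e := range events {
		if f, ok := ContainerStartedOutsideK8s(e); ok {
			out = append(out, f)
		}
		if f, ok := StaticPodManifestWrite(e); ok {
			out = append(out, f)
		}
	}
	return out
}

// SampleEvents is a constructed stream for the demo, not captured data.
func SampleEvents() []Event {
	return []Event{
		{Name: "container_create", Cgroup: "/kubepods/burstable/pod7b1c/3f2a", Comm: "containerd-shim"},
		{Name: "container_create", Cgroup: "/docker/9e4d1c", Comm: "containerd-shim"},
		{Name: "openat", Cgroup: "/system.slice/kubelet.service", Comm: "kubelet", Path: "/etc/kubernetes/manifests/kube-apiserver.yaml", Flags: "O_RDONLY"},
		{Name: "openat", Cgroup: "/user.slice", Comm: "sh", Path: "/etc/kubernetes/manifests/extra.yaml", Flags: "O_WRONLY|O_CREAT"},
		{Name: "openat", Cgroup: "/user.slice", Comm: "sh", Path: "/etc/kubernetes/manifests/../kubelet.conf", Flags: "O_WRONLY"},
	}
}

func main() {
	for _, f := range Evaluate(SampleEvents()) {
		fmt.Printf("%s: %s\n", f.Rule, f.Detail)
	}
}
```

Run as-is and only the second and fourth sample events produce findings; the read by kubelet and the path that resolves outside the manifest directory do not. In a real deployment the write check would want an allow-list for the provisioning tooling (kubeadm, configuration management) that legitimately writes manifests during node setup.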

@itaysk itaysk requested a review from yanivagman October 6, 2021 08:51
@yanivagman
Collaborator

LGTM!

@yanivagman yanivagman merged commit fccbca3 into aquasecurity:main Oct 6, 2021
@itaysk itaysk added this to the v0.6.2 milestone Oct 7, 2021
Collaborator
@itaysk itaysk left a comment

forgot to update the docs
