Detection and Analysis

Anomalous behavior detection: cluster role granted pods/exec permission (or other permissions)

Test item: anomalous behavior detection, cluster role granted pods/exec permission

Test content: the system supports detecting anomalous behavior in the cluster

Test requirement: the intrusion behavior is detected

Test steps:

  1. Log in to a cluster node

  2. Create the role

     kubectl apply -f role.yaml

The contents of role.yaml are as follows. Note that although the test is named after a cluster role, this manifest is a namespaced Role; to exercise the cluster-wide variant use kind: ClusterRole and drop metadata.namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: rwildcard
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods/exec"]
  verbs: ["create", "get", "watch", "list"]

  3. Log in to the container security platform and check whether this risky behavior was detected

Enable audit logging

Prepare the audit policy file

vim /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml

Audit the create verb on the roles resource in the rbac.authorization.k8s.io group. clusterroles is listed as well so that a ClusterRole granting the same permission is caught, which is what the test name asks for:

apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
rules:
  # Request level keeps the request body, so the role's rules (resources, verbs) land in the log.
  - level: Request
    verbs: ["create"]
    resources:
      - group: rbac.authorization.k8s.io
        resources: ["roles", "clusterroles"]

An event that matches no rule is not logged at all, so a policy containing only this rule records nothing but role creation. Since an attacker can grant the same permission by updating an existing role, add "update" and "patch" to verbs if the platform should catch that path too.

Configure the API server

vim /etc/kubernetes/manifests/kube-apiserver.yaml

  1. Under spec.containers[].command add:

     - --audit-log-maxage=30
     - --audit-log-maxbackup=1
     - --audit-log-maxsize=100
     - --audit-log-path=/var/log/audit/kube-apiserver-audit.log
     - --audit-policy-file=/etc/kubernetes/audit-policy/apiserver-audit-policy.yaml

  2. Under spec.containers[].volumeMounts add:

     - mountPath: /var/log/audit
       name: audit-logs
     - mountPath: /etc/kubernetes/audit-policy
       name: audit-policy
       readOnly: true

  3. Under spec.volumes add:

     - hostPath:
         path: /var/log/kubernetes/audit
         type: ""
       name: audit-logs
     - hostPath:
         path: /etc/kubernetes/audit-policy
         type: ""
       name: audit-policy

The log path differs inside and outside the container on purpose: the API server writes to /var/log/audit in its pod, which is the host directory /var/log/kubernetes/audit, and that host path is where the log is read in the next step. With type: "" the kubelet performs no check on the host path, so either create /var/log/kubernetes/audit on the host first or use type: DirectoryOrCreate as the upstream audit documentation does. kube-apiserver is a static pod, so the kubelet restarts it as soon as the manifest is saved; if it does not come back, the usual cause is a YAML error in the policy file, visible in the container logs via crictl or in the kubelet journal.

Log analysis

View the log

cat /var/log/kubernetes/audit/kube-apiserver-audit.log

Analyze the log content, focusing on the feature fields. Each line is one JSON audit event; at Request level the role's rules are in requestObject.rules, so the fields to match are:

  match one: "verbs":["create","get","watch","list"]
  match two: "resources":["pods/exec"]

Matching the exact verb list is brittle: the POST behind kubectl exec only needs "create" on pods/exec, and a rule with "resources":["*"] or "verbs":["*"] grants the same capability without ever naming pods/exec.

Anomalous behavior detection: binding a user to the cluster admin role

Test item: anomalous behavior detection, binding a user to the cluster admin role

Test content: the system supports monitoring anomalous cluster access

Test requirement: the anomalous behavior is detected

Precondition: cluster audit rules have been configured according to the help text on the page; go to [Settings] - [Built-in policies] and enable the corresponding alert

Test steps:

  1. Log in to the cluster master node

  2. Run the following command to bind a user (root in this example) to the cluster-admin ClusterRole:

     kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=root

Enable audit logging

Prepare the audit policy file

vim /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml

Audit the create verb on the clusterrolebindings resource in the rbac.authorization.k8s.io group:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Request
    # Optional identity filters. When both are present the user must match one entry of
    # users AND belong to one of userGroups; remove them to log bindings made by any principal.
    users: ["kubernetes-admin"]
    userGroups: ["system:masters", "system:authenticated"]
    verbs: ["create"]
    resources:
      - group: rbac.authorization.k8s.io
        resources: ["clusterrolebindings", "rolebindings"]

The original used apiVersion audit.k8s.io/v1beta1, which was removed in Kubernetes 1.24; audit.k8s.io/v1 is what the rest of this page uses. rolebindings is included because a RoleBinding can also reference the cluster-admin ClusterRole and grants it within a namespace.

Log analysis

View the log

cat /var/log/kubernetes/audit/kube-apiserver-audit.log

Analyze the log content, focusing on the feature fields:

  match one:   "resource":"clusterrolebindings"
  match two:   "kind":"ClusterRoleBinding"
  match three: "name":"root"

"resource" is in objectRef, while "kind" and the subject "name":"root" come from requestObject. The field that makes the binding dangerous is "roleRef":{"kind":"ClusterRole","name":"cluster-admin"}; matching on that rather than on the subject name catches bindings made for any user or group.
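The two RBAC cases above (a Role granting pods/exec, and a ClusterRoleBinding to cluster-admin) both come down to inspecting requestObject in the audit event. The following Python script is an added example, not code from the original page or from any container security platform: it parses audit events in the JSON-lines format the API server writes, applies both detections, and runs them over constructed sample events that mirror role.yaml and the kubectl create clusterrolebinding command. It goes a little beyond the page's literal string matches, also flagging pods/attach and pods/portforward, wildcard grants, ClusterRoles, and RoleBindings that reference cluster-admin. Treating "get" as an exec-enabling verb alongside "create", and the sample user names, are assumptions of the example.

```python
"""Detect RBAC privilege escalation in kube-apiserver audit logs (JSON lines).

Added example, not code from the original page. Assumes events were logged at
level Request or higher, so requestObject carries the submitted object. The
sample events at the bottom are constructed, not captured from a real cluster.
"""
import json

EXEC_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
# "create" is the verb the POST behind kubectl exec needs; "get" and "*" are
# flagged too so a GET-based upgrade or a wildcard grant is not missed (assumption).
EXEC_VERBS = {"create", "get", "*"}
ADMIN_CLUSTER_ROLES = {"cluster-admin"}

def rule_grants_exec(rule):
    """True if one RBAC rule reaches an exec-like subresource (or a wildcard)."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    core = bool(groups & {"", "*"})
    exec_res = bool(resources & EXEC_SUBRESOURCES) or "*" in resources
    return core and exec_res and bool(verbs & EXEC_VERBS)

def _rbac_write(event, kinds):
    """objectRef and requestObject of a create/update on the given RBAC resources."""
    ref = event.get("objectRef") or {}
    if ref.get("apiGroup") != "rbac.authorization.k8s.io" or ref.get("resource") not in kinds:
        return None
    if event.get("verb") not in ("create", "update"):  # patch bodies are partial, skipped here
        return None
    return ref, (event.get("requestObject") or {})

def detect_exec_role(event):
    """Role/ClusterRole whose rules grant pods/exec (the page's first test case)."""
    hit = _rbac_write(event, ("roles", "clusterroles"))
    if not hit:
        return None
    ref, obj = hit
    bad = [r for r in obj.get("rules", []) if rule_grants_exec(r)]
    if not bad:
        return None
    return {"rule": "rbac-exec-grant", "object": f"{ref['resource']}/{ref.get('name')}",
            "namespace": ref.get("namespace"), "rules": bad}

def detect_admin_binding(event):
    """RoleBinding/ClusterRoleBinding whose roleRef is cluster-admin (second test case)."""
    hit = _rbac_write(event, ("rolebindings", "clusterrolebindings"))
    if not hit:
        return None
    ref, obj = hit
    role_ref = obj.get("roleRef") or {}
    if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") not in ADMIN_CLUSTER_ROLES:
        return None
    return {"rule": "cluster-admin-binding", "object": f"{ref['resource']}/{ref.get('name')}",
            "subjects": [f"{s.get('kind')}:{s.get('name')}" for s in obj.get("subjects", [])]}

DETECTORS = (detect_exec_role, detect_admin_binding)

def scan_audit_log(lines):
    """Run every detector over each audit event; one finding per matching request."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete":  # a request is logged once per stage
            continue
        for detector in DETECTORS:
            finding = detector(event)
            if finding:
                finding["user"] = (event.get("user") or {}).get("username")
                findings.append(finding)
    return findings

def _event(stage, ref, request):  # minimal constructed audit event: admin creating an RBAC object
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage, "verb": "create",
            "user": {"username": "kubernetes-admin", "groups": ["system:masters"]},
            "objectRef": dict(ref, apiGroup="rbac.authorization.k8s.io", apiVersion="v1"),
            "requestObject": request, "responseStatus": {"code": 201}}

EXEC_ROLE = {"kind": "Role", "metadata": {"name": "rwildcard", "namespace": "default"},  # role.yaml above
             "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create", "get", "watch", "list"]}]}
READ_ROLE = {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"},  # benign, must not fire
             "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
ADMIN_CRB = {"kind": "ClusterRoleBinding", "metadata": {"name": "root-cluster-admin-binding"},
             "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
             "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "root"}]}
ROLE_REF = {"resource": "roles", "namespace": "default", "name": "rwildcard"}
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("RequestReceived", ROLE_REF, EXEC_ROLE),  # earlier stage of the same request: must not double count
    _event("ResponseComplete", ROLE_REF, EXEC_ROLE),
    _event("ResponseComplete", dict(ROLE_REF, name="pod-reader"), READ_ROLE),
    _event("ResponseComplete", {"resource": "clusterrolebindings", "name": "root-cluster-admin-binding"}, ADMIN_CRB),
])

def demo():
    """Scan the constructed log: expect the exec role and the admin binding, nothing else."""
    return scan_audit_log(SAMPLE_AUDIT_LOG.splitlines())
```

To run it against a real cluster, pass the opened /var/log/kubernetes/audit/kube-apiserver-audit.log to scan_audit_log instead of the constructed sample. Each finding carries the acting user, so an alert can name who made the change, and the stage filter matters because the same request appears once per audit stage.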

Anomalous behavior detection: anomalous access to Secrets

Enable audit logging

Prepare the audit policy file

vim /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml

Audit the list verb on the secrets resource in the core group:

apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
  - "ResponseStarted"
rules:
  - level: RequestResponse
    verbs: ["list"]
    resources:
      - group: ""   # the core API group, written explicitly as an empty string
        resources: ["secrets"]

Two cautions. The original used audit.k8s.io/v1beta1 (removed in Kubernetes 1.24) and left group: empty; v1 is the current API and "" names the core group unambiguously. More importantly, RequestResponse level copies the response body into the log, so every listed Secret's data ends up in /var/log/kubernetes/audit in base64; the upstream policy example logs secrets at Metadata level for exactly this reason. Use RequestResponse only while testing the detection, and protect the audit log as you would the Secrets themselves.

Log analysis

View the log

cat /var/log/kubernetes/audit/kube-apiserver-audit.log

Analyze the log content, focusing on the feature fields:

  match one:   "requestURI":"/api/v1/secrets?limit=500"
  match two:   "description":"Data contains the secret data"
  match three: "kubernetes.io/service-account-token"

A requestURI of /api/v1/secrets with no namespace segment is a cluster-wide list, which almost no workload legitimately needs; limit=500 is the chunk size kubectl sends by default. The type kubernetes.io/service-account-token appears on items in responseObject and marks tokens that can be replayed against the API server.

Anomalous behavior detection: creating a shadow API server

Enable audit logging

Prepare the audit policy file

vim /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml

Audit the create verb on the pods resource in the core group:

apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
rules:
  # Log pod creation at Request level so the pod spec, including command-line flags, is captured.
  - level: Request
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods"]

Log analysis

Analyze the log content, focusing on the feature fields in requestObject.spec.containers:

  match one:   "name":"kube-apiserver"
  match two:   "--allow-privileged=true"
  match three: "--authorization-mode=AlwaysAllow"

The legitimate kube-apiserver is a static pod, so its API object is a mirror pod created by the kubelet (user system:node:<node-name>, annotation kubernetes.io/config.mirror). A kube-apiserver pod created by any other user, or one carrying --authorization-mode=AlwaysAllow, is the shadow.

Anomalous behavior detection: creating a backdoor container through a Kubernetes controller

Enable audit logging

Prepare the audit policy file

vim /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml

Audit the create verb on pods in the core group and on deployments in the apps group. The original policy covered only pods, which can never yield the "resource":"deployments" match below; the pods a controller creates are logged with the replicaset-controller as the user, not the attacker, so the controller object itself must be audited:

apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
rules:
  # Log workload creation at RequestResponse level so the full spec, volumes included, is captured.
  - level: RequestResponse
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods"]
      - group: apps
        resources: ["deployments", "daemonsets", "statefulsets"]

Log analysis

Analyze the log content, focusing on the feature fields:

  match one:   "verb":"create"
  match two:   "resource":"deployments"
  match three: "hostPath":{"path":"/"

A hostPath of "/" mounts the node's root filesystem into the container; combined with a privileged securityContext it is a full node compromise, so the same check should be applied to pods, daemonsets and statefulsets, not only deployments.

Anomalous behavior detection: Kubernetes CronJob persistence

Enable audit logging

Prepare the audit policy file

vim /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml

Audit the create verb on pods in the core group and on cronjobs in the batch group. The original policy covered only pods, so the CronJob creation itself would not have been logged; the Jobs and Pods it later spawns are created by the cronjob and job controllers rather than by the attacker:

apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
rules:
  # Log at RequestResponse level so the CronJob's schedule and jobTemplate are captured.
  - level: RequestResponse
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods"]
      - group: batch
        resources: ["cronjobs", "jobs"]

Log analysis

Analyze the log content, focusing on the feature fields:

  match one: "verb":"create"
  match two: "resource":"cronjobs"

In a cluster where scheduled workloads are rare every CronJob creation deserves an alert; where they are common, pivot on requestObject.spec.schedule and the container command under spec.jobTemplate.spec.template.spec to separate a nightly backup from a beacon that re-runs every few minutes.
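The four remaining cases (bulk Secrets reads, a shadow API server, a hostPath backdoor created through a controller, and CronJob persistence) all key on the workload spec carried in requestObject, so one added Python example serves them all. It is not code from the original page or from any container security platform. It assumes RequestResponse-level logging (so responseObject is present for the Secrets case), locates the PodSpec wherever the workload kind embeds it (Pod, Deployment template, CronJob jobTemplate), and runs over constructed sample events. The sensitive host paths beyond "/", the rule that a kube-apiserver pod created by anyone other than the kubelet is a shadow, and the sample users and object names are assumptions of the example.

```python
"""Workload-level detections over kube-apiserver audit events (JSON lines).

Added example, not code from the original page; it serves the Secrets, shadow
API server, hostPath backdoor and CronJob cases. Assumes Request or
RequestResponse level logging. Sample events are constructed, not captures.
"""
import json

SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock", "/run/containerd"}  # "/" is the page's case; rest assumed
WORKLOADS = {"pods", "deployments", "daemonsets", "statefulsets", "replicasets", "jobs", "cronjobs"}

def pod_spec(obj):
    """PodSpec embedded in a Pod, a controller's template, a Job or a CronJob."""
    spec = obj.get("spec") or {}
    if "jobTemplate" in spec:  # CronJob -> Job
        spec = spec["jobTemplate"].get("spec") or {}
    if "template" in spec:     # Deployment/DaemonSet/Job -> Pod
        spec = spec["template"].get("spec") or {}
    return spec

def command_lines(spec):
    """(container name, 'command args') for every init and regular container."""
    return [(c.get("name", ""), " ".join(c.get("command", []) + c.get("args", [])))
            for c in spec.get("initContainers", []) + spec.get("containers", [])]

def _workload_create(event):
    ref = event.get("objectRef") or {}
    if event.get("verb") != "create" or ref.get("resource") not in WORKLOADS:
        return None
    return ref, pod_spec(event.get("requestObject") or {})

def detect_secrets_list(event):
    """Bulk read of Secrets; cluster-wide when objectRef carries no namespace."""
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "secrets" or event.get("verb") not in ("list", "watch"):
        return None
    items = (event.get("responseObject") or {}).get("items", [])
    return {"rule": "secrets-bulk-read", "uri": event.get("requestURI"), "cluster_wide": "namespace" not in ref,
            "sa_tokens": sum(s.get("type") == "kubernetes.io/service-account-token" for s in items)}

def detect_shadow_apiserver(event):
    """kube-apiserver created by anyone but the kubelet (system:node:*), or any apiserver with AlwaysAllow."""
    hit = _workload_create(event)
    user = (event.get("user") or {}).get("username", "")
    for name, cmd in (command_lines(hit[1]) if hit else []):
        apiserver = "kube-apiserver" in name or "kube-apiserver" in cmd
        if "--authorization-mode=AlwaysAllow" in cmd or (apiserver and not user.startswith("system:node:")):
            return {"rule": "shadow-apiserver", "container": name, "allow_privileged": "--allow-privileged=true" in cmd}
    return None

def detect_hostpath(event):
    """Workload mounting a sensitive node path (the page's case is hostPath "/")."""
    hit = _workload_create(event)
    for vol in (hit[1].get("volumes", []) if hit else []):
        path = (vol.get("hostPath") or {}).get("path")
        if path and (path.rstrip("/") or "/") in SENSITIVE_HOST_PATHS:
            return {"rule": "sensitive-hostpath", "object": f"{hit[0]['resource']}/{hit[0].get('name')}", "path": path}
    return None

def detect_cronjob(event):
    """Any new CronJob: scheduled re-execution is a persistence primitive."""
    hit = _workload_create(event)
    if not hit or hit[0].get("resource") != "cronjobs":
        return None
    return {"rule": "cronjob-created", "object": f"cronjobs/{hit[0].get('name')}",
            "schedule": ((event.get("requestObject") or {}).get("spec") or {}).get("schedule"),
            "commands": [cmd for _, cmd in command_lines(hit[1])]}

DETECTORS = (detect_secrets_list, detect_shadow_apiserver, detect_hostpath, detect_cronjob)

def scan_audit_log(lines):
    """Run every detector over each event; only the ResponseComplete stage is reported."""
    findings = []
    for event in (json.loads(line) for line in lines if line.strip()):
        if event.get("stage") != "ResponseComplete":
            continue
        for finding in filter(None, (d(event) for d in DETECTORS)):
            finding["user"] = (event.get("user") or {}).get("username")
            findings.append(finding)
    return findings

def _ev(verb, resource, name, user, group="", ns="default", uri=None, request=None, response=None):
    ref = {"resource": resource, "name": name, "apiGroup": group, **({"namespace": ns} if ns else {})}
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "verb": verb,
            "user": {"username": user}, "objectRef": ref, "requestURI": uri,
            "requestObject": request, "responseObject": response}

SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [  # constructed events, not captured from a cluster
    _ev("list", "secrets", "", "attacker", ns=None, uri="/api/v1/secrets?limit=500", response={"items": [
        {"metadata": {"name": "default-token-x"}, "type": "kubernetes.io/service-account-token"},
        {"metadata": {"name": "db-creds"}, "type": "Opaque"}]}),
    _ev("create", "pods", "kube-apiserver", "attacker", ns="kube-system", request={"spec": {"containers": [{
        "name": "kube-apiserver", "command": ["kube-apiserver", "--allow-privileged=true",
                                              "--authorization-mode=AlwaysAllow", "--secure-port=6443"]}]}}),
    _ev("create", "deployments", "backdoor", "attacker", group="apps", request={"spec": {"template": {"spec": {
        "containers": [{"name": "sh", "image": "alpine", "command": ["sleep", "infinity"]}],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}}}),
    _ev("create", "cronjobs", "persist", "attacker", group="batch", request={"spec": {"schedule": "*/5 * * * *",
        "jobTemplate": {"spec": {"template": {"spec": {"containers": [
            {"name": "c", "image": "alpine", "command": ["/bin/sh", "-c", "/tmp/agent"]}]}}}}}}),
    _ev("create", "pods", "web", "developer", request={"spec": {"containers": [{"name": "nginx"}]}}),  # benign
])

def demo():
    return scan_audit_log(SAMPLE_AUDIT_LOG.splitlines())
```

Each detector returns a dictionary rather than printing, so the same functions can feed an alerting pipeline; the benign nginx pod in the sample produces no finding, which is the check worth keeping when tuning the host-path list or the user filter for a real cluster.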

This article is licensed under CC-BY-SA-3.0; please credit the source when reposting.
Author: Sally