From 026965bc6a449aee5b834520df472d55b9520c74 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 17 Apr 2020 10:02:02 -0700
Subject: [PATCH] Add rules to detect creating/deleting secrets
New rules K8s Secret Created/K8s Secret Deleted detect creating/deleting secrets, following the pattern of the other "K8s XXX Created/Deleted" rules. One minor difference is that service account token secrets are excluded, as those are created automatically as namespaces are created.
Signed-off-by: Mark Stemm
---
 rules/k8s_audit_rules.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index ebf18e34..7744af2b 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -102,6 +102,12 @@
 - macro: role
   condition: ka.target.resource=roles
+- macro: secret
+  condition: ka.target.resource=secrets
+
+- macro: req_service_account_token
+  condition: (jevt.value[/requestObject/type]="kubernetes.io/service-account-token")
+
 - macro: health_endpoint
   condition: ka.uri=/healthz
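Review bot: `req_service_account_token` reads `jevt.value[/requestObject/type]`, which is only populated when the audit policy records secret requests at level Request or RequestResponse; where secrets are logged at Metadata level (which policies often do, since the request body carries the secret data) the field is empty, the macro never matches, and the `not req_service_account_token` exclusion in the new rules silently becomes a no-op rather than an error. That dependency deserves a comment above the macro, e.g. `# Only matches when the audit policy logs secrets at level Request/RequestResponse; at Metadata level requestObject is absent and this macro is never true.` A smaller style point: the sibling `secret` macro and the existing `role`/`health_endpoint` macros write a single comparison without parentheses, while this one wraps it; either works, but the file reads better when the new macros agree with their neighbours.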
@@ -401,6 +407,22 @@
   source: k8s_audit
   tags: [k8s]
+- rule: K8s Secret Created
+  desc: Detect any attempt to create a secret. Service account tokens are excluded.
+  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and not req_service_account_token and response_successful)
+  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Secret Deleted
+  desc: Detect any attempt to delete a secret Service account tokens are excluded.
+  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and not req_service_account_token and response_successful)
+  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
 # This rule generally matches all events, and as a result is disabled
 # by default. If you wish to enable these events, modify the
 # following macro.
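Review bot: The `desc` of K8s Secret Deleted is missing the full stop between its two sentences and should read `desc: Detect any attempt to delete a secret. Service account tokens are excluded.` More substantively, a delete request does not carry the Secret object in its body, so `jevt.value[/requestObject/type]` is presumably empty on delete events and the `not req_service_account_token` clause in the Deleted rule likely never excludes anything; service-account-token deletions (for example when a namespace is torn down) would then still fire, contrary to what the desc promises. If the audit policy records the response object, the deleted secret's type may be recoverable from the responseObject side instead, which is worth verifying before the exclusion is relied on, and the desc should be worded to match whatever actually holds.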