Developing a resource to help CKS candidates better understand security risks

Hi there,

I recently created a new documentation website where I write k8s security-related articles including CKS relevant information.

The website is still being developed as I have many more articles to add.

You can check it at this link: https://geek-kb.github.io/k8s_security .

This is an example article I consider finished and ready:
Attack Vectors - Container Escape

The reason I opened this post is to ask for permission to use the k8s playgrounds to test and present some topics I write articles about.

I promise not to cause any issues and to revert any changes I do when I finish, but I just wanted your consent.

Thanks in advance,

Itai

That sounds like a good idea. As to using the playgrounds – if you’re doing CKS type things you should be fine, although I’d guess (or hope) that we monitor for things that look like exploits; probably best not to do that, even if you are doing it righteously :slight_smile:

Ok @rob_kodekloud, first of all, thanks.
Second, let me show you an example for something I did prior to opening this topic…
Only after doing that, I realized that it may be problematic (if this stuff is indeed monitored), so I just wanted to make sure.
I will not do such things again, but check this and I would appreciate it if you approved/disapproved of such a thing:
asciicast
Anyway, thanks in advance!
Itai

Following my CKS studies (here in KodeKloud), these are the rules you may use to detect such actions; you may consider implementing them:

  1. Detecting modification of the release_agent file:
     In case a user attempts to exploit the release_agent file to escape a container, Falco provides a default rule to detect such attempts:

     - rule: Detect release_agent File Container Escapes
       desc: Detect an attempt to exploit a container escape using release_agent file.
       condition: open_write and container and fd.name endswith release_agent and (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and thread.cap_effective contains CAP_SYS_ADMIN
       output: "Detect an attempt to exploit a container escape using release_agent file (file=%fd.name cap_effective=%thread.cap_effective user=%user.name command=%proc.cmdline container_id=%container.id)"
       priority: CRITICAL
       tags: [container, mitre_privilege_escalation, T1611]

  2. Monitoring for privileged container launches:
     Running containers with excessive privileges increases the risk of container escapes. Falco's incubating rules include a check for this scenario:

     - rule: Launch Privileged Container
       desc: Detect the initial process initiation within a privileged container.
       condition: container_started and container and container.privileged=true and not falco_privileged_containers and not user_privileged_containers
       output: "Privileged container started (user=%user.name command=%proc.cmdline container_id=%container.id)"
       priority: INFO
       tags: [container, cis, mitre_execution, T1610, PCI_DSS_10.2.5]

  3. Detecting packet socket creation in containers:
     The creation of packet sockets within containers can indicate attempts to exploit vulnerabilities like CVE-2020-14386. Falco provides a rule to detect such activity:

     - rule: Packet socket created in container
       desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container.
       # The socket domain argument is rendered with its numeric value (e.g. 17(AF_PACKET)), so match with
       # "contains" rather than "="; evt.dir=> keeps the rule from firing on both the enter and exit event.
       condition: evt.type=socket and evt.dir=> and evt.arg[0] contains AF_PACKET and container and not proc.name in (user_known_packet_socket_binaries)
       output: "Packet socket was created in a container (user=%user.name command=%proc.cmdline container_id=%container.id)"
       priority: NOTICE
       tags: [network, mitre_discovery, T1046]

Integrate with Alerting Systems:
Configure Falco to send alerts to your preferred monitoring or alerting systems, such as Slack or SIEM solutions, to ensure timely responses to detected threats.
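To make the three conditions above concrete, here is an added example (not from the post above, and not Falco's own code) that re-implements them as plain Python predicates and runs them over a handful of constructed events. It shows why each clause matters: the release_agent rule only fires when the writer actually holds CAP_SYS_ADMIN, the privileged-container rule is silenced by the falco_privileged_containers / user_privileged_containers allowlists, and the packet-socket rule uses a substring match because the domain argument is assumed to be rendered as "17(AF_PACKET)". The allowlist contents, image names and container IDs are assumptions chosen for the demo; the Event class is a stand-in for Falco's event fields, not Falco's API.

```python
"""Evaluate Falco-style detection conditions over constructed events (added example)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Hypothetical allowlists standing in for the Falco lists/macros referenced by the
# rules (falco_privileged_containers, user_privileged_containers,
# user_known_packet_socket_binaries). Values are assumptions for this demo.
FALCO_PRIVILEGED_IMAGES = {"docker.io/falcosecurity/falco"}
USER_PRIVILEGED_IMAGES = {"registry.example.com/ops/node-exporter"}
USER_KNOWN_PACKET_SOCKET_BINARIES = {"tcpdump", "dhclient"}


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for a Falco event; fields mirror those used by the rules."""
    evt_type: str                          # "open", "container" (new container), "socket"
    container_id: str = "host"             # "host" means not in a container
    image: str = ""                        # container.image.repository
    privileged: bool = False               # container.privileged
    uid: int = 1000                        # user.uid
    caps: FrozenSet[str] = frozenset()     # thread.cap_effective
    fd_name: str = ""                      # fd.name
    flags: FrozenSet[str] = frozenset()    # open(2) flags
    proc_name: str = ""                    # proc.name
    socket_domain: str = ""                # evt.arg[0] as rendered, e.g. "17(AF_PACKET)" (assumption)


# --- macros, mirroring the ones the rules reference ---
def container(e: Event) -> bool:
    return e.container_id != "host"

def open_write(e: Event) -> bool:
    return e.evt_type == "open" and bool(e.flags & {"O_WRONLY", "O_RDWR"})

def container_started(e: Event) -> bool:
    return e.evt_type == "container"

def falco_privileged_containers(e: Event) -> bool:
    return e.image in FALCO_PRIVILEGED_IMAGES

def user_privileged_containers(e: Event) -> bool:
    return e.image in USER_PRIVILEGED_IMAGES


# --- the three rule conditions ---
def detect_release_agent_escape(e: Event) -> bool:
    return (open_write(e) and container(e) and e.fd_name.endswith("release_agent")
            and (e.uid == 0 or "CAP_DAC_OVERRIDE" in e.caps)
            and "CAP_SYS_ADMIN" in e.caps)

def launch_privileged_container(e: Event) -> bool:
    return (container_started(e) and container(e) and e.privileged
            and not falco_privileged_containers(e) and not user_privileged_containers(e))

def packet_socket_in_container(e: Event) -> bool:
    # "contains" semantics: the domain argument carries a numeric prefix (assumption)
    return (e.evt_type == "socket" and "AF_PACKET" in e.socket_domain and container(e)
            and e.proc_name not in USER_KNOWN_PACKET_SOCKET_BINARIES)


RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("Detect release_agent File Container Escapes", "CRITICAL", detect_release_agent_escape),
    ("Launch Privileged Container", "INFO", launch_privileged_container),
    ("Packet socket created in container", "NOTICE", packet_socket_in_container),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule name, priority, container_id) for every rule that fires on every event."""
    return [(name, prio, e.container_id) for e in events for name, prio, cond in RULES if cond(e)]


# Constructed sample events (not real captures). Each pair shows one rule firing and
# a near-miss that the rule's extra clause is there to suppress.
ADMIN_CAPS = frozenset({"CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE"})
DEFAULT_CAPS = frozenset({"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_NET_BIND_SERVICE"})
SAMPLE_EVENTS = [
    # 1a: root with CAP_SYS_ADMIN writes release_agent inside a container -> fires
    Event("open", "c1", uid=0, caps=ADMIN_CAPS, fd_name="/sys/fs/cgroup/rdma/x/release_agent",
          flags=frozenset({"O_WRONLY"}), proc_name="sh"),
    # 1b: same write, but with a default (non-SYS_ADMIN) cap set -> suppressed
    Event("open", "c1", uid=0, caps=DEFAULT_CAPS, fd_name="/sys/fs/cgroup/rdma/x/release_agent",
          flags=frozenset({"O_WRONLY"}), proc_name="sh"),
    # 2a: privileged busybox container starts -> fires
    Event("container", "c2", image="docker.io/library/busybox", privileged=True),
    # 2b: privileged Falco container starts -> allowlisted
    Event("container", "c9", image="docker.io/falcosecurity/falco", privileged=True),
    # 3a: python3 opens an AF_PACKET socket inside a container -> fires
    Event("socket", "c3", proc_name="python3", socket_domain="17(AF_PACKET)"),
    # 3b: tcpdump does the same -> in user_known_packet_socket_binaries
    Event("socket", "c3", proc_name="tcpdump", socket_domain="17(AF_PACKET)"),
    # 3c: python3 does it on the host -> not a container event
    Event("socket", "host", proc_name="python3", socket_domain="17(AF_PACKET)"),
]

if __name__ == "__main__":
    for name, prio, cid in evaluate(SAMPLE_EVENTS):
        print(f"[{prio}] {name} (container_id={cid})")
```

Running it prints one hit per rule, for containers c1, c2 and c3 respectively; the four near-miss events produce nothing, which is the behaviour you want to confirm before trusting the rules in a cluster where Falco itself and legitimate sniffers run.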

That looks relatively safe and sane, but I'll ask. I'd guess that doing Falco testing would be kosher, but you're right to wonder if it would trigger any alarms. So I'll ask.