# This 'privileges-raise' Tracing Policy monitors processes trying # to raise their privileges: # # 1. Unprivileged creating user namespace to gain new capabilities. # # 2. Setting or changing capabilities using the capset system call. # # 3. Change their uids/gids to user root. # # __sys_setuid # - __x64_sys_setuid # - __ia32_sys_setuid # - __x64_sys_setuid16 # - __ia32_sys_setuid16 # # __sys_setgid # - __x64_sys_setgid # - __ia32_sys_setgid # - __x64_sys_setgid16 # - __ia32_sys_setgid16 # # __sys_setreuid # - __x64_sys_setreuid # - __ia32_sys_setreuid # - __x64_sys_setreuid16 # - __ia32_sys_setreuid16 # # __sys_setregid # - __x64_sys_setregid # - __ia32_sys_setregid # - __x64_sys_setregid16 # - __ia32_sys_setregid16 # # __sys_setresuid # - __x64_sys_setresuid # - __ia32_sys_setresuid # - __x64_sys_setresuid16 # - __ia32_sys_setresuid16 # # __sys_setresgid # - __x64_sys_setresgid # - __ia32_sys_setresgid # - __x64_sys_setresgid16 # - __ia32_sys_setresgid16 # # __sys_setfsuid # - __x64_sys_setfsuid # - __ia32_sys_setfsuid # - __x64_sys_setfsuid16 # - __ia32_sys_setfsuid16 # # __sys_setfsgid # - __x64_sys_setfsgid # - __ia32_sys_setfsgid # - __x64_sys_setfsgid16 # - __ia32_sys_setfsgid16 # apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: name: "privileges-raise" annotations: description: "Detects privileges raising operations" spec: kprobes: - call: "security_capset" syscall: false message: "Process changed its capabilities using capset system call" args: - index: 0 type: "nop" - index: 1 type: "cred" - index: 2 type: "cap_effective" - index: 3 type: "cap_inheritable" - index: 4 type: "cap_permitted" selectors: - matchArgs: - index: 2 operator: "NotEqual" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - matchArgs: - index: 3 operator: "NotEqual" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - matchArgs: - index: 4 operator: "NotEqual" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "create_user_ns" syscall: false message: "Unprivileged process created a user namespace where it will be privileged" args: - index: 0 type: "nop" # No need for argument as this targets unprivileged anyway. selectors: - matchCapabilities: - type: Effective operator: NotIn values: - "CAP_SYS_ADMIN" - call: "__sys_setuid" message: "Privileged operation setuid to root" syscall: false args: - index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setgid" message: "Privileged operation setgid to root" syscall: false args: - index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setreuid" message: "Privileged operation setuid to root" syscall: false args: - index: 0 type: "int" - index: 1 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - matchArgs: - index: 1 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setregid" message: "Privileged operation setgid to root" syscall: false args: - index: 0 type: "int" - index: 1 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - matchArgs: - index: 1 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setresuid" message: "Privileged operation setuid to root" syscall: false args: - index: 0 type: "int" - index: 1 type: "int" - index: 2 type: "int" selectors: - matchArgs: - index: 1 # We care about the effective user id to reduce noise operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - matchArgs: - index: 2 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setresgid" message: "Privileged operation setgid to root" syscall: false args: - index: 0 type: "int" - index: 1 type: "int" - index: 2 type: "int" selectors: - matchArgs: - index: 1 # We care about the effective group id to reduce noise operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - matchArgs: - index: 2 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setfsuid" message: "Privileged operation setuid to root" syscall: false args: - index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setfsgid" message: "Privileged operation setgid to root" syscall: false args: - index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min