Correlate the creation or modification of containers that use a restart policy (e.g., 'always' or 'unless-stopped') or that are deployed as DaemonSets with indicators of elevated host access (privileged security contexts, host namespaces, sensitive hostPath mounts) or of service account misuse. A restart policy on its own is common in legitimate workloads; the signal is the pairing of persistence with privilege. Also watch for systemd units that launch containers being created or modified, and for pod scheduling that targets specific nodes or namespaces.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Container Creation (DC0072) | systemd:unit | container run with restart policy set to 'always' or 'unless-stopped' |
| Pod Creation (DC0019) | kubernetes:audit | create |
| Service Creation (DC0060) | kubernetes:audit | create |

| Field | Description |
|---|---|
| restartPolicy | Tune for environments that legitimately run trusted containers with 'always' or 'unless-stopped'; note that Kubernetes pods default to restartPolicy Always, so this field alone is a weak signal |
| targetNamespace | Scope detection to high-risk namespaces (e.g., kube-system) |
| nodeSelector / nodeName | Adjust for known cluster layouts or test environments where pinning pods to particular nodes is expected |
| unitFilePath | Adapt to your OS/systemd unit hierarchy (e.g., /etc/systemd/system) and to how container binaries are referenced in ExecStart |
| TimeWindow | Adjust the temporal correlation window (e.g., container launch followed by privilege escalation) |
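The following Python is an added example, not code from the original page or from any ATT&CK tooling. It implements the correlation described above over the three telemetry sources in the table: a Kubernetes audit `create` event for a DaemonSet is flagged only when a persistence property (DaemonSet, or restartPolicy Always) coincides with elevated host access; a systemd unit's `ExecStart=` and auditd `EXECVE` argv are parsed for `docker run`/`podman run` with `--restart` plus privilege flags; and a follow-up `nsenter`/`chroot` inside the time window is reported as possible escalation. The tunables mirror the mutable elements above, the sample events, unit file and audit lines are constructed for illustration, and the nsenter/chroot follow-up heuristic and the sensitive-path list are assumptions rather than anything the page specifies.

```python
"""Added example, not code from the original page: correlate container persistence
(restart policy, DaemonSet, systemd unit) with elevated host access, across
Kubernetes audit events and host auditd EXECVE records. All inputs are constructed."""
import re
import shlex
from datetime import datetime, timedelta, timezone

# Tunables mirroring the mutable elements in the table above; the values are assumptions.
RISKY_NAMESPACES = {"kube-system"}            # targetNamespace
HOST_RESTART = {"always", "unless-stopped"}   # docker/podman --restart values of interest
TIME_WINDOW = timedelta(minutes=10)           # TimeWindow: run -> escalation
SENSITIVE_HOSTPATHS = {"/", "/var/run/docker.sock", "/etc", "/root", "/proc"}
EXECVE_ARG = re.compile(r'\ba\d+="([^"]*)"')          # a0="..." a1="..." in type=EXECVE
AUDIT_TS = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")  # epoch seconds of the record

def elevated_access(spec):
    """Host-access indicators in a PodSpec: host namespaces, privileged, hostPath."""
    hits = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    hits += ["privileged:" + c["name"] for c in spec.get("containers", [])
             if (c.get("securityContext") or {}).get("privileged")]
    hits += ["hostPath:" + v["hostPath"]["path"] for v in spec.get("volumes", [])
             if (v.get("hostPath") or {}).get("path") in SENSITIVE_HOSTPATHS]
    return hits

def assess_k8s_event(event):
    """Finding for a pod/DaemonSet create that pairs persistence with host access."""
    ref = event.get("objectRef", {})
    if event.get("verb") != "create" or ref.get("resource") not in ("pods", "daemonsets"):
        return None
    obj = (event.get("requestObject") or {}).get("spec", {})
    spec = obj if ref["resource"] == "pods" else obj.get("template", {}).get("spec", {})
    persistence = ["daemonset"] if ref["resource"] == "daemonsets" else []
    if spec.get("restartPolicy", "Always") == "Always":  # restartPolicy; Always is the default
        persistence.append("restartPolicy=Always")
    access = elevated_access(spec)
    if not (persistence and access):  # both halves are required to alert
        return None
    return {"resource": ref["resource"], "namespace": ref.get("namespace"),
            "user": (event.get("user") or {}).get("username"),
            "persistence": persistence, "access": access,
            "high_risk_namespace": ref.get("namespace") in RISKY_NAMESPACES,
            "node_pinned": bool(spec.get("nodeName") or spec.get("nodeSelector"))}

def container_run_flags(argv):
    """Restart/privilege flags of a `docker|podman run` argv, or None if it is not one."""
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] not in ("docker", "podman") \
            or argv[1] != "run":
        return None
    restart = None
    for i, a in enumerate(argv):  # accept both --restart=always and --restart always
        if a.startswith("--restart="):
            restart = a.split("=", 1)[1]
        elif a == "--restart" and i + 1 < len(argv):
            restart = argv[i + 1]
    mounts = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a in ("-v", "--volume")]
    return {"restart": restart, "privileged": "--privileged" in argv,
            "host_pid": "--pid=host" in argv,
            "sensitive_mounts": [m for m in mounts if m.split(":")[0] in SENSITIVE_HOSTPATHS]}

def scan_unit_file(path, text):
    """Flag a systemd unit whose ExecStart launches a container with a persistent restart policy."""
    for line in text.splitlines():
        if line.startswith("ExecStart="):
            flags = container_run_flags(shlex.split(line[len("ExecStart="):]))
            if flags and flags["restart"] in HOST_RESTART:
                return {"unit": path, **flags}
    return None

def parse_execve(line):
    """(timestamp, argv) from an auditd type=EXECVE record."""
    ts = datetime.fromtimestamp(int(AUDIT_TS.search(line).group(1)), tz=timezone.utc)
    return ts, EXECVE_ARG.findall(line)

def correlate_execve(lines):
    """Persistent and privileged `run`, paired with nsenter/chroot inside TIME_WINDOW (heuristic)."""
    records = [parse_execve(l) for l in lines]
    findings = []
    for ts, argv in records:
        flags = container_run_flags(argv)
        if not flags or flags["restart"] not in HOST_RESTART:
            continue
        if not (flags["privileged"] or flags["host_pid"] or flags["sensitive_mounts"]):
            continue
        escal = [a[0] for t, a in records if a and ts < t <= ts + TIME_WINDOW
                 and a[0].rsplit("/", 1)[-1] in ("nsenter", "chroot")]
        findings.append({"at": ts.isoformat(), "flags": flags, "escalation": escal})
    return findings

# Constructed samples (not real telemetry).
SAMPLE_K8S_EVENT = {"verb": "create",
    "user": {"username": "system:serviceaccount:default:default"},
    "objectRef": {"resource": "daemonsets", "namespace": "kube-system", "name": "node-helper"},
    "requestObject": {"spec": {"template": {"spec": {
        "hostPID": True, "nodeSelector": {"role": "control-plane"},
        "containers": [{"name": "helper", "image": "busybox",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}}}}
SAMPLE_UNIT = ("/etc/systemd/system/helper.service",
               "[Service]\nExecStart=/usr/bin/docker run --restart=always --privileged "
               "-v /:/host busybox sleep infinity\n")
SAMPLE_EXECVE = [
    'type=EXECVE msg=audit(1700000000.100:501): argc=7 a0="docker" a1="run" '
    'a2="--restart=always" a3="--privileged" a4="-v" a5="/:/host" a6="busybox"',
    'type=EXECVE msg=audit(1700000120.200:502): argc=5 a0="nsenter" a1="-t" a2="1" a3="-m" a4="sh"',
]

if __name__ == "__main__":
    print(assess_k8s_event(SAMPLE_K8S_EVENT))
    print(scan_unit_file(*SAMPLE_UNIT))
    print(correlate_execve(SAMPLE_EXECVE))
```

Each finding carries the fields a triage analyst needs to apply the mutable elements (namespace, node pinning, the service account, the exact flags), so the same logic can be tightened or loosened per environment without changing the parsers. The EXECVE parser only reads the `aN="..."` fields; on a real host, `ausearch -i` output or records with `a0` split across lines would need the full auditd record format.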