Container Administration Command
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.
In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container. In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as
Use read-only containers and minimal images when possible to prevent the execution of commands.
| ID | Mitigation | Description |
| --- | --- | --- |
| M1035 | Limit Access to Resource Over Network | Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server. |
| M1026 | Privileged Account Management | Ensure containers are not running as root by default. |
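The three mitigations above (read-only containers, a Docker API that is not reachable unauthenticated over the network, and containers that do not run as root) can all be checked from configuration before anything is deployed. The following is an added example, not content from the ATT&CK page or from the Docker or Kubernetes projects: it audits a dockerd daemon.json fragment for remote listeners that lack `tlsverify`, and a Pod manifest for containers that may run as root or have a writable root filesystem. The configuration keys (`hosts`, `tls*`, `securityContext`, `runAsNonRoot`, `runAsUser`, `readOnlyRootFilesystem`) are real dockerd and Kubernetes keys; every value, path, image name and the weak and hardened samples are constructed for the example.

```python
"""Audit container administration exposure and pod security settings.

Added example for the mitigations above; it is not part of the ATT&CK page.
Configuration keys are real dockerd / Kubernetes keys; all values are constructed.
"""
import json
from urllib.parse import urlparse

# Constructed daemon.json fragments. The first exposes the Docker API on a plain
# TCP listener; the second keeps the local socket and requires client certificates.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_docker_daemon(config_text):
    """Return findings for dockerd listeners reachable without client-certificate TLS."""
    cfg = json.loads(config_text)
    findings = []
    for host in cfg.get("hosts", []):
        if urlparse(host).scheme in ("unix", "fd", "npipe"):
            continue  # local sockets: access is controlled by file permissions
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: remote listener without tlsverify (unauthenticated API)")
    return findings


# Constructed pod manifests in the shape of a Kubernetes Pod object.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "registry.example/web:1.0"}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "registry.example/web:1.0",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit_pod(pod):
    """Return findings for containers that may run as root or can modify their root filesystem."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones; if neither is set,
        # the image's default user applies, which is root for many base images.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        if not non_root and (uid is None or uid == 0):
            findings.append(f"{c['name']}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{c['name']}: root filesystem is writable (set readOnlyRootFilesystem)")
    return findings


if __name__ == "__main__":
    for label, findings in [("weak daemon.json", audit_docker_daemon(WEAK_DAEMON_JSON)),
                            ("hardened daemon.json", audit_docker_daemon(HARDENED_DAEMON_JSON)),
                            ("weak pod", audit_pod(WEAK_POD)),
                            ("hardened pod", audit_pod(HARDENED_POD))]:
        print(label, "->", findings or ["no findings"])
```

The daemon check deliberately treats `unix://`, `fd://` and `npipe://` listeners as in scope for file permissions rather than TLS, which matches the mitigation's preference for local sockets; `tlsverify` rather than `tls` is the key that matters, because `tls` alone encrypts the channel without authenticating the client. The pod check resolves the effective setting the way the kubelet does, container level first and pod level as the fallback, so a pod-level `runAsNonRoot: true` is honoured while a container-level `runAsUser: 0` would still be reported.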
Container administration service activities and executed commands can be captured through logging of process execution with command-line arguments on the container and the underlying host. In Docker, the daemon log provides insight into events at the daemon and container service level. Kubernetes system component logs may also detect activities running in and out of containers in the cluster.
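The two log sources named above can be turned into concrete detection logic. The following is an added example, not content from the ATT&CK page or from the Docker or Kubernetes projects: it runs over constructed Kubernetes API server audit events (JSON lines in the shape of `audit.k8s.io/v1` Event records) and constructed dockerd log lines, and raises one alert per request that obtains command execution in a container. For Kubernetes that is any request on the `exec` or `attach` subresource of a pod; for Docker it is the `containers/{id}/exec` and `exec/{id}/start` API calls, which dockerd records as `Calling <METHOD> <path>` only when debug-level logging is enabled. All usernames, pod names, container IDs, IP addresses and timestamps in the samples are made up.

```python
"""Detect command execution in containers from constructed audit and daemon logs.

Added example for the detection guidance above; not part of the ATT&CK page.
Log formats follow Kubernetes audit events and dockerd debug output; all sample
values (users, pods, container IDs, IPs, timestamps) are constructed.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

# Subresources that hand the caller a process or terminal inside a running
# container. "log" and "portforward" are excluded: they move data, not commands.
EXEC_SUBRESOURCES = {"exec", "attach"}

# Constructed Kubernetes API server audit events. The exec request appears at two
# stages under the same auditID, as long-running requests do in real audit logs.
K8S_AUDIT_LINES = [
    json.dumps({"auditID": "a1", "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "system:serviceaccount:monitoring:prometheus"},
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f"},
                "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f"}),
    json.dumps({"auditID": "b2", "stage": "ResponseStarted", "verb": "create",
                "user": {"username": "dev-alice"}, "sourceIPs": ["10.0.0.5"],
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f",
                              "subresource": "exec"},
                "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f/exec"
                              "?command=%2Fbin%2Fsh&container=web&stdin=true&tty=true"}),
    json.dumps({"auditID": "b2", "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "dev-alice"}, "sourceIPs": ["10.0.0.5"],
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f",
                              "subresource": "exec"},
                "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f/exec"
                              "?command=%2Fbin%2Fsh&container=web&stdin=true&tty=true"}),
    json.dumps({"auditID": "c3", "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "dev-bob"},
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f",
                              "subresource": "log"},
                "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f/log?follow=true"}),
]

# Constructed lines in the shape of dockerd debug output.
DOCKER_DAEMON_LINES = [
    'time="2024-03-01T09:14:02Z" level=debug msg="Calling GET /v1.43/containers/json?all=1"',
    'time="2024-03-01T09:14:30Z" level=debug msg="Calling POST /v1.43/containers/3f1a9c/exec"',
    'time="2024-03-01T09:14:30Z" level=debug msg="Calling POST /v1.43/exec/8bd07e/start"',
    'time="2024-03-01T09:15:11Z" level=info msg="ignoring event" module=libcontainerd',
]


def detect_k8s_exec(audit_lines):
    """Return one alert per audit request that executes a command in a pod.

    The HTTP verb is recorded but not filtered on: SPDY-based exec is audited as
    "create", WebSocket-based exec as "get"; the subresource is what matters.
    """
    alerts, seen = [], set()
    for line in audit_lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods" or ref.get("subresource") not in EXEC_SUBRESOURCES:
            continue
        if ev.get("auditID") in seen:
            continue  # later stage of a request already reported
        seen.add(ev.get("auditID"))
        query = parse_qs(urlparse(ev.get("requestURI", "")).query)
        alerts.append({
            "user": ev.get("user", {}).get("username", "<unknown>"),
            "source_ips": ev.get("sourceIPs", []),
            "verb": ev.get("verb"),
            "namespace": ref.get("namespace"),
            "pod": ref.get("name"),
            "container": query.get("container", [None])[0],
            "subresource": ref["subresource"],
            "command": " ".join(query.get("command", [])),  # repeated params form argv
        })
    return alerts


DOCKER_API_CALL = re.compile(r'msg="Calling (?P<method>[A-Z]+) (?P<path>[^" ]+)"')
DOCKER_EXEC_PATH = re.compile(
    r"^/(?:v[\d.]+/)?(?:containers/(?P<cid>[^/?]+)/exec|exec/(?P<eid>[^/?]+)/start)")


def detect_docker_exec(daemon_lines):
    """Return one alert per dockerd API call that creates or starts an exec session."""
    alerts = []
    for line in daemon_lines:
        call = DOCKER_API_CALL.search(line)
        if not call:
            continue
        path = DOCKER_EXEC_PATH.match(call.group("path"))
        if not path:
            continue
        alerts.append({
            "action": "exec-create" if path.group("cid") else "exec-start",
            "target": path.group("cid") or path.group("eid"),
            "line": line.strip(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_k8s_exec(K8S_AUDIT_LINES) + detect_docker_exec(DOCKER_DAEMON_LINES):
        print(alert)
```

Two design points carry over to a real deployment. De-duplicating on `auditID` matters because an interactive exec session produces several audit records at different stages, and alerting on each inflates counts and hides the session itself. For Docker, the exec session is created with one API call and started with another, so both are matched; an exec-start with no preceding exec-create in the same window is itself worth a look, since it suggests the daemon log is incomplete.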