
[BUG] - Findings `Host.containerized` field is evaluated as False

Open ofiriro3 opened this issue 2 years ago • 3 comments

**Describe the bug**

When running an EC2 instance with a Kubernetes Kind cluster, `Host.Containerized` is evaluated as false. Since it runs in a Kubernetes containerized environment, the expected result would be true.

**Important note**

This bug does not reproduce when running Kind on your local machine.

Kibana Version: 8.3.0-SNAPSHOT

**To Reproduce**

  1. Run Cloud Kibana and Elastic
  2. Spawn an AWS EC2 with Kubernetes - https://github.com/elastic/security-team/blob/main/docs/cloud-security-posture-team/Onboarding/cloudbeat-ec2.md (No need to clone the repositories).
  3. Run an elastic agent on the EC2 machine and connect it to your cloud Kibana fleet.
  4. Open the Discover tab.
  5. Use the logs-cloud_security_posture.findings-* data view.
  6. Write in the KQL query bar the following query: `host.containerized : false`

**Expected behavior**

No findings appear since all the data is containerized.

JSON example:

````json
{ "_index": "logs-cloud_security_posture.findings_latest-default", "_id": "YTBFAcdkGGnGWlsLRXKRCW56gAAAAAAA", "_version": 515, "_score": 1, "_ignored": [ "rule.audit.keyword", "rule.rationale.keyword" ],
  "_source": {
    "agent": { "name": "kind-control-plane", "id": "aa8def81-7f16-4ff9-9850-b6feac03cc7c", "type": "cloudbeat", "ephemeral_id": "921b52e9-3675-4ddd-85bb-b31344125e9b", "version": "8.3.0" },
    "cycle_id": "c329e156-1957-4bbc-b5f6-77ea34dcd6e2",
    "resource": { "sub_type": "ServiceAccount", "name": "pv-protection-controller", "raw": { "metadata": { "uid": "9dc85a29-3c58-4969-a645-495937f1883d", "resourceVersion": "340", "name": "pv-protection-controller", "namespace": "kube-system", "creationTimestamp": "2022-05-08T12:08:01Z" }, "apiVersion": "v1", "kind": "ServiceAccount", "secrets": [ { "name": "pv-protection-controller-token-p8ghf" } ] }, "id": "0054d4c8-26e0-5380-bf5d-d4d908114a34", "type": "k8s_object" },
    "rule": { "references": "1. [https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)\n", "impact": "All workloads which require access to the Kubernetes API will require an explicit service account to be created.\n", "description": "The `default` service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n", "default_value": "By default the `default` service account allows for its service account token\nto be mounted\nin pods in its namespace.\n", "section": "RBAC and Service Accounts", "rationale": "Kubernetes provides a `default` service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n", "version": "1.0", "benchmark": { "name": "CIS Kubernetes V1.23", "version": "v1.0.0" }, "tags": [ "CIS", "Kubernetes", "CIS 5.1.5", "RBAC and Service Accounts" ], "remediation": "Create explicit service accounts wherever a Kubernetes workload requires\nspecific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\n```\nautomountServiceAccountToken: false\n```\n", "audit": "For each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n", "name": "Ensure that default service accounts are not actively used. (Manual)", "id": "2b399496-f79d-5533-8a86-4ea00b95e3bd", "profile_applicability": "* Level 1 - Master Node\n" },
    "type": "k8s_object",
    "result": { "evaluation": "passed", "evidence": { "serviceAccounts": [], "serviceAccount": [] }, "expected": null },
    "cloud": { "availability_zone": "us-east-1a", "image": { "id": "ami-09d56f8956ab235b3" }, "instance": { "id": "i-08de1eff8ac211fea" }, "provider": "aws", "machine": { "type": "c5.4xlarge" }, "service": { "name": "EC2" }, "region": "us-east-1", "account": { "id": "946960629917" } },
    "cluster_id": "870e02db-31b4-4a6e-bd27-a1856b919283", "@timestamp": "2022-05-10T07:19:18.021Z", "ecs": { "version": "8.0.0" },
    "host": { "hostname": "kind-control-plane", "os": { "kernel": "5.15.0-1004-aws", "codename": "focal", "name": "Ubuntu", "family": "debian", "type": "linux", "version": "20.04.4 LTS (Focal Fossa)", "platform": "ubuntu" }, "containerized": false, "ip": [ "10.244.0.1", "10.244.0.1", "10.244.0.1", "172.18.0.2", "fc00:f853:ccd:e793::2", "fe80::42:acff:fe12:2" ], "name": "kind-control-plane", "mac": [ "02:42:ac:12:00:02", "56:6e:22:31:5c:a6", "8a:2a:8a:be:98:9d", "96:f2:bd:db:cc:a4" ], "architecture": "x86_64" },
    "resource_id": "0054d4c8-26e0-5380-bf5d-d4d908114a34", "event": { "agent_id_status": "mismatch", "ingested": "2022-05-10T07:19:19Z" }
  },
  "fields": { "agent.version.keyword": [ "8.3.0" ], "rule.id": [ "2b399496-f79d-5533-8a86-4ea00b95e3bd" ], "resource.raw.metadata.resourceVersion.keyword": [ "340" ], "cloud.instance.id.keyword": [ "i-08de1eff8ac211fea" ], "host.name.keyword": [ "kind-control-plane" ], "rule.id.keyword": [ "2b399496-f79d-5533-8a86-4ea00b95e3bd" ], "rule.section.keyword": [ "RBAC and Service Accounts" ], "rule.references.keyword": [ "1. [https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)\n" ], "host.hostname": [ "kind-control-plane" ], "rule.default_value.keyword": [ "By default the `default` service account allows for its service account token\nto be mounted\nin pods in its namespace.\n" ], "type": [ "k8s_object" ], "host.mac": [ "02:42:ac:12:00:02", "56:6e:22:31:5c:a6", "8a:2a:8a:be:98:9d", "96:f2:bd:db:cc:a4" ], "resource.name.keyword": [ "pv-protection-controller" ], "rule.profile_applicability": [ "* Level 1 - Master Node\n" ], "resource.raw.metadata.name.keyword": [ "pv-protection-controller" ], "resource.sub_type": [ "ServiceAccount" ], "host.os.version": [ "20.04.4 LTS (Focal Fossa)" ], "agent.name": [ "kind-control-plane" ], "rule.rationale": [ "Kubernetes provides a `default` service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n" ], "cloud.account.id.keyword": [ "946960629917" ], "event.agent_id_status": [ "mismatch" ], "rule.name.keyword": [ "Ensure that default service accounts are not actively used. (Manual)" ], "host.os.type": [ "linux" ], "cloud.region": [ "us-east-1" ], "resource.raw.kind.keyword": [ "ServiceAccount" ], "agent.id.keyword": [ "aa8def81-7f16-4ff9-9850-b6feac03cc7c" ], "host.architecture": [ "x86_64" ], "cloud.provider": [ "aws" ], "cloud.machine.type": [ "c5.4xlarge" ], "agent.id": [ "aa8def81-7f16-4ff9-9850-b6feac03cc7c" ], "host.containerized": [ false ], "rule.benchmark.version.keyword": [ "v1.0.0" ], "cluster_id.keyword": [ "870e02db-31b4-4a6e-bd27-a1856b919283" ], "rule.benchmark.name.keyword": [ "CIS Kubernetes V1.23" ], "resource.raw.metadata.uid": [ "9dc85a29-3c58-4969-a645-495937f1883d" ], "resource.id.keyword": [ "0054d4c8-26e0-5380-bf5d-d4d908114a34" ], "rule.tags": [ "CIS", "Kubernetes", "CIS 5.1.5", "RBAC and Service Accounts" ], "cloud.instance.id": [ "i-08de1eff8ac211fea" ], "host.ip": [ "10.244.0.1", "10.244.0.1", "10.244.0.1", "172.18.0.2", "fc00:f853:ccd:e793::2", "fe80::42:acff:fe12:2" ], "agent.type": [ "cloudbeat" ], "host.os.kernel.keyword": [ "5.15.0-1004-aws" ], "resource.raw.apiVersion": [ "v1" ], "agent.type.keyword": [ "cloudbeat" ], "rule.profile_applicability.keyword": [ "* Level 1 - Master Node\n" ], "agent.ephemeral_id.keyword": [ "921b52e9-3675-4ddd-85bb-b31344125e9b" ], "cloud.region.keyword": [ "us-east-1" ], "rule.remediation.keyword": [ "Create explicit service accounts wherever a Kubernetes workload requires\nspecific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\n```\nautomountServiceAccountToken: false\n```\n" ], "agent.name.keyword": [ "kind-control-plane" ], "host.os.codename": [ "focal" ],
    "cloud.availability_zone.keyword": [ "us-east-1a" ], "resource.id": [ "0054d4c8-26e0-5380-bf5d-d4d908114a34" ], "cloud.image.id": [ "ami-09d56f8956ab235b3" ], "rule.section": [ "RBAC and Service Accounts" ], "event.ingested": [ "2022-05-10T07:19:19.000Z" ], "@timestamp": [ "2022-05-10T07:19:18.021Z" ], "host.os.platform": [ "ubuntu" ], "cloud.account.id": [ "946960629917" ], "agent.ephemeral_id": [ "921b52e9-3675-4ddd-85bb-b31344125e9b" ], "resource_id": [ "0054d4c8-26e0-5380-bf5d-d4d908114a34" ], "rule.description.keyword": [ "The `default` service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n" ], "rule.benchmark.version": [ "v1.0.0" ], "result.evaluation.keyword": [ "passed" ], "host.architecture.keyword": [ "x86_64" ], "result.evaluation": [ "passed" ], "resource_id.keyword": [ "0054d4c8-26e0-5380-bf5d-d4d908114a34" ], "cloud.availability_zone": [ "us-east-1a" ], "rule.tags.keyword": [ "CIS", "Kubernetes", "CIS 5.1.5", "RBAC and Service Accounts" ], "resource.raw.metadata.namespace": [ "kube-system" ], "ecs.version.keyword": [ "8.0.0" ], "host.ip.keyword": [ "10.244.0.1", "10.244.0.1", "10.244.0.1", "172.18.0.2", "fc00:f853:ccd:e793::2", "fe80::42:acff:fe12:2" ], "resource.raw.kind": [ "ServiceAccount" ], "rule.version.keyword": [ "1.0" ], "type.keyword": [ "k8s_object" ], "host.os.name": [ "Ubuntu" ], "host.name": [ "kind-control-plane" ], "host.os.version.keyword": [ "20.04.4 LTS (Focal Fossa)" ], "rule.name": [ "Ensure that default service accounts are not actively used. (Manual)" ], "rule.impact": [ "All workloads which require access to the Kubernetes API will require an explicit service account to be created.\n" ], "rule.default_value": [ "By default the `default` service account allows for its service account token\nto be mounted\nin pods in its namespace.\n" ], "resource.raw.secrets.name": [ "pv-protection-controller-token-p8ghf" ], "cloud.service.name.keyword": [ "EC2" ], "rule.description": [ "The `default` service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n" ], "resource.type": [ "k8s_object" ], "rule.references": [ "1. [https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)\n" ], "rule.audit": [ "For each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n" ], "cloud.service.name": [ "EC2" ], "ecs.version": [ "8.0.0" ], "host.hostname.keyword": [ "kind-control-plane" ], "agent.version": [ "8.3.0" ], "host.os.family": [ "debian" ], "cloud.machine.type.keyword": [ "c5.4xlarge" ], "rule.benchmark.name": [ "CIS Kubernetes V1.23" ], "resource.raw.metadata.name": [ "pv-protection-controller" ], "resource.name": [ "pv-protection-controller" ], "resource.raw.apiVersion.keyword": [ "v1" ], "cluster_id": [ "870e02db-31b4-4a6e-bd27-a1856b919283" ], "resource.raw.metadata.creationTimestamp": [ "2022-05-08T12:08:01.000Z" ], "host.os.kernel": [ "5.15.0-1004-aws" ], "rule.impact.keyword": [ "All workloads which require access to the Kubernetes API will require an explicit service account to be created.\n" ], "host.os.name.keyword": [ "Ubuntu" ], "host.os.codename.keyword": [ "focal" ], "cloud.image.id.keyword": [ "ami-09d56f8956ab235b3" ], "cycle_id": [ "c329e156-1957-4bbc-b5f6-77ea34dcd6e2" ], "host.mac.keyword": [ "02:42:ac:12:00:02", "56:6e:22:31:5c:a6", "8a:2a:8a:be:98:9d", "96:f2:bd:db:cc:a4" ], "resource.raw.metadata.resourceVersion": [ "340" ], "resource.raw.metadata.namespace.keyword": [ "kube-system" ], "cycle_id.keyword": [ "c329e156-1957-4bbc-b5f6-77ea34dcd6e2" ], "resource.raw.metadata.uid.keyword": [ "9dc85a29-3c58-4969-a645-495937f1883d" ], "rule.remediation": [ "Create explicit service accounts wherever a Kubernetes workload requires\nspecific access\nto the Kubernetes API server.\nModify the configuration of each default service account to include this value\n```\nautomountServiceAccountToken: false\n```\n" ], "resource.raw.secrets.name.keyword": [ "pv-protection-controller-token-p8ghf" ], "rule.version": [ "1.0" ], "host.os.family.keyword": [ "debian" ], "host.os.type.keyword": [ "linux" ], "event.agent_id_status.keyword": [ "mismatch" ], "host.os.platform.keyword": [ "ubuntu" ],
    "cloud.provider.keyword": [ "aws" ], "resource.type.keyword": [ "k8s_object" ], "resource.sub_type.keyword": [ "ServiceAccount" ] },
  "ignored_field_values": { "rule.audit.keyword": [ "For each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n" ], "rule.rationale.keyword": [ "Kubernetes provides a `default` service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n" ] }
}
````

**Screenshots**

(screenshot attached to the original issue; not reproduced here)

ofiriro3 avatar May 10 '22 07:05 ofiriro3
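The query in step 6 only selects findings that carry `host.containerized: false`; it does not say which of those are wrong. The script below is an added example for this issue, not cloudbeat code, and it does not claim to show how cloudbeat computes the field (the issue does not describe that). It mirrors the KQL selection over a few constructed findings documents and cross-checks the flag against other host fields visible in the JSON above: a Docker-generated MAC (prefix `02:42`, with the remaining four bytes encoding the container's IPv4 address, so `02:42:ac:12:00:02` corresponds to `172.18.0.2`), an address inside Kind's default node network (`172.18.0.0/16`) or pod CIDR (`10.244.0.0/16`), and a `kind-` node hostname. The network ranges are assumptions about an unmodified Kind setup and the sample documents are constructed.

```python
"""Triage helper: find findings where host.containerized is false but the
host evidence says the node is a container.

Added example for this issue, not cloudbeat code. The Docker MAC rule and
the Kind network ranges are assumptions about default Docker/Kind setups;
the sample findings are constructed to resemble the document in the issue.
"""
import ipaddress
from typing import Any, Optional

# Docker derives a container's MAC from its IPv4 address: 02:42 followed by
# the four address bytes (02:42:ac:12:00:02 <-> 172.18.0.2).
DOCKER_MAC_PREFIX = "02:42:"
# Default Kind node network and pod CIDR (assumption: unmodified kind config).
KIND_NETWORKS = (
    ipaddress.ip_network("172.18.0.0/16"),
    ipaddress.ip_network("10.244.0.0/16"),
)


def mac_encoded_ip(mac: str) -> Optional[str]:
    """Return the IPv4 address encoded in a Docker-style MAC, else None."""
    if not mac.lower().startswith(DOCKER_MAC_PREFIX):
        return None
    octets = mac.split(":")[2:]
    if len(octets) != 4:
        return None
    try:
        return ".".join(str(int(o, 16)) for o in octets)
    except ValueError:
        return None


def container_evidence(host: dict[str, Any]) -> list[str]:
    """Collect reasons to believe this host block describes a container."""
    reasons: list[str] = []
    ips = set(host.get("ip", []))
    for mac in host.get("mac", []):
        ip = mac_encoded_ip(mac)
        if ip is not None and ip in ips:
            reasons.append(f"mac {mac} is Docker-generated and encodes host ip {ip}")
    for ip in sorted(ips):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip malformed entries instead of failing the triage
        if any(addr in net for net in KIND_NETWORKS):
            reasons.append(f"ip {ip} lies in a default kind network")
            break
    name = host.get("name") or host.get("hostname") or ""
    if name.startswith("kind-"):
        reasons.append(f"hostname {name} follows the kind node naming scheme")
    return reasons


def not_containerized(docs: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Same selection as the KQL query `host.containerized : false`."""
    return [d for d in docs if d.get("host", {}).get("containerized") is False]


def mismatched(docs: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Findings selected by the query whose host fields contradict the flag."""
    hits = []
    for d in not_containerized(docs):
        reasons = container_evidence(d["host"])
        if reasons:
            hits.append({"id": d["_id"], "host": d["host"].get("name"), "reasons": reasons})
    return hits


# Constructed sample documents (trimmed to the fields this triage needs).
SAMPLE_FINDINGS = [
    {   # modelled on the document in the issue: a Kind control-plane node
        "_id": "finding-kind-1",
        "host": {"name": "kind-control-plane", "containerized": False,
                 "ip": ["10.244.0.1", "172.18.0.2", "fe80::42:acff:fe12:2"],
                 "mac": ["02:42:ac:12:00:02", "56:6e:22:31:5c:a6"]},
    },
    {   # a plain EC2 host running the agent directly: false is correct here
        "_id": "finding-ec2-1",
        "host": {"name": "ip-10-0-1-5", "containerized": False,
                 "ip": ["10.0.1.5"], "mac": ["0a:1b:2c:3d:4e:5f"]},
    },
    {   # a correctly flagged container: excluded by the query itself
        "_id": "finding-pod-1",
        "host": {"name": "kind-worker", "containerized": True,
                 "ip": ["172.18.0.3"], "mac": ["02:42:ac:12:00:03"]},
    },
]

if __name__ == "__main__":
    for hit in mismatched(SAMPLE_FINDINGS):
        print(hit["id"], hit["host"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

Run against a real export of the `logs-cloud_security_posture.findings-*` documents, the same three functions separate the Kind node from hosts where `false` is the right answer; the MAC-to-IP correlation is the strongest of the three signals because it ties two independent fields of the same document together, while the network-range and hostname checks depend on the Kind defaults assumed above.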

I think it's not a critical bug and shouldn't be highly prioritized.

ofiriro3 avatar May 10 '22 09:05 ofiriro3

@tinnytintin10 - I think this should be pushed out of 8.4. wdyt?

tehilashn avatar Jul 04 '22 14:07 tehilashn

Sure! I have prioritized this bug as a 2 for 8.5.

tinnytintin10 avatar Jul 11 '22 17:07 tinnytintin10