Drop and execute new binary in container

​

Event Information

​

Meaning

• The “Drop and execute new binary in container” event in a Kubernetes cluster indicates that a container has attempted to drop a file and execute it as a binary within the container.
• This event could potentially indicate a malicious activity, as dropping and executing new binaries within a container can be a security risk.
• To investigate this event, you can use the following steps:
  1. Identify the affected container using the container name or ID.
  2. Inspect the dropped file to determine its origin and purpose.
  3. Analyze the container’s configuration and image to identify any potential vulnerabilities or misconfigurations that may have allowed this event to occur.

​

Remediation

To remediate the event “Drop and execute new binary in container”, you can follow these steps using the Python Kubernetes API:

1. Limit Container Capabilities:

   • Disable capabilities like SYS_PTRACE and SYS_ADMIN that might enable unauthorized execution:

     apiVersion: v1
     kind: Pod
     metadata:
       name: <pod-name>
     spec:
       containers:
       - name: <container-name>
         securityContext:
           capabilities:
             drop:
               - SYS_ADMIN
               - SYS_PTRACE
     

2. Enforce Read-Only Filesystem:

   • Set the container’s filesystem to read-only to prevent unauthorized binaries from being dropped:

     apiVersion: v1
     kind: Pod
     metadata:
       name: <pod-name>
     spec:
       containers:
       - name: <container-name>
         securityContext:
           readOnlyRootFilesystem: true
     

3. Apply the changes:

   • Use the kubectl apply command to apply the updated manifest file: kubectl apply -f <path-to-updated-manifest>.
   • Verify that the pod is running without any issues: kubectl get pods.

Note: The above steps assume that you have the necessary permissions to modify the pod’s manifest file and apply changes to the cluster.