Event Information

Meaning

  • A "Fileless execution via memfd_create" event is a security event in which a process in the Kubernetes cluster executes code from an anonymous, memory-backed file created with the memfd_create system call instead of from a regular file on the file system.
  • This event indicates potentially malicious activity: fileless execution techniques are often used by attackers to evade file-based detection and carry out unauthorized actions.
  • To investigate this event in a Kubernetes cluster, you can use the following command: kubectl logs <pod-name> -n <namespace>. This returns the logs of the pod, where you can find more details about the fileless execution event and the associated process or container.
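As an added example (not part of the original event documentation), the following Python check complements the log review above. An executable that was loaded through memfd_create shows up in /proc/<pid>/exe as a link target of the form "/memfd:<name> (deleted)", so scanning those link targets inside the affected container (for instance via kubectl exec) confirms whether a memfd-backed process is still running. The sample link targets and PIDs are constructed for the example; scan_proc() performs the same check against a live /proc.

```python
import os
import re
from typing import Dict, List

# Constructed sample of os.readlink("/proc/<pid>/exe") results. PID 404 is a
# binary that was deleted from disk after start, which is NOT fileless execution
# and must not be flagged.
SAMPLE_EXE_LINKS: Dict[int, str] = {
    101: "/usr/bin/python3.11",
    202: "/memfd:payload (deleted)",
    303: "/memfd: (deleted)",
    404: "/usr/local/bin/app (deleted)",
}

# Kernel naming for memfd-backed files: "/memfd:" + the name passed to
# memfd_create (possibly empty) + " (deleted)".
MEMFD_EXE_RE = re.compile(r"^/memfd:(?P<name>\S*) \(deleted\)$")


def is_memfd_backed(exe_target: str) -> bool:
    """True when the exe link target points at an anonymous memfd file."""
    return MEMFD_EXE_RE.match(exe_target) is not None


def find_memfd_processes(exe_links: Dict[int, str]) -> List[int]:
    """Return the PIDs (sorted) whose executable lives only in memory."""
    return sorted(pid for pid, target in exe_links.items() if is_memfd_backed(target))


def scan_proc(proc_root: str = "/proc") -> List[int]:
    """Collect exe link targets for every numeric /proc entry and classify them.
    Processes that exit mid-scan or that we may not inspect are skipped."""
    links: Dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
    return find_memfd_processes(links)


if __name__ == "__main__":
    print("memfd-backed PIDs in sample:", find_memfd_processes(SAMPLE_EXE_LINKS))
    print("memfd-backed PIDs on this host:", scan_proc())
```

Run it inside the container that raised the event; a non-empty result from scan_proc() gives you the PIDs to correlate with the pod logs and, if needed, to dump via /proc/<pid>/exe before the pod is restarted.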

Remediation

To remediate the event of Fileless execution via memfd_create using the Python Kubernetes API, you can follow these steps:

  1. Identify the affected pod(s):

    • Use the kubectl get pods command to list the pods in the cluster.
    • Filter the pods by the criteria related to the event, such as the pod name or labels.
  2. Update the pod’s security context:

    • Retrieve the YAML manifest of the affected pod using the kubectl get pod <pod-name> -o yaml command.
    • Add or modify the securityContext section in the pod’s YAML manifest to restrict the usage of memfd_create.
    • Set the allowUntrusted field to false in the securityContext section to prevent the usage of memfd_create.
    • Save the modified YAML manifest to a file.
  3. Apply the updated manifest:

    • Use the kubectl apply -f <path-to-updated-manifest> command to apply the changes to the affected pod.
    • Verify that the pod’s security context has been updated by checking the pod’s YAML manifest again with kubectl get pod <pod-name> -o yaml.

Note: The above steps assume that you have the necessary permissions to modify pods and apply changes to the cluster.
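The following Python example is added here and is not part of the original remediation guidance. Note that allowUntrusted is not a field the Kubernetes PodSecurityContext schema defines, so the example restricts memfd_create with the seccompProfile field instead: it generates an OCI seccomp profile that returns EPERM for memfd_create, and patches the manifest retrieved in step 2 to reference that profile. The manifest, pod name and profile path are constructed for the example; the profile file must be placed on every node under the kubelet seccomp root (by default /var/lib/kubelet/seccomp/), and because a running pod's securityContext is immutable, applying the patched manifest means recreating the pod (or editing its controller's pod template).

```python
import copy
import json
from typing import Any, Dict, List

# Assumed path relative to the kubelet seccomp root on each node.
PROFILE_NAME = "profiles/deny-memfd.json"

# Constructed stand-in for the output of `kubectl get pod <pod-name> -o yaml`.
SAMPLE_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-pod", "namespace": "default"},
    "spec": {"containers": [{"name": "app", "image": "example.invalid/app:1.0"}]},
}


def build_seccomp_profile(denied_syscalls: List[str]) -> Dict[str, Any]:
    """OCI seccomp profile: allow every syscall except the listed ones, which
    fail with errno 1 (EPERM) so a legitimate caller sees an error rather than
    a SIGSYS kill. Write the result to PROFILE_NAME on each node."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [
            {"names": sorted(denied_syscalls), "action": "SCMP_ACT_ERRNO", "errnoRet": 1}
        ],
    }


def harden_pod(manifest: Dict[str, Any], profile_name: str = PROFILE_NAME) -> Dict[str, Any]:
    """Return a copy of the manifest whose pod-level securityContext loads the
    seccomp profile and whose containers may not gain privileges."""
    hardened = copy.deepcopy(manifest)
    spec = hardened["spec"]
    pod_sc = spec.setdefault("securityContext", {})
    pod_sc["seccompProfile"] = {"type": "Localhost", "localhostProfile": profile_name}
    for container in spec.get("containers", []):
        container.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return hardened


def verify_pod(manifest: Dict[str, Any], profile_name: str = PROFILE_NAME) -> bool:
    """The check from step 3: does the manifest reference the seccomp profile?"""
    profile = manifest.get("spec", {}).get("securityContext", {}).get("seccompProfile", {})
    return profile.get("type") == "Localhost" and profile.get("localhostProfile") == profile_name


if __name__ == "__main__":
    # Profile content to install on the nodes.
    print(json.dumps(build_seccomp_profile(["memfd_create"]), indent=2))
    # Patched manifest to save and apply with `kubectl apply -f`.
    patched = harden_pod(SAMPLE_POD)
    print(json.dumps(patched, indent=2))
    print("verified:", verify_pod(patched))
```

The profile allows everything except memfd_create, so it can be applied to an existing workload with low risk of breaking it; if the application legitimately needs memfd_create (some runtimes and sandboxes do), check its logs after the restart for EPERM errors before rolling the change out more widely.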