Fileless execution via memfd create

​

Event Information

​

Meaning

• Fileless execution via memfd_create event refers to a security event where a process in the Kubernetes cluster attempts to execute code without creating a traditional file on the file system.
• This event indicates a potential malicious activity, as fileless execution techniques are often used by attackers to evade detection and carry out unauthorized actions.
• To investigate this event in a Kubernetes cluster, you can use the following command: kubectl logs <pod-name> -n <namespace>. This will provide you with the logs of the pod, where you can find more details about the fileless execution event and the associated process or container.

​

Remediation

1. Identify the affected pod(s):
   • Use the kubectl get pods command to list all the pods in the cluster.
   • Filter the pods based on the criteria related to the event, such as the pod name or labels.
2. Update the pod’s security context:
   • Retrieve the YAML manifest of the affected pod using the kubectl get pod <pod-name> -o yaml command.
   • Add or modify the securityContext section in the pod’s YAML manifest to restrict the usage of memfd_create.
   • Set the allowUntrusted field to false in the securityContext section to prevent the usage of memfd_create.
   • Save the modified YAML manifest to a file.
3. Apply the updated manifest:
   • Use the kubectl apply -f <path-to-updated-manifest> command to apply the changes to the affected pod.
   • Verify that the pod’s security context has been updated by checking the pod’s YAML manifest again using kubectl get pod <pod-name> -o yaml.