How to execute Incident Response script on Kubernetes node using EDR agent in a privileged pod.
Incident Response on AWS EC2 instance is easy. You need remote access and you just execute Incident Response script. What about EC2 instance hosting Kubernetes node without remote access to host OS? We can use privileged pod with host filesystem mounted.
CONTAINERD=$(ps aux | grep -c “/usr/bin/containerd-shim-runc-v2”)
[ $CONTAINERD -gt 0 ] && [ ! -f /usr/bin/containerd-shim-runc-v2 ] && INSIDE_PRIV_CONTAINER=1
## If we see container processes, but the binary is not present
## on fs - it means that we are in a containerecho “InsidePrivilegedContainer=$INSIDE_PRIV_CONTAINER”
MODE=$1if [ $INSIDE_PRIV_CONTAINER -gt 0 ]; then
COOKIE=$(dd if=/dev/random bs=32 count=1 status=none | sha1sum -b | cut -d” “ -f1)
## We created a unique directory here
## Having access to the host fs we are going to find our containerMYDIR=$(find /host/var/lib -name $COOKIE -type d 2>/dev/null | tail -n 1)echo “Doing inception into $MYDIR, will chroot there”
cat “$0” > /root/$COOKIE/ir.sh
## We need to have access to /proc/kcore on host
## which is /host/proc/kcore
## We change root just for IR script and execute itchroot /host /bin/bash -c “chmod +x $MYDIR/ir.sh; $MYDIR/ir.sh $MODE”
fi... usual actions
Should EDR detect container escape in the script above? Definitely. Scripts executed by EDR should be whitelisted.