How to execute Incident Response script on Kubernetes node using EDR agent in a privileged pod.

CONTAINERD=$(ps aux | grep -v grep | grep -c "/usr/bin/containerd-shim-runc-v2")
INSIDE_PRIV_CONTAINER=0
[ "$CONTAINERD" -gt 0 ] && [ ! -f /usr/bin/containerd-shim-runc-v2 ] && INSIDE_PRIV_CONTAINER=1
## If we see container runtime processes (shared host PID namespace), but the
## binary is not present on our fs - it means that we are in a container
echo "InsidePrivilegedContainer=$INSIDE_PRIV_CONTAINER"
MODE=$1
if [ "$INSIDE_PRIV_CONTAINER" -gt 0 ]; then
  COOKIE=$(dd if=/dev/random bs=32 count=1 status=none | sha1sum -b | cut -d" " -f1)
  mkdir "/root/$COOKIE"
  ## We created a unique directory here
  ## Having access to the host fs (mounted at /host) we are going to find our container
  MYDIR=$(find /host/var/lib -name "$COOKIE" -type d 2>/dev/null | tail -n 1)
  echo "Doing inception into $MYDIR, will chroot there"
  ## Strip the leading "/host" so the path is valid inside the chroot
  MYDIR=${MYDIR:5}
  cat "$0" > "/root/$COOKIE/ir.sh"
  ## We need to have access to /proc/kcore on host
  ## which is /host/proc/kcore
  ## We change root just for IR script and execute it
  chroot /host /bin/bash -c "chmod +x $MYDIR/ir.sh; $MYDIR/ir.sh $MODE"
  exit 0
fi
... usual actions
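The same detect / mark / locate / chroot steps as reusable functions, added here as an example and not the article's script. It assumes the node root filesystem is mounted at $HOST_MNT (default /host, as in the article), that pgrep is available, and that /dev/urandom is an acceptable source for the marker name; the mount prefix and search root are parameters so the functions can be exercised in a scratch directory.

```bash
#!/bin/bash
# Added example: the article's "inception" steps as functions that can be
# tested outside a cluster. Assumes (like the article) that the EDR pod mounts
# the node's root filesystem at $HOST_MNT and that pgrep is available.
HOST_MNT="${HOST_MNT:-/host}"

# Convert a path seen through the host mount into the path the host itself
# uses (the article hard-codes this as ${MYDIR:5} for a 5-char "/host").
host_rel_path() {
    local p="$1" mnt="${2:-$HOST_MNT}"
    case "$p" in
        "$mnt"/*) printf '%s\n' "${p#"$mnt"}" ;;
        *) return 1 ;;
    esac
}

# Heuristic from the article: the container runtime shim shows up in the
# process list but its binary is not in our rootfs, so we are in a pod that
# shares the host PID namespace. pgrep excludes itself, unlike `ps | grep -c`.
in_priv_container() {
    local shim="${1:-/usr/bin/containerd-shim-runc-v2}"
    pgrep -f "$shim" >/dev/null 2>&1 && [ ! -f "$shim" ] && [ -d "$HOST_MNT/proc" ]
}

# Create a marker directory in our own rootfs, then find it through the host
# mount to learn where the host sees our container's writable layer.
# Prints the host-relative path of the marker directory.
find_self_on_host() {
    local here="${1:-/root}" search="${2:-$HOST_MNT/var/lib}" mnt="${3:-$HOST_MNT}"
    local cookie found
    cookie=$(head -c 32 /dev/urandom | sha1sum | cut -d' ' -f1)
    mkdir -p "$here/$cookie" || return 1
    found=$(find "$search" -type d -name "$cookie" 2>/dev/null | head -n 1)
    [ -n "$found" ] || { echo "marker $cookie not found under $search" >&2; return 1; }
    host_rel_path "$found" "$mnt"
}

# Copy this script into the marker directory and re-run it inside the host's
# root, so /proc/kcore and the rest of /proc are the node's, not the pod's.
run_on_host() {
    local rel="$1" mode="$2"
    cp "$0" "$HOST_MNT$rel/ir.sh" && chmod +x "$HOST_MNT$rel/ir.sh" || return 1
    chroot "$HOST_MNT" /bin/bash -c "$rel/ir.sh $mode"
}
```

In the pod the sequence is `in_priv_container && rel=$(find_self_on_host) && run_on_host "$rel" "$MODE"`; if the marker is not found under the search root, find_self_on_host fails instead of handing chroot an empty path.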
