Non sudo setuid

​

Event Information

​

Meaning

• The “Non sudo setuid” event in a Kubernetes cluster refers to a situation where a non-root user attempts to execute a process with the setuid permission, which allows the process to run with the privileges of the file owner.
• This event can indicate a potential security vulnerability, as it may allow an unauthorized user to gain elevated privileges and perform actions they should not have access to.
• To investigate this event, you can use the following kubectl command to check the permissions and ownership of the file: kubectl exec <pod_name> -- ls -l <file_path>. This will help identify if the file has the setuid permission and if it is owned by a non-root user.

• This event may violate compliance standards such as the Principle of Least Privilege (PoLP), which requires that users and processes should only have the minimum privileges necessary to perform their tasks.
• It may also violate compliance standards related to user access controls and unauthorized privilege escalation.
• Organizations should regularly audit and monitor for such events to ensure compliance with security and access control policies.

​

Remediation

1. Create a Kubernetes Deployment manifest file (e.g., remediation.yaml) with the following content:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: remediation
spec:
  replicas: 1
  selector:
    matchLabels:
      app: remediation
  template:
    metadata:
      labels:
        app: remediation
    spec:
      containers:
      - name: remediation
        image: python:latest
        command: ["python", "-c"]
        args: ["import os; os.setuid(0); os.system('chmod u-s /usr/bin/sudo')"]

2. Apply the remediation manifest using the following command:

kubectl apply -f remediation.yaml

3. Verify that the remediation deployment is running successfully:

kubectl get pods -l app=remediation