Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect modifications to the runc
binary outside of the normal package management lifecycle.
Strategy
CVE-2019-5736, a vulnerability in runc
through version 1.0-rc6 could allow attackers to overwrite the host runc
binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.
Any modifications to runc
(outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.
Triage & Response
- Check to see which user or process changed the
runc
binary. - If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.
- Update
runc
to a version above 1.0-rc6 (or Docker 18.09.2 and above). - Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.
Requires Agent version 7.27 or greater