Anonymous request authorized
Goal
Detect when an unauthenticated request user is permitted in Kubernetes.
Strategy
This rule monitors when any action is permitted (@http.status_code:[100 TO 299]) for an unauthenticated user (@user.username:"system:anonymous").
The /livez and /readyz endpoints are commonly accessed unauthenticated and are excluded in the query filter.
Triage and response
- Inspect all of the HTTP paths accessed and determine if any of the paths should be permitted for unauthenticated users.
- Determine which IP addresses accessed Kubernetes endpoints that may contain sensitive data.
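The strategy and triage steps above can be reproduced offline against raw Kubernetes audit logs. The following is an added example, not the rule's own query or code from the vendor. It assumes the rule attributes map to the audit.k8s.io/v1 fields user.username, responseStatus.code, requestURI and sourceIPs, and that the health endpoints are excluded by exact path; the function names and sample events are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample events in Kubernetes audit.k8s.io/v1 shape (not real logs).
SAMPLE_AUDIT_LOG = """\
{"verb":"get","requestURI":"/livez","sourceIPs":["10.0.0.5"],"user":{"username":"system:anonymous"},"responseStatus":{"code":200}}
{"verb":"get","requestURI":"/readyz?verbose","sourceIPs":["10.0.0.5"],"user":{"username":"system:anonymous"},"responseStatus":{"code":200}}
{"verb":"list","requestURI":"/api/v1/namespaces/default/secrets","sourceIPs":["203.0.113.7"],"user":{"username":"system:anonymous"},"responseStatus":{"code":200}}
{"verb":"get","requestURI":"/api/v1/pods?limit=500","sourceIPs":["203.0.113.7"],"user":{"username":"system:anonymous"},"responseStatus":{"code":403}}
{"verb":"get","requestURI":"/version","sourceIPs":["198.51.100.9"],"user":{"username":"system:anonymous"},"responseStatus":{"code":200}}
{"verb":"get","requestURI":"/api/v1/nodes","sourceIPs":["10.0.0.8"],"user":{"username":"system:serviceaccount:kube-system:metrics"},"responseStatus":{"code":200}}
not-json garbage line
"""

# Health endpoints the rule filters out (assumption: matched on exact path).
EXCLUDED_PATHS = {"/livez", "/readyz"}


def is_anonymous_allowed(event):
    """True when the event matches the rule: anonymous user, 1xx-2xx response."""
    user = (event.get("user") or {}).get("username")
    code = (event.get("responseStatus") or {}).get("code")
    path = urlsplit(event.get("requestURI", "")).path  # drop the query string
    if user != "system:anonymous" or not isinstance(code, int):
        return False
    if path in EXCLUDED_PATHS:
        return False
    return 100 <= code <= 299


def triage(log_text):
    """Return {path: sorted source IPs} for every matching audit event."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not audit events
        if isinstance(event, dict) and is_anonymous_allowed(event):
            path = urlsplit(event.get("requestURI", "")).path
            hits[path].update(event.get("sourceIPs") or [])
    return {path: sorted(ips) for path, ips in sorted(hits.items())}


if __name__ == "__main__":
    for path, ips in triage(SAMPLE_AUDIT_LOG).items():
        print(f"{path}: {', '.join(ips)}")
```

The output groups each permitted anonymous path with the source IPs that reached it, which is the list to review in the two triage steps.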
Changelog
- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
- 15 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.