このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect modifications to the runc
binary outside of the normal package management lifecycle.
Strategy
CVE-2019-5736, a vulnerability in runc
through version 1.0-rc6 could allow attackers to overwrite the host runc
binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.
Any modifications to runc
(outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.
Triage & Response
- Check to see which user or process changed the
runc
binary. - If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.
- Update
runc
to a version above 1.0-rc6 (or Docker 18.09.2 and above). - Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.
Requires Agent version 7.27 or greater