enable "Packet socket created in container" by default. #1402
LGTM label has been added. Git tree hash: 7e7268728ce7e5eef378b85cada3e3109cad2f76
💯
I am on paternity leave now so I will defer to @mstemm, for not blocking the PR review.
I'm closing and re-opening this to let GitHub checks start again
This seems to be stuck. I'll look at the web hooks. Thanks for the patience @rung
Thanks! No problem.
…lways_true Signed-off-by: Hiroki Suezawa <[email protected]>
3c918ae to 7841993
Let me rebase master, and force push to re-run CI 👍
LGTM
LGTM label has been added. Git tree hash: 6d1bb0195b7edda951fd767232dc55e4a528a081
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: fntlnz, leogr
The full list of commands accepted by this bot can be found here. The pull request process is described here
Signed-off-by: Hiroki Suezawa [email protected]
What type of PR is this?
/kind rule-update
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
I want to enable "Packet socket created in container" rule by default.
"Packet socket created in container" rule was created at the end of last year. I think we can say the rule is stable.
The rule can detect ARP spoofing attacks on Kubernetes.
And a new kernel vulnerability (CVE-2020-14386, allows privilege escalation to node) was disclosed recently.
net/packet/af_packet.c, so we could detect an attack to the vuln by this rule as far as I read reporter's message and patch. socket(AF_PACKET, ... syscall.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
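
The kind of check the description refers to (a `socket()` call with the `AF_PACKET` domain made from inside a container), sketched over sample events. This is an added example, not Falco's rule text or code from this PR; the key=value event format, the `host` marker for non-container processes, the allowlist and the sample lines are all assumptions constructed for illustration.

```python
# Added illustration: flag packet-socket creation inside containers.
AF_PACKET_NUM = "17"  # numeric value of AF_PACKET on Linux

# Hypothetical allowlist of binaries expected to open packet sockets.
KNOWN_PACKET_SOCKET_BINARIES = frozenset({"lldpd"})

# Constructed sample events (not real capture output).
SAMPLE_EVENTS = """\
container_id=host proc=tcpdump syscall=socket args=AF_PACKET,SOCK_RAW,768
container_id=3f2a9c1b7d10 proc=python3 syscall=socket args=AF_PACKET,SOCK_RAW,768
container_id=3f2a9c1b7d10 proc=curl syscall=socket args=AF_INET,SOCK_STREAM,6
container_id=9b1e44aa0c52 proc=lldpd syscall=socket args=AF_PACKET,SOCK_RAW,35020
container_id=7c0d5e2f8a91 proc=arping syscall=socket args=17,SOCK_DGRAM,0
container_id=7c0d5e2f8a91 proc=sh syscall=connect args=AF_INET
"""

def parse_event(line):
    """Split 'k=v k=v ...' into a dict; 'args' becomes a list."""
    fields = {}
    for tok in line.split():
        key, _, value = tok.partition("=")
        fields[key] = value
    fields["args"] = fields.get("args", "").split(",")
    return fields

def is_packet_socket(ev):
    """True for socket() whose first argument is AF_PACKET (name or number)."""
    if ev.get("syscall") != "socket":
        return False
    return ev["args"][0] in ("AF_PACKET", AF_PACKET_NUM)

def in_container(ev):
    """Assumed convention: container_id is 'host' outside containers."""
    return ev.get("container_id", "host") != "host"

def alerts(lines, allowlist=KNOWN_PACKET_SOCKET_BINARIES):
    """Return (container_id, proc) for each event that should alert."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_packet_socket(ev) and in_container(ev) and ev.get("proc") not in allowlist:
            hits.append((ev["container_id"], ev["proc"]))
    return hits

if __name__ == "__main__":
    for cid, proc in alerts(SAMPLE_EVENTS.splitlines()):
        print(f"packet socket created in container {cid} by {proc}")
```

The host `tcpdump` and the allowlisted `lldpd` are skipped, while the domain written numerically as `17` is still caught.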