Detection rules for RHEL Family data sources. Each rule includes its MITRE ATT&CK mapping, impact rating, and a description of what it detects.
This category contains 10 detection rules.
| Rule | Category | Technique | Impact (C/I/A) |
|---|---|---|---|
| Container Platform Security Attacks | Privilege Escalation | T1611 - Escape to Host | C:3 / I:3 / A:2 |
| Critical SELinux Policy Violation | Privilege Escalation | T1068 - Exploitation for Privilege Escalation | C:3 / I:3 / A:2 |
| OpenShift Security Violations | Credential Access | T1552.007 - Unsecured Credentials: Container API | C:3 / I:3 / A:2 |
| RHEL Boot Loader Attack Detection | Defense Evasion, Persistence | T1542.003 - Pre-OS Boot: Bootkit | C:2 / I:3 / A:2 |
| RHEL Secure Boot Violation Detection | Defense Evasion | T1553.006 - Subvert Trust Controls: Code Signing Policy Modification | C:2 / I:3 / A:2 |
| RHEL-Specific Kernel Exploitation Attempt | Privilege Escalation | Exploitation for Privilege Escalation | C:3 / I:3 / A:3 |
| RHEL-Specific Malware Detection | Defense Evasion, Privilege Escalation | T1055 - Process Injection | C:3 / I:3 / A:2 |
| RPM Database Tampering Detection | Defense Evasion | T1070 - Indicator Removal | C:2 / I:3 / A:2 |
| SystemD Unit File Attack Detected | Persistence, Privilege Escalation | T1543.002 - Create or Modify System Process: Systemd Service | C:2 / I:3 / A:2 |
| YUM/DNF Repository Manipulation Attack | Initial Access | T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools | C:3 / I:3 / A:2 |
Rule Example
Below is an example of a rule definition for Container Platform Security Attacks:
```yaml
# Rule version v1.0.0
dataTypes:
  - linux
name: Container Platform Security Attacks
impact:
  confidentiality: 3
  integrity: 3
  availability: 2
category: Privilege Escalation
technique: "T1611 - Escape to Host"
adversary: origin
references:
  - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/building_running_and_managing_containers/index
  - https://attack.mitre.org/techniques/T1611/
description: |
  Detects attacks against container platforms including Docker, Podman, and CRI-O such as container escape attempts, privilege escalation, unauthorized image pulls, and runtime manipulation. This rule identifies suspicious container activities that may indicate an adversary attempting to break out of container isolation or manipulate container runtime environments.
  Next Steps:
  1. Investigate the affected container and host system for signs of compromise
  2. Review container logs and runtime configurations for unauthorized changes
  3. Check for unusual process execution or file system modifications
  4. Verify container image integrity and scan for malicious content
  5. Review security policies for containers (seccomp, AppArmor, SELinux)
  6. Consider isolating the affected container and host system
  7. Update container security policies and runtime configurations as needed
where: |
  (oneOf("origin.process", ["docker", "podman", "crio", "containerd"]) ||
   oneOf("origin.process", ["dockerd", "podman", "crio", "containerd"]) ||
   oneOf("log.service", ["docker", "podman", "crio", "containerd"]) ||
   oneOf("log.process_name", ["dockerd", "podman", "crio", "containerd"])) &&
  (
    contains("log.message", "container escape") ||
    contains("log.message", "privilege escalation") ||
    contains("log.message", "unauthorized pull") ||
    contains("log.message", "runtime manipulation") ||
    contains("log.message", "seccomp violation") ||
    contains("log.message", "AppArmor violation") ||
    contains("log.message", "SELinux denial") ||
    (equals("action", "exec") && contains("log.command", "/proc/self/exe")) ||
    (equals("action", "mount") && contains("log.path", "/sys")) ||
    equals("log.event_type", "container_breakout") ||
    (oneOf("log.syscall", ["mount", "pivot_root", "chroot"]) && equals("log.result", "denied"))
  )
groupBy:
  - lastEvent.log.container_id
  - origin.host
```
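The `where` clause above is two conjoined groups: the event must come from a container runtime (first group) and carry at least one escape or policy-violation indicator (second group). The following Python re-implementation of that predicate is an added example for testing the logic offline against constructed events; it is not the rule engine's own code. The `oneOf`/`contains`/`equals` semantics are assumptions (dotted paths into a nested dict, case-insensitive substring matching for `contains`, a missing field failing the test), as is reading the `groupBy` fields `log.container_id` and `origin.host` from the triggering event.

```python
"""Offline evaluation of the 'Container Platform Security Attacks' where-clause.

Added example, not the rule engine's code. Assumed semantics (not stated by
the rule page): events are nested dicts addressed by dotted field paths,
contains() is a case-insensitive substring test, equals() is exact, and a
field that is absent simply fails whichever predicate references it.
"""
from typing import Any, Dict, List, Optional, Tuple

Event = Dict[str, Any]

# Value lists copied from the rule's where-clause.
RUNTIME_SERVICES = ["docker", "podman", "crio", "containerd"]
RUNTIME_DAEMONS = ["dockerd", "podman", "crio", "containerd"]
INDICATOR_PHRASES = [
    "container escape", "privilege escalation", "unauthorized pull",
    "runtime manipulation", "seccomp violation", "AppArmor violation",
    "SELinux denial",
]
ISOLATION_SYSCALLS = ["mount", "pivot_root", "chroot"]


def get_field(event: Event, path: str) -> Any:
    """Resolve a dotted path such as 'log.message'; None when any segment is missing."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def one_of(event: Event, path: str, values: List[str]) -> bool:
    value = get_field(event, path)
    return isinstance(value, str) and value in values


def contains(event: Event, path: str, needle: str) -> bool:
    value = get_field(event, path)
    return isinstance(value, str) and needle.lower() in value.lower()


def equals(event: Event, path: str, expected: Any) -> bool:
    return get_field(event, path) == expected


def from_container_runtime(event: Event) -> bool:
    """First conjunct: the event originates from a container runtime or daemon."""
    return (one_of(event, "origin.process", RUNTIME_SERVICES)
            or one_of(event, "origin.process", RUNTIME_DAEMONS)
            or one_of(event, "log.service", RUNTIME_SERVICES)
            or one_of(event, "log.process_name", RUNTIME_DAEMONS))


def has_attack_indicator(event: Event) -> bool:
    """Second conjunct: any one of the escape / policy-violation indicators."""
    if any(contains(event, "log.message", phrase) for phrase in INDICATOR_PHRASES):
        return True
    if equals(event, "action", "exec") and contains(event, "log.command", "/proc/self/exe"):
        return True
    if equals(event, "action", "mount") and contains(event, "log.path", "/sys"):
        return True
    if equals(event, "log.event_type", "container_breakout"):
        return True
    return one_of(event, "log.syscall", ISOLATION_SYSCALLS) and equals(event, "log.result", "denied")


def matches_rule(event: Event) -> bool:
    return from_container_runtime(event) and has_attack_indicator(event)


def group_key(event: Event) -> Tuple[Optional[str], Optional[str]]:
    """Assumed reading of the rule's groupBy: (container id, origin host) of the triggering event."""
    return get_field(event, "log.container_id"), get_field(event, "origin.host")


# Constructed sample events (not real telemetry). Expected: match, match, no, no, match.
SAMPLE_EVENTS: List[Event] = [
    {"origin": {"process": "podman", "host": "rhel-node-01"},
     "log": {"message": "SELinux denial while starting container", "container_id": "c1"}},
    {"origin": {"host": "rhel-node-02"}, "action": "mount",
     "log": {"process_name": "dockerd", "path": "/sys/fs/cgroup", "container_id": "c2"}},
    {"origin": {"process": "podman", "host": "rhel-node-01"},
     "log": {"message": "pulled image registry.example.internal/app:1.0", "container_id": "c3"}},
    # Denied pivot_root, but not from a container runtime: first conjunct fails.
    {"origin": {"process": "sshd", "host": "rhel-node-03"},
     "log": {"syscall": "pivot_root", "result": "denied"}},
    {"origin": {"process": "crio", "host": "rhel-node-04"},
     "log": {"syscall": "pivot_root", "result": "denied", "container_id": "c4"}},
]


def evaluate_samples() -> List[bool]:
    return [matches_rule(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print(f"{'ALERT' if hit else 'ok   '} group={group_key(event)}")
```

Running the script shows that the fourth sample, a denied `pivot_root` from `sshd`, does not fire even though it carries an indicator, because both conjuncts must hold; that is the behaviour to confirm when tuning the runtime list for a host that uses a differently named daemon.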
Rule Details
Container Platform Security Attacks
Detects attacks against container platforms including Docker, Podman, and CRI-O such as container escape attempts, privilege escalation, unauthorized image pulls, and runtime manipulation. This rule identifies suspicious container activities that may indicate an adversary attempting to break out of container isolation or manipulate container runtime environments.
Category: Privilege Escalation
Technique: T1611 - Escape to Host
Impact: C:3 / I:3 / A:2
Rule file: container_platform_attacks.yml
Reference: https://attack.mitre.org/techniques/T1611/
Critical SELinux Policy Violation
Detects critical SELinux policy violations that may indicate privilege escalation attempts, unauthorized access, or malicious activity bypassing mandatory access controls. This rule identifies AVC denials for sensitive capabilities, attempts to access shadow files, modifications to critical system directories, unconfined processes accessing executables, and unauthorized SELinux management commands.
Category: Privilege Escalation
Technique: T1068 - Exploitation for Privilege Escalation
Impact: C:3 / I:3 / A:2
Rule file: selinux_policy_violations.yml
Reference: https://attack.mitre.org/techniques/T1068/
OpenShift Security Violations
Detects security violations in OpenShift Container Platform including unauthorized API access, RBAC violations, security context constraint breaches, and malicious pod deployments. These violations indicate potential security breaches or misconfigurations that could lead to unauthorized access or privilege escalation within the cluster.
Category: Credential Access
Technique: T1552.007 - Unsecured Credentials: Container API
Impact: C:3 / I:3 / A:2
Rule file: openshift_security_violations.yml
Reference: https://docs.openshift.com/container-platform/latest/security/index.html
RHEL Boot Loader Attack Detection
Detects attempts to modify or tamper with the boot loader configuration, including unauthorized changes to GRUB files, boot parameters, or kernel modules that could indicate bootkit installation attempts.
Category: Defense Evasion, Persistence
Technique: T1542.003 - Pre-OS Boot: Bootkit
Impact: C:2 / I:3 / A:2
Rule file: boot_loader_attacks.yml
RHEL Secure Boot Violation Detection
Detects violations of UEFI Secure Boot policy including unsigned kernel modules, tampering with MOK (Machine Owner Key) database, attempts to disable Secure Boot, or loading of unauthorized boot components. This indicates potential compromise of the boot chain integrity or attempts to bypass security controls.
Category: Defense Evasion
Technique: T1553.006 - Subvert Trust Controls: Code Signing Policy Modification
Impact: C:2 / I:3 / A:2
Rule file: secure_boot_violations.yml
RHEL-Specific Kernel Exploitation Attempt
Detects potential exploitation attempts targeting RHEL-specific kernel vulnerabilities, including memory corruption, privilege escalation through kernel bugs, or attempts to bypass kernel security mechanisms like SELinux or kernel module protections.
Category: Privilege Escalation
Technique: Exploitation for Privilege Escalation
Impact: C:3 / I:3 / A:3
Rule file: rhel_kernel_exploits.yml
Reference: https://access.redhat.com/security/vulnerabilities
Reference: https://attack.mitre.org/techniques/T1068/
RHEL-Specific Malware Detection
Detects indicators of malware specifically targeting RHEL systems including known rootkits, suspicious kernel modules, process injection attempts, and malicious RPM packages or scripts exploiting RHEL-specific vulnerabilities.
Category: Defense Evasion, Privilege Escalation
Technique: T1055 - Process Injection
Impact: C:3 / I:3 / A:2
Rule file: rhel_specific_malware.yml
Reference: https://attack.mitre.org/techniques/T1055/
RPM Database Tampering Detection
Detects potential tampering with the RPM database which could indicate an attacker attempting to hide malicious package installations or system modifications. This includes unauthorized access to RPM database files, non-privileged users attempting to rebuild the database, or corruption indicators in RPM logs.
Category: Defense Evasion
Technique: T1070 - Indicator Removal
Impact: C:2 / I:3 / A:2
Rule file: rpm_database_tampering.yml
Reference: https://attack.mitre.org/techniques/T1070/
Reference: https://access.redhat.com/articles/3763
SystemD Unit File Attack Detected
Detects malicious SystemD unit file creation or modification attempts, including privilege escalation through invalid usernames, suspicious service directives, or attempts to create persistent backdoors through systemd generators or malicious service configurations.
Category: Persistence, Privilege Escalation
Technique: T1543.002 - Create or Modify System Process: Systemd Service
Impact: C:2 / I:3 / A:2
Rule file: systemd_unit_file_attacks.yml
Reference: https://www.linuxjournal.com/content/systemd-service-strengthening
YUM/DNF Repository Manipulation Attack
Detects potential attacks on YUM/DNF repositories including unauthorized repository additions, GPG key modifications, or suspicious package installations that could indicate supply chain compromise. This rule identifies attempts to manipulate package management systems to install malicious software or bypass security controls.
Category: Initial Access
Technique: T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Impact: C:3 / I:3 / A:2
Rule file: yum_dnf_repository_attacks.yml