Red Hat Advanced Cluster Security for Kubernetes Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Note:
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Red Hat Advanced Cluster Security for Kubernetes Sample Message when you use the HTTP Receiver Protocol
Sample 1: The following sample event message shows that a container uses a read/write root file system.
{"alert":{"id":"f92601a5-83ec-47b3-856b-1000cd381b0d",
"policy":{"id":"8ac93556-4ad4-4220-a275-3f518db0ceb9","name":"Container using read-write root filesystem",
"description":"Alert on deployments with containers with read-write root filesystem",
"rationale":"Containers running with read-write root filesystem represent greater post-exploitation risk by allowing an attacker to modify important files in the container.",
"remediation":"Use a read-only root filesystem, and use volume mounts to allow writes to specific sub-directories depending on your application's needs.",
"categories":["Privileges","Docker CIS"],"lifecycleStages":["DEPLOY"],
"exclusions":[{"name":"Don't alert on kube-system namespace","deployment":{"scope":{"namespace":"kube-system"}}},
{"name":"Don't alert on istio-system namespace","deployment":{"scope":{"namespace":"istio-system"}}},
{"name":"Don't alert on openshift-node namespace","deployment":{"scope":{"namespace":"openshift-node"}}},
{"name":"Don't alert on openshift-sdn namespace","deployment":{"scope":{"namespace":"openshift-sdn"}}},
{"deployment":{"name":"mastercard-processor"}},{"deployment":{"name":"communityoperators-884t8"}}],
"severity":"MEDIUM_SEVERITY","notifiers":["58c8b9ba-0d96-4dd4-a3fed9b9931ab788","e892ed00-de0f-40b7-b309-45fc6de7bcfa"],
"lastUpdated":"2021-04-29T14:45:56.095158050Z","SORTName":"Container using read-write root filesystem","SORTLifecycleStage":"DEPLOY",
"policyVersion":"1.1","policySections":[{"policyGroups":[{"fieldName":"Read-Only Root Filesystem","values":[{"value":"false"}]}]}]},
"deployment":{"id":"47e90a53-3aeb-4e0b-a4cdbf7819f3a2b5","name":"community-operators-kbw79","type":"Pod","namespace":"openshiftmarketplace",
"namespaceId":"23ab4c01-9553-40f7-871b-d9a39317bb90","labels":{"catalogsource.operators.coreos.com/update":"communityoperators","olm.catalogSource":""},
"clusterId":"916b38c2-fa71-45cf-9726-1d6b227858b3","clusterName":"production",
"containers":[{"image":{"name":{"registry":"registry.redhat.io","remote":"redhat/community-operatorindex","tag":"v4.7","fullName":"registry.redhat.io/redhat/community-operatorindex:v4.7"}},"name":"registry-server"}],
"annotations":{"openshift.io/scc":"anyuid"}},
"violations":[{"message":"Container 'registry-server' uses a read-write root filesystem"}],
"time":"2021-05-05T15:16:15.612525111Z","firstOccurred":"2021-05-05T15:16:15.617034472Z"}}

| JSA field name | Highlighted values in the payload |
|---|---|
| Device Time | 2021-05-05T15:16:15.612525111Z |
Sample 2: The following sample event message shows that an administrator requested read/write access.
{"audit":{"time":"2021-05-06T18:53:37.725743614Z","status":"REQUEST_SUCCEEDED",
"user":{"friendlyName":"admin","permissions":{"name":"Admin","globalAccess":"READ_WRITE_ACCESS"},
"roles":[{"name":"Admin","globalAccess":"READ_WRITE_ACCESS"}],"role":{"name":"Admin","globalAccess":"READ_WRITE_ACCESS"}},
"request":{"endpoint":"/v1/networkbaseline/ebaf8cc8-6dce-46a6-931d-c98d1ecad26f/status","method":"POST",
"payload":{"@type":"v1.NetworkBaselineStatusRequest","deploymentId":"ebaf8cc8-6dce-46a6-931dc98d1ecad26f",
"peers":[{"entity":{"id":"dd550035-eb16-45be-80e0-45d4993358fc","type":"DEPLOYMENT"},"port":7777,"protocol":"L4_PROTOCOL_TCP","ingress":true},
{"entity":{"id":"f2eed5c7-7a19-4863-8b64-9257416917be","type":"DEPLOYMENT"},"port":8080,"protocol":"L4_PROTOCOL_TCP"},
{"entity":{"id":"5951f034-ca72-4613-bf11-dd5659882a3a","type":"DEPLOYMENT"},"port":8080,"protocol":"L4_PROTOCOL_TCP"}]}},
"method":"UI","interaction":"CREATE"}}

| JSA field name | Highlighted values in the event payload |
|---|---|
| Device Time | 2021-05-06T18:53:37.725743614Z |
| Username | admin |
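The two samples above share one envelope shape each: a policy violation arrives under a top-level "alert" key and an administrator action under "audit", and the JSA fields in the tables (Device Time, Username) come from alert.time, audit.time and audit.user.friendlyName. The following script is an added example, not part of this documentation or of any JSA or Red Hat Advanced Cluster Security code; it applies the note's advice (strip carriage returns and line feeds from a pasted sample), shows why a wrapped paste fails to parse until that is done, and pulls the mapped fields out of both message types. The sample texts are constructed, abbreviated copies of the messages on this page, and the record key names other than Device Time and Username (event_type, policy, violations, request, and so on) are chosen for the example only.

```python
import json
from typing import Any

# Constructed, abbreviated copies of the two message shapes on this page: an
# "alert" envelope (policy violation) and an "audit" envelope (admin action).
# The line break inside the firstOccurred timestamp mimics the wrapped text the
# note above warns about; it makes the raw paste invalid JSON.
ALERT_TEXT = """{"alert": {"id":"f92601a5-83ec-47b3-856b-1000cd381b0d",
"policy":{"name":"Container using read-write root filesystem","severity":"MEDIUM_SEVERITY"},
"deployment":{"name":"community-operators-kbw79","namespace":"openshiftmarketplace","clusterName":"production"},
"violations":[{"message":"Container 'registry-server' uses a read-write root filesystem"}],
"time":"2021-05-05T15:16:15.612525111Z","firstOccurred":"2021-05-05T15:16:15.61703
4472Z"}}"""

AUDIT_TEXT = """{"audit": {"time":"2021-05-06T18:53:37.725743614Z","status":"REQUEST_SUCCEEDED",
"user":{"friendlyName":"admin","role":{"name":"Admin","globalAccess":"READ_WRITE_ACCESS"}},
"request":{"endpoint":"/v1/networkbaseline/ebaf8cc8-6dce-46a6-931d-c98d1ecad26f/status","method":"POST"},
"method":"UI","interaction":"CREATE"}}"""


def strip_line_breaks(text: str) -> str:
    """Drop every carriage return and line feed, as the note on this page advises."""
    return text.replace("\r", "").replace("\n", "")


def is_valid_json(text: str) -> bool:
    """True if the text parses as JSON. json.loads rejects a raw line break
    inside a string literal, which is exactly what a wrapped paste contains."""
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return False
    return True


def normalise(raw: str) -> dict[str, Any]:
    """Return a flat record carrying the JSA field names this page maps
    ("Device Time", "Username") plus a few extra keys. The extra key names
    (event_type, policy, violations, request, ...) are chosen here for the
    example; they are not JSA or RHACS field names."""
    event = json.loads(strip_line_breaks(raw))
    if "alert" in event:
        a = event["alert"]
        dep = a["deployment"]
        return {
            "event_type": "alert",
            "Device Time": a["time"],
            "Username": None,  # policy alerts carry no acting user
            "first_occurred": a.get("firstOccurred"),
            "policy": a["policy"]["name"],
            "severity": a["policy"].get("severity"),
            "deployment": f'{dep["namespace"]}/{dep["name"]}',
            "violations": [v["message"] for v in a.get("violations", [])],
        }
    if "audit" in event:
        au = event["audit"]
        req = au["request"]
        return {
            "event_type": "audit",
            "Device Time": au["time"],
            "Username": au["user"]["friendlyName"],
            "status": au["status"],
            "access": au["user"]["role"]["globalAccess"],
            "request": f'{req["method"]} {req["endpoint"]}',
        }
    raise ValueError("unrecognised RHACS envelope, top-level keys: " + ", ".join(event))


if __name__ == "__main__":
    for sample in (ALERT_TEXT, AUDIT_TEXT):
        print("valid as pasted:", is_valid_json(sample),
              "| valid after stripping:", is_valid_json(strip_line_breaks(sample)))
        print(json.dumps(normalise(sample), indent=2))
```

Run with `python3 rhacs_sample.py` (any file name works). The alert sample reports invalid as pasted and valid after stripping, which is the check to perform before sending a pasted sample to the HTTP Receiver; the audit sample only has breaks between tokens and parses either way. Stripping removes characters without replacing them, so a wrap that replaced a space inside a string value (as in "Container using read-write root filesystem" in the original wrapped text) still needs the space restored by hand.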