Red Hat Advanced Cluster Security for Kubernetes Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Note:
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Red Hat Advanced Cluster Security for Kubernetes Sample Message when you use the HTTP Receiver Protocol
Sample 1: The following sample event message shows that a container uses a read/write root file system.
{"alert":{"id":"f92601a5-83ec-47b3-856b-1000cd381b0d","policy":{"id":"8ac93556-4ad4-4220-a275-3f518db0ceb9","name":"Container using read-write root filesystem","description":"Alert on deployments with containers with read-write root filesystem","rationale":"Containers running with read-write root filesystem represent greater post-exploitation risk by allowing an attacker to modify important files in the container.","remediation":"Use a read-only root filesystem, and use volume mounts to allow writes to specific sub-directories depending on your application's needs.","categories":["Privileges","Docker CIS"],"lifecycleStages":["DEPLOY"],"exclusions":[{"name":"Don't alert on kube-system namespace","deployment":{"scope":{"namespace":"kube-system"}}},{"name":"Don't alert on istio-system namespace","deployment":{"scope":{"namespace":"istio-system"}}},{"name":"Don't alert on openshift-node namespace","deployment":{"scope":{"namespace":"openshift-node"}}},{"name":"Don't alert on openshift-sdn namespace","deployment":{"scope":{"namespace":"openshift-sdn"}}},{"deployment":{"name":"mastercard-processor"}},{"deployment":{"name":"communityoperators-884t8"}}],"severity":"MEDIUM_SEVERITY","notifiers":["58c8b9ba-0d96-4dd4-a3fed9b9931ab788","e892ed00-de0f-40b7-b309-45fc6de7bcfa"],"lastUpdated":"2021-04-29T14:45:56.095158050Z","SORTName":"Container using read-write root filesystem","SORTLifecycleStage":"DEPLOY","policyVersion":"1.1","policySections":[{"policyGroups":[{"fieldName":"Read-Only Root Filesystem","values":[{"value":"false"}]}]}]},"deployment":{"id":"47e90a53-3aeb-4e0b-a4cdbf7819f3a2b5","name":"community-operators-kbw79","type":"Pod","namespace":"openshiftmarketplace","namespaceId":"23ab4c01-9553-40f7-871b-d9a39317bb90","labels":{"catalogsource.operators.coreos.com/update":"communityoperators","olm.catalogSource":""},"clusterId":"916b38c2-fa71-45cf-9726-1d6b227858b3","clusterName":"production","containers":[{"image":{"name":{"registry":"registry.redhat.io","remote":"redhat/community-operatorindex","tag":"v4.7","fullName":"registry.redhat.io/redhat/community-operatorindex:v4.7"}},"name":"registry-server"}],"annotations":{"openshift.io/scc":"anyuid"}},"violations":[{"message":"Container 'registry-server' uses a read-write root filesystem"}],"time":"2021-05-05T15:16:15.612525111Z","firstOccurred":"2021-05-05T15:16:15.617034472Z"}}
| JSA field name | Highlighted values in the payload |
|---|---|
| Device Time | 2021-05-05T15:16:15.612525111Z |
Sample 2: The following sample event message shows an audit log entry for a successful request made by an administrator with read/write access.
{"audit":{"time":"2021-05-06T18:53:37.725743614Z","status":"REQUEST_SUCCEEDED","user":{"friendlyName":"admin","permissions":{"name":"Admin","globalAccess":"READ_WRITE_ACCESS"},"roles":[{"name":"Admin","globalAccess":"READ_WRITE_ACCESS"}],"role":{"name":"Admin","globalAccess":"READ_WRITE_ACCESS"}},"request":{"endpoint":"/v1/networkbaseline/ebaf8cc8-6dce-46a6-931d-c98d1ecad26f/status","method":"POST","payload":{"@type":"v1.NetworkBaselineStatusRequest","deploymentId":"ebaf8cc8-6dce-46a6-931d-c98d1ecad26f","peers":[{"entity":{"id":"dd550035-eb16-45be-80e0-45d4993358fc","type":"DEPLOYMENT"},"port":7777,"protocol":"L4_PROTOCOL_TCP","ingress":true},{"entity":{"id":"f2eed5c7-7a19-4863-8b64-9257416917be","type":"DEPLOYMENT"},"port":8080,"protocol":"L4_PROTOCOL_TCP"},{"entity":{"id":"5951f034-ca72-4613-bf11-dd5659882a3a","type":"DEPLOYMENT"},"port":8080,"protocol":"L4_PROTOCOL_TCP"}]}},"method":"UI","interaction":"CREATE"}}
| JSA field name | Highlighted values in the event payload |
|---|---|
| Device Time | 2021-05-06T18:53:37.725743614Z |
| Username | admin |
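To check that a pasted message is well-formed before loading it into JSA, and to see which values map to Device Time and Username in the two envelopes above, here is an added Python example that is not part of this page or of the Red Hat product. It uses constructed, abbreviated copies of the alert and audit samples with a line break deliberately placed inside a string value, strips CR/LF as the note instructs, and then extracts the mapped fields; the field paths (`alert.time`, `audit.time`, `audit.user.friendlyName`) are taken from the samples, everything else is the example's own.

```python
import json

# Constructed, abbreviated messages in the same envelopes as the two samples on this page
# (ACS "alert" and "audit"). Each has a line break deliberately placed inside a string value,
# mimicking the wrapped copy-paste problem the note above describes.
SAMPLE_ALERT = (
    '{"alert":{"id":"f92601a5-83ec-47b3-856b-1000cd381b0d",'
    '"policy":{"name":"Container using read-write\r\n root filesystem","severity":"MEDIUM_SEVERITY"},'
    '"deployment":{"name":"community-operators-kbw79","namespace":"openshift-marketplace"},'
    '"violations":[{"message":"Container \'registry-server\' uses a read-write root filesystem"}],'
    '"time":"2021-05-05T15:16:15.612525111Z"}}'
)
SAMPLE_AUDIT = (
    '{"audit":{"time":"2021-05-06T18:53:37.725743614Z","status":"REQUEST_SUCCEEDED",'
    '"user":{"friendlyName":"admin","role":{"name":"Admin","globalAccess":"READ_WRITE_ACCESS"}},'
    '"request":{"endpoint":"/v1/networkbaseline/ebaf8cc8-6dce-46a6-\r\n931d-c98d1ecad26f/status",'
    '"method":"POST"},"method":"UI","interaction":"CREATE"}}'
)

def parses_as_is(raw: str) -> bool:
    """True only if the text is valid JSON as pasted (no raw CR/LF inside string values)."""
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False

def normalize(raw: str) -> str:
    """Strip every CR/LF, as the note above instructs, so the event is a single line."""
    return raw.replace("\r", "").replace("\n", "")

def parse_acs_event(raw: str) -> dict:
    """Extract the fields JSA maps (Device Time, Username) plus context useful for triage."""
    msg = json.loads(normalize(raw))
    if "alert" in msg:
        a = msg["alert"]
        return {"event_type": "alert", "device_time": a["time"],
                "policy": a["policy"]["name"], "severity": a["policy"].get("severity"),
                "deployment": a["deployment"]["name"], "namespace": a["deployment"]["namespace"],
                "violations": [v["message"] for v in a.get("violations", [])]}
    if "audit" in msg:
        u = msg["audit"]
        return {"event_type": "audit", "device_time": u["time"],
                "username": u["user"]["friendlyName"], "access": u["user"]["role"]["globalAccess"],
                "status": u["status"], "endpoint": u["request"]["endpoint"],
                "method": u["request"]["method"], "interaction": u.get("interaction")}
    raise ValueError("not an ACS alert or audit message")

if __name__ == "__main__":
    for sample in (SAMPLE_ALERT, SAMPLE_AUDIT):
        print(parses_as_is(sample), parse_acs_event(sample))
```

Running the script prints `False` for each sample before normalization (the embedded CR/LF makes the JSON invalid) followed by the extracted fields after stripping them.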