Sen dat audit

Simulation

kubectl exec -it wordpress-7c966b5d85-wvtln -n wordpress-mysql -- bash
root@wordpress-7c966b5d85-wvtln:/var/www/html# cat /etc/shadow
root:*:17448:0:99999:7:::
daemon:*:17448:0:99999:7:::
bin:*:17448:0:99999:7:::
sys:*:17448:0:99999:7:::
sync:*:17448:0:99999:7:::
games:*:17448:0:99999:7:::
man:*:17448:0:99999:7:::
lp:*:17448:0:99999:7:::

Expected Alert

ClusterName: default
HostName: gke-cluster-1-default-pool-37f4c896-8cn6
NamespaceName: wordpress-mysql
PodName: wordpress-7c966b5d85-wvtln
Labels: app=wordpress
ContainerName: wordpress
ContainerID: 6d09394a988c5cf6b9fe260d28fdd57d6ff281618869a173965ecd94a3efac44
ContainerImage: docker.io/library/wordpress:4.8-apache@sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Type: MatchedPolicy
PolicyName: hsp-nist-ca-9-audit-untrusted-read-on-sensitive-files
Severity: 5
Message: Alert! Sensitive file opened for reading by non-trusted program! Possible violation of NIST CA-9 SA-20
Source: /bin/cat /etc/shadow
Resource: /etc/shadow
Operation: File
Action: Audit
Data: syscall=SYS_OPEN flags=O_RDONLY
Enforcer: eBPF Monitor
Result: Passed
ATags: [NIST NIST-800-53-r5 CA-9 File Rules Internal System Connections NIST_SA NIST_SA-20 NIST_SA-20-Customized Development of Critical Components SA]
HostPID: 706899
HostPPID: 706810
Owner: map[Name:wordpress Namespace:wordpress-mysql Ref:Deployment]
PID: 251
PPID: 245
ParentProcessName: /bin/bash
ProcessName: /bin/cat
Tags: NIST,NIST-800-53-r5,CA-9,File Rules,Internal System Connections,NIST_SA,NIST_SA-20,NIST_SA-20-Customized Development of Critical Components,SA