Alcide kAudit is designed to automatically analyze Kubernetes audit logs to detect anomalous behavior of users and service accounts. kAudit automatically detects security-related issues in Kubernetes administrative actions, especially anomalous behavior that can only be detected by observing extended context across multiple activities. In addition, kAudit supports Audit Rules to detect violations of organization compliance policies regarding Kubernetes usage. Incident forensics, along with audit statistics, are presented in graphical and tabular summaries for easy investigation and analysis.
In this tutorial we will learn about kAudit's support for organization compliance and control, Audit Rules, and how you can set up Audit Rules to monitor specific activities and alert on them.
For this tutorial you will need:
To manage Audit Policy Rules, log in to the kAudit UI and in the left menu go to Policy > Rules.
Here you can find your existing rules and activate/deactivate, edit, or delete them.
In this use case we'll detect and notify when a user opens a shell in a pod using the kubectl exec command.
kubectl exec -it <pod_name> -- sh
In this use case we'll detect and notify when a tunnel is opened to a specific network socket.
kubectl port-forward <pod_name> <local_port>:<pod_port>
In this use case we'll detect and notify when container logs are read from a specific namespace that runs workloads handling sensitive data, such as cardholder data (PCI), health information (HIPAA), etc.
kubectl logs -n <your_namespace> <pod_name>
In this use case we'll detect and notify on access to an object of kind "secret" in a specific namespace.
kubectl get secrets -n <your_namespace> <secret_name> -o json
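The four use cases above, as an added example that is not kAudit's own code: a small Python matcher run over constructed Kubernetes audit events (audit.k8s.io/v1 field layout) that flags pod exec, port-forward, log reads in a sensitive namespace, and secret access. The rule dictionary format and the sensitive-namespace list are assumptions for illustration, not kAudit's rule schema.

```python
import json

# Constructed sample of Kubernetes audit events (audit.k8s.io/v1 shape, trimmed
# to the fields the matching below needs). Not real cluster data.
SAMPLE_AUDIT_LOG = """
{"stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"dev","name":"web-1"}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","subresource":"portforward","namespace":"dev","name":"db-0"}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"carol"},"objectRef":{"resource":"pods","subresource":"log","namespace":"payments","name":"card-api-3"}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"carol"},"objectRef":{"resource":"pods","subresource":"log","namespace":"dev","name":"web-1"}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:payments:deployer"},"objectRef":{"resource":"secrets","namespace":"payments","name":"card-key"}}
{"stage":"ResponseStarted","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"dev","name":"web-1"}}
"""

# Hypothetical rule format (not kAudit's): each rule matches on verb, resource and
# subresource, optionally restricted to a set of namespaces.
SENSITIVE_NAMESPACES = {"payments"}
RULES = [
    {"name": "pod-exec", "verbs": {"create"}, "resource": "pods", "subresource": "exec"},
    {"name": "port-forward", "verbs": {"create"}, "resource": "pods", "subresource": "portforward"},
    {"name": "sensitive-pod-logs", "verbs": {"get"}, "resource": "pods", "subresource": "log",
     "namespaces": SENSITIVE_NAMESPACES},
    {"name": "secret-access", "verbs": {"get", "list"}, "resource": "secrets", "subresource": None,
     "namespaces": SENSITIVE_NAMESPACES},
]

def matches(rule, event):
    ref = event.get("objectRef", {})
    if event.get("verb") not in rule["verbs"]:
        return False
    if ref.get("resource") != rule["resource"] or ref.get("subresource") != rule["subresource"]:
        return False
    return "namespaces" not in rule or ref.get("namespace") in rule["namespaces"]

def scan(audit_log):
    """Return (rule, user, namespace, object) per match. Only the ResponseComplete
    stage is considered so one request is not reported twice."""
    findings = []
    for line in audit_log.strip().splitlines():
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete":
            continue
        for rule in RULES:
            if matches(rule, event):
                ref = event["objectRef"]
                findings.append((rule["name"], event["user"]["username"], ref.get("namespace"), ref.get("name")))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LOG):
        print("ALERT %s: %s on %s/%s" % f)
```

Note that the log read in the "dev" namespace is deliberately not reported, which is the namespace scoping the third use case asks for.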
In this codelab we added an automated scan of an application on a Kubernetes cluster as a step in your GitHub Actions workflow.