KubeArmor Events

Supported formats

Native Json format (this document)
KubeArmor Open Telemetry format
KubeArmor CEF Format (coming soon...)

Container Telemetry

Container Telemetry Fields format

Log field	Description	Example
ClusterName	gives information about the cluster for which the log was generated	default
Operation	gives details about what type of operation happened in the pod	File/Process/ Network
ContainerID	information about the container ID from where log was generated	7aca8d52d35ab7872df6a454ca32339386be
ContainerImage	shows the image that was used to spin up the container	docker.io/accuknox/knoxautopolicy:v0.9@sha256:bb83b5c6d41e0d0aa3b5d6621188c284ea
ContainerName	specifies the Container name where the log got generated	discovery-engine
Data	shows the system call that was invoked for this operation	syscall=SYS_OPENAT fd=-100 flags=O_RDWR\|O_CREAT\|O_NOFOLLOW\|O_CLOEXEC
HostName	shows the node name where the log got generated	aks-agentpool-16128849-vmss000001
HostPID	gives the host Process ID	967872
HostPPID	list the details of host Parent Process ID	967496
Labels	shows the pod label from where log generated	app=discovery-engine
Message	gives the message specified in the policy	Alert! Execution of package management process inside container is denied
NamespaceName	lists the namespace where pod is running	accuknox-agents
PID	lists the process ID running in container	1
PPID	lists the Parent process ID running in container	967496
ParentProcessName	gives the parent process name from where the operation happend	/usr/bin/containerd-shim-runc-v2
PodName	lists the pod name where the log got generated	mysql-76ddc6ddc4-h47hv
ProcessName	specifies the operation that happened inside the pod for this log	/knoxAutoPolicy
Resource	lists the resources that was requested	//accuknox-obs.db
Result	shows whether the event was allowed or denied	Passed
Source	lists the source from where the operation request came	/knoxAutoPolicy
Type	specifies it as container log	ContainerLog

Log field

Description

Example

ClusterName

gives information about the cluster for which the log was generated

default

Operation

gives details about what type of operation happened in the pod

File/Process/ Network

ContainerID

information about the container ID from where log was generated

7aca8d52d35ab7872df6a454ca32339386be

ContainerImage

shows the image that was used to spin up the container

docker.io/accuknox/knoxautopolicy:v0.9@sha256:bb83b5c6d41e0d0aa3b5d6621188c284ea

ContainerName

specifies the Container name where the log got generated

discovery-engine

Data

shows the system call that was invoked for this operation

syscall=SYS_OPENAT fd=-100 flags=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC

HostName

shows the node name where the log got generated

aks-agentpool-16128849-vmss000001

HostPID

gives the host Process ID

967872

HostPPID

list the details of host Parent Process ID

967496

Labels

shows the pod label from where log generated

app=discovery-engine

Message

gives the message specified in the policy

Alert! Execution of package management process inside container is denied

NamespaceName

lists the namespace where pod is running

accuknox-agents

PID

lists the process ID running in container

PPID

lists the Parent process ID running in container

967496

ParentProcessName

gives the parent process name from where the operation happend

/usr/bin/containerd-shim-runc-v2

PodName

lists the pod name where the log got generated

mysql-76ddc6ddc4-h47hv

ProcessName

specifies the operation that happened inside the pod for this log

/knoxAutoPolicy

Resource

lists the resources that was requested

//accuknox-obs.db

Result

shows whether the event was allowed or denied

Passed

Source

lists the source from where the operation request came

/knoxAutoPolicy

Type

specifies it as container log

ContainerLog

Process Log

{
  "ClusterName": "default",
  "HostName": "aks-agentpool-16128849-vmss000000",
  "NamespaceName": "default",
  "PodName": "vault-0",
  "Labels": "app.kubernetes.io/instance=vault,app.kubernetes.io/name=vault,component=server,helm.sh/chart=vault-0.24.1,statefulset.kubernetes.io/pod-name=vault-0",
  "ContainerID": "775fb27125ee8d9e2f34d6731fbf3bf677a1038f79fe8134856337612007d9ae",
  "ContainerName": "vault",
  "ContainerImage": "docker.io/hashicorp/vault:1.13.1@sha256:b888abc3fc0529550d4a6c87884419e86b8cb736fe556e3e717a6bc50888b3b8",
  "ParentProcessName": "/usr/bin/runc",
  "ProcessName": "/bin/sh",
  "HostPPID": 2514065,
  "HostPID": 2514068,
  "PPID": 2514065,
  "PID": 3552620,
  "UID": 100,
  "Type": "ContainerLog",
  "Source": "/usr/bin/runc",
  "Operation": "Process",
  "Resource": "/bin/sh -ec vault status -tls-skip-verify",
  "Data": "syscall=SYS_EXECVE",
  "Result": "Passed"
}

File Log

{
  "ClusterName": "default",
  "HostName": "aks-agentpool-16128849-vmss000000",
  "NamespaceName": "accuknox-agents",
  "PodName": "discovery-engine-6f5c4df7b4-q8zbc",
  "Labels": "app=discovery-engine",
  "ContainerID": "7aca8d52d35ab7872df6a454ca32339386be755d9ed6bd6bf7b37ec6aaf277e4",
  "ContainerName": "discovery-engine",
  "ContainerImage": "docker.io/accuknox/knoxautopolicy:v0.9@sha256:bb83b5c6d41e0d0aa3b5d6621188c284ea99741c3692e34b0f089b0e74745413",
  "ParentProcessName": "/usr/bin/containerd-shim-runc-v2",
  "ProcessName": "/knoxAutoPolicy",
  "HostPPID": 967496,
  "HostPID": 967872,
  "PPID": 967496,
  "PID": 1,
  "Type": "ContainerLog",
  "Source": "/knoxAutoPolicy",
  "Operation": "File",
  "Resource": "/var/run/secrets/kubernetes.io/serviceaccount/token",
  "Data": "syscall=SYS_OPENAT fd=-100 flags=O_RDONLY|O_CLOEXEC",
  "Result": "Passed"
}

Network Log

{
  "ClusterName": "default",
  "HostName": "aks-agentpool-16128849-vmss000001",
  "NamespaceName": "accuknox-agents",
  "PodName": "policy-enforcement-agent-7946b64dfb-f4lgv",
  "Labels": "app=policy-enforcement-agent",
  "ContainerID": "b597629c9b59304c779c51839e9a590fa96871bdfdf55bfec73b26c9fb7647d7",
  "ContainerName": "policy-enforcement-agent",
  "ContainerImage": "public.ecr.aws/k9v9d5v2/policy-enforcement-agent:v0.1.0@sha256:005c1fde3ff8a667f3ac7540c5c011c752a7e3aaa2c89aa335703289ed8d80f8",
  "ParentProcessName": "/usr/bin/containerd-shim-runc-v2",
  "ProcessName": "/home/pea/main",
  "HostPPID": 1394403,
  "HostPID": 1394554,
  "PPID": 1394403,
  "PID": 1,
  "Type": "ContainerLog",
  "Source": "./main",
  "Operation": "Network",
  "Resource": "sa_family=AF_INET sin_port=53 sin_addr=10.0.0.10",
  "Data": "syscall=SYS_CONNECT fd=10",
  "Result": "Passed"
}

Container Alerts

Container alerts are generated when there is a policy violation or audit event that is raised due to a policy action. For example, a policy might block execution of a process. When the execution is blocked by KubeArmor enforcer, KubeArmor generates an alert event implying policy action. In the case of an Audit action, the KubeArmor will only generate an alert without actually blocking the action.

The primary difference in the container alerts events vs the telemetry events (showcased above) is that the alert events contains certain additional fields such as policy name because of which the alert was generated and other metadata such as "Tags", "Message", "Severity" associated with the policy rule.

Container Alerts Fields format

Alert Field	Description	Example
Action	specifies the action of the policy it has matched.	Audit/Block
ClusterName	gives information about the cluster for which the alert was generated	aks-test-cluster
Operation	gives details about what type of operation happened in the pod	File/Process/Network
ContainerID	information about the container ID where the policy violation or alert got generated	e10d5edb62ac2daa4eb9a2146e2f2cfa87b6a5f30bd3a
ContainerImage	shows the image that was used to spin up the container	docker.io/library/mysql:5.6@sha256:20575ecebe6216036d25dab5903808211f
ContainerName	specifies the Container name where the alert got generated	mysql
Data	shows the system call that was invoked for this operation	syscall=SYS_EXECVE
Enforcer	it specifies the name of the LSM that has enforced the policy	AppArmor/BPFLSM
HostName	shows the node name where the alert got generated	aks-agentpool-16128849-vmss000001
HostPID	gives the host Process ID	3647533
HostPPID	list the details of host Parent Process ID	3642706
Labels	shows the pod label from where alert generated	app=mysql
Message	gives the message specified in the policy	Alert! Execution of package management process inside container is denied
NamespaceName	lists the namespace where pod is running	wordpress-mysql
PID	lists the process ID running in container	266
PPID	lists the Parent process ID running in container	251
ParentProcessName	gives the parent process name from where the operation happend	/bin/bash
PodName	lists the pod name where the alert got generated	mysql-76ddc6ddc4-h47hv
PolicyName	gives the policy that was matched for this alert generation	harden-mysql-pkg-mngr-exec
ProcessName	specifies the operation that happened inside the pod for this alert	/usr/bin/apt
Resource	lists the resources that was requested	/usr/bin/apt
Result	shows whether the event was allowed or denied	Permission denied
Severity	gives the severity level of the operation	5
Source	lists the source from where the operation request came	/bin/bash
Tags	specifies the list of benchmarks this policy satisfies	NIST,NIST_800-53_CM-7(4),SI-4,process,NIST_800-53_SI-4
Timestamp	gives the details of the time this event tried to happen	1687868507
Type	shows whether policy matched or default posture alert	MatchedPolicy
UpdatedTime	gives the time of this alert	2023-06-27T12:21:47.932526
cluster_id	specifies the cluster id where the alert was generated	596
component_name	gives the component which generated this log/alert	kubearmor
tenant_id	specifies the tenant id where this cluster is onboarded in AccuKnox SaaS	11

Alert Field

Description

Example

Action

specifies the action of the policy it has matched.

Audit/Block

ClusterName

gives information about the cluster for which the alert was generated

aks-test-cluster

Operation

gives details about what type of operation happened in the pod

File/Process/Network

ContainerID

information about the container ID where the policy violation or alert got generated

e10d5edb62ac2daa4eb9a2146e2f2cfa87b6a5f30bd3a

ContainerImage

shows the image that was used to spin up the container

docker.io/library/mysql:5.6@sha256:20575ecebe6216036d25dab5903808211f

ContainerName

specifies the Container name where the alert got generated

mysql

Data

shows the system call that was invoked for this operation

syscall=SYS_EXECVE

Enforcer

it specifies the name of the LSM that has enforced the policy

AppArmor/BPFLSM

HostName

shows the node name where the alert got generated

aks-agentpool-16128849-vmss000001

HostPID

gives the host Process ID

3647533

HostPPID

list the details of host Parent Process ID

3642706

Labels

shows the pod label from where alert generated

app=mysql

Message

gives the message specified in the policy

Alert! Execution of package management process inside container is denied

NamespaceName

lists the namespace where pod is running

wordpress-mysql

PID

lists the process ID running in container

266

PPID

lists the Parent process ID running in container

251

ParentProcessName

gives the parent process name from where the operation happend

/bin/bash

PodName

lists the pod name where the alert got generated

mysql-76ddc6ddc4-h47hv

PolicyName

gives the policy that was matched for this alert generation

harden-mysql-pkg-mngr-exec

ProcessName

specifies the operation that happened inside the pod for this alert

/usr/bin/apt

Resource

lists the resources that was requested

/usr/bin/apt

Result

shows whether the event was allowed or denied

Permission denied

Severity

gives the severity level of the operation

Source

lists the source from where the operation request came

/bin/bash

Tags

specifies the list of benchmarks this policy satisfies

NIST,NIST_800-53_CM-7(4),SI-4,process,NIST_800-53_SI-4

Timestamp

gives the details of the time this event tried to happen

1687868507

Type

shows whether policy matched or default posture alert

MatchedPolicy

UpdatedTime

gives the time of this alert

2023-06-27T12:21:47.932526

cluster_id

specifies the cluster id where the alert was generated

596

component_name

gives the component which generated this log/alert

kubearmor

tenant_id

specifies the tenant id where this cluster is onboarded in AccuKnox SaaS

Process Alert

{
  "ClusterName": "default",
  "HostName": "aks-agentpool-16128849-vmss000001",
  "NamespaceName": "wordpress-mysql",
  "PodName": "wordpress-787f45786f-2q9wf",
  "Labels": "app=wordpress",
  "ContainerID": "72de193fc8d849cd052affae5a53a27111bcefb75385635dcb374acdf31a5548",
  "ContainerName": "wordpress",
  "ContainerImage": "docker.io/library/wordpress:4.8-apache@sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845",
  "HostPPID": 495804,
  "HostPID": 495877,
  "PPID": 309835,
  "PID": 309841,
  "ParentProcessName": "/bin/bash",
  "ProcessName": "/usr/bin/apt",
  "PolicyName": "harden-wordpress-pkg-mngr-exec",
  "Severity": "5",
  "Tags": "NIST,NIST_800-53_CM-7(4),SI-4,process,NIST_800-53_SI-4",
  "ATags": [
    "NIST",
    "NIST_800-53_CM-7(4)",
    "SI-4",
    "process",
    "NIST_800-53_SI-4"
  ],
  "Message": "Alert! Execution of package management process inside container is denied",
  "Type": "MatchedPolicy",
  "Source": "/bin/bash",
  "Operation": "Process",
  "Resource": "/usr/bin/apt",
  "Data": "syscall=SYS_EXECVE",
  "Enforcer": "AppArmor",
  "Action": "Block",
  "Result": "Permission denied"
}

File Alert

{
  "ClusterName": "default",
  "HostName": "aks-agentpool-16128849-vmss000001",
  "NamespaceName": "wordpress-mysql",
  "PodName": "wordpress-787f45786f-2q9wf",
  "Labels": "app=wordpress",
  "ContainerID": "72de193fc8d849cd052affae5a53a27111bcefb75385635dcb374acdf31a5548",
  "ContainerName": "wordpress",
  "ContainerImage": "docker.io/library/wordpress:4.8-apache@sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845",
  "HostPPID": 495804,
  "HostPID": 496390,
  "PPID": 309835,
  "PID": 309842,
  "ParentProcessName": "/bin/bash",
  "ProcessName": "/bin/rm",
  "PolicyName": "harden-wordpress-file-integrity-monitoring",
  "Severity": "1",
  "Tags": "NIST,NIST_800-53_AU-2,NIST_800-53_SI-4,MITRE,MITRE_T1036_masquerading,MITRE_T1565_data_manipulation",
  "ATags": [
    "NIST",
    "NIST_800-53_AU-2",
    "NIST_800-53_SI-4",
    "MITRE",
    "MITRE_T1036_masquerading",
    "MITRE_T1565_data_manipulation"
  ],
  "Message": "Detected and prevented compromise to File integrity",
  "Type": "MatchedPolicy",
  "Source": "/bin/rm /sbin/raw",
  "Operation": "File",
  "Resource": "/sbin/raw",
  "Data": "syscall=SYS_UNLINKAT flags=",
  "Enforcer": "AppArmor",
  "Action": "Block",
  "Result": "Permission denied"
}

Network Alert

{
  "ClusterName": "default",
  "HostName": "aks-agentpool-16128849-vmss000000",
  "NamespaceName": "default",
  "PodName": "vault-0",
  "Labels": "app.kubernetes.io/instance=vault,app.kubernetes.io/name=vault,component=server,helm.sh/chart=vault-0.24.1,statefulset.kubernetes.io/pod-name=vault-0",
  "ContainerID": "775fb27125ee8d9e2f34d6731fbf3bf677a1038f79fe8134856337612007d9ae",
  "ContainerName": "vault",
  "ContainerImage": "docker.io/hashicorp/vault:1.13.1@sha256:b888abc3fc0529550d4a6c87884419e86b8cb736fe556e3e717a6bc50888b3b8",
  "HostPPID": 2203523,
  "HostPID": 2565259,
  "PPID": 2203523,
  "PID": 3558570,
  "UID": 100,
  "ParentProcessName": "/usr/bin/containerd-shim-runc-v2",
  "ProcessName": "/bin/vault",
  "PolicyName": "ksp-vault-network",
  "Severity": "8",
  "Type": "MatchedPolicy",
  "Source": "/bin/vault status -tls-skip-verify",
  "Operation": "Network",
  "Resource": "domain=AF_UNIX type=SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC protocol=0",
  "Data": "syscall=SYS_SOCKET",
  "Enforcer": "eBPF Monitor",
  "Action": "Audit",
  "Result": "Passed"
}

Host Alerts

The fields are self-explanatory and have similar meaning as in the context of container based events (explained above).

Process Alert

{
  "Timestamp": 1692813948,
  "UpdatedTime": "2023-08-23T18:05:48.301798Z",
  "ClusterName": "default",
  "HostName": "gke-my-first-cluster-1-default-pool-9144db50-81gb",
  "HostPPID": 1979,
  "HostPID": 1787227,
  "PPID": 1979,
  "PID": 1787227,
  "ParentProcessName": "/bin/bash",
  "ProcessName": "/bin/sleep",
  "PolicyName": "sleep-deny",
  "Severity": "5",
  "Type": "MatchedHostPolicy",
  "Source": "/bin/bash",
  "Operation": "Process",
  "Resource": "/usr/bin/sleep 10",
  "Data": "syscall=SYS_EXECVE",
  "Enforcer": "BPFLSM",
  "Action": "Block",
  "Result": "Permission denied"
}

Blocked SETGID

Note that KubeArmor also alerts events blocked due to other system policy enforcement. For example, if an SELinux native rule blocks an action, KubeArmor will report those as well as DefaultPosture events. Following is an example of such event:

{
  "Timestamp": 1692814089,
  "UpdatedTime": "2023-08-23T18:08:09.522743Z",
  "ClusterName": "default",
  "HostName": "gke-my-first-cluster-1-default-pool-9144db50-81gb",
  "HostPPID": 1791315,
  "HostPID": 1791316,
  "PPID": 1791315,
  "PID": 1791316,
  "UID": 204,
  "ParentProcessName": "/usr/sbin/sshd",
  "ProcessName": "/usr/sbin/sshd",
  "PolicyName": "DefaultPosture",
  "Type": "MatchedHostPolicy",
  "Source": "/usr/sbin/sshd",
  "Operation": "Syscall",
  "Data": "syscall=SYS_SETGID userid=0",
  "Enforcer": "BPFLSM",
  "Action": "Block",
  "Result": "Operation not permitted"
}

Blocked SETUID

{
  "Timestamp": 1692814089,
  "UpdatedTime": "2023-08-23T18:08:09.523964Z",
  "ClusterName": "default",
  "HostName": "gke-my-first-cluster-1-default-pool-9144db50-81gb",
  "HostPPID": 1791315,
  "HostPID": 1791316,
  "PPID": 1791315,
  "PID": 1791316,
  "UID": 204,
  "ParentProcessName": "/usr/sbin/sshd",
  "ProcessName": "/usr/sbin/sshd",
  "PolicyName": "DefaultPosture",
  "Type": "MatchedHostPolicy",
  "Source": "/usr/sbin/sshd",
  "Operation": "Syscall",
  "Data": "syscall=SYS_SETUID userid=0",
  "Enforcer": "BPFLSM",
  "Action": "Block",
  "Result": "Operation not permitted"
}

PreviousAdvanced NextControl Telemetry/Visibility

Last updated 8 months ago