Container alerts are generated when a policy is violated, that is, when an operation matches a policy rule whose action is Block or Audit. For example, a policy might block execution of a process: when the KubeArmor enforcer denies the execution, KubeArmor generates an alert event that carries the policy action. In the case of an Audit action, KubeArmor only generates the alert and does not block the operation, so an Audit alert records an operation that actually went through.
The primary difference between container alert events and the telemetry events shown above is that alert events carry additional fields: the PolicyName of the rule that matched, the metadata attached to that rule such as Tags (also available as the list-form ATags), Message and Severity, and the Enforcer that applied the rule together with its Action and Result.
Container Alert Fields format
Process Alert
{"ClusterName":"default","HostName":"aks-agentpool-16128849-vmss000001","NamespaceName":"wordpress-mysql","PodName":"wordpress-787f45786f-2q9wf","Labels":"app=wordpress","ContainerID":"72de193fc8d849cd052affae5a53a27111bcefb75385635dcb374acdf31a5548","ContainerName":"wordpress","ContainerImage":"docker.io/library/wordpress:4.8-apache@sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845","HostPPID":495804,"HostPID":495877,"PPID":309835,"PID":309841,"ParentProcessName":"/bin/bash","ProcessName":"/usr/bin/apt","PolicyName":"harden-wordpress-pkg-mngr-exec","Severity":"5","Tags":"NIST,NIST_800-53_CM-7(4),SI-4,process,NIST_800-53_SI-4","ATags":["NIST","NIST_800-53_CM-7(4)","SI-4","process","NIST_800-53_SI-4"],"Message":"Alert! Execution of package management process inside container is denied","Type":"MatchedPolicy","Source":"/bin/bash","Operation":"Process","Resource":"/usr/bin/apt","Data":"syscall=SYS_EXECVE","Enforcer":"AppArmor","Action":"Block","Result":"Permission denied"}
File Alert
{"ClusterName":"default","HostName":"aks-agentpool-16128849-vmss000001","NamespaceName":"wordpress-mysql","PodName":"wordpress-787f45786f-2q9wf","Labels":"app=wordpress","ContainerID":"72de193fc8d849cd052affae5a53a27111bcefb75385635dcb374acdf31a5548","ContainerName":"wordpress","ContainerImage":"docker.io/library/wordpress:4.8-apache@sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845","HostPPID":495804,"HostPID":496390,"PPID":309835,"PID":309842,"ParentProcessName":"/bin/bash","ProcessName":"/bin/rm","PolicyName":"harden-wordpress-file-integrity-monitoring","Severity":"1","Tags":"NIST,NIST_800-53_AU-2,NIST_800-53_SI-4,MITRE,MITRE_T1036_masquerading,MITRE_T1565_data_manipulation","ATags":["NIST","NIST_800-53_AU-2","NIST_800-53_SI-4","MITRE","MITRE_T1036_masquerading","MITRE_T1565_data_manipulation"],"Message":"Detected and prevented compromise to File integrity","Type":"MatchedPolicy","Source":"/bin/rm /sbin/raw","Operation":"File","Resource":"/sbin/raw","Data":"syscall=SYS_UNLINKAT flags=","Enforcer":"AppArmor","Action":"Block","Result":"Permission denied"}
Note that KubeArmor also raises alerts for actions denied by enforcement that does not come from a named KubeArmor policy. For example, if an SELinux native rule blocks an action, KubeArmor reports it, and it likewise reports denials by the default posture, which carry "PolicyName":"DefaultPosture" and, as in the examples below, no Severity, Tags or Message. The two events below are host alerts ("Type":"MatchedHostPolicy") rather than container alerts: they show sshd on a node being denied SYS_SETGID and SYS_SETUID by the BPF LSM enforcer. The Data field carries the syscall name and its argument, and the Result string ("Operation not permitted") differs from the AppArmor denials above ("Permission denied"), so detection rules should key on Action, not on Result.
Blocked SETGID
{"Timestamp":1692814089,"UpdatedTime":"2023-08-23T18:08:09.522743Z","ClusterName":"default","HostName":"gke-my-first-cluster-1-default-pool-9144db50-81gb","HostPPID":1791315,"HostPID":1791316,"PPID":1791315,"PID":1791316,"UID":204,"ParentProcessName":"/usr/sbin/sshd","ProcessName":"/usr/sbin/sshd","PolicyName":"DefaultPosture","Type":"MatchedHostPolicy","Source":"/usr/sbin/sshd","Operation":"Syscall","Data":"syscall=SYS_SETGID userid=0","Enforcer":"BPFLSM","Action":"Block","Result":"Operation not permitted"}
Blocked SETUID
{"Timestamp":1692814089,"UpdatedTime":"2023-08-23T18:08:09.523964Z","ClusterName":"default","HostName":"gke-my-first-cluster-1-default-pool-9144db50-81gb","HostPPID":1791315,"HostPID":1791316,"PPID":1791315,"PID":1791316,"UID":204,"ParentProcessName":"/usr/sbin/sshd","ProcessName":"/usr/sbin/sshd","PolicyName":"DefaultPosture","Type":"MatchedHostPolicy","Source":"/usr/sbin/sshd","Operation":"Syscall","Data":"syscall=SYS_SETUID userid=0","Enforcer":"BPFLSM","Action":"Block","Result":"Operation not permitted"}
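The following script is an added example, not KubeArmor's own code, showing how a consumer of these events tells telemetry apart from container and host alerts and pulls out the fields an analyst triages on (policy, action, enforcer, severity, tags, and the parsed Data string). It assumes one JSON object per line, shaped like the alerts on this page; the sample lines are constructed from those alerts and trimmed, and the telemetry line is constructed to show an event with no PolicyName.

```python
"""Triage KubeArmor JSON events: split telemetry from alerts and extract the
policy metadata an analyst keys on.

Added example, not KubeArmor's own code. It assumes one JSON event per line,
shaped like the alerts shown on this page; SAMPLE_LINES are constructed from
those alerts (trimmed), plus one constructed telemetry event.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LINES = [
    # Container process alert (AppArmor, Block): trimmed from the page's example.
    '{"ClusterName":"default","NamespaceName":"wordpress-mysql",'
    '"PodName":"wordpress-787f45786f-2q9wf","ContainerName":"wordpress",'
    '"ProcessName":"/usr/bin/apt","PolicyName":"harden-wordpress-pkg-mngr-exec",'
    '"Severity":"5","Tags":"NIST,NIST_800-53_CM-7(4),SI-4,process,NIST_800-53_SI-4",'
    '"ATags":["NIST","NIST_800-53_CM-7(4)","SI-4","process","NIST_800-53_SI-4"],'
    '"Message":"Alert! Execution of package management process inside container is denied",'
    '"Type":"MatchedPolicy","Source":"/bin/bash","Operation":"Process",'
    '"Resource":"/usr/bin/apt","Data":"syscall=SYS_EXECVE","Enforcer":"AppArmor",'
    '"Action":"Block","Result":"Permission denied"}',
    # Host default-posture denial (BPF LSM): trimmed from the page's example.
    '{"ClusterName":"default","HostName":"gke-my-first-cluster-1-default-pool-9144db50-81gb",'
    '"UID":204,"ProcessName":"/usr/sbin/sshd","PolicyName":"DefaultPosture",'
    '"Type":"MatchedHostPolicy","Source":"/usr/sbin/sshd","Operation":"Syscall",'
    '"Data":"syscall=SYS_SETUID userid=0","Enforcer":"BPFLSM","Action":"Block",'
    '"Result":"Operation not permitted"}',
    # Plain telemetry event (constructed): no PolicyName/Action/Enforcer fields.
    '{"ClusterName":"default","NamespaceName":"wordpress-mysql",'
    '"PodName":"wordpress-787f45786f-2q9wf","ContainerName":"wordpress",'
    '"ProcessName":"/bin/ls","Type":"ContainerLog","Source":"/bin/bash",'
    '"Operation":"Process","Resource":"/bin/ls","Data":"syscall=SYS_EXECVE",'
    '"Result":"Passed"}',
]


@dataclass
class Triage:
    kind: str                 # "telemetry" | "container-alert" | "host-alert"
    scope: str                # ns/pod/container for workloads, host name for nodes
    policy: Optional[str]
    action: Optional[str]     # "Block" / "Audit", None for telemetry
    enforcer: Optional[str]
    severity: int             # 0 when the event carries no Severity (e.g. DefaultPosture)
    tags: List[str] = field(default_factory=list)
    data: Dict[str, str] = field(default_factory=dict)


def parse_data(data: str) -> Dict[str, str]:
    """Split the space-separated 'key=value' Data string into a dict.
    Empty values (e.g. 'flags=') are kept as empty strings."""
    out: Dict[str, str] = {}
    for token in data.split():
        key, sep, value = token.partition("=")
        if sep:
            out[key] = value
    return out


def classify(line: str) -> Triage:
    """Alerts are the events that carry PolicyName; host alerts are distinguished
    by Type MatchedHostPolicy. Everything else is telemetry."""
    ev = json.loads(line)
    if "PolicyName" not in ev:
        kind = "telemetry"
    elif ev.get("Type") == "MatchedHostPolicy":
        kind = "host-alert"
    else:
        kind = "container-alert"
    if "NamespaceName" in ev:
        scope = f'{ev["NamespaceName"]}/{ev.get("PodName", "?")}/{ev.get("ContainerName", "?")}'
    else:
        scope = f'host:{ev.get("HostName", "?")}'
    # Prefer the structured ATags list; fall back to the comma-joined Tags string.
    tags = ev.get("ATags") or [t for t in ev.get("Tags", "").split(",") if t]
    try:
        severity = int(ev.get("Severity", 0))
    except ValueError:
        severity = 0
    return Triage(kind, scope, ev.get("PolicyName"), ev.get("Action"),
                  ev.get("Enforcer"), severity, tags, parse_data(ev.get("Data", "")))


def blocked_alerts(lines: List[str], min_severity: int = 0) -> List[Triage]:
    """Alerts whose Action is Block, i.e. the enforcer actually denied the operation.
    Audit alerts (Action "Audit") are deliberately excluded; keying on Action rather
    than Result also works across enforcers whose Result strings differ."""
    found = [classify(line) for line in lines]
    return [t for t in found if t.action == "Block" and t.severity >= min_severity]


if __name__ == "__main__":
    for t in (classify(line) for line in SAMPLE_LINES):
        print(f"{t.kind:16} {t.scope:50} policy={t.policy} action={t.action} "
              f"enforcer={t.enforcer} sev={t.severity} syscall={t.data.get('syscall')}")
```

Severity is compared as an integer because the field arrives as a string ("5"), and DefaultPosture denials carry no Severity at all; treating the missing value as 0 keeps them visible in `blocked_alerts()` unless a minimum severity is requested.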
| Log / Alert field | Description | Example |
| --- | --- | --- |
| ClusterName | the cluster for which the log or alert was generated | default |
| Operation | the type of operation observed in the pod | File / Process / Network (the host events above also show Syscall) |
| ContainerID | the ID of the container from which the log was generated | 7aca8d52d35ab7872df6a454ca32339386be |
| ContainerImage | the image that was used to spin up the container | |