Deployment Task

  • A walkthrough on how to use the Forensics control in order to audit command and activities inside a container.

Deployment Steps

Step 1: Prerequisites

  • Ensure that you have deployed Aqua Enforcers into your cluster as the Forensic control is for a Container Runtime Policy [1, 3];

Step 1: Add the Forensic Control to the Container Runtime Policy

  • Go to the Aqua UI > Policies > Runtime Policies > Add Policy > Container Runtime Policy and add the Forensics control to the policy > Save your policy.
    • In this guide, we will add the Forensics control to the "Aqua default runtime policy" to demonstrate the feature;

Step 2: Exec into a container and enter a command

  • Once your policy has been saved with the control, to demonstrate that commands entered in the container. are audited -- use the kubectl utility to exec into a container.
    • In this guide, the Sock shop microservices demo [2] was deployed in the cluster. We will exec into a rabbitmq container and run the command "lsblk" and exit from the container;

$ kubectl exec -it rabbitmq-7764597b7b-kzs9d -n sock-shop -- /bin/sh

# lsblk

sdb       8:16   0    8G  0 disk
`-sdb1    8:17   0    8G  0 part
sr0      11:0    1  690K  0 rom
sda       8:0    0  100G  0 disk
|-sda14   8:14   0    4M  0 part
|-sda15   8:15   0  106M  0 part
`-sda1    8:1    0 99.9G  0 part /etc/aquasec/policy

# exit

Step 3: Review the audit logs in the Aqua Console.

  • Go to the Aqua UI > Audit > filter using the ["Pod Name"] > rabbitmq-7764597b7b-kzs9d > and review the events that have been audited, specifically the "file exec". Upon clicking on the audit event, you will notice the recorded details of the command "lsblk";

  • As we had also checked the "Audit all network activity" option that was in the Forensic control, you can also review network activity from the said container - as rabbitmq is a message broker, the number of network activity events will be very high;

Related Information

  1. https://docs.aquasec.com/docs/container-runtime-policy-components#section-controls
  2. https://github.com/microservices-demo/microservices-demo
  3. https://docs.aquasec.com/docs/view-audit-events#section-command-based-audit-messages