

Merge pull request #108 from shaneboulden/oc-debug
Create a policy to detect 'oc debug'
SimonBaeumer authored Sep 30, 2024
2 parents 3625e6d + 2863f3a commit 812bc99
Showing 1 changed file with 58 additions and 0 deletions.
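--- /dev/null
+++ b/policies/oc-debug-runtime.json
@@ -0,0 +1,58 @@
+{
+"policies": [
+{
+"name": "Possible 'oc debug' access to pod",
+"description": "Detect attempts to access pods using 'oc debug'",
+"rationale": "'oc debug' can be used to access pod contents, potentially exposing sensitive data.",
+"remediation": "Review OpenShift audit logs to verify the user, and investigate whether this was legitimate trouble-shooting or malicious activity.",
+"disabled": false,
+"categories": [
+"Anomalous Activity"
+],
+"lifecycleStages": [
+"RUNTIME"
+],
+"eventSource": "DEPLOYMENT_EVENT",
+"exclusions": [],
+"scope": [],
+"severity": "HIGH_SEVERITY",
+"enforcementActions": [],
+"notifiers": [],
+"SORTName": "",
+"SORTLifecycleStage": "",
+"SORTEnforcement": false,
+"policyVersion": "1.1",
+"policySections": [
+{
+"sectionName": "Shell detection",
+"policyGroups": [
+{
+"fieldName": "Process Name",
+"booleanOperator": "OR",
+"negate": false,
+"values": [
+{
+"value": "^.*(sh)$"
+}
+]
+},
+{
+"fieldName": "Process UID",
+"booleanOperator": "OR",
+"negate": false,
+"values": [
+{
+"value": "0"
+}
+]
+}
+]
+}
+],
+"mitreAttackVectors": [],
+"criteriaLocked": false,
+"mitreVectorsLocked": false,
+"isDefault": false
+}
+]
+}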
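Review bot: The Process Name regex `^.*(sh)$` matches any executable whose basename ends in `sh` (`ssh`, `hash`, `flush`, ...) rather than only shells, and combined with the UID 0 match it will fire on every root shell in the cluster, including `oc rsh` or `kubectl exec`, not just `oc debug`; tighten it to an explicit shell list such as `"value": "^(sh|bash|zsh|dash|ash|ksh)$"`. Nothing in the criteria ties the event to `oc debug` itself; if this ACS version supports it, a `Deployment Name` group matching the `-debug` suffix that `oc debug` appears to append to the copied pod would make the detection far more specific, though the naming should be confirmed on the target cluster. Conversely, the UID 0 requirement will presumably miss a debug session that keeps the original pod's non-root security context, so either drop the UID group or state in the description that only root shells are covered. The `mitreAttackVectors` array is empty; tagging T1609 (Container Administration Command) would help triage.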

