Feature
Resolution: Unresolved
Critical
None
Goal Summary
The overarching goal is to enable the customer to replace their existing solution with ACS, so that they receive a comparable type of alert, particularly for file activity events, in time for an immediate audit deadline.
This release must provide a concrete, albeit restricted, version of the full solution that satisfies the customer's immediate needs and helps them meet their audit deadline.
Goals and expected user outcomes
- ACS shall monitor the following file paths (phase 1 = 4.10) for file activity events, whether initiated by a deployment or directly on the host:
  - /etc/shadow
  - /etc/passwd
  - /etc/ssh/sshd_config
  - /etc/sudoers
- Policy Configuration: The solution will provide a mechanism for the customer to configure policies for the monitored file paths.
- Noise reduction: Policy creation should offer criteria the customer can use to reduce noise.
  - For example: I want to receive all violations for the paths described above that are not initiated by MCO.
- Violations & Notifications: Customers will consume alerts through existing notifiers. Due to the significant effort required to bring file activity violations into the UI, this functionality will not be available in the 4.10 release. The focus is on providing the necessary data via notifiers.
- Scalability and Noise Handling: The solution's architecture must be designed to scale for a future increase in the number of monitored file paths. It should also handle and reduce noise from notifications that originate from multiple nodes.
- Alert Content: The alerts must capture all necessary context from the SFA agent and, if relevant, complement it with Kubernetes context to ensure the data is complete and useful for the customer.
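The goals above describe a policy that matches a fixed set of sensitive paths, excludes a known-good initiator (MCO), enriches each event with Kubernetes context, and collapses the same change seen on many nodes into one alert. The following is an added illustration of that evaluation logic, not ACS code: the event fields, the `Policy`/`Violation` types, the `daemonset/machine-config-daemon` initiator name used for MCO, and the sample events are all constructed assumptions.

```python
"""Hypothetical file-activity policy evaluator (added example; not ACS's own API)."""
from dataclasses import dataclass, field
from typing import Iterable

# The phase-1 paths listed in this ticket.
MONITORED_PATHS = frozenset({
    "/etc/shadow", "/etc/passwd", "/etc/ssh/sshd_config", "/etc/sudoers",
})


@dataclass(frozen=True)
class FileEvent:
    """One file activity event as an agent might report it (assumed shape)."""
    path: str
    node: str
    operation: str       # e.g. "write", "chmod"
    initiator: str       # "host" or a workload such as "deployment/debug-shell"
    namespace: str = ""  # Kubernetes context; empty for host-initiated changes
    process: str = ""


@dataclass(frozen=True)
class Policy:
    """Which paths to alert on and which initiators are considered expected noise."""
    paths: frozenset = MONITORED_PATHS
    excluded_initiators: frozenset = frozenset()

    def matches(self, ev: FileEvent) -> bool:
        return ev.path in self.paths and ev.initiator not in self.excluded_initiators


@dataclass
class Violation:
    """One alert: the same change, aggregated across the nodes that reported it."""
    path: str
    operation: str
    initiator: str
    namespace: str
    process: str
    nodes: list = field(default_factory=list)


def evaluate(policy: Policy, events: Iterable[FileEvent]) -> list:
    """Apply the policy, then fold identical changes from multiple nodes into one violation."""
    grouped: dict = {}
    for ev in events:
        if not policy.matches(ev):
            continue
        key = (ev.path, ev.operation, ev.initiator, ev.namespace, ev.process)
        v = grouped.setdefault(key, Violation(*key))
        if ev.node not in v.nodes:
            v.nodes.append(ev.node)
    return list(grouped.values())


def render_notification(v: Violation) -> str:
    """Plain-text payload suitable for an existing notifier (format is an assumption)."""
    where = f"{v.namespace}/{v.initiator}" if v.namespace else v.initiator
    return (f"FILE ACTIVITY: {v.operation} on {v.path} by {where} "
            f"(process={v.process or 'unknown'}) on nodes {', '.join(v.nodes)}")


# Constructed sample events: an MCO rollout touching sshd_config on three nodes,
# a direct host edit of /etc/shadow, a workload editing /etc/sudoers on two nodes,
# and an unmonitored path that should be ignored.
SAMPLE_EVENTS = [
    FileEvent("/etc/ssh/sshd_config", f"node-{n}", "write",
              "daemonset/machine-config-daemon", "openshift-machine-config-operator", "machine-config-daemon")
    for n in "abc"
] + [
    FileEvent("/etc/shadow", "node-a", "write", "host", "", "vi"),
    FileEvent("/etc/sudoers", "node-a", "write", "deployment/debug-shell", "default", "sh"),
    FileEvent("/etc/sudoers", "node-b", "write", "deployment/debug-shell", "default", "sh"),
    FileEvent("/etc/hosts", "node-b", "write", "host", "", "sed"),
]

# "All violations for the monitored paths that are not initiated by MCO."
NOT_MCO_POLICY = Policy(excluded_initiators=frozenset({"daemonset/machine-config-daemon"}))


def sample_violations() -> list:
    return evaluate(NOT_MCO_POLICY, SAMPLE_EVENTS)


if __name__ == "__main__":
    for v in sample_violations():
        print(render_notification(v))
```

With the constructed input, the three MCO writes are dropped, the `/etc/hosts` write never matches, and the two `/etc/sudoers` writes by the same workload become a single alert listing both nodes, which is the cross-node noise reduction the ticket asks for.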
Acceptance Criteria
- Customer Acknowledgment: Customer must acknowledge and agree to the proposed scope for the 4.10 release, which will be presented to them with both the immediate deliverables and the long-term vision.
- Customer is able to swap this solution for the other one and receive the same alerts
Success Criteria or KPIs measured
- Customer must test both solutions (existing and ACS) and ensure that the events received are the same
- Is related to: RFE-7472 File Integrity Monitoring for PCI-DSS (Approved)