Epic
Resolution: Unresolved
Support New Policy Criteria and Fields for Alerting on Host Path Activity
For 4.10, the UI is intended to support only configuration of File System policies, not display of File System violations.
New event source:
A Host event source for Runtime policies, alongside the existing Deployment and Audit Log event sources.
New criteria:
| Section | Attribute | Description | Allowed Values | Regex, NOT, AND, OR | Phase |
| File Activity* | File Path | Monitor sensitive host paths for activity indicating a modification attempt. | File path string (e.g. /etc/ssh/sshd_config) | X (not supported) | Runtime |
| File Activity* | File Operation | Monitor specific types of file operation. | One or more of: | Negation supported | Runtime |
* New section.
** Policy Criteria for Sensitive File Activity (docs)
Scoping
Only events that occur within a Kubernetes context are affected by inclusion scopes; host-level events with no Kubernetes context are always reported.
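As an added example (not code from this page or from the product), the following Go program models how the two new criteria and the scoping rule above combine when a host file event is evaluated: File Path is an exact match because regex is not supported, File Operation is a set with optional negation, and an inclusion scope only constrains events that carry a Kubernetes context. The policy and event shapes, the namespace-based scope, the field names and the sample events are assumptions constructed for illustration; the operation names are the ones listed in the violation fields below.

```go
package main

import "fmt"

// FileOperation mirrors the values listed for the file_operation violation field.
type FileOperation string

const (
	OpWrite   FileOperation = "WRITE"
	OpCreate  FileOperation = "CREATE"
	OpUnlink  FileOperation = "UNLINK"
	OpRename  FileOperation = "RENAME"
	OpSetAttr FileOperation = "SETATTR"
)

// FileEvent is a constructed stand-in for a host file activity event carrying a
// subset of the violation fields. An empty DeploymentID means the event has no
// Kubernetes context (e.g. a process started directly on the node over SSH).
type FileEvent struct {
	NodeName, FilePath, ProcessName string
	Operation                       FileOperation
	IsExternalMount                 bool
	Namespace, DeploymentID         string
}

func (e FileEvent) InKubernetesContext() bool { return e.DeploymentID != "" }

// FileActivityCriteria models the two new criteria: an exact File Path (the spec
// lists no regex support for it) and a File Operation set with optional negation
// ("NOT SETATTR" is Operations=[SETATTR], NegateOps=true).
type FileActivityCriteria struct {
	FilePath   string
	Operations []FileOperation
	NegateOps  bool
}

// Policy pairs the criteria with an inclusion scope over namespaces. This is a
// hypothetical shape for the example; an empty IncludeNamespaces means every namespace.
type Policy struct {
	Name              string
	Criteria          FileActivityCriteria
	IncludeNamespaces []string
}

// inScope applies the scoping rule: inclusion scopes only constrain events that
// carry a Kubernetes context; host-level events are always considered.
func (p Policy) inScope(e FileEvent) bool {
	if !e.InKubernetesContext() || len(p.IncludeNamespaces) == 0 {
		return true
	}
	for _, ns := range p.IncludeNamespaces {
		if ns == e.Namespace {
			return true
		}
	}
	return false
}

// operationMatches evaluates the operation set, honouring negation.
func (c FileActivityCriteria) operationMatches(op FileOperation) bool {
	if len(c.Operations) == 0 {
		return true // no operation filter configured
	}
	listed := false
	for _, o := range c.Operations {
		if o == op {
			listed = true
		}
	}
	return listed != c.NegateOps // negation flips the result
}

// Evaluate reports whether the event violates the policy.
func (p Policy) Evaluate(e FileEvent) bool {
	if !p.inScope(e) {
		return false
	}
	if p.Criteria.FilePath != "" && p.Criteria.FilePath != e.FilePath {
		return false
	}
	return p.Criteria.operationMatches(e.Operation)
}

// Violations returns the events that violate the policy, in input order.
func Violations(p Policy, events []FileEvent) []FileEvent {
	var out []FileEvent
	for _, e := range events {
		if p.Evaluate(e) {
			out = append(out, e)
		}
	}
	return out
}

// SamplePolicy alerts on any operation except SETATTR on sshd_config and is
// scoped to the "payments" namespace for container-originated events.
func SamplePolicy() Policy {
	return Policy{
		Name: "sshd config modified",
		Criteria: FileActivityCriteria{
			FilePath: "/etc/ssh/sshd_config", Operations: []FileOperation{OpSetAttr}, NegateOps: true,
		},
		IncludeNamespaces: []string{"payments"},
	}
}

// SampleEvents are constructed for this example, not captured from a cluster.
func SampleEvents() []FileEvent {
	const cfg = "/etc/ssh/sshd_config"
	return []FileEvent{
		{NodeName: "node-a", FilePath: cfg, Operation: OpWrite, ProcessName: "vim"},                                              // host edit: always in scope
		{NodeName: "node-a", FilePath: cfg, Operation: OpWrite, IsExternalMount: true, Namespace: "payments", DeploymentID: "dep-1", ProcessName: "sh"}, // in scope
		{NodeName: "node-b", FilePath: cfg, Operation: OpWrite, IsExternalMount: true, Namespace: "dev", DeploymentID: "dep-2", ProcessName: "sh"},      // excluded by scope
		{NodeName: "node-a", FilePath: cfg, Operation: OpSetAttr, ProcessName: "chmod"},                                         // negated operation
		{NodeName: "node-a", FilePath: "/etc/hosts", Operation: OpWrite, ProcessName: "vim"},                                    // other path
	}
}

func main() {
	p := SamplePolicy()
	for _, e := range Violations(p, SampleEvents()) {
		fmt.Printf("%s: %s %s by %s on %s (k8s context: %t)\n", p.Name, e.Operation, e.FilePath, e.ProcessName, e.NodeName, e.InKubernetesContext())
	}
}
```

Running it reports two violations: the host-level vim write (no Kubernetes context, so the scope does not apply) and the write from the deployment in the "payments" namespace. The same write from the "dev" namespace is dropped by the scope, the chmod is dropped by the negated SETATTR, and the /etc/hosts write fails the exact path match.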
Violation Fields
These fields extend the fields of the ProcessIndicator API used for Runtime process alerts. See also the documentation on responding to violations.
| Field Name | Type | Description | CrowdStrike equivalent (per the attached "Crownstrike analysis - spec suggestion for FIO" PDF by Lakhdar HAMMACHE) |
| cluster_id | string | ID of the cluster. | |
| node_name | string | Hostname | ComputerName |
| time | google.protobuf.Timestamp | The time of occurrence. | timestamp |
| file_event_type | string | Type of file event (FILE_INTEGRITY) | |
| file_path | string | The file path. | ObjectName |
| file_operation | string | The operation detected (WRITE, CREATE, UNLINK, RENAME, SETATTR). | ObjectAccessOperationType |
| is_external_mount | boolean | True if the file is from a namespace that differs from the process root mount namespace. | IsFromDifferentMountNamespace |
| namespace | string | K8s namespace (if any) | |
| deployment_id | string | K8s deployment ID (if any) | |
| pod_id | string | K8s pod ID (if any) | |
| container_name | string | Name of the process container (if any) | |
| image_id | string | Image used by process container (if any) | |
| container_id | string | ID of the process container (if any) | |
| process_name | string | The name of the process. | ImageFileName |
| args | string | The arguments passed to the process. | CommandLine |
| exec_file_path | string | The file path of the process executable. | |
| pid | uint32 | The host process ID. | RawProcessId |
| uid | uint32 | The real user ID. | RUID |
| gid | uint32 | The real group ID. | |
| username | string | The username. | |
| parent_uid[] | uint32 | The user ID of the i-th parent process. | |
| parent_exec_file_path[] | string | The executable file path of the i-th parent process. | ParentImageFileName / GrandparentImageFileName |
Details to be available in the alert description.