Exercise 6 - Inspecting audit logs
You're about to finish up day three of the engagement at ACME and have the lid halfway closed on your ACME-provided CrapPhablet7000™ laptop for the day when you hear it. An incoming Skype for Business call 😰
Here we go...
Lifting the lid with a resigned sigh, you answer. It's Angie. She's looking aggrieved and, in a huff, explains that someone has apparently deleted an important company project and she needs to figure out who. She's worried that someone has permissions they shouldn't, or that there is an insider threat.
Fear not, you tell Angie: Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself.
So we just need to inspect the audit logs and we should be able to find our culprit!

6.1 - Needle in a haystack
On the call Angie starts sharing her screen and logging into the ACME Elasticsearch instance to query the audit logs, but you interrupt her and explain that the cluster hasn't yet been configured to ship logs to an external aggregator.
Despite this, you explain, the audit logs the API servers write locally on the control-plane nodes can still be queried using the oc CLI, and you fire up your own screen share to step her through how it's done.
The namespace Angie needs to query is prd-acme-experimental. Can you track down our threat actor?
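The search the screen share walks through, as an added example written for this page rather than taken from it or from the event team's material. It assumes the audit logs have already been pulled off the control-plane nodes, for instance with oc adm node-logs --role=master --path=openshift-apiserver/audit.log (and the kube-apiserver/audit.log counterpart), and saved as one JSON audit Event per line; it then runs against a constructed set of events whose user names, IPs, audit IDs and timestamps are invented. It checks both shapes a project deletion can take (the projects.project.openshift.io delete that oc delete project issues, and the namespace delete recorded by kube-apiserver), keeps only the ResponseComplete stage so each request is counted once, and separates an allowed deletion from a denied attempt using the HTTP status and the authorization.k8s.io/decision annotation the API server adds.

```python
"""Who deleted the project? Added example, not code from the hackathon page.

Every event below is constructed for illustration; user names, IPs, IDs and
timestamps are invented. Real input is one JSON audit Event per line, as
written by openshift-apiserver and kube-apiserver on the control-plane nodes.
"""
import json

# `oc delete project X` is a delete of projects.project.openshift.io (served by
# openshift-apiserver); the namespace delete that follows is logged separately
# by kube-apiserver. Match both shapes so neither log can hide the event.
PROJECT_RESOURCES = {("project.openshift.io", "projects"), ("", "namespaces")}


def parse_events(lines):
    """Yield audit Events; blank or non-JSON lines are skipped, not fatal."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("kind") == "Event":
            yield ev


def find_project_deletions(lines, project):
    """One record per delete request aimed at *project*, oldest first.

    Only ResponseComplete is kept: RequestReceived shares its auditID with it,
    and only the final stage carries the HTTP status and authorizer decision.
    """
    hits = []
    for ev in parse_events(lines):
        ref = ev.get("objectRef") or {}
        if ev.get("verb") != "delete" or ev.get("stage") != "ResponseComplete":
            continue
        if (ref.get("apiGroup", ""), ref.get("resource")) not in PROJECT_RESOURCES:
            continue
        if ref.get("name") != project:
            continue
        ann = ev.get("annotations") or {}
        hits.append({
            "time": ev.get("stageTimestamp", ""),
            "user": ev["user"]["username"],
            "groups": ev["user"].get("groups", []),
            "source_ips": ev.get("sourceIPs", []),
            "user_agent": ev.get("userAgent", ""),
            "resource": ref.get("resource"),
            "status": (ev.get("responseStatus") or {}).get("code"),
            "decision": ann.get("authorization.k8s.io/decision", "unknown"),
        })
    return sorted(hits, key=lambda h: h["time"])


def culprits(hits):
    """Human principals whose delete was allowed and succeeded (2xx status)."""
    return sorted({h["user"] for h in hits
                   if h["decision"] == "allow" and h["status"] is not None
                   and 200 <= h["status"] < 300 and not h["user"].startswith("system:")})


def _event(audit_id, stage, verb, user, groups, ip, agent, group, resource, name, code, decision, ts):
    """Build one constructed audit Event line in the shape the API servers write."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
          "auditID": audit_id, "stage": stage, "verb": verb,
          "user": {"username": user, "groups": groups}, "sourceIPs": [ip],
          "userAgent": agent, "objectRef": {"resource": resource, "name": name},
          "requestReceivedTimestamp": ts, "stageTimestamp": ts}
    if group:
        ev["objectRef"]["apiGroup"] = group
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"code": code}
        ev["annotations"] = {"authorization.k8s.io/decision": decision}
    return json.dumps(ev)


PROJECT = "prd-acme-experimental"
ADMINS = ["system:authenticated", "system:cluster-admins"]
SAMPLE_AUDIT_LINES = [  # constructed: both log shapes plus some noise
    _event("a1", "RequestReceived", "delete", "dave", ADMINS, "10.0.2.15", "oc/4.12.0",
           "project.openshift.io", "projects", PROJECT, None, None, "2023-06-14T06:42:11.100Z"),
    _event("a1", "ResponseComplete", "delete", "dave", ADMINS, "10.0.2.15", "oc/4.12.0",
           "project.openshift.io", "projects", PROJECT, 200, "allow", "2023-06-14T06:42:11.250Z"),
    _event("a2", "ResponseComplete", "get", "angie", ["system:authenticated"], "10.0.2.40",
           "Mozilla/5.0", "project.openshift.io", "projects", PROJECT, 200, "allow", "2023-06-14T06:40:00.000Z"),
    _event("a3", "ResponseComplete", "delete", "dave", ADMINS, "10.0.2.15", "oc/4.12.0",
           "project.openshift.io", "projects", "prd-acme-billing", 200, "allow", "2023-06-14T06:42:30.000Z"),
    _event("a4", "ResponseComplete", "delete", "system:serviceaccount:openshift-apiserver:openshift-apiserver-sa",
           ["system:serviceaccounts", "system:authenticated"], "10.0.1.3", "openshift-apiserver/v0.0.0",
           "", "namespaces", PROJECT, 200, "allow", "2023-06-14T06:42:11.300Z"),
    _event("a5", "ResponseComplete", "delete", "eve", ["system:authenticated"], "10.0.2.77",
           "kubectl/v1.25.0", "project.openshift.io", "projects", PROJECT, 403, "forbid", "2023-06-14T05:58:03.000Z"),
    "",          # blank line, as between node-logs chunks
    "not json",  # junk must be skipped, not abort the search
]

if __name__ == "__main__":
    found = find_project_deletions(SAMPLE_AUDIT_LINES, PROJECT)
    for h in found:
        print(f'{h["time"]} {h["decision"]:7} {h["status"]} {h["resource"]:10} '
              f'{h["user"]} from {",".join(h["source_ips"])} via {h["user_agent"]}')
    print("culprit(s):", culprits(found))
```

On a real cluster, replace SAMPLE_AUDIT_LINES with the lines of the saved log files; the equivalent one-liner in jq is select(.verb=="delete" and .objectRef.name=="prd-acme-experimental"). Don't stop at the username: the sourceIPs and userAgent tell you whether the request came from an interactive oc session on a workstation or from an automation client, a 403 with decision forbid is an attempt worth recording even though it failed, and a system:serviceaccount: principal in one API server's log is a cue to look for the originating human request in the other.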
Documentation you may find helpful is:
6.2 - Removing the culprit
With the culprit identified, Angie is aghast to discover it was one of her colleagues in the ACME OpenShift Platform team.
Angie instructs you to remove their platform access immediately, so that they can no longer log in to OpenShift, while a formal investigation is initiated to determine why the sensitive project was deleted.
Documentation you may find helpful is:
6.3 - Check your work
If you've successfully identified the culprit and removed their platform access, please post in #event-anz-ocp-security-hackathon with the message:
Please review [team name] solution for exercise 6, the culprit for the project deletion no longer has access to our OpenShift cluster.
This exercise is worth 25 points. The event team will reply in Slack to confirm your updated team total score 🎉