...
- File Integrity Monitoring: Any changes to the systems folders should be monitored/audited.
- Reverse Shell execution
- Use of security-sensitive primitives: setuid(), setgid(), chmod(), chown()
- Updates to root certificates folder
- Use of kubectl exec to gain shell access in the pod
- Privilege escalation attempted
- Monitor for external network access
- Suspicious IP detection (e.g. using the Feodo Blocked IP List)
- Monitor for use of DGA (Domain Generation Algorithm) domains in the workload
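As an added illustration (not part of the original document), the detection rules in the list above run over a handful of constructed workload events; the event schema, the sample values and the blocklist entry are all assumptions made for the example, and the DGA check is a simple length-plus-entropy heuristic rather than a full classifier.

```python
import math
from collections import Counter

# Constructed sample events in a hypothetical normalized format (not any real agent's schema)
SAMPLE_EVENTS = [
    {"type": "syscall", "pid": 101, "name": "setuid"},
    {"type": "file_write", "pid": 101, "path": "/etc/ssl/certs/injected-ca.crt"},
    {"type": "k8s_audit", "verb": "create", "resource": "pods", "subresource": "exec", "user": "dev@example.com"},
    {"type": "dns", "pid": 103, "query": "xk3j9q2ldnvb7.com"},
    {"type": "dns", "pid": 103, "query": "updates.example.org"},
    {"type": "connect", "pid": 104, "dst": "203.0.113.5", "port": 443},
    {"type": "connect", "pid": 104, "dst": "10.0.0.8", "port": 5432},
]

SENSITIVE_SYSCALLS = {"setuid", "setgid", "chmod", "chown"}
ROOT_CERT_DIRS = ("/etc/ssl/certs/", "/usr/local/share/ca-certificates/")
# Placeholder standing in for a threat feed such as the Feodo blocklist (constructed, TEST-NET-3 address)
BLOCKED_IPS = {"203.0.113.5"}

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_like_dga(fqdn, min_len=12, min_entropy=3.5):
    # Heuristic only: a long, high-entropy registrable label is typical of DGA output
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy

def detect(events):
    """Return (rule, detail) pairs for events matching the monitoring items above."""
    hits = []
    for e in events:
        t = e["type"]
        if t == "syscall" and e["name"] in SENSITIVE_SYSCALLS:
            hits.append(("sensitive-primitive", f"pid {e['pid']} called {e['name']}()"))
        elif t == "file_write" and e["path"].startswith(ROOT_CERT_DIRS):
            hits.append(("root-cert-update", e["path"]))
        elif t == "k8s_audit" and e["verb"] == "create" and e.get("subresource") == "exec":
            hits.append(("kubectl-exec", e["user"]))  # exec into a pod shows up as create on pods/exec
        elif t == "dns" and looks_like_dga(e["query"]):
            hits.append(("dga-domain", e["query"]))
        elif t == "connect" and e["dst"] in BLOCKED_IPS:
            hits.append(("blocked-ip", f"{e['dst']}:{e['port']}"))
    return hits

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:20} {detail}")
```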
Application Performance Monitoring:
...
- Network segmentation and enforcing least-privilege network access
- Enforce process whitelisting
- Enforce least-permissive access to sensitive assets. All volume mount points can be considered sensitive assets.
- Enforce least-permissive, process-based network control. Only allow a defined set of processes to communicate over the network.
Protection: Enforcing Network Protection
TODO
Workload Forensics
...
- Enforce ingress/egress controls using CIDRSets, domain names, and protocols/ports
- Auto-discover network protection rules.
Workload Forensics
- Workload process monitoring
- Workload sensitive-asset access
- External network exposure of workloads
- Ability to query forensic details for a specified time window within the past X days.
charisse lu Should we create security guidelines for workload creators?
...