Commit

fix the rule to detect the exec in EKS
Signed-off-by: Thomas Labarussias <[email protected]>
Issif authored and poiana committed Jan 22, 2025
1 parent 7e92fd6 commit 42e49c7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion plugins/k8saudit/rules/k8s_audit_rules.yaml
Expand Up @@ -335,7 +335,7 @@
- rule: Attach/Exec Pod
desc: >
Detect any attempt to attach/exec to a pod
condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
condition: kevt_started and pod_subresource and (kcreate or kget) and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name resource=%ka.target.resource ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
priority: NOTICE
source: k8s_audit
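Review bot: the `output` line has no verb field, so once the condition accepts `(kcreate or kget)` an alert raised by a get request is indistinguishable from one raised by a create; consider adding `verb=%ka.verb` to `output`. Neither `desc` nor a comment in the rule says why the get verb has to be matched (the commit message only mentions EKS), so a short note there would keep the `kget` branch from being dropped in a later cleanup. It is also worth confirming that the exceptions behind `user_known_exec_pod_activities` do not assume the create verb, since that macro now filters both cases.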