From 42e49c7d89e60e6b3fb9d0cd52e4a588608fe0a9 Mon Sep 17 00:00:00 2001
From: Thomas Labarussias
Date: Fri, 17 Jan 2025 18:48:15 +0100
Subject: [PATCH] fix the rule to detect the exec in EKS

Signed-off-by: Thomas Labarussias
---
 plugins/k8saudit/rules/k8s_audit_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/k8saudit/rules/k8s_audit_rules.yaml b/plugins/k8saudit/rules/k8s_audit_rules.yaml
index 731ee03b..3cdddc6e 100644
--- a/plugins/k8saudit/rules/k8s_audit_rules.yaml
+++ b/plugins/k8saudit/rules/k8s_audit_rules.yaml
@@ -335,7 +335,7 @@
 - rule: Attach/Exec Pod
 desc: >
 Detect any attempt to attach/exec to a pod
- condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
+ condition: kevt_started and pod_subresource and (kcreate or kget) and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
 output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name resource=%ka.target.resource ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
 priority: NOTICE
 source: k8s_audit
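Review bot: The widened verb match `(kcreate or kget)` on the condition line carries no explanation, so a later cleanup could drop `kget` as a harmless read verb and silently lose exec/attach detection again. Consider a comment above the rule such as `# exec/attach may be audited as verb=get (e.g. WebSocket-based sessions, as seen on EKS) as well as create; keep both`, and extend `desc` to say that both verbs are covered. The diffstat shows only the rules file changing, so no sample audit event for the GET form accompanies the fix; a regression fixture would guard against losing this coverage. The `kget` macro and anything after `source: k8s_audit` lie outside the hunk, so its definition (presumably `ka.verb=get`) should be confirmed.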