1+ {
2+ "policies" : [
3+ {
4+ "name" : " Possible 'oc debug' access to pod"
5+ "description" : " Detect attempts to access pods using 'oc debug'"
6+ "rationale" : " 'oc debug' can be used to access pod contents, potentially exposing sensitive data."
7+ "remediation" : " Review OpenShift audit logs to verify the user, and investigate whether this was legitimate trouble-shooting or malicious activity."
8+ "disabled" : false ,
9+ "categories" : [
10+ " Anomalous Activity"
11+ ],
12+ "lifecycleStages" : [
13+ " RUNTIME"
14+ ],
15+ "eventSource" : " DEPLOYMENT_EVENT"
16+ "exclusions" : [],
17+ "scope" : [],
18+ "severity" : " HIGH_SEVERITY"
19+ "enforcementActions" : [],
20+ "notifiers" : [],
21+ "SORTName" : " "
22+ "SORTLifecycleStage" : " "
23+ "SORTEnforcement" : false ,
24+ "policyVersion" : " 1.1"
25+ "policySections" : [
26+ {
27+ "sectionName" : " Shell detection"
28+ "policyGroups" : [
29+ {
30+ "fieldName" : " Process Name"
31+ "booleanOperator" : " OR"
32+ "negate" : false ,
33+ "values" : [
34+ {
35+ "value" : " ^.*(sh)$"
36+ }
37+ ]
38+ },
39+ {
40+ "fieldName" : " Process UID"
41+ "booleanOperator" : " OR"
42+ "negate" : false ,
43+ "values" : [
44+ {
45+ "value" : " 0"
46+ }
47+ ]
48+ }
49+ ]
50+ }
51+ ],
52+ "mitreAttackVectors" : [],
53+ "criteriaLocked" : false ,
54+ "mitreVectorsLocked" : false ,
55+ "isDefault" : false
56+ }
57+ ]
58+ }
0 commit comments