Violations Flashcards
What types of security findings are possible with ACS?
1) Vulnerabilities
2) violations of DevOps best practices
3) high-risk build and deployment practices
4) suspicious runtime behaviors
What are violations?
1) Records of each specific time an enabled policy's criteria have been met.
2) A "stream" of events that have occurred.
What are some typical attacker goals?
1) gain a foothold
2) maintain a presence
3) move laterally
4) exfiltrate data
Key ACS violation operations
view policy violations
drill down to the actual cause of the violation
take corrective actions.
When is a violation reported?
When an enabled policy fails, i.e. a deployment meets the policy's criteria.
What forensic data is needed for a runtime violation?
who, what, when, where, and why
Are violations per deployments or pods?
deployments
What happens if you do not resolve a violation in a deployment, or if the same violation happens again?
The new events and details are summarized in the same violation rather than creating a new one.
What tabs do I see when I select a violation?
Policy
Deployment
Violation (events)
What information do I see when I click on the policy tab of a violation?
description
rationale
guidance
lifecycle stage (deploy, build, runtime)
What is the difference between runtime violation events and deployment violation events?
Runtime violation events include a lot more information than deployment violation events.
What information is shown in a runtime violation event?
1) Binaries
2) First occurrence
3) Last occurrence
4) User ID
5) Arguments
6) Time
7) Container ID
Missing: enforcement
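The per-deployment grouping rule above (repeat events for an unresolved violation are folded into the same violation, tracked by first and last occurrence) and the who/what/when/where/why forensic fields can be illustrated with a small model. This is an added example, not ACS or StackRox code and not its API schema: the event and violation field names follow the flashcards, while the function names, the record layout, the policy names and the deployments in the sample stream are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class RuntimeEvent:
    """One process observation; fields are named after the flashcards (constructed layout)."""
    deployment: str     # where: the deployment (not the pod) the process ran in
    policy: str         # why: the enabled policy whose criteria were met
    binary: str         # what: the executed binary
    args: str           # what: its arguments
    user_id: int        # who: UID the process ran as
    container_id: str   # where: the container inside the deployment
    time: datetime      # when


@dataclass
class Violation:
    """Per-deployment, per-policy record that summarizes repeated events."""
    deployment: str
    policy: str
    first_occurrence: datetime
    last_occurrence: datetime
    events: list = field(default_factory=list)


def group_events(events):
    """Fold a stream of runtime events into violations.

    Grouping key is (deployment, policy): while a violation is unresolved,
    repeat events for that deployment and policy are absorbed into it, so only
    the last occurrence and the event list grow.  Returns a dict keyed by that tuple.
    """
    violations = {}
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.deployment, ev.policy)
        v = violations.get(key)
        if v is None:
            violations[key] = Violation(ev.deployment, ev.policy, ev.time, ev.time, [ev])
        else:
            v.last_occurrence = max(v.last_occurrence, ev.time)
            v.events.append(ev)
    return violations


def forensic_summary(v):
    """Answer who / what / when / where / why for one violation from its events."""
    return {
        "who": sorted({e.user_id for e in v.events}),
        "what": sorted({f"{e.binary} {e.args}".strip() for e in v.events}),
        "when": (v.first_occurrence.isoformat(), v.last_occurrence.isoformat()),
        "where": {"deployment": v.deployment,
                  "containers": sorted({e.container_id for e in v.events})},
        "why": v.policy,
        "occurrences": len(v.events),
    }


def _ts(hour, minute):
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample stream (assumed names): one deployment trips the same
# policy twice and a second policy once; another deployment trips the first
# policy.  Expect three violations, with the repeat folded into the first.
SAMPLE_EVENTS = [
    RuntimeEvent("payments-api", "Shell spawned in container", "/bin/sh", "-c id", 0, "c1a2", _ts(9, 5)),
    RuntimeEvent("payments-api", "Shell spawned in container", "/bin/bash", "-i", 0, "c1a2", _ts(9, 42)),
    RuntimeEvent("payments-api", "Package manager executed", "/usr/bin/apt-get", "install curl", 0, "c1a2", _ts(9, 50)),
    RuntimeEvent("web-frontend", "Shell spawned in container", "/bin/sh", "", 1001, "d7e8", _ts(9, 20)),
]


if __name__ == "__main__":
    for (dep, pol), v in group_events(SAMPLE_EVENTS).items():
        print(dep, "|", pol, "|", forensic_summary(v))
```

Running the block prints one line per violation; the two shell events in payments-api share a single violation whose first and last occurrence span 09:05 to 09:42, which is exactly the "same violation, more events" behaviour the flashcard describes.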
What information is shown in a deployment violation event?
A list of events, each a single text line containing the severity, the component, the container name, the component version that includes the fix, and the policy enforcement.
How do you use runtime incidents as learning opportunities to improve security?
By applying the remediation steps that are included with each violation.