sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

SYS.1.6.A24 #24

Open sluetze opened 10 months ago

sluetze commented 1 month ago

The behavior of the containers and the applications or services operating within them SHOULD be monitored.

ACS offers policies that monitor behavior. Baselining enables the definition of the desired behavior, and policies enable the reaction to undesirable behavior (i.e. behavior that does not exist in the baseline).

Deviations from normal behavior SHOULD be noticed and reported.

The policies provided by ACS alert via OpenShift Monitoring. Furthermore, ACS maintains a history of all violations.

Reports SHOULD be handled appropriately in the central security incident handling process.

This requirement must be implemented organizationally.

Note: The alerts from OpenShift monitoring must be forwarded to the system used by the central process for handling security incidents. The usual alert manager methods are available for this. OpenShift provides email and Slack integration. The community offers further integration such as in Teams. If necessary, an integration can be developed that receives the alert manager's webhook and forwards it appropriately to the external system.

The behavior to be monitored SHOULD include at least:

network connections,

created processes,

file system accesses and

kernel requests (syscalls).

At the host level, Red Hat CoreOS supports auditd, which is enabled by default. Policies for auditd can include network connections, created processes, file accesses and syscalls. Red Hat CoreOS provides many sample policies that cover all of the areas described.

ACS offers alerting on network connections, created processes and kernel requests. File access is not covered by ACS policies.

In addition, the files on the RHCOS nodes can be checked cryptographically with the Advanced Intrusion Detection Environment (AIDE) via the File Integrity Operator provided by Red Hat, and changes to files can be detected [FileIntegrity].
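The forwarding integration the comment mentions (a receiver for the Alertmanager webhook that hands alerts to the external incident system), as an added example that is not part of the issue, of ComplianceAsCode or of any Red Hat product: it parses the webhook body, keeps Alertmanager's fingerprint as a deduplication key so repeat notifications of one violation collapse into one record, and closes the record when the resolved notification arrives. The request-body layout (version "4", `alerts[]` with `status`, `labels`, `annotations`, `startsAt`/`endsAt`, `generatorURL`, `fingerprint`) is the one Alertmanager documents for webhook receivers; the severity-to-priority table, the record fields, the bearer token, the alert names and the sample payload are constructed assumptions.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime
from http.server import BaseHTTPRequestHandler
from typing import Dict, List, Optional

# Assumed mapping from the "severity" label to the incident system's priority scale;
# unknown severities land on the lowest tier instead of being dropped.
SEVERITY_TO_PRIORITY = {"critical": "P1", "warning": "P3", "info": "P4"}

# Assumed shared secret; Alertmanager presents it when webhook_configs.http_config
# carries "authorization: {credentials: ...}". Load it from a Secret in real use.
EXPECTED_BEARER = "replace-with-secret-token"

_RFC3339 = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

def parse_rfc3339(value: str) -> Optional[datetime]:
    """Parse an Alertmanager timestamp; Go's zero time (0001-01-01) means 'still firing'."""
    match = _RFC3339.match(value)
    if not match:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    base, frac, tz = match.groups()
    if base.startswith("0001-01-01T00:00:00"):
        return None
    # Go emits nanoseconds; datetime carries microseconds, so truncate or pad to six digits.
    digits = (frac or ".")[1:][:6].ljust(6, "0")
    return datetime.fromisoformat(f"{base}.{digits}{'+00:00' if tz == 'Z' else tz}")

def stable_fingerprint(labels: Dict[str, str]) -> str:
    # Deduplication key for alerts that arrive without Alertmanager's own fingerprint.
    canonical = json.dumps(labels, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def build_incidents(payload: dict) -> List[dict]:
    """One incident record per alert in a webhook body; a resolved alert closes its record."""
    if payload.get("version") != "4":
        raise ValueError(f"unsupported webhook version {payload.get('version')!r}")
    records = []
    for alert in payload.get("alerts", []):
        labels = alert.get("labels", {})
        annotations = alert.get("annotations", {})
        started = parse_rfc3339(alert["startsAt"])
        ended = parse_rfc3339(alert.get("endsAt", "0001-01-01T00:00:00Z"))
        records.append({
            "dedup_key": alert.get("fingerprint") or stable_fingerprint(labels),
            "state": "resolved" if alert.get("status") == "resolved" else "open",
            "priority": SEVERITY_TO_PRIORITY.get(labels.get("severity", "").lower(), "P4"),
            "title": labels.get("alertname", "unnamed alert"),
            "summary": annotations.get("summary") or annotations.get("description", ""),
            "cluster": labels.get("cluster", "unknown"),
            "namespace": labels.get("namespace"),
            "opened_at": started.isoformat() if started else None,
            "closed_at": ended.isoformat() if ended else None,
            "link": alert.get("generatorURL"),
        })
    return records

class AlertmanagerReceiver(BaseHTTPRequestHandler):
    """Endpoint for webhook_configs.url; serve it with http.server.HTTPServer."""

    def forward(self, record: dict) -> None:
        print(json.dumps(record))  # stand-in for the incident system's client

    def do_POST(self) -> None:
        presented = self.headers.get("Authorization", "")
        if not hmac.compare_digest(presented, f"Bearer {EXPECTED_BEARER}"):
            self.send_error(401)
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            records = build_incidents(json.loads(self.rfile.read(length)))
        except (ValueError, KeyError) as exc:
            self.send_error(400, str(exc))  # malformed body: reject rather than have Alertmanager retry
            return
        for record in records:
            self.forward(record)
        self.send_response(200)
        self.end_headers()

# Constructed sample body (group-level fields trimmed); alert names are made up.
SAMPLE_PAYLOAD = {
    "version": "4", "status": "firing", "receiver": "security-incidents",
    "groupLabels": {"alertname": "ExampleContainerBehaviourViolation"},
    "alerts": [
        {"status": "firing", "fingerprint": "7c3d9a1b2e4f5a6b",
         "labels": {"alertname": "ExampleContainerBehaviourViolation", "severity": "critical",
                    "namespace": "payments", "cluster": "prod-eu"},
         "annotations": {"summary": "Process not in the deployment's baseline"},
         "startsAt": "2024-05-06T07:08:09.123456789Z", "endsAt": "0001-01-01T00:00:00Z",
         "generatorURL": "https://alertmanager.example.internal/#/alerts"},
        {"status": "resolved",  # no fingerprint: exercises the fallback key
         "labels": {"alertname": "ExampleNodeAuditBacklog", "severity": "warning", "cluster": "prod-eu"},
         "annotations": {"description": "auditd backlog drained"},
         "startsAt": "2024-05-06T07:00:00Z", "endsAt": "2024-05-06T07:30:00Z"},
    ],
}

if __name__ == "__main__":
    for record in build_incidents(SAMPLE_PAYLOAD):
        print(json.dumps(record, indent=2))
```

Two points matter for the incident process: the webhook receiver only sees the close of a violation if `send_resolved` is left enabled for the receiver, and because Alertmanager re-sends firing alerts at each `repeat_interval`, the external system has to deduplicate on the fingerprint rather than open a new ticket per notification. Authenticating the endpoint (here a bearer token compared in constant time) keeps anyone who can reach the webhook from injecting fake violations into the incident queue.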