Files
Anthropic-Cybersecurity-Skills/skills/analyzing-kubernetes-audit-logs/SKILL.md
T

50 lines
1.5 KiB
Markdown

---
name: analyzing-kubernetes-audit-logs
description: >
Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret
access, RBAC modifications, privileged pod creation, and anonymous API access. Builds
threat detection rules from audit event patterns. Use when investigating Kubernetes
cluster compromise or building k8s-specific SIEM detection rules.
domain: cybersecurity
subdomain: container-security
tags: [analyzing, kubernetes, audit, logs]
version: "1.0"
author: mahipal
license: MIT
---
# Analyzing Kubernetes Audit Logs
## Instructions
Parse Kubernetes audit log files (JSON lines format) to detect security-relevant
events including unauthorized access, privilege escalation, and data exfiltration.
```python
import json
with open("/var/log/kubernetes/audit.log") as f:
for line in f:
event = json.loads(line)
verb = event.get("verb")
resource = event.get("objectRef", {}).get("resource")
user = event.get("user", {}).get("username")
if verb == "create" and resource == "pods/exec":
print(f"Pod exec by {user}")
```
Key events to detect:
1. pods/exec and pods/attach (shell into containers)
2. secrets access (get/list/watch)
3. clusterrolebindings creation (RBAC escalation)
4. Privileged pod creation
5. Anonymous or system:unauthenticated access
## Examples
```python
# Detect secret enumeration
if verb in ("get", "list") and resource == "secrets":
print(f"Secret access: {user} -> {event['objectRef'].get('name')}")
```