Scenario #229
Security
K8s v1.22, Google Cloud

Inadequate Logging of Sensitive Events

Sensitive security events were not logged, preventing detection of potential security breaches or misconfigurations.

What Happened

Security-related events, such as privilege escalations and unauthorized access attempts, were not being logged correctly due to misconfigurations in the auditing system.

Diagnosis Steps
  1. Examined the audit policy configuration and found that critical security events (e.g., access to secrets, changes in RBAC) were not being captured.
  2. Reviewed Kubernetes logs and discovered the absence of certain expected security events.
Root Cause

Misconfigured Kubernetes auditing policies prevented sensitive security events from being logged.

Fix/Workaround
• Reconfigured the Kubernetes audit policy to capture sensitive events, including user access to secrets, privilege escalations, and changes in RBAC roles.
• Integrated log aggregation and alerting tools to monitor security logs in real time.
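Added example (not part of the original scenario): an audit Policy that captures the event classes the fix describes, assuming a self-managed kube-apiserver that loads it via --audit-policy-file; on GKE the control-plane audit policy is managed by Google, so the equivalent there is enabling the relevant Cloud Audit Logs instead.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# One event per request is enough; drop the RequestReceived stage.
omitStages:
  - "RequestReceived"
# Rules are evaluated top to bottom and the FIRST match wins. A broad
# "level: None" rule placed before these would silently drop them, which
# is the kind of misconfiguration that produces missing security events.
rules:
  # Access to secrets: Metadata level records who touched which secret
  # (user, verb, object, response code) without writing secret values
  # into the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]

  # RBAC changes: keep the full request and response bodies so the new
  # role/binding content can be reviewed, not just the fact that it changed.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]

  # Common privilege-escalation paths: shell/attach/port-forward into pods
  # and minting service account tokens. Request level captures the
  # parameters (e.g. the container and command) used.
  - level: Request
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward", "serviceaccounts/token"]

  # Catch-all. Policy rules cannot match on the outcome of a request, so
  # unauthorized access attempts (responseStatus.code 403) and impersonated
  # requests (impersonatedUser) are only visible if every remaining request
  # is logged at least at Metadata level; the alerting pipeline filters on
  # those fields.
  - level: Metadata
```

The alerting side of the fix keys on fields these events now carry (objectRef.resource, verb, user.username, impersonatedUser, responseStatus.code), so a rule such as "403 on secrets from a non-system user" becomes expressible once this policy is in place.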
Lessons Learned

Properly configuring audit logging is essential for detecting potential security incidents and ensuring compliance.

How to Avoid
  1. Implement comprehensive audit logging policies to capture sensitive security events.
  2. Regularly review audit logs and integrate with centralized monitoring solutions for real-time alerts.