Add exercise 6.

data/workshop/README.org

@@ -8,7 +8,7 @@ This document captures the steps required to set up an instance of the workshop.
 * Log in to cluster
 
 #+begin_src tmux
-oc login --web https://api.cluster-pnccw.pnccw.sandbox225.opentlc.com:6443/
+oc login --web https://api.cluster-bcfz8.bcfz8.sandbox1805.opentlc.com:6443
 #+end_src
 
 * Update cluster logo
@@ -122,3 +122,49 @@ EOF
 
 oc adm policy add-scc-to-user privileged -z default -n prd-acme-payments
 #+end_src
+
+* Add spicy cluster users
+
+#+begin_src tmux
+# Create the namespace for the exercise
+oc new-project acme-prd-experimental
+
+# Retrive existing users htpasswd file
+oc get secret htpasswd -ojsonpath={.data.htpasswd} -n openshift-config | base64 --decode > ${HOME}/Downloads/users.htpasswd
+
+# Add additional users
+htpasswd -bB ${HOME}/Downloads/users.htpasswd specific-enhanced-ocelot admin
+htpasswd -bB ${HOME}/Downloads/users.htpasswd upset-benevolent-hacker admin
+htpasswd -bB ${HOME}/Downloads/users.htpasswd beaming-aggressive-squid admin
+htpasswd -bB ${HOME}/Downloads/users.htpasswd tame-threatening-otter admin
+htpasswd -bB ${HOME}/Downloads/users.htpasswd rebuked-placid-engineer admin
+htpasswd -bB ${HOME}/Downloads/users.htpasswd expert-invasive-meerkat admin
+htpasswd -bB ${HOME}/Downloads/users.htpasswd childish-shifty-caterpillar admin
+htpasswd -bB ${HOME}/Downloads/users.htpasswd silent-lively-heron admin
+htpasswd -bB ${HOME}/Downloads/users.htpasswd bountiful-soaked-crab admin
+htpasswd -bB ${HOME}/Downloads/users.htpasswd alienated-proud-snail admin
+
+# Replace the secret
+oc create secret generic htpasswd --from-file=htpasswd=${HOME}/Downloads/users.htpasswd --dry-run=client --output yaml --namespace openshift-config | oc replace --filename -
+
+# Login as a specified user
+oc login --username alienated-proud-snail --password admin
+oc login --username bountiful-soaked-crab --password admin
+oc login --username silent-lively-heron --password admin
+oc login --username childish-shifty-caterpillar --password admin
+oc login --username expert-invasive-meerkat --password admin
+oc login --username rebuked-placid-engineer --password admin
+oc login --username tame-threatening-otter --password admin
+oc login --username beaming-aggressive-squid --password admin
+oc login --username upset-benevolent-hacker --password admin
+oc login --username specific-enhanced-ocelot --password admin
+
+# Log back in as admin
+oc login --username admin
+
+# Grant user permission on project
+oc adm policy add-role-to-user admin childish-shifty-caterpillar --namespace prd-acme-experimental
+
+# Delete the namespace as a particular user
+oc delete project prd-acme-experimental --as childish-shifty-caterpillar
+#+end_src

data/workshop/exercise1.mdx

@@ -55,7 +55,7 @@ Register for an environment using `[team name]@redhat.com` and the password prov
 
 ## 1.4 - Confirm environment access
 
-If your team have secured an environment and are ready to start the challenge please post a message in `#event-anz-ocp-security-hackathon` with the message:
+If your team have secured an environment and are ready to start the challenge please post in `#event-anz-ocp-security-hackathon` with the message:
 
 > [team name] have logged into an environment and are starting the challenge!
 

data/workshop/exercise2.mdx

@@ -90,7 +90,7 @@ Documentation you may find helpful is:
 
 ## 2.5 - Check your work
 
-If your pair session with Angie has finished and the hub cluster is secured please post a message in `#event-anz-ocp-security-hackathon` with the message:
+If your pair session with Angie has finished and the hub cluster is secured please post in `#event-anz-ocp-security-hackathon` with the message:
 
 > Please review [team name] solution for exercise 2.
 

data/workshop/exercise3.mdx

@@ -59,7 +59,7 @@ oc --namespace openshift-ovn-kubernetes rsh ovnkube-node-<XXXXX> ovn-nbctl --no-
 
 ## 3.3 - Check your work
 
-If you've kept Brent happy by enabling encryption for internal cluster traffic please post a message in `#event-anz-ocp-security-hackathon` with the message:
+If you've kept Brent happy by enabling encryption for internal cluster traffic please post in `#event-anz-ocp-security-hackathon` with the message:
 
 > Please review [team name] solution for exercise 3, our cluster internal traffic is now encrypted with cipher [cipher].
 

data/workshop/exercise4.mdx

@@ -43,7 +43,7 @@ Documentation you may find helpful is:
 
 ## 4.3 - Check your work
 
-If you've successfully secured the banks vulnerable payments processor please post a message in `#event-anz-ocp-security-hackathon` with the message:
+If you've successfully secured the banks vulnerable payments processor please post in `#event-anz-ocp-security-hackathon` with the message:
 
 > Please review [team name] solution for exercise 4, our payments processor application is now unhackable.
 

data/workshop/exercise5.mdx

@@ -60,7 +60,7 @@ Documentation you may find helpful is:
 
 ## 5.4 - Check your work
 
-If you've successfully run the compliance scan and remediated the compliance issue to show Melissa how things work please post an issue in `#event-anz-ocp-security-hackathon` with the message:
+If you've successfully run the compliance scan and remediated the compliance issue to show Melissa how things work please post in `#event-anz-ocp-security-hackathon` with the message:
 
 > Please review [team name] solution for exercise 5, our cluster is now [percentage] compliant against NIST 800-53 at a cluster level.
 

data/workshop/exercise6.mdx

@@ -0,0 +1,59 @@
+---
+title: Inspecting audit logs
+exercise: 6
+date: '2024-10-31'
+tags: ['openshift','audit','logging']
+draft: false
+authors: ['default']
+summary: "Ahh the classic who dunnit!?!??"
+---
+
+
+You're about to finish up day three of the engagement at ACME and have the lid halfway closed on your ACME provided CrapPhablet7000™ laptop for the day when you hear it. An incoming Skype for Business call 😰
+
+Here we go...
+
+Lifting the lid with a resigned sigh you answer. It's Angie. She's looking aggrieved and in a huff explains that someone has apparently deleted an important company project and she needs to figure out who. She's worried someone has permissions they shouldn't or there is an inside threat actor.
+
+Fear not you tell Angie, Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself.
+
+So we just need to inspect the audit logs and we should be able to find our culprit!
+
+![audit](/static/images/security/audit-logs.png)
+
+
+## 6.1 - Needle in a haystack
+
+On the call Angie starts sharing her screen and logging into the ACME ElasticSearch instance to start querying the audit logs but you interrupt her and explain that the cluster hasn't yet been configured to ship logs to an external aggregator.
+
+Fear not however, you explain how the internal audit logs can still be queried using the `oc` CLI and fire up your own screen share to step her through how it's done.
+
+The namespace Angie needs to query is `prd-acme-experimental`, can you track down our threat actor??
+
+Documentation you may find helpful is:
+
+- https://docs.openshift.com/container-platform/4.17/security/audit-log-view.html
+
+
+## 6.2 - Removing the culprit
+
+With the culprit identified Angie is unsurprised. This particular user has been causing mayhem in every role they have worked and is on their last written warning so will probably now be let go.
+
+Angie instructs you to remove their platform access immediately so that they can no longer log in to OpenShift.
+
+Documentation you may find helpful is:
+
+- https://access.redhat.com/solutions/4039941
+
+
+## 6.3 - Check your work
+
+If you've successfully identified the culprit and removed their platform access please post in `#event-anz-ocp-security-hackathon` with the message:
+
+> Please review [team name] solution for exercise 6, the culprit for the project deletion no longer has access to our OpenShift cluster.
+
+This exercise is worth `25` points. The event team will reply in slack to confirm your updated team total score 🎉 
+
+
+
+