diff --git a/data/workshop/exercise6.mdx b/data/workshop/exercise6.mdx index bf9f6aa..5a225c1 100644 --- a/data/workshop/exercise6.mdx +++ b/data/workshop/exercise6.mdx 
@@ -24,22 +24,22 @@ So we just need to inspect the audit logs and we should be able to find our culp ## 6.1 - Needle in a haystack -On the call Angie starts sharing her screen and logging into the ACME ElasticSearch instance to start querying the audit logs but you interrupt her and explain that the cluster hasn't yet been configured to ship logs to an external aggregator. +On the call Angie starts sharing her screen and logging into the ACME Elasticsearch instance to query the audit logs but you interrupt her and explain that the cluster hasn't yet been configured to ship logs to an external aggregator. -Fear not however, you explain how the internal audit logs can still be queried using the `oc` CLI and fire up your own screen share to step her through how it's done. +Despite this, you explain how the internal audit logs can still be queried using the `oc` CLI and fire up your own screen share to step her through how it's done. The namespace Angie needs to query is `prd-acme-experimental`, can you track down our threat actor?? Documentation you may find helpful is: -- https://docs.openshift.com/container-platform/4.17/security/audit-log-view.html +- https://docs.openshift.com/container-platform/4.16/security/audit-log-view.html ## 6.2 - Removing the culprit -With the culprit identified Angie is unsurprised. This particular user has been causing mayhem in every role they have worked and is on their last written warning so will probably now be let go. +With the culprit identified Angie is aghast to discover it was one of her colleagues in the ACME OpenShift Platform team. -Angie instructs you to remove their platform access immediately so that they can no longer log in to OpenShift. +Angie instructs you to remove their platform access immediately so that they can no longer log in to OpenShift while a formal investigation can be initiated to determine why they deleted the sensitive project was deleted. Documentation you may find helpful is: 
@@ -53,7 +53,3 @@ If you've successfully identified the culprit and removed their platform access > Please review [team name] solution for exercise 6, the culprit for the project deletion no longer has access to our OpenShift cluster. This exercise is worth `25` points. The event team will reply in slack to confirm your updated team total score 🎉 - - - -
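Review bot: the new sentence in hunk 1 under "## 6.2 - Removing the culprit" has a duplicated verb: "to determine why they deleted the sensitive project was deleted" should read "to determine why they deleted the sensitive project" (or "why the sensitive project was deleted"), and "while a formal investigation can be initiated" reads more naturally as "while a formal investigation is initiated". In the same hunk the documentation link is moved from `4.17` to `4.16` without explanation; if this is meant to match the OpenShift version the workshop cluster actually runs, say so in the commit message, since the `oc adm node-logs` audit-log procedure is version-specific and participants will follow whichever page is linked.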