Refine wording for exercise 6.
This commit is contained in:
@ -24,22 +24,22 @@ So we just need to inspect the audit logs and we should be able to find our culp
|
|||||||
|
|
||||||
## 6.1 - Needle in a haystack
|
## 6.1 - Needle in a haystack
|
||||||
|
|
||||||
On the call Angie starts sharing her screen and logging into the ACME ElasticSearch instance to start querying the audit logs but you interrupt her and explain that the cluster hasn't yet been configured to ship logs to an external aggregator.
|
On the call Angie starts sharing her screen and logging into the ACME Elasticsearch instance to query the audit logs but you interrupt her and explain that the cluster hasn't yet been configured to ship logs to an external aggregator.
|
||||||
|
|
||||||
Fear not however, you explain how the internal audit logs can still be queried using the `oc` CLI and fire up your own screen share to step her through how it's done.
|
Despite this, you explain how the internal audit logs can still be queried using the `oc` CLI and fire up your own screen share to step her through how it's done.
|
||||||
|
|
||||||
The namespace Angie needs to query is `prd-acme-experimental`, can you track down our threat actor??
|
The namespace Angie needs to query is `prd-acme-experimental`, can you track down our threat actor??
|
||||||
|
|
||||||
Documentation you may find helpful is:
|
Documentation you may find helpful is:
|
||||||
|
|
||||||
- https://docs.openshift.com/container-platform/4.17/security/audit-log-view.html
|
- https://docs.openshift.com/container-platform/4.16/security/audit-log-view.html
|
||||||
|
|
||||||
|
|
||||||
## 6.2 - Removing the culprit
|
## 6.2 - Removing the culprit
|
||||||
|
|
||||||
With the culprit identified Angie is unsurprised. This particular user has been causing mayhem in every role they have worked and is on their last written warning so will probably now be let go.
|
With the culprit identified Angie is aghast to discover it was one of her colleagues in the ACME OpenShift Platform team.
|
||||||
|
|
||||||
Angie instructs you to remove their platform access immediately so that they can no longer log in to OpenShift.
|
Angie instructs you to remove their platform access immediately so that they can no longer log in to OpenShift while a formal investigation can be initiated to determine why they deleted the sensitive project was deleted.
|
||||||
|
|
||||||
Documentation you may find helpful is:
|
Documentation you may find helpful is:
|
||||||
|
|
||||||
@ -53,7 +53,3 @@ If you've successfully identified the culprit and removed their platform access
|
|||||||
> Please review [team name] solution for exercise 6, the culprit for the project deletion no longer has access to our OpenShift cluster.
|
> Please review [team name] solution for exercise 6, the culprit for the project deletion no longer has access to our OpenShift cluster.
|
||||||
|
|
||||||
This exercise is worth `25` points. The event team will reply in slack to confirm your updated team total score 🎉
|
This exercise is worth `25` points. The event team will reply in slack to confirm your updated team total score 🎉
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user