Event Information

Meaning

  • The Create Hardlink Over Sensitive Files event in a Kubernetes cluster indicates that a process attempted to create a hardlink to a sensitive file.
  • This event could potentially be a security concern as it may indicate an unauthorized attempt to modify or access sensitive data.
  • It is important to investigate the source of this event and take appropriate actions to ensure the integrity and confidentiality of the sensitive files in the cluster.
To investigate further, you can:
  • Use kubectl to check the logs of the relevant pod or container to identify the process that triggered the event.
  • Inspect the file system permissions and ownership of the sensitive files to ensure they are properly secured.
  • Consider implementing file integrity monitoring tools or auditing mechanisms to detect and prevent unauthorized modifications to sensitive files.

Remediation

To remediate the event “Create Hardlink Over Sensitive Files” using the Python Kubernetes API, you can follow these steps:
  1. Identify the affected pod:
    • Use the event details to determine the pod name and namespace.
    • Run the following command to get the pod details: 
      kubectl get pod <pod-name> -n <namespace> -o yaml
  2. Create a Kubernetes manifest file to update the pod:
    • Modify the YAML file obtained from the previous step to include a securityContext with the appropriate settings to prevent hardlink creation.
    • Add the following section to the pod’s YAML file: 
      spec:
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
  3. Apply the updated manifest file:
    • Save the modified YAML file.
    • Run the following command to apply the changes to the pod: 
      kubectl apply -f <path-to-updated-manifest-file>
Note: Make sure you have the necessary permissions to modify the pod and namespace.