Create Hidden Files or Directories

​

Event Information

​

Meaning

• The Create Hidden Files or Directories event in a Kubernetes cluster indicates that a process running within a container has attempted to create a hidden file or directory.
• This event could potentially be a security concern as hidden files or directories can be used to hide malicious activities or sensitive information.
• To investigate this event, you can use the kubectl exec command to access the container and inspect the file system for any hidden files or directories. For example: kubectl exec -it <pod_name> -- /bin/bash

​

Remediation

To remediate the event “Create Hidden Files or Directories” using the Python Kubernetes API, you can follow these steps:

1. Identify the affected pod:

   • Use the event details to determine the pod name and namespace.
   • Run the following command to get the pod details:

     kubectl get pod <pod-name> -n <namespace> -o yaml
     

   • Note down the pod’s labels and annotations for later use.

2. Update the pod’s security context:

   • Create a YAML manifest file (e.g., remediation.yaml) with the following content:

     apiVersion: v1
     kind: Pod
     metadata:
       name: <pod-name>
       namespace: <namespace>
     spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000
     

   • Replace <pod-name> and <namespace> with the actual values from step 1.
   • Apply the changes using the following command:

     kubectl apply -f remediation.yaml
     

3. Verify the remediation:

   • Check the pod’s security context to ensure it has been updated:

     kubectl get pod <pod-name> -n <namespace> -o jsonpath='{.spec.securityContext}'
     

   • Ensure that the runAsNonRoot field is set to true and runAsUser is set to 1000.
   • Monitor the pod for any further events related to creating hidden files or directories.

Note: Make sure to test the remediation steps in a non-production environment before applying them to production.