View risk details

Understand risk factors, view the specific risk context, and decide which deployments require immediate attention.


When you select a deployment in the Risk view, the Risk Details open in a panel on the right. The Risk Details panel shows detailed information grouped into several tabs.

Risk Indicators Tab

The Risk Indicators tab of the Risk Details panel explains the discovered risks.


The Risk Indicators tab includes the following sections:

  • Policy Violations: the names of the policies that are violated for the selected deployment.

  • Suspicious Process Executions: suspicious processes, arguments, and container names in which the process ran.

  • Image Vulnerabilities: images including total CVEs with their CVSS scores.

  • Service Configurations: aspects of the configurations that are often problematic, such as read-write (RW) capability, whether capabilities are dropped, and the presence of privileged containers.

  • Service Reachability: container ports exposed inside or outside the cluster.

  • Components Useful for Attackers: discovered software tools that are often used by attackers.

  • Number of Components in Image: the number of packages found in each image.

  • Image Freshness: image names and age (for example, 285 days old).

  • RBAC Configuration: the level of permissions granted to the deployment in Kubernetes Role-Based Access Control (RBAC).

    Not all sections are visible in the Risk Indicators tab. The StackRox Kubernetes Security Platform displays only relevant sections affecting the selected deployment.
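The Service Configurations indicators above are derived from the container's Kubernetes security context. As an added illustration (not StackRox code), the following Python derives the three indicators the page names from a pod spec; the pod spec is constructed for the example, and the rule that capabilities count as dropped only when the drop list contains ALL is this example's assumption, not a criterion stated on this page.

```python
"""Added example (not StackRox code): derive the Service Configuration
indicators named above (read-write root filesystem, capabilities not dropped,
privileged container) from a Kubernetes pod spec.

The pod spec below is constructed for the example; the field names are the
real Kubernetes securityContext fields.
"""
from __future__ import annotations

# Constructed sample: a pod template with two containers, one weak, one hardened.
SAMPLE_POD_SPEC = {
    "containers": [
        {
            "name": "app",
            "image": "registry.example.com/app:1.4.2",  # placeholder image name
            "securityContext": {
                "privileged": True,
                "readOnlyRootFilesystem": False,
            },
        },
        {
            "name": "sidecar",
            "image": "registry.example.com/sidecar:0.9",  # placeholder image name
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        },
    ]
}


def container_findings(container: dict) -> list[str]:
    """Return the Service Configuration indicators that apply to one container."""
    sc = container.get("securityContext") or {}
    findings: list[str] = []

    # A privileged container runs with every capability and full device access.
    if sc.get("privileged") is True:
        findings.append("privileged")

    # The root filesystem is read-write unless readOnlyRootFilesystem is true.
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("read-write root filesystem")

    # Assumption for this example: capabilities are "dropped" only when the
    # drop list contains ALL (case-insensitive).
    dropped = {c.upper() for c in (sc.get("capabilities") or {}).get("drop", [])}
    if "ALL" not in dropped:
        findings.append("capabilities not dropped")

    return findings


def service_configuration_findings(pod_spec: dict) -> dict[str, list[str]]:
    """Map each container name to its indicators; clean containers are omitted."""
    result: dict[str, list[str]] = {}
    for container in pod_spec.get("containers", []):
        findings = container_findings(container)
        if findings:
            result[container["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in service_configuration_findings(SAMPLE_POD_SPEC).items():
        print(f"{name}: {', '.join(findings)}")
```

Running the block reports all three indicators for the `app` container and nothing for `sidecar`, which matches how this tab shows only the sections that affect the selected deployment.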

Deployment Details Tab

The sections in the Deployment Details tab of the Deployment Risk panel provide more information so you can make appropriate decisions on how to address the discovered risk.


Overview

  • Deployment ID: an alphanumeric identifier for the deployment.
  • Namespace: the Kubernetes or OpenShift namespace in which the deployment exists.
  • Updated: the date and time when the deployment was last updated.
  • Deployment Type: the type of deployment, for example Deployment or DaemonSet.
  • Replicas: the number of pods deployed for this deployment.
  • Labels: the key-value labels attached to the Kubernetes or OpenShift application.
  • Cluster: the name of the cluster where the deployment is running.
  • Annotations: the Kubernetes annotations for the deployment.
  • Service Account: represents an identity for processes that run in a pod. When a process is authenticated through a service account, it can contact the Kubernetes API server and access cluster resources. If a pod doesn’t have an assigned service account, it gets the default service account.

Container Configuration

  • Image Name: the name of the image that’s deployed.
  • Resources
    • CPU Request (cores): the number of CPUs requested by the container.
    • CPU Limit (cores): the maximum number of CPUs the container can use.
    • Memory Request (MB): the memory size requested by the container.
    • Memory Limit (MB): the maximum amount of memory the container can use without being killed.
  • Mounts
    • Name: the name of the mount.
    • Source: the path from where the data for the mount comes.
    • Destination: the path to which the data for the mount goes.
    • Type: the type of the mount.
  • Secrets: the names of Kubernetes secrets used in the deployment, and basic details for secret values that are X.509 certificates.

Security Context

  • Privileged: lists true if the container is privileged.

Process Discovery Tab

The Process Discovery tab provides a comprehensive list of all binaries that have been executed in each container in your environment, summarized by deployment.


  • Binary Name: the name of the binary that was executed.
  • Container: the container in the deployment in which the process executed.
  • Arguments: specific arguments that were passed with the binary.
  • Time: the date and time the binary was most recently executed in a given container.
  • Pod ID: the identifier of the pod in which the container resides.
  • UID: the Linux user identity under which the process executed.

Use the Process Name:<name> query in the filter bar to find specific processes. See the Use local page filtering topic for more information.


Event timeline

The Event Timeline section in the Process Discovery tab provides an overview of events for the selected deployment. It shows the number of policy violations, process activities, and container termination or restart events.

You need the StackRox Kubernetes Security Platform version 3.0.43 or newer to view the Event Timeline.

You can select the Event Timeline to view more details.

The Event Timeline modal box shows events for all pods for the selected deployment. The events on the timeline are categorized as:

  • Process activities (process in and out of the baseline)
  • Policy violations
  • Container restarts and terminations

The events appear as icons on a timeline. To see more details about an event, hold your mouse pointer over the event icon. The details appear in a tooltip.

  • Select Show Legend to see which icon corresponds to which type of event.
  • Select Export > Download PDF or Export > Download CSV to download the event timeline information.
  • Select the Show All drop-down menu to filter which type of events are visible on the timeline.
  • Select the expand icon to see events separately for each container in the selected pod.

All events in the timeline are also visible in the minimap control at the bottom. The minimap controls the number of events visible in the event timeline. You can change the events shown in the timeline by modifying the highlighted area on the minimap. To do this, shrink the highlighted area from the left or right side (or both), and then drag the highlighted area.

  • When containers restart, the StackRox Kubernetes Security Platform:
    • shows information about container termination and restart events for up to 10 inactive container instances for each container in a pod. For example, for a pod with two containers app and sidecar, the StackRox Kubernetes Security Platform keeps activity for up to 10 app instances and up to 10 sidecar instances.
    • doesn’t track process activities associated with the previous instances of the container.
  • The StackRox Kubernetes Security Platform only shows the most recent execution of each (process name, process arguments, UID) tuple for each pod.
  • The StackRox Kubernetes Security Platform shows events only for the active pods.
  • The StackRox Kubernetes Security Platform adjusts the reported timestamps based on the time reported by Kubernetes and the Collector. Kubernetes timestamps have one-second precision, rounded to the nearest second, whereas the Collector uses more precise timestamps. For example, if Kubernetes reports the container start time as 10:54:48, and the Collector reports a process in that container started at 10:54:47.5349823, the StackRox Kubernetes Security Platform adjusts the container start time to 10:54:47.5349823.
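Two of the rules above lend themselves to a small worked example: keeping only the most recent execution of each (process name, process arguments, UID) tuple per pod, and pulling a container's second-precision Kubernetes start time back to an earlier, more precise Collector timestamp. The Python below is an added illustration, not StackRox code; pod and container names, binaries and timestamps are constructed, and the example adjusts by any amount the Collector timestamp is earlier (this page does not say whether StackRox bounds the adjustment).

```python
"""Added example (not StackRox code): two Event Timeline rules from the text.

  1. Keep only the most recent execution of each
     (process name, process arguments, UID) tuple for each pod.
  2. Kubernetes rounds a container's start time to the nearest second; when
     the Collector saw a process in that container start earlier, move the
     container start back to that more precise timestamp.

All pods, containers, binaries and timestamps below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ProcessEvent:
    pod: str
    container: str
    name: str        # binary name
    args: str        # arguments passed to the binary
    uid: int         # Linux user identity the process ran under
    time: datetime   # Collector timestamp, sub-second precision


def ts(iso: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample: one pod with an "app" and a "sidecar" container.
SAMPLE_EVENTS = [
    ProcessEvent("web-7d9f", "app", "/bin/sh", "-c entrypoint.sh", 0, ts("2021-06-01T10:54:47.534982")),
    ProcessEvent("web-7d9f", "sidecar", "/usr/bin/envoy", "-c /etc/envoy.yaml", 101, ts("2021-06-01T10:54:49.010000")),
    ProcessEvent("web-7d9f", "app", "/usr/bin/curl", "-s localhost:8080/healthz", 1000, ts("2021-06-01T10:55:01.120000")),
    ProcessEvent("web-7d9f", "app", "/usr/bin/curl", "-s localhost:8080/healthz", 1000, ts("2021-06-01T10:55:31.120000")),
    ProcessEvent("web-7d9f", "app", "/usr/bin/curl", "-s localhost:8080/healthz", 0, ts("2021-06-01T10:55:31.500000")),
]

# Constructed Kubernetes container start times (second precision).
K8S_APP_START = ts("2021-06-01T10:54:48")
K8S_SIDECAR_START = ts("2021-06-01T10:54:49")


def most_recent_per_tuple(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Rule 1: one event per (pod, name, args, uid), the latest by time, sorted."""
    latest: dict[tuple, ProcessEvent] = {}
    for ev in events:
        key = (ev.pod, ev.name, ev.args, ev.uid)
        if key not in latest or ev.time > latest[key].time:
            latest[key] = ev
    return sorted(latest.values(), key=lambda e: e.time)


def adjusted_container_start(k8s_start: datetime, events: list[ProcessEvent],
                             pod: str, container: str) -> datetime:
    """Rule 2: a process cannot predate its container, so if the Collector saw
    one start before the rounded Kubernetes start time, use the earlier value.
    Assumption: the adjustment is not bounded to the rounding window."""
    earliest = min((ev.time for ev in events
                    if ev.pod == pod and ev.container == container),
                   default=k8s_start)
    return min(k8s_start, earliest)


if __name__ == "__main__":
    print("app start:", adjusted_container_start(K8S_APP_START, SAMPLE_EVENTS, "web-7d9f", "app").isoformat())
    print("sidecar start:", adjusted_container_start(K8S_SIDECAR_START, SAMPLE_EVENTS, "web-7d9f", "sidecar").isoformat())
    for ev in most_recent_per_tuple(SAMPLE_EVENTS):
        print(ev.time.isoformat(), ev.container, ev.name, ev.args, "uid", ev.uid)
```

The two `curl` executions under UID 1000 collapse to the later one, while the same command under UID 0 stays as its own entry because the UID is part of the tuple; the `app` container's start moves back to 10:54:47.534982, and the `sidecar` start is unchanged because no process in it predates the Kubernetes value.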

Comments and tags

You can use Tags and Comments to specify what’s happening with processes to keep your team up to date.

  • You need the StackRox Kubernetes Security Platform version 3.0.42 or newer to add and view Tags and Comments. To upgrade from an older version, see the Upgrade StackRox section.

  • You can edit and delete your own comments.

  • To delete comments from other users, you need a role with write permission for the AllComments resource.

  • To add and remove comments or tags, you need a role with write permission for the resource you are modifying. For example, to add or remove comments on processes, your role must have write permission for the Indicator resource.

    See Manage role based access control to learn more about roles and permissions.

Comments

Comments allow you to add text notes to processes, so that everyone in the team can check what’s happening.

To add a new comment:

  1. Select New in the Process Comments section header.
  2. Enter your comment in the comment editor. You can also add links in the comment editor. These links open in a new tab when someone clicks them in a comment.
  3. Select Save.

All comments are visible under the Process Comments section, and you can edit and delete comments by selecting the Edit or Delete icon for a specific comment.

Tags

You can use custom Tags to categorize your processes. Then you can filter the Risk view to show deployments with selected tags (Process Tag attribute). See the Use local page filtering topic for more information about filtering.

To add tags:

  1. Select the drop-down in the Process Tags section. Existing tags appear as a list (up to 10).
  2. Select an existing tag, or enter a new tag and press Enter. As you type, the StackRox Kubernetes Security Platform automatically suggests matching existing tags.

You can add more than one tag for a process. All tags are visible under the Process Tags section, and you can remove tags by selecting the Remove icon (✕) for a specific tag.

Process baselines

The process baselines are visible under the Spec Container Baselines section. See the Use process baselining topic for more information.


© 2021 StackRox Inc. All rights reserved.