# KubeArmor Default Posture

- Deny by Default
  - Redirect "Permission Denied" logs to Alerts
  - Implicit Denied
- Audit by Default
  - Redirect every log to Alert?
  - How is Audit by Default different from monitoring all logs?
  - Can monitor file/network specific logs?
    - this would act as a filtering option rather than policy matching, I guess?
  - Audit shows what would have been blocked otherwise

`karmor --logfilter all`

We have applied an autogenerated policy. Empty log feed unless something else happens? We only have allow-based policies.

Redirect every log to alert:

- Type: MatchedPolicy...
- PolicyName: Implicit Deny

Cases:

- allow cat only secret.txt: fromSource allow policy with allow by default
- only allow cat only secret.txt: fromSource allow policy with deny by default

- Audit with selectors
  - Logs filtered based on selectors?
- Deny by default in selectors
  - "Permission Denied" logs filtered on selectors?

Allow by Default is different from Allow Policies. Allow policies whitelist a particular target, which is essentially deny by default.

- A global allow policy shouldn't exist with Allow by default
- A fromSource allow by default shouldn't exist with a fromSource allow policy

default armor: block/audit

RAW

Also check network log resource matching.

LS: need more valid regex

- check apparmor permissions for listing dirs

Proposed change to how an implicit denial is reported (old fields `-`, new fields `+`):

```diff
== Alert / 2022-02-14 12:10:44.361303 ==
Cluster Name: default
Host Name: kubearmor-dev-all
Namespace Name: multiubuntu
Pod Name: ubuntu-5-deployment-7778f46c67-nfvzb
Container ID: 9f6ad71bb941e7ebcd88ed789b91fbfbdf500372c8973e152aa9f5e5196e6aeb
Container Name: ubuntu-5-container
+Policy Name: DefaultPosture
-Type: DefaultArmor
+Type: MatchedPolicy
Source: /usr/bin/wget 142.251.42.46
Operation: Network
Resource: domain=AF_INET type=SOCK_STREAM protocol=0
Data: syscall=SYS_SOCKET
-Action: ImplicitBlock
+Action: Block/Audit
Result: Permission denied
```

- fromSource and resource --> MatchedPolicy with Name
- !fromSource and resource --> MatchedPolicy with Name

CRD: do not allow a policy named DefaultPosture