Merge pull request #230 from stackrox/mc/violation-alerts
ROX-23900: Add prometheus alert for SELinux violations
mclasmeier authored May 22, 2024
2 parents 97f63bd + 4d20524 commit 7a9693d
Showing 2 changed files with 33 additions and 0 deletions.
10 changes: 10 additions & 0 deletions resources/prometheus/prometheus-rules.yaml
Expand Up @@ -756,3 +756,13 @@ cluster autoscaler. Limits can be adjusted by modifying the cluster autoscaler c
the cluster autoscaler. This is calculated by summing the memory capacity for all nodes in the cluster and comparing that number against the maximum memory bytes value set
for the cluster autoscaler. Limits can be adjusted by modifying the cluster autoscaler configuration."
sop_url: "https://gitlab.cee.redhat.com/stackrox/acs-cloud-service/runbooks/-/blob/master/sops/dp-042-modify-cluster-autoscaler.md"
- alert: ClusterAuditSELinuxViolations
expr: |
selinux_denials_sample_count > 0
labels:
severity: info
annotations:
summary: "SELinux Violations occuring on cluster."
description: |
A cluster node logged {{ $value }} SELinux AVC denial(s) per minute to the audit log.
sop_url: "https://gitlab.cee.redhat.com/stackrox/acs-cloud-service/runbooks/-/blob/master/sops/dp-043-selinux-violation.md"
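Review bot: the expression `selinux_denials_sample_count > 0` carries no `for:` clause, so a single scrape that reports one denial fires the alert immediately and it resolves as soon as the next sample drops to 0; for an info-severity signal on nodes where occasional AVC denials are routine, consider `for: 5m` (or a similar window) so the alert only represents sustained denials. The description also presents `{{ $value }}` as denials "per minute", which is only accurate if the metric is already a per-interval sample count; if it is a cumulative counter, the rule should evaluate `increase(selinux_denials_sample_count[1m]) > 0` instead, otherwise the rendered number is the running total rather than a rate. Finally, the summary has a typo: "occuring" should be "occurring" (the same string is asserted verbatim in the new unit test, so both need to change together).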
23 changes: 23 additions & 0 deletions resources/prometheus/unit_tests/ClusterAuditSELinuxViolations.yaml
@@ -0,0 +1,23 @@
rule_files:
- /tmp/prometheus-rules-test.yaml

evaluation_interval: 1m

tests:
- interval: 1m
input_series:
- series: selinux_denials_sample_count{namespace="rhacs-cloudwatch"}
values: "1x5"
alert_rule_test:
- eval_time: 70s
alertname: ClusterAuditSELinuxViolations
exp_alerts:
- exp_labels:
alertname: ClusterAuditSELinuxViolations
namespace: rhacs-cloudwatch
severity: info
exp_annotations:
summary: "SELinux Violations occuring on cluster."
description: |
A cluster node logged 1 SELinux AVC denial(s) per minute to the audit log.
sop_url: "https://gitlab.cee.redhat.com/stackrox/acs-cloud-service/runbooks/-/blob/master/sops/dp-043-selinux-violation.md"
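Review bot: the test only exercises the firing case; add a second entry with `values: "0x5"` (or no input series at all) and `exp_alerts: []` at the same `eval_time` so a later change to the expression or threshold cannot silently turn the alert into one that always or never fires. As written the positive case is consistent: `values: "1x5"` produces samples at 0m through 5m, `eval_time: 70s` reads the 60s sample, and the `1` substituted for `{{ $value }}` in `exp_annotations.description` matches; if a `for:` clause is later added to the rule, `eval_time` must be moved past that duration or this expectation will fail. The `exp_annotations.summary` string mirrors the rule's typo "occuring", so it has to be updated in lockstep with the rule file.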

0 comments on commit 7a9693d
