Notifications

Module goals

  • Understanding how notification and alerting work in RHACS

  • Setup a notification alert to a Microsoft teams channel

  • Setup a notification alert to a Slack channel

How do notifications and alerts work in RHACS

Red Hat Advanced Cluster Security for Kubernetes (RHACS) offers robust notification and alerting mechanisms to enhance the security and observability of Kubernetes environments.

Notification and Alerting Mechanisms

Policy Violations

RHACS uses a set of pre-defined and custom policies to monitor the cluster for security violations. These policies can cover a wide range of security aspects including image vulnerabilities, misconfigurations, runtime behaviors, and compliance checks. When a policy is violated, RHACS generates a violation event. These events are the primary triggers for notifications and alerts.

Alert Configurations

RHACS supports integrations with various notification and alerting systems such as Slack, Microsoft Teams, email, PagerDuty, Splunk, and more. For systems not directly supported, custom webhooks can be configured to send alerts to any endpoint that can process HTTP POST requests.

Setting Up Notifications

Administrators can configure notification channels through the RHACS console. This involves providing the necessary credentials and endpoints for the chosen notification service. These notifications can be scoped to specific policies, allowing for granular control over which violations generate alerts and where those alerts are sent.

Alert Management

Policies can be assigned different severity levels (Low, Medium, High, Critical). Alerts can be configured to trigger based on the severity level of the violation. Depending on the integration, alerts can be routed to different teams or systems. For example, critical violations can be sent to on-call engineers via PagerDuty, while lower-severity alerts might be sent to a Slack channel for informational purposes.

Runtime Alerts

RHACS continuously monitors Kubernetes clusters for runtime anomalies. Alerts can be configured to trigger on suspicious activities such as unexpected network connections, process executions, or file system changes.By analyzing the runtime behavior of applications, RHACS can alert on deviations from known good states or behaviors. Configuring Alerting in RHACS

Integrating Slack with RHACS

In this guide, we will show you how to integrate Red Hat Advanced Cluster Security (RHACS) with Slack by setting up an Incoming Webhook in Slack and configuring it in RHACS to receive security alerts.

Prerequisites

Before proceeding, ensure you have the following: - A Slack account and access to create a Slack app.

Steps for Setting Up the Slack Integration

Procedure

  1. Visit the Slack API site: https://api.slack.com/apps?new_app=1 and log in with your Slack credentials.

  2. Click MORE then click Automations.

07 slack 00

  1. Select New Workflow at the top right of the page.

07 slack 01

  1. Select New Workflow at the top right of the page.

  2. Click the workflow title and give it the following name: first-notification-workflow

  3. Search for webhook and select it.

07 slack 02

  1. Hit continue

  2. Select the Slack workspace where it will be used.

07 slack 03
You can add additional features like webhooks or bot users later, but for now, focus on setting up the Incoming Webhooks.

  1. Add a test prompt and save it

  2. Then click Finish Up

07 slack 04

  1. Scroll down to the Webhook URLs for Your Workspace section.

  2. Next copy the unique Webhook URL and navigate to the RHACS dashboard

  3. Log into the RHACS Console and navigate to Platform Configurations → Integrations.

  4. Under Notifier Integrations, select Slack.

  5. Click the New integration button to start the configuration.

    • Integration Name: Enter: slack-alerts

    • Webhook URL: Paste the Webhook URL you copied earlier from Slack.

    • Default Channel: This is typically auto-populated based on the Webhook URL, but verify or select the correct Slack channel.

  6. Click Test to ensure the integration works correctly.

  7. If successful, you will see the message "The test was successful".

References

Next we have to configure our policies to alert based on specific triggers.

Configure Notifications

Balancing security alerting in a team is crucial to ensure that the team is responsive to genuine threats while minimizing alert fatigue. RHACS enables this by letting you configure your alert channels and attach them to the policies you car about.

Let’s test this out. You will use the runtime enforcement policy that was used in the previous module.

Procedure

  1. On the left-hand side of the application, click the Platform Configuration tab and select Policy Management.

07 pol not 00

  1. Filter through the policies to find No bash allowed or use the search bar to select Policy.

07 pol not 01

  1. Once you have found the policy No bash allowed click to edit the policy

08 not 2

  1. Go to Policy behavior - actions. There sohould be your slack-alerts notifier option available.

  2. Click the notifier and save the policy

  3. Run the following command in the terminal

POD=$(oc get pod -n payments -l app=visa-processor -o jsonpath="{.items[0].metadata.name}")
oc exec $POD -n payments -i --tty -- /bin/bash
[demo-user@bastion ~]$ POD=$(oc get pod -l app=ctf-web-to-system -o jsonpath="{.items[0].metadata.name}")
oc exec $POD -i --tty -- /bin/bash
node@ctf-web-to-system-6db858448f-hz6j2:/app$
If you see node@ctf…​ you’ve confirmed you have a shell and access to the Java application.

  1. Lastly, review your Slack or Teams channel for the alert.

Congrats!

Summary

giphy

Nice!

You integrations a webhook into RHACS and configured notifications based on previous policies.

Time to review the RHACS API!