Kaspersky Container Security
Detailed information about file operations
To open detailed information about file operations:
- Click anywhere in the row of a File operations event in the table of security events in the Investigation → Container forensic section.
- In the sidebar that opens, go to the Information tab.
Kaspersky Container Security displays the following information:
- The General information section contains general information:
  - Date and time the file operation was performed.
  - Type of file operation (for example, Create or Delete).
  - Path to the file or directory.
  - New path to the file or directory (displayed only for the Rename or move file operation type).
  - New permissions (displayed only for the Change access permissions operation type).
  - Runtime policy mode.
  - Error code.
- The Location details block provides the following information about the container where the file operations were found:
  - Container ID and name.
  - Image name and checksum. You can open the page with image scan results by clicking the name of the relevant image.
    To view the results of an image scan, you need the rights to view image scan results. You also need access to the scope for the clusters.
  - Pod name. You can display pod details by clicking the name of the pod.
    Viewing and managing cluster resources requires the corresponding rights. You also need access to the corresponding scope.
  - Namespace name.
  - Cluster name.
  - Host name and IP address.
- The Process section contains the following data about the process where file operations were found:
  - Parent process ID (PPID).
  - Process ID (PID) and a new PID.
  - User ID (UID).
  - Group ID (GID).
  - Effective User ID (EUID).
  - Effective Group ID (EGID).
  - UID of the new owner (displayed only for the Change ownership file operation type).
  - GID of the new owner (displayed only for the Change ownership file operation type).
- The table under Runtime policies impacting the container displays a list of all runtime policies that could be applied to the container in which the file operations were detected. For each policy, the solution shows the name of the policy and its mode.
  You can open the sidebar with a detailed description of the applied policy by clicking the name of the policy. Policy information is displayed in a similar way to how information about applied policies is presented when viewing application information on the graph. Limitations apply when viewing policy information.
Article ID: 292232, Last review: Dec 5, 2024