Skills
skills/mukul975/anthropic-cybersecurity-skills/analyzing-kubernetes-audit-logs

analyzing-kubernetes-audit-logs

SKILL.md

Analyzing Kubernetes Audit Logs

Instructions

Parse Kubernetes audit log files (JSON lines format) to detect security-relevant events including unauthorized access, privilege escalation, and data exfiltration.

import json

with open("/var/log/kubernetes/audit.log") as f:
    for line in f:
        event = json.loads(line)
        verb = event.get("verb")
        resource = event.get("objectRef", {}).get("resource")
        user = event.get("user", {}).get("username")
        if verb == "create" and resource == "pods/exec":
            print(f"Pod exec by {user}")

Key events to detect:

  1. pods/exec and pods/attach (shell into containers)
  2. secrets access (get/list/watch)
  3. clusterrolebindings creation (RBAC escalation)
  4. Privileged pod creation
  5. Anonymous or system:unauthenticated access

Examples

# Detect secret enumeration
if verb in ("get", "list") and resource == "secrets":
    print(f"Secret access: {user} -> {event['objectRef'].get('name')}")
Weekly Installs
11
Repository
mukul975/anthro…y-skills
GitHub Stars
2.4K
First Seen
3 days ago
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
cursor11
github-copilot11
amp11
cline11
codex11
kimi-cli11