{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTM2Mjk4NjY3OjI1NDgxMTQ=","pid":2548114,"uid":0,"cwd":"/","binary":"/usr/sbin/addgroup","arguments":"--gid 1000 -- evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.969515849Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":8,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","refcnt":1,"tid":2548114,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","tid":2548113,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/gshadow","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.973032283Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTM2Mjk4NjY3OjI1NDgxMTQ=","pid":2548114,"uid":0,"cwd":"/","binary":"/usr/sbin/addgroup","arguments":"--gid 1000 -- evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.969515849Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":8,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","refcnt":1,"tid":2548114,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","tid":2548113,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/group","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.969893227Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","refcnt":3,"tid":2548113,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","pid":2548100,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"adduser -D evil_user && id evil_user\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.959548715Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":1,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njc1OTQ3Mjc0OjI1NDgwMzk=","tid":2548100,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/shadow","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.966180050Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","refcnt":3,"tid":2548113,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","pid":2548100,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"adduser -D evil_user && id evil_user\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.959548715Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":1,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njc1OTQ3Mjc0OjI1NDgwMzk=","tid":2548100,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/passwd","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.961366619Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1NzYyNDEyNTg4OjI1NDgwNjI=","pid":2548062,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/init.pid 51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","flags":"execve inInitTree","start_time":"2025-09-29T23:05:12.195629975Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njg3MDI1ODA1OjI1NDgwNTA=","refcnt":1,"tid":2548062,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njg3MDI1ODA1OjI1NDgwNTA=","pid":2548050,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/init.pid 51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","flags":"execve clone","start_time":"2025-09-29T23:05:12.120244128Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njc1OTQ3Mjc0OjI1NDgwMzk=","tid":2548050,"in_init_tree":false},"function_name":"__arm64_sys_sethostname","args":[{"string_arg":"atomic-linux-useradd","label":"name"},{"size_arg":"20","label":"len"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.208610513Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTM2Mjk4NjY3OjI1NDgxMTQ=","pid":2548114,"uid":0,"cwd":"/","binary":"/usr/sbin/addgroup","arguments":"--gid 1000 -- evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.969515849Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":8,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","refcnt":1,"tid":2548114,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","tid":2548113,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/gshadow","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.973032283Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTM2Mjk4NjY3OjI1NDgxMTQ=","pid":2548114,"uid":0,"cwd":"/","binary":"/usr/sbin/addgroup","arguments":"--gid 1000 -- evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.969515849Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":8,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","refcnt":1,"tid":2548114,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","tid":2548113,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/group","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.969893227Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","refcnt":3,"tid":2548113,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","pid":2548100,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"adduser -D evil_user && id evil_user\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.959548715Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":1,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njc1OTQ3Mjc0OjI1NDgwMzk=","tid":2548100,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/shadow","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.966180050Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","refcnt":3,"tid":2548113,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","pid":2548100,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"adduser -D evil_user && id evil_user\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.959548715Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":1,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njc1OTQ3Mjc0OjI1NDgwMzk=","tid":2548100,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/passwd","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.961366619Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1NzYyNDEyNTg4OjI1NDgwNjI=","pid":2548062,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/init.pid 51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","flags":"execve inInitTree","start_time":"2025-09-29T23:05:12.195629975Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njg3MDI1ODA1OjI1NDgwNTA=","refcnt":1,"tid":2548062,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njg3MDI1ODA1OjI1NDgwNTA=","pid":2548050,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/init.pid 51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","flags":"execve clone","start_time":"2025-09-29T23:05:12.120244128Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njc1OTQ3Mjc0OjI1NDgwMzk=","tid":2548050,"in_init_tree":false},"function_name":"__arm64_sys_sethostname","args":[{"string_arg":"atomic-linux-useradd","label":"name"},{"size_arg":"20","label":"len"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.208610513Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTM2Mjk4NjY3OjI1NDgxMTQ=","pid":2548114,"uid":0,"cwd":"/","binary":"/usr/sbin/addgroup","arguments":"--gid 1000 -- evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.969515849Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":8,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","refcnt":1,"tid":2548114,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","tid":2548113,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/gshadow","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.973032283Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTM2Mjk4NjY3OjI1NDgxMTQ=","pid":2548114,"uid":0,"cwd":"/","binary":"/usr/sbin/addgroup","arguments":"--gid 1000 -- evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.969515849Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":8,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","refcnt":1,"tid":2548114,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","tid":2548113,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/group","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.969893227Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","refcnt":3,"tid":2548113,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","pid":2548100,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"adduser -D evil_user && id evil_user\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.959548715Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":1,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njc1OTQ3Mjc0OjI1NDgwMzk=","tid":2548100,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/shadow","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.966180050Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI3NTUzOTkzOjI1NDgxMTM=","pid":2548113,"uid":0,"cwd":"/","binary":"/usr/sbin/adduser","arguments":"-D evil_user","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.960771487Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":7,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","refcnt":3,"tid":2548113,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg2NTI2MzMwNzk0OjI1NDgxMDA=","pid":2548100,"uid":0,"cwd":"/","binary":"/bin/sh","arguments":"-lc \"adduser -D evil_user && id evil_user\"","flags":"execve rootcwd clone inInitTree","start_time":"2025-09-29T23:05:12.959548715Z","auid":4294967295,"pod":{"namespace":"default","name":"atomic-linux-useradd","container":{"id":"containerd://f18af6ecc7ceba738f51541fbdbcf518c473ebea25aa23bd4e76efc9725d69a9","name":"atomic-linux-useradd","image":{"id":"docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","name":"docker.io/library/alpine:3"},"pid":1,"security_context":{}},"pod_labels":{"run":"atomic-linux-useradd"},"workload":"atomic-linux-useradd","workload_kind":"Pod"},"docker":"f18af6ecc7ceba738f51541fbdbcf51","parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njc1OTQ3Mjc0OjI1NDgwMzk=","tid":2548100,"in_init_tree":true},"function_name":"__arm64_sys_openat","args":[{"string_arg":"/etc/passwd","label":"filename"},{"int_arg":131074,"label":"flags"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.961366619Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}
{"process_kprobe":{"process":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1NzYyNDEyNTg4OjI1NDgwNjI=","pid":2548062,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/init.pid 51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","flags":"execve inInitTree","start_time":"2025-09-29T23:05:12.195629975Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njg3MDI1ODA1OjI1NDgwNTA=","refcnt":1,"tid":2548062,"in_init_tree":true},"parent":{"exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njg3MDI1ODA1OjI1NDgwNTA=","pid":2548050,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","binary":"/usr/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd/init.pid 51f4f0f447693f818f610a8ffc29180c6f3144cf31f61993562b606e970de1cd","flags":"execve clone","start_time":"2025-09-29T23:05:12.120244128Z","auid":4294967295,"parent_exec_id":"aXAtMTkyLTE2OC04OS02NC51cy13ZXN0LTIuY29tcHV0ZS5pbnRlcm5hbDoyMDg3ODg1Njc1OTQ3Mjc0OjI1NDgwMzk=","tid":2548050,"in_init_tree":false},"function_name":"__arm64_sys_sethostname","args":[{"string_arg":"atomic-linux-useradd","label":"name"},{"size_arg":"20","label":"len"}],"action":"KPROBE_ACTION_POST","policy_name":"auditd-equivalent-security-monitoring","return_action":"KPROBE_ACTION_POST"},"node_name":"ip-192-168-89-64.us-west-2.compute.internal","time":"2025-09-29T23:05:12.208610513Z","cluster_name":"k8s-goat-cluster","node_labels":{"alpha.eksctl.io/cluster-name":"k8s-goat-cluster","alpha.eksctl.io/nodegroup-name":"ng-a99d40b1","beta.kubernetes.io/arch":"arm64","beta.kubernetes.io/instance-type":"t4g.medium","beta.kubernetes.io/os":"linux","eks.amazonaws.com/capacityType":"ON_DEMAND","eks.amazonaws.com/nodegroup":"ng-a99d40b1","eks.amazonaws.com/nodegroup-image":"ami-0339636baccc3c183","eks.amazonaws.com/sourceLaunchTemplateId":"lt-0da0169006f2a7c39","eks.amazonaws.com/sourceLaunchTemplateVersion":"1","failure-domain.beta.kubernetes.io/region":"us-west-2","failure-domain.beta.kubernetes.io/zone":"us-west-2c","k8s.io/cloud-provider-aws":"16c540d8ecc5192189b6444fb194814b","kubernetes.io/arch":"arm64","kubernetes.io/hostname":"ip-192-168-89-64.us-west-2.compute.internal","kubernetes.io/os":"linux","node.kubernetes.io/instance-type":"t4g.medium","topology.k8s.aws/zone-id":"usw2-az3","topology.kubernetes.io/region":"us-west-2","topology.kubernetes.io/zone":"us-west-2c"}}