Mutation Advisor Advanced (MA++)
Mutation Advisor Advanced (MA++) provides real-time, integrity protection for running containers on your clusters. Enable MA++ to collect events from your containers.
MA++ uses a Sysdig/Falco data collector to detect mutation events for files and processes in real time. For more information, see Falco.
MA++ detects unexpected mutation events by filtering event patterns. MA++ is integrated with the Security Advisor and Mutation Advisor controller. Mutation Advisor Advanced (MA++) functions are independent of the Mutation Advisor, except for Minio cloud object storage and Elasticsearch.
Enabling Mutation Advisor Advanced
Prerequisite: You must install the kernel headers in the host (node) operating system. For more information, see Preparing to install Mutation Advisor.
To enable the MA during IBM Cloud Pak for Multicloud Management installation, see Install IBM Cloud Pak for Multicloud Management.
To enable the MA after IBM Cloud Pak for Multicloud Management installation, see Enabling operators after IBM Cloud Pak for Multicloud Management installation.
MA++ APIs
Before you run MA++ API commands, retrieve the authentication token and download the CA certificate for your cluster. For more information, see Preparing to run component or management API commands. For more information about accessing MA++ APIs, see Mutation Advisor Advanced (MA++) APIs.
MA++ components
View the following table for a description of components for Mutation Advisor Advanced (MA++).
Component | Version | Location | Role |
---|---|---|---|
MA++ Crawler | 1.2.0 | all nodes | MA++ data collectors (mapp-crawlers) capture system-level events in containers by using Sysdig to detect unexpected process runs and file changes in real time. The crawler is deployed as a DaemonSet. |
MA++ Inlet | 1.2.0 | VA node | MA++ event collection endpoint that is accessed from MA++ crawlers. |
MA++ API | 1.2.0 | VA node | MA++ frontend service component. This component provides RESTful APIs for the MA++ dashboard and the VA SAS API server. |
MA++ Minio | RELEASE.2019-04-09T01-22-30Z.3 | VA node | Object data storage component that is used to index and query Mutation Advisor Advanced data. |
MA++ minioCleaner | RELEASE.2019-04-03T17-59-57Z.3 | VA node | Used to manage MA++ data size. The MA++ minioCleaner curator is deployed as a CronJob. |
IBM Cloud Pak for Multicloud Management MA++ policy controller | 3.4.0 | VA node | MA policy controller is used to create and remediate mutation policies on IBM Cloud Pak for Multicloud Management clusters. |
Accessing reports
You can view the modification alerts of system files, configuration files, content files, or the operating system process. You can access the MA++ console from the IBM Cloud Pak for Multicloud Management console. Complete the following steps to access the MA++ dashboard:
- Log in to your IBM Cloud Pak for Multicloud Management console as a cluster administrator.
- From the navigation menu, click Administer > Addon > Mutation Advisor.
- Click Go to Mutation Advisor (Advanced) to view the dashboard of cluster summaries.
- Click the Namespace link to view reports in a namespace.
- Click the Pod link to view reports of a pod.
- Click the Allowlist tab to view filter and allowlist rules.
Configuring Mutation Advisor Advanced
To access the MA++ mutation-advisor-mapp-crawler-filter configuration map, complete the following steps:
- Log in to your IBM Cloud Pak for Multicloud Management console.
- Select the Terminal icon in the header. Remember: The Visual Web Terminal connects to the cloud that you are already logged in to with the console.
- Edit the mutation-advisor-mapp-crawler-filter configuration map by running the following command in the terminal:
  kubectl edit cm -n management-security-services mutation-advisor-mapp-crawler-filter
The configuration map includes the config.json file, which lists the configuration maps that are used to allowlist and filter. Your configuration file might resemble the following content (each data value is a JSON document stored as a string):
```yaml
apiVersion: v1
data:
  mapp-sample-filter-user.json: |
    [
      {
        "k8s.ns.name": "mutation-advisor-sample",
        "k8s.pod.name": "mutation-advisor-sample",
        "container.name": "*",
        "m_type": "*",
        "key": "proc.cmdline",
        "operator": "prefix",
        "value": "sample_filter",
        "enabled": false
      }
    ]
  mapp-sample-allowlist-user.json: |
    [
      {
        "container.image.repository": "*",
        "container.image.tag": "*",
        "k8s.ns.name": "mutation-advisor-sample",
        "k8s.pod.name": "mutation-advisor-sample",
        "container.name": "*",
        "m_type": "*",
        "key": "proc.cmdline",
        "value": "sample_allowlist",
        "enabled": false
      }
    ]
```
Configuring allowlists and filters
MA++ detects unexpected changes of files and processes from system level events in your container. You can filter and allowlist specific mutation events or alerts.
A filter defines an ignore pattern that is applied when events are collected at the MA++ crawler, so matching events are never sent on.
An allowlist defines an ignore pattern that is applied when mutation alerts are gathered at the MA++ aggregator, so matching alerts are suppressed.
Configure filters and allowlists by updating your mutation-advisor-mapp-crawler-filter-user configuration map. The data parameter in your mutation-advisor-mapp-crawler-filter-user configuration map might resemble the following configuration:
```yaml
data:
  config.json: |
    {"configs": [
      {"name": "mutation-advisor-mapp-crawler-filter-system", "namespace": "management-security-services", "filter": "shared-filter-system.json"},
      {"name": "mutation-advisor-mapp-crawler-filter-user", "namespace": "management-security-services", "filter": "shared-filter-user.json"},
      {"name": "mutation-advisor-mapp-crawler-filter-auto", "namespace": "management-security-services", "filter": "shared-filter-auto.json"},
      {"name": "mutation-advisor-mapp-crawler-wl", "namespace": "management-security-services", "filter": "crawl-filter.json", "allowlist": "mutation-filter.json"}
    ]}
```
Defining rules
To define allowlists and filters, update your mutation-advisor-mapp-crawler-filter-user configuration map with a set of rules. Each rule is one object in a JSON array; the following filter rule, for example, ignores every process event whose command line starts with ibmc-s3fs, in any namespace, pod, or container. Append further rule objects to the same array.
```json
[
  {
    "k8s.ns.name": "*",
    "k8s.pod.name": "*",
    "container.name": "*",
    "m_type": "*",
    "key": "proc.cmdline",
    "operator": "prefix",
    "value": "ibmc-s3fs",
    "enabled": true
  }
]
```
The following table describes the parameters that are used in your mutation-advisor-mapp-crawler-filter-user configuration map:
Parameter name | Required configuration | Example | Description |
---|---|---|---|
k8s.ns.name | Filter | "kube-*" | The name of the target namespace; the wildcard * can be used. |
k8s.pod.name | Filter | "mutation-advisor-*" | The name of the target pod; the wildcard * can be used. |
container.name | Filter | "*" | The name of the target container; the wildcard * can be used. |
container.image.repository | Allowlist | "*" | The repository of the target container image; the wildcard * can be used. |
container.image.tag | Allowlist | "*" | The tag of the target container image; the wildcard * can be used. |
m_type | Filter and Allowlist | "process" or "file" | The type of target mutation pattern; the wildcard * can be used. |
key | Filter and Allowlist | "proc.cmdline", "filename" | The event field that the rule compares. |
operator | Filter and Allowlist | "match", "prefix", "contain" | The comparison that is applied between the event field and the value. |
value | Filter and Allowlist | "ls -l", "/var/log/" | The value that the event field is compared against. |
enabled | Filter and Allowlist | true | Toggles the rule. When the value is false, the rule is ignored. When the enabled field is empty, the rule is enabled. |
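Before you apply a rule set, it helps to dry-run it against a few sample events. The following Python example is added here and is not product code; it implements the matching semantics the table above describes (scope fields with the * wildcard, the match/prefix/contain operators, and the enabled toggle). It assumes shell-style globbing for the wildcard and an exact match when an allowlist rule omits the operator; the rule values and events are constructed.

```python
import fnmatch
import json

# Constructed sample rules in the mutation-advisor-mapp-crawler-filter-user
# rule format; the values are hypothetical, not product defaults.
RULES_JSON = """[
  {"k8s.ns.name": "kube-*", "k8s.pod.name": "*", "container.name": "*",
   "m_type": "process", "key": "proc.cmdline", "operator": "prefix",
   "value": "ibmc-s3fs", "enabled": true},
  {"k8s.ns.name": "*", "k8s.pod.name": "*", "container.name": "*",
   "m_type": "file", "key": "filename", "operator": "prefix",
   "value": "/var/log/"},
  {"k8s.ns.name": "*", "k8s.pod.name": "*", "container.name": "*",
   "m_type": "*", "key": "proc.cmdline", "operator": "match",
   "value": "ls -l", "enabled": false}
]"""

# Scope fields that accept the "*" wildcard (shell-style globbing is assumed).
SCOPE_KEYS = ("k8s.ns.name", "k8s.pod.name", "container.name", "m_type")


def compare(operator, actual, expected):
    """Apply a rule operator from the parameter table: match, prefix or contain."""
    if operator == "match":
        return actual == expected
    if operator == "prefix":
        return actual.startswith(expected)
    if operator == "contain":
        return expected in actual
    raise ValueError(f"unknown operator: {operator}")


def rule_matches(rule, event):
    """True when an enabled rule's scope and key/value comparison fit the event."""
    # Only an explicit false disables a rule; an empty or missing field keeps it on.
    if rule.get("enabled", True) is False:
        return False
    for scope in SCOPE_KEYS:
        if not fnmatch.fnmatchcase(event.get(scope, ""), rule.get(scope, "*")):
            return False
    actual = event.get(rule["key"], "")
    # Allowlist samples omit "operator"; exact match is assumed as the default.
    return compare(rule.get("operator", "match"), actual, rule["value"])


def is_ignored(rules, event):
    """True when any rule matches, i.e. the event or alert would be dropped."""
    return any(rule_matches(rule, event) for rule in rules)


RULES = json.loads(RULES_JSON)
```

Feed it the events you expect to see in production; an event that is_ignored reports as dropped by a rule you did not intend is a gap in your detection coverage.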
Viewing rules
Complete the following steps to view rules from the MA++ console:
- Log in to your IBM Cloud Pak for Multicloud Management console.
- From the navigation menu, click Add-ons > Mutation Advisor.
- Click Go to Mutation Advisor (Advanced) to view the MA++ dashboard.
- Click Allowlist to view the list of rules.