> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Write below monitored dir

### Event Information

#### Meaning

* The "Write below monitored dir" event in a Kubernetes cluster indicates that a process running within a container has attempted to write or modify a file or directory that is being monitored by a security tool or policy.
* This event could potentially indicate unauthorized or suspicious activity, as it may suggest an attempt to tamper with sensitive files or directories.
* To investigate this event, you can use kubectl to check the logs of the container where the event occurred, and analyze the specific file or directory that was being written to. Additionally, you can review the security policies and permissions in place to ensure they align with compliance standards.

#### Remediation

1. Use a Read-Only File System:

```yaml theme={null}
apiVersion: v1
kind: Pod
metadata:
  name: monitored-dir-pod
spec:
  containers:
  - name: monitored-dir-container
    image: <your-image>
    securityContext:
      readOnlyRootFilesystem: true
```

2. Use Read-Only Volume Mounts:
   * Mount monitored directories as read-only volumes to prevent modifications:
   ```yaml theme={null}
    apiVersion: v1
    kind: Pod
    metadata:
      name: monitored-dir-pod
    spec:
      containers:
      - name: monitored-dir-container
        image: <your-image>
        volumeMounts:
        - name: monitored-dir
          mountPath: /path/to/monitored/dir
          readOnly: true
      volumes:
      - name: monitored-dir
        emptyDir: {}
   ```

3. Use a security context to restrict which users can write to the directories:
   * If your application needs to use a volume but you want to prevent writes to specific directories, you can use a read-only volume:

```yaml theme={null}
apiVersion: v1
kind: Pod
metadata:
  name: monitored-dir-pod
spec:
  containers:
  - name: monitored-dir-container
    image: <your-image>
    securityContext:
      runAsUser: 1000
      fsGroup: 2000
```

Note: Make sure to test the remediation steps in a non-production environment before applying them to production.
