mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-12 13:07:49 +00:00
Add rules to detect creating/deleting secrets
New rules K8s Secret Created/K8s Secret Deleted detect creating/deleting secrets, following the pattern of the other "K8s XXX Created/Deleted" rules. One minor difference is that service account token secrets are excluded, as those are created automatically as namespaces are created. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
@@ -102,6 +102,12 @@
|
||||
- macro: role
|
||||
condition: ka.target.resource=roles
|
||||
|
||||
- macro: secret
|
||||
condition: ka.target.resource=secrets
|
||||
|
||||
- macro: req_service_account_token
|
||||
condition: (jevt.value[/requestObject/type]="kubernetes.io/service-account-token")
|
||||
|
||||
- macro: health_endpoint
|
||||
condition: ka.uri=/healthz
|
||||
|
||||
@@ -401,6 +407,22 @@
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Secret Created
|
||||
desc: Detect any attempt to create a secret. Service account tokens are excluded.
|
||||
condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and not req_service_account_token and response_successful)
|
||||
output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- rule: K8s Secret Deleted
|
||||
desc: Detect any attempt to delete a secret Service account tokens are excluded.
|
||||
condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and not req_service_account_token and response_successful)
|
||||
output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||
priority: INFO
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
# This rule generally matches all events, and as a result is disabled
|
||||
# by default. If you wish to enable these events, modify the
|
||||
# following macro.
|
||||
|
Reference in New Issue
Block a user