diff --git a/test/falco_k8s_audit_tests.yaml b/test/falco_k8s_audit_tests.yaml
index 4f0d636a..3e61833b 100644
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@@ -21,7 +21,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
 - ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml
 detect_counts:
@@ -33,7 +33,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
 - ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -44,7 +44,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
 detect_counts:
 - Create Privileged Pod: 1
@@ -55,7 +55,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
 - ./rules/k8s_audit/trust_nginx_container.yaml
@@ -66,7 +66,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
 addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
@@ -76,7 +76,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
 detect_counts:
 - Create HostNetwork Pod: 1
@@ -87,7 +87,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
 - ./rules/k8s_audit/trust_nginx_container.yaml
@@ -99,7 +99,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/allow_namespace_foo.yaml
 detect_counts:
@@ -111,7 +111,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/allow_namespace_foo.yaml
 - ./rules/k8s_audit/allow_user_some-user.yaml
@@ -124,7 +124,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/allow_only_apache_container.yaml
 detect_counts:
@@ -136,7 +136,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/allow_nginx_container.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -147,7 +147,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Create Privileged Pod: 1
@@ -159,7 +159,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Create Privileged Pod: 1
@@ -171,7 +171,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Create Privileged Pod: 1
@@ -182,7 +182,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/trust_nginx_container.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -192,7 +192,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
 addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
@@ -201,7 +201,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/trust_nginx_container.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -212,7 +212,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Create Sensitive Mount Pod: 1
@@ -224,7 +224,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Create Sensitive Mount Pod: 1
@@ -235,7 +235,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/trust_nginx_container.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -245,7 +245,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
 addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
@@ -254,7 +254,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/trust_nginx_container.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -265,7 +265,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Create HostNetwork Pod: 1
@@ -276,7 +276,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/trust_nginx_container.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -286,7 +286,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
 addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
@@ -295,7 +295,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/trust_nginx_container.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -306,7 +306,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/disallow_kactivity.yaml
 detect_counts:
@@ -318,7 +318,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/disallow_kactivity.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -329,7 +329,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/disallow_kactivity.yaml
 detect_counts:
@@ -341,7 +341,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/disallow_kactivity.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -352,7 +352,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Anonymous Request Allowed: 1
@@ -364,7 +364,7 @@ trace_files: !mux
 detect_level: NOTICE
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Attach/Exec Pod: 1
@@ -376,7 +376,7 @@ trace_files: !mux
 detect_level: NOTICE
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Attach/Exec Pod: 1
@@ -388,7 +388,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/allow_user_some-user.yaml
 detect_counts:
@@ -400,7 +400,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/allow_namespace_foo.yaml
 - ./rules/k8s_audit/disallow_kactivity.yaml
@@ -412,7 +412,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Pod Created in Kube Namespace: 1
@@ -424,7 +424,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Pod Created in Kube Namespace: 1
@@ -436,7 +436,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Service Account Created in Kube Namespace: 1
@@ -448,7 +448,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Service Account Created in Kube Namespace: 1
@@ -460,7 +460,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - System ClusterRole Modified/Deleted: 1
@@ -472,7 +472,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - System ClusterRole Modified/Deleted: 1
@@ -484,7 +484,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - Attach to cluster-admin Role: 1
@@ -496,7 +496,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - ClusterRole With Wildcard Created: 1
@@ -508,7 +508,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - ClusterRole With Wildcard Created: 1
@@ -520,7 +520,7 @@ trace_files: !mux
 detect_level: NOTICE
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - ClusterRole With Write Privileges Created: 1
@@ -532,7 +532,7 @@ trace_files: !mux
 detect_level: WARNING
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - ClusterRole With Pod Exec Created: 1
@@ -544,7 +544,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Deployment Created: 1
@@ -556,7 +556,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Deployment Deleted: 1
@@ -568,7 +568,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Service Created: 1
@@ -580,7 +580,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Service Deleted: 1
@@ -592,7 +592,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s ConfigMap Created: 1
@@ -604,7 +604,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s ConfigMap Deleted: 1
@@ -616,7 +616,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 - ./rules/k8s_audit/allow_namespace_foo.yaml
 - ./rules/k8s_audit/allow_user_some-user.yaml
@@ -630,7 +630,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Namespace Deleted: 1
@@ -642,7 +642,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Serviceaccount Created: 1
@@ -654,7 +654,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Serviceaccount Deleted: 1
@@ -666,7 +666,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Role/Clusterrole Created: 1
@@ -678,7 +678,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Role/Clusterrole Deleted: 1
@@ -690,7 +690,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Role/Clusterrolebinding Created: 1
@@ -702,7 +702,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Role/Clusterrolebinding Deleted: 1
@@ -714,7 +714,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Secret Created: 1
@@ -727,7 +727,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
 addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service_account_token_secret.json
@@ -737,7 +737,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
 addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_kube_system_secret.json
@@ -747,7 +747,7 @@ trace_files: !mux
 detect_level: INFO
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 detect_counts:
 - K8s Secret Deleted: 1
@@ -758,7 +758,7 @@ trace_files: !mux
 detect: False
 enable_source: k8s_audit
 rules_file:
- - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml
+ - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
 - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
 addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/fal_01_003.json
@@ -773,4 +773,4 @@ trace_files: !mux
 detect_counts:
 - json_pointer_example: 1
 conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
- addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
\ No newline at end of file
+ addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
diff --git a/test/falco_test.py b/test/falco_test.py
index 143f5443..f719511c 100644
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -99,7 +99,7 @@ class FalcoTest(Test):
 self.addl_cmdline_opts = self.params.get('addl_cmdline_opts', '*', default='')
 self.enable_source = self.params.get('enable_source', '*', default='')
 self.rules_file = self.params.get(
- 'rules_file', '*', default='BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/rules/falco_rules.yaml')
+ 'rules_file', '*', default='BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml')
 if not isinstance(self.rules_file, list):
 self.rules_file = [self.rules_file]
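Review bot: The default for `rules_file` in the `self.params.get(` call of test/falco_test.py is still an inline literal, and it repeats the path this same commit had to correct in every `rules_file` list of test/falco_k8s_audit_tests.yaml, so the next change to the layout of the fetched rules tree needs the same many-place edit. Hoisting it to a module-level constant, used as `default=DEFAULT_RULES_FILE` (name is a suggestion), with a one-line comment saying the path follows the layout of the rules sources unpacked under BUILD_DIR, keeps that coupling in one documented place. Whether the harness fails hard when this path does not resolve is not visible here; if it does not, cases that assert `detect: False` could pass without the default ruleset loaded, so that is worth confirming. The enclosing method of FalcoTest starts and ends outside the hunk.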