JSON/K8s Audit Evts extract multiple typed values

Refactor how JSON event/k8s audit events extract values in two important ways: 1. An event can now extract multiple values. 2. The extracted value is a class json_event_value instead of a simple string. The driver for 1. was that some filtercheck fields like "ka.req.container.privileged" actually should extract multiple values, as a pod can have multiple containers and it doesn't make sense to summarize that down to a single value. The driver for 2. is that by having an object represent a single extracted value, you can also hold things like numbers e.g. ports, uids, gids, etc. and ranges e.g. [0:3]. With an object, you can override operators ==, <, etc. to do comparisons between the numbers and ranges, or even set membership tests between extracted numbers and sets of ranges. This is really handy for a lot of new fields implemented as a part of PSP support, where you end up having to check for overlaps between the paths, images, ports, uids, etc in a K8s Audit Event and the acceptable values, ranges, path prefixes enumerated in a PSP. Implementing these changes also involve an overhaul of how aliases are implemented. Instead of having an optional "formatting" function, where arguments to the formatting function were expressed as text within the index, define optional extraction and indexing functions. If an extraction function is defined, it's responsible for taking the full json object and calling add_extracted_value() to add values. There's a default extraction function that uses a list of json_pointers with automatic iteration over array values returned by a json pointer. There's still a notion of filter fields supporting indexes--that's simply handled within the default extraction or custom extraction function. And for most fields, there won't be a need to write a custom extraction function simply to implement indexing. Within a json_event_filter_check object, instead of having a single extracted value as a string, hold a vector of extracted json_event_value objects (vector because order matters) and a set of json_event_value objects (for set comparisons) as m_evalues. Values on the right hand side of the expression are held as a set m_values. json_event_filter_check::compare now supports IN/INTERSECTS as set comparisons. It also supports PMATCH using path_prefix_search objects, which simplifies checks like ka.req.pod.volumes.hostpath--now they can be expressed as "ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root)" instead of "ka.req.volume.hostpath[/proc]=true or ka.req.volume.hostpath[/root]=true or ...". Define ~10 new filtercheck fields that extract pod properties like hostIpc, readOnlyRootFilesystem, etc. that are relevant for PSP validation. As a part of these changes, also clarify the names of filter fields related to pods to always have a .pod in the name. Furthermore, fields dealing with containers in a pod always have a .pod.containers prefix in the name. Finally, change the comparisons for existing k8s audit rules to use "intersects" and/or "in" when appropriate instead of a single equality comparison. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-07-07 11:49:07 +00:00 · 2019-09-09 16:02:12 -07:00 · 2019-09-09 16:02:12 -07:00 · 154dd18c8f
commit 154dd18c8f
parent b6fec781b7
4 changed files with 942 additions and 339 deletions
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@ -55,7 +55,7 @@
 # your environment. In this main falco rules file, there isn't any way
 # to know all the containers that can run, so any container is
 # allowed, by using the always_true macro. In the overridden macro, the condition
-# would look something like (ka.req.container.image.repository=my-repo/my-image)
+# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))
 - macro: allowed_k8s_containers
  condition: (k8s_audit_always_true)

@ -108,7 +108,7 @@
  desc: >
    Detect an attempt to start a pod with a container image outside of a list of allowed images.
  condition: kevt and pod and kcreate and not allowed_k8s_containers
-  output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
+  output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
@ -116,26 +116,22 @@
 - rule: Create Privileged Pod
  desc: >
    Detect an attempt to start a pod with a privileged container
-  condition: kevt and pod and kcreate and ka.req.container.privileged=true and not ka.req.container.image.repository in (falco_privileged_images)
-  output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
+  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
+  output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]

 - macro: sensitive_vol_mount
  condition: >
-    (ka.req.volume.hostpath[/proc*]=true or
-     ka.req.volume.hostpath[/var/run/docker.sock]=true or
-     ka.req.volume.hostpath[/]=true or
-     ka.req.volume.hostpath[/etc]=true or
-     ka.req.volume.hostpath[/root*]=true)
+    (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root))

 - rule: Create Sensitive Mount Pod
  desc: >
    Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
    Exceptions are made for known trusted images.
-  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.container.image.repository in (falco_sensitive_mount_images)
-  output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image mounts=%jevt.value[/requestObject/spec/volumes])
+  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
+  output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
@ -143,8 +139,8 @@
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
  desc: Detect an attempt to start a pod using the host network.
-  condition: kevt and pod and kcreate and ka.req.container.host_network=true and not ka.req.container.image.repository in (falco_hostnetwork_images)
-  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
+  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
+  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
@ -220,7 +216,7 @@
 - rule: Pod Created in Kube Namespace
  desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
-  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
+  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
@ -257,7 +253,7 @@

 - rule: ClusterRole With Wildcard Created
  desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
-  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources contains '"*"' or ka.req.role.rules.verbs contains '"*"')
+  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
  output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
  priority: WARNING
  source: k8s_audit
@ -265,11 +261,7 @@

 - macro: writable_verbs
  condition: >
-    (ka.req.role.rules.verbs contains create or
-     ka.req.role.rules.verbs contains update or
-     ka.req.role.rules.verbs contains patch or
-     ka.req.role.rules.verbs contains delete or
-     ka.req.role.rules.verbs contains deletecollection)
+    (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))

 - rule: ClusterRole With Write Privileges Created
  desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
@ -281,7 +273,7 @@

 - rule: ClusterRole With Pod Exec Created
  desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
-  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources contains "pods/exec"
+  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
  output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
  priority: WARNING
  source: k8s_audit
@ -395,7 +387,7 @@
 - rule: K8s Role/Clusterrolebinding Created
  desc: Detect any attempt to create a clusterrolebinding
  condition: (kactivity and kcreate and clusterrolebinding and response_successful)
-  output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason foo=%ka.req.binding.subject.has_name[cluster-admin])
+  output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]
--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
@ -16,9 +16,9 @@ limitations under the License.

 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (4)
+#define FALCO_ENGINE_VERSION (5)

 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used
 // at build time to detect a changed set of fields.
-#define FALCO_FIELDS_CHECKSUM "ceb069d9f9b2d4ebcc5de39bddc53b7af2e6b8f072edc293668fd6ac4e532413"
+#define FALCO_FIELDS_CHECKSUM "163684ddd69fd0d2ec8a3d246e6901c84e995ae1ba29d105853b1fb12c3e1bbb"
--- a/userspace/engine/json_evt.cpp
+++ b/userspace/engine/json_evt.cpp
--- a/userspace/engine/json_evt.h
+++ b/userspace/engine/json_evt.h
@ -26,6 +26,7 @@ limitations under the License.

 #include <nlohmann/json.hpp>

+#include "prefix_search.h"
 #include "gen_filter.h"

 class json_event : public gen_event
@ -56,9 +57,59 @@ protected:
 	uint64_t m_event_ts;
 };

+// A class representing an extracted value or a value on the rhs of a
+// filter_check. This intentionally doesn't use the same types as
+// ppm_events_public.h to take advantage of actual classes instead of
+// lower-level pointers pointing to syscall events and to allow for
+// efficient set comparisons.
+
+class json_event_value
+{
+public:
+	enum param_type {
+		JT_STRING,
+		JT_INT64,
+		JT_INT64_PAIR
+	};
+
+	json_event_value();
+	json_event_value(const std::string &val);
+	json_event_value(int64_t val);
+	virtual ~json_event_value();
+
+	param_type ptype() const;
+
+	std::string as_string() const;
+
+	bool operator==(const json_event_value &val) const;
+	bool operator!=(const json_event_value &val) const;
+	bool operator<(const json_event_value &val) const;
+	bool operator>(const json_event_value &val) const;
+
+	// Only meaningful for string types
+	bool startswith(const json_event_value &val) const;
+	bool contains(const json_event_value &val) const;
+
+private:
+	param_type m_type;
+
+	static bool parse_as_pair_int64(std::pair<int64_t,int64_t> &pairval, const std::string &val);
+	static bool parse_as_int64(int64_t &intval, const std::string &val);
+
+	// The number of possible types is small so far, so sticking
+	// with separate vars
+
+	std::string m_stringval;
+	int64_t m_intval;
+	std::pair<int64_t,int64_t> m_pairval;
+};
+
 class json_event_filter_check : public gen_event_filter_check
 {
 public:
+
+	static std::string no_value;
+
 	enum index_mode
 	{
 		IDX_REQUIRED,
@ -66,12 +117,16 @@ public:
 		IDX_NONE
 	};

+	static std::vector<std::string> s_index_mode_strs;
+
 	enum index_type
 	{
 		IDX_KEY,
 		IDX_NUMERIC
 	};

+	static std::vector<std::string> s_index_type_strs;
+
 	// A struct describing a single filtercheck field ("ka.user")
 	struct field_info
 	{
@ -80,6 +135,9 @@ public:

 		index_mode m_idx_mode;
 		index_type m_idx_type;
+
+		bool m_uses_paths;
+
 		// The variants allow for brace-initialization either
 		// with just the name/desc or additionally with index
 		// information
@ -87,6 +145,7 @@ public:
 		field_info(std::string name, std::string desc);
 		field_info(std::string name, std::string desc, index_mode mode);
 		field_info(std::string name, std::string desc, index_mode mode, index_type itype);
+		field_info(std::string name, std::string desc, index_mode mode, index_type itype, bool uses_paths);
 		virtual ~field_info();
 	};

@ -95,6 +154,7 @@ public:
 	{
 		std::string m_name;
 		std::string m_desc;
+		std::string m_class_info;

 		std::list<field_info> m_fields;
 	};
@ -105,10 +165,9 @@ public:
 	virtual int32_t parse_field_name(const char *str, bool alloc_state, bool needed_for_filtering);
 	void add_filter_value(const char *str, uint32_t len, uint32_t i = 0);
 	bool compare(gen_event *evt);
-	virtual uint8_t *extract(gen_event *evt, uint32_t *len, bool sanitize_strings = true);

-	// Simpler version that returns a string
-	std::string extract(json_event *evt);
+	// This always returns a const extracted_values_t *. The pointer points to m_evalues;
+	uint8_t* extract(gen_event *evt, uint32_t* len, bool sanitize_strings = true) final;

 	const std::string &field();
 	const std::string &idx();
@ -124,8 +183,21 @@ public:
 	//
 	virtual json_event_filter_check *allocate_new() = 0;

+	// Subclasses or extraction functions can call this method to add each extracted value.
+	void add_extracted_value(const std::string &val);
+	void add_extracted_value_num(int64_t val);
+
+	// After calling extract, you can call extracted_values to get
+	// the values extracted from an event.
+	typedef std::vector<json_event_value> values_t;
+	const values_t &extracted_values();
+
 protected:
-	static std::string def_format(const nlohmann::json &j, std::string &field, std::string &idx);
+
+	// Subclasses can override this method, calling
+	// add_extracted_value to add extracted values.
+	virtual bool extract_values(json_event *jevt);
+
 	static std::string json_as_string(const nlohmann::json &j);

 	// Subclasses can define field names that act as aliases for
@ -133,28 +205,34 @@ protected:
 	// jevt.value[/user/username]. This struct represents one of
 	// those aliases.

-	typedef std::function<std::string(const nlohmann::json &, std::string &field, std::string &idx)> format_t;
+	// An alias might define an alternative function to extract
+	// values instead of using a json pointer. An example is
+	// ka.uri.param, which parses the query string to extract
+	// key=value parameters.
+	typedef std::function<bool (const nlohmann::json &, json_event_filter_check &jchk)> extract_t;

 	struct alias
 	{
 		// The variants allow for brace-initialization either
-		// with just the pointer or with both the pointer and
-		// a format function.
+		// with just the pointer list or with a custom
+		// extraction function.
 		alias();
-		alias(nlohmann::json::json_pointer ptr);
-		alias(nlohmann::json::json_pointer ptr, format_t format);
+	        alias(std::list<nlohmann::json::json_pointer> ptrs);
+	        alias(extract_t extract);
+
 		virtual ~alias();

 		// A json pointer used to extract a referenced value
-		// from a json object.
-		nlohmann::json::json_pointer m_jptr;
+		// from a json object. The pointers are applied in
+		// order. After applying a pointer, if the resulting
+		// object is an array, each array member is considered
+		// for subsequent json pointers.
+		//
+		// This allows for "plucking" items out of an array
+		// selected by an earlier json pointer.
+		std::list<nlohmann::json::json_pointer> m_jptrs;

-		// A function that given the referenced value selected
-		// above, formats and returns the appropriate string. This
-		// function might do further selection (e.g. array
-		// indexing, searches, etc.) or string reformatting to
-		// trim unnecessary parts of the value.
-		format_t m_format;
+		extract_t m_extract;
 	};

 	// This map defines the aliases defined by this filter check
@ -173,17 +251,39 @@ protected:
 	// e.g. ka.value[idx]. This holds the index.
 	std::string m_idx;

-	// The actual json pointer value to use to extract from events.
-	nlohmann::json::json_pointer m_jptr;
-
-	// Temporary storage to hold extracted value
-	std::string m_tstr;
-
-	// Reformatting function
-	format_t m_format;
-
 private:
-	std::vector<std::string> m_values;
+	typedef std::set<json_event_value> values_set_t;
+	typedef std::pair<values_t, values_set_t> extracted_values_t;
+
+	// The default extraction function uses the list of pointers
+	// in m_jptrs. Iterates over array elements between pointers if
+	// found.
+	bool def_extract(const nlohmann::json &j,
+			 const std::list<nlohmann::json::json_pointer> &ptrs,
+			 std::list<nlohmann::json::json_pointer>::iterator it);
+
+	// The actual json pointer value to use to extract from
+	// events. See alias struct for usage.
+	std::list<nlohmann::json::json_pointer> m_jptrs;
+
+	// Theextraction function to use. May not be defined, in which
+	// case the default function is used.
+	extract_t m_extract;
+
+	// All values specified on the right hand side of the operator
+	// e.g. "ka.ns in ("one","two","three"), m_values has ("one",
+	// "two", "three")
+	values_set_t m_values;
+
+	// All values extracted from the object by the field e.g. for
+	// a field ka.req.container.image returns all container images
+	// for all pods within a request.
+	extracted_values_t m_evalues;
+
+	// If true, this filtercheck works on paths, which enables
+	// some extra bookkeeping to allow for path prefix searches.
+	bool m_uses_paths;
+	path_prefix_search m_prefix_search;
 };

 class jevt_filter_check : public json_event_filter_check
@ -192,13 +292,20 @@ public:
 	jevt_filter_check();
 	virtual ~jevt_filter_check();

-	int32_t parse_field_name(const char *str, bool alloc_state, bool needed_for_filtering);
-
-	virtual uint8_t *extract(gen_event *evt, uint32_t *len, bool sanitize_strings = true);
+        int32_t parse_field_name(const char* str, bool alloc_state, bool needed_for_filtering) final;

 	json_event_filter_check *allocate_new();

+protected:
+
+	bool extract_values(json_event *jevt) final;
+
 private:
+
+	// When the field is jevt_value, a json pointer representing
+	// the index in m_idx
+	nlohmann::json::json_pointer m_idx_ptr;
+
 	static std::string s_jevt_time_field;
 	static std::string s_jevt_time_iso_8601_field;
 	static std::string s_jevt_rawtime_field;
@ -214,30 +321,30 @@ public:

 	json_event_filter_check *allocate_new();

-	// Index to the appropriate container and/or remove any repo,
-	// port, and tag from the provided image name.
-	static std::string index_image(const nlohmann::json &j, std::string &field, std::string &idx);
+	// Extract all images/image repositories from the provided containers
+	static bool extract_images(const nlohmann::json &j,
+				   json_event_filter_check &jchk);

-	// Extract the value of the provided query parameter
-	static std::string index_query_param(const nlohmann::json &j, std::string &field, std::string &idx);
+	// Extract all query parameters
+	static bool extract_query_param(const nlohmann::json &j,
+					json_event_filter_check &jchk);

-	// Return true if an object in the provided array has a name property with idx as value
-	static std::string index_has_name(const nlohmann::json &j, std::string &field, std::string &idx);
+	// Extract some property from the set of rules in the request object
+	static bool extract_rule_attrs(const nlohmann::json &j,
+				       json_event_filter_check &jchk);

-	// Return whether the ith container (or any container, if an
-	// index is not specified) is run privileged.
-	static std::string index_privileged(const nlohmann::json &j, std::string &field, std::string &idx);
+	// Extract the volume types from volumes in the request object
+	static bool extract_volume_types(const nlohmann::json &j,
+					 json_event_filter_check &jchk);

-	// Return whether or not a hostpath mount exists matching the provided index.
-	static std::string check_hostpath_vols(const nlohmann::json &j, std::string &field, std::string &idx);
+	// Extract all hostPort values from containers in the request object
+	static bool extract_host_port(const nlohmann::json &j,
+				      json_event_filter_check &jchk);

-	// Index to the ith value from the provided array. If no index is provided, return the entire array as a string.
-	static std::string index_generic(const nlohmann::json &j, std::string &field, std::string &idx);
-
-	// Index to the ith value from the provided array, and select
-	// the property which is the last component of the provided
-	// field.
-	static std::string index_select(const nlohmann::json &j, std::string &field, std::string &idx);
+	// Using both the pod and container security contexts, extract
+	// the uid/gid that will be used for each container.
+	static bool extract_effective_run_as(const nlohmann::json &j,
+					     json_event_filter_check &jchk);
 };

 class json_event_filter : public gen_event_filter