Rule updates 2019.02.v1 (#551)

* Let cassandra write to /root/.cassandra * Add kubelet/kops to allowed_k8s_users
2025-07-13 06:24:29 +00:00 · 2019-03-08 19:23:18 -08:00 · 2019-03-08 19:23:18 -08:00 · 28622e6fdc
commit 28622e6fdc
parent 5740186280
2 changed files with 8 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -709,6 +709,12 @@
 - macro: kubectl_writing_state
  condition: (proc.name=kubectl and fd.name startswith /root/.kube)

+- macro: java_running_cassandra
+  condition: (proc.name=java and proc.cmdline contains "cassandra.jar")
+
+- macro: cassandra_writing_state
+  condition: (java_running_cassandra and fd.directory=/root/.cassandra)
+
 - rule: Write below binary dir
  desc: an attempt to write to any file below a set of binary directories
  condition: >
@ -1047,6 +1053,7 @@
    and not maven_writing_groovy
    and not chef_writing_conf
    and not kubectl_writing_state
+    and not cassandra_writing_state
    and not known_root_conditions
  output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
  priority: ERROR
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@ -34,7 +34,7 @@

 # If you wish to restrict activity to a specific set of users, override/append to this list.
 - list: allowed_k8s_users
-  items: ["minikube", "minikube-user"]
+  items: ["minikube", "minikube-user", "kubelet", "kops"]

 - rule: Disallowed K8s User
  desc: Detect any k8s operation by users outside of an allowed set of users.