github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-14 15:04:37 +00:00
Code Issues Projects Releases Wiki Activity

Rule updates 2019.02.v1 (#551)

Browse Source 
* Let cassandra write to /root/.cassandra

* Add kubelet/kops to allowed_k8s_users
This commit is contained in:
Mark Stemm 2019-03-08 19:23:18 -08:00 committed by GitHub
parent 5740186280
commit 28622e6fdc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/falco_rules.yaml
View File

@ -709,6 +709,12 @@
- macro: kubectl_writing_state - macro: kubectl_writing_state
condition: (proc.name=kubectl and fd.name startswith /root/.kube) condition: (proc.name=kubectl and fd.name startswith /root/.kube)
- macro: java_running_cassandra
condition: (proc.name=java and proc.cmdline contains "cassandra.jar")
- macro: cassandra_writing_state
condition: (java_running_cassandra and fd.directory=/root/.cassandra)
- rule: Write below binary dir - rule: Write below binary dir
desc: an attempt to write to any file below a set of binary directories desc: an attempt to write to any file below a set of binary directories
condition: > condition: >
@ -1047,6 +1053,7 @@
and not maven_writing_groovy and not maven_writing_groovy
and not chef_writing_conf and not chef_writing_conf
and not kubectl_writing_state and not kubectl_writing_state
and not cassandra_writing_state
and not known_root_conditions and not known_root_conditions
output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)" output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
priority: ERROR priority: ERROR

2
rules/k8s_audit_rules.yaml
View File

@ -34,7 +34,7 @@
# If you wish to restrict activity to a specific set of users, override/append to this list. # If you wish to restrict activity to a specific set of users, override/append to this list.
- list: allowed_k8s_users - list: allowed_k8s_users
items: ["minikube", "minikube-user"] items: ["minikube", "minikube-user", "kubelet", "kops"]
- rule: Disallowed K8s User - rule: Disallowed K8s User
desc: Detect any k8s operation by users outside of an allowed set of users. desc: Detect any k8s operation by users outside of an allowed set of users.