From 2d962dfcb070151b8b8ee196d70ea522a92cbae7 Mon Sep 17 00:00:00 2001
From: ismail yenigul
Date: Mon, 15 Feb 2021 23:26:35 +0300
Subject: [PATCH] rebase to master update user_known_sa_list with k8s internal sa in kube-system
{ "output": "10:27:56.539783936: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=replicaset-controller ns=kube-system)", "priority": "Warning", "rule": "Service Account Created in Kube Namespace", "time": "2021-02-15T10:27:56.539783936Z", "output_fields": { "jevt.time": "10:27:56.539783936", "ka.target.name": "replicaset-controller", "ka.target.namespace": "kube-system", "ka.user.name": "system:kube-controller-manager" } }
{ "output": "17:06:18.267429888: Warning Service account created in kube namespace (user=system:kube-controller-manager serviceaccount=deployment-controller ns=kube-system)", "priority": "Warning", "rule": "Service Account Created in Kube Namespace", "time": "2021-02-15T17:06:18.267429888Z", "output_fields": { "jevt.time": "17:06:18.267429888", "ka.target.name": "deployment-controller", "ka.target.namespace": "kube-system", "ka.user.name": "system:kube-controller-manager" } }
and more..
Signed-off-by: ismail yenigul
---
 rules/falco_rules.yaml | 27 +++++++++++++++++++++++++--
 rules/k8s_audit_rules.yaml | 5 +++--
 2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2af20084..279b7b56 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1537,6 +1537,7 @@
 - [[rancher-bridge], "rancher/network-manager"]
 - [[calico-node], "calico/node"]
 - [[scope], "weaveworks/scope"]
+ - [[system-probe], "datadog/agent"]
 output: >
 Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
 parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
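Review bot: The new exception pair `[[system-probe], "datadog/agent"]` matches only a repository ending in `datadog/agent`, while the `@@ -1780` hunk of this same commit allows `gcr.io/datadoghq/agent` for sensitive mounts; if the comparator declared for the image field (above this hunk, outside it) is `endswith`, a `system-probe` started from that registry still raises the setns rule. Adding a second pair, `- [[system-probe], "datadoghq/agent"]`, or naming one fully-qualified repository in both places keeps the two allowances consistent. The `exceptions` entry these values belong to begins before the hunk.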
@@ -1724,6 +1725,24 @@
 container.image.repository endswith /prometheus-node-exporter or
 container.image.repository endswith /image-inspector))
 
+#602401143452.dkr.ecr is official AWS EKS registry. AWS has different ECR repo per region
+#602401143452.dkr.ecr.eu-west-1.amazonaws.com/eks/kube-proxy
+#602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/kube-proxy
+#For this reason we use two macro to match all regions
+- macro: allowed_aws_eks_registry_root
+ condition: >
+ (container.image.repository startswith "602401143452.dkr.ecr")
+
+- macro: aws_eks_image
+ condition: >
+ (allowed_aws_eks_registry_root and
+ (container.image.repository endswith ".amazonaws.com/amazon-k8s-cni" or
+ container.image.repository endswith ".amazonaws.com/eks/kube-proxy"))
+- macro: aws_eks_image_sensitive_mount
+ condition: >
+ (allowed_aws_eks_registry_root and container.image.repository endswith ".amazonaws.com/amazon-k8s-cni")
+
+
 # These images are allowed both to run with --privileged and to mount
 # sensitive paths from the host filesystem.
 #
@@ -1780,7 +1799,7 @@
 docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul, docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout, docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
- amazon/amazon-ecs-agent
+ amazon/amazon-ecs-agent, prom/node-exporter, gcr.io/datadoghq/agent, amazon/cloudwatch-agent
 ]
 
 # These container images are allowed to run with hostnetwork=true
@@ -1811,6 +1830,7 @@
 container_started and container
 and container.privileged=true
 and not openshift_image
+ and not aws_eks_image
 exceptions:
 - name: image_repo
 fields: container.image.repository
@@ -1865,6 +1885,7 @@
 container_started and container
 and sensitive_mount
 and not user_sensitive_mount_containers
+ and not aws_eks_image_sensitive_mount
 exceptions:
 - name: image_repo
 fields: container.image.repository
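Review bot: `allowed_aws_eks_registry_root` pins only the leading account prefix of the repository string and the two image macros only its tail, so everything between `602401143452.dkr.ecr` and `.amazonaws.com/...` is unchecked; at minimum the prefix should carry the trailing dot, `(container.image.repository startswith "602401143452.dkr.ecr.")`, so that a host that merely begins with the account id does not qualify. The header comment also says "two macro" while the hunk defines three, and a later maintainer would want the rationale spelled out: `# 602401143452 is the AWS-owned account that publishes EKS add-on images; the ECR host is per region, so the macros anchor the account prefix and the image path rather than a full host name.` A blank line between `aws_eks_image` and `aws_eks_image_sensitive_mount` would match the two blank lines that follow the latter.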
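Review bot: `prom/node-exporter` is appended right after the existing `docker.io/prom/node-exporter` in the same list, and `gcr.io/datadoghq/agent` joins `docker.io/datadog/agent`; list entries are compared as whole strings wherever the list is used with `in`, so the unqualified and qualified spellings are distinct entries, and nothing in the hunk records when the runtime reports which form. A comment on the list, `# unqualified names cover runtimes that report the repository without a registry host`, or the matching unqualified pair for `datadoghq/agent`, would make the intent clear. The `items:` header of this list starts before the hunk.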
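Review bot: `and not aws_eks_image` is added directly to the rule condition although the rule already ends in an `image_repo` exception (visible at the bottom of the hunk), so a reader will wonder why the image was not simply listed there; the condition itself begins before the hunk. A short comment above the added line, `# EKS add-on images live under a per-region ECR host, so no exact repository can be listed in image_repo; see aws_eks_image`, records the reason. The same applies to `and not aws_eks_image_sensitive_mount` in the `@@ -1865` hunk, where `user_sensitive_mount_containers` on the preceding line is the customary hook for local allowances.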
@@ -2343,7 +2364,9 @@
 (container.image.repository in (gcr.io/google_containers/hyperkube-amd64, gcr.io/google_containers/kube2sky, docker.io/sysdig/falco, docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
- sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system"))
+ sysdig/falco, sysdig/sysdig, falcosecurity/falco, fluent/fluentd-kubernetes-daemonset,
+ newrelic/infrastructure-k8s, prom/prometheus,
+ cloudability/metrics-agent) or (k8s.ns.name = "kube-system"))
 
 - macro: k8s_api_server
 condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 2af7b564..5d71043c 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -51,7 +51,8 @@
 cluster-autoscaler,
 "system:addon-manager",
 "cloud-controller-manager",
- "eks:node-manager"
+ "eks:node-manager",
+ "system:kube-controller-manager"
 ]
 
 - rule: Disallowed K8s User
@@ -346,7 +347,7 @@
 tags: [k8s]
 
 - list: user_known_sa_list
- items: []
+ items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector", "daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller"]
 
 - macro: trusted_sa
 condition: (ka.target.name in (user_known_sa_list))
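Review bot: The four repositories added to `k8s_containers` appear only in bare form (`fluent/fluentd-kubernetes-daemonset`, `newrelic/infrastructure-k8s`, `prom/prometheus`, `cloudability/metrics-agent`), whereas the existing entries list both `docker.io/sysdig/falco` and `sysdig/falco`; `in` compares whole strings, so only the form the runtime actually reports will be exempted. Add the qualified counterparts, `docker.io/fluent/fluentd-kubernetes-daemonset, docker.io/newrelic/infrastructure-k8s, docker.io/prom/prometheus, docker.io/cloudability/metrics-agent,`, or say in a comment why the bare form suffices. These are third-party agents rather than Kubernetes components, and every rule that negates `k8s_containers` (none is in this hunk) now exempts them, so the macro's users are worth naming in the commit message. The macro's `condition:` line lies before the hunk.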
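Review bot: `user_known_sa_list` follows the file's `user_` naming for the list a deployment overrides with its own service accounts, which is why it shipped as `items: []`; filling it upstream means a local override that redefines the list silently drops these controller names. Keep it empty and add a built-in list instead, e.g. `- list: known_sa_list` holding these names, with `trusted_sa` becoming `condition: (ka.target.name in (user_known_sa_list, known_sa_list))`. Matching on the name alone also trusts any creator of a service account bearing one of these names, whereas the alerts quoted in the commit message all carry `ka.user.name=system:kube-controller-manager`; tying the built-in names to that user, `(ka.user.name = "system:kube-controller-manager" and ka.target.name in (known_sa_list))`, limits the exemption to the controller that actually creates them. The "and more.." in the commit message suggests the list is partial, so a comment naming the controllers covered would help whoever extends it, and the mixed `","` / `", "` separators are worth normalizing.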