macro(user_read_sensitive_file_containers): replace endswiths with exact image repo name

macro(user_trusted_containers): replace endswiths with exact image repo name
macro(user_privileged_containers): replace endswiths with exact image repo name
macro(trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name
macro(falco_privileged_containers): append "/" to quay.io/sysdig
list(falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer
list(falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim
list(k8s_containers): prepend docker.io to images

Signed-off-by: kaizhe <derek0405@gmail.com>
kaizhe 2020-08-07 12:25:29 -07:00 committed by poiana
parent 938ece8f4e
commit 3e98c2efc0


@ -1459,9 +1459,7 @@
condition: cmp_cp_by_passwd condition: cmp_cp_by_passwd
- macro: user_read_sensitive_file_containers - macro: user_read_sensitive_file_containers
condition: (container and condition: (container and container.image.repository in (docker.io/sysdig/agent, docker.io/sysdig/agent-slim))
(container.image.repository endswith "sysdig/agent") or
(container.image.repository endswith "sysdig/agent-slim"))
- rule: Read sensitive file untrusted - rule: Read sensitive file untrusted
desc: > desc: >
@ -1830,9 +1828,7 @@
# In this file, it just takes one of the images in trusted_containers # In this file, it just takes one of the images in trusted_containers
# and repeats it. # and repeats it.
- macro: user_trusted_containers - macro: user_trusted_containers
condition: (container.image.repository endswith sysdig/agent or condition: (container.image.repository=docker.io/sysdig/agent)
container.image.repository endswith sysdig/agent-slim or
container.image.repository endswith sysdig/node-image-analyzer)
- list: sematext_images - list: sematext_images
items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent, items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent,
@ -1844,6 +1840,7 @@
- list: falco_privileged_images - list: falco_privileged_images
items: [ items: [
docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig, docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
docker.io/sysdig/agent-slim, docker.io/sysdig/node-image-analyzer,
gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node, gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave, docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy, docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy,
@ -1856,7 +1853,7 @@
container.image.repository in (trusted_images) or container.image.repository in (trusted_images) or
container.image.repository in (falco_privileged_images) or container.image.repository in (falco_privileged_images) or
container.image.repository startswith istio/proxy_ or container.image.repository startswith istio/proxy_ or
container.image.repository startswith quay.io/sysdig) container.image.repository startswith quay.io/sysdig/)
# Add conditions to this macro (probably in a separate file, # Add conditions to this macro (probably in a separate file,
# overwriting this macro) to specify additional containers that are # overwriting this macro) to specify additional containers that are
@ -1865,7 +1862,7 @@
# In this file, it just takes one of the images in falco_privileged_images # In this file, it just takes one of the images in falco_privileged_images
# and repeats it. # and repeats it.
- macro: user_privileged_containers - macro: user_privileged_containers
condition: (container.image.repository endswith sysdig/agent) condition: (container.image.repository=docker.io/sysdig/agent)
- list: rancher_images - list: rancher_images
items: [ items: [
@ -1877,7 +1874,7 @@
# host filesystem. # host filesystem.
- list: falco_sensitive_mount_images - list: falco_sensitive_mount_images
items: [ items: [
docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig, docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig, docker.io/sysdig/agent-slim,
gcr.io/google_containers/hyperkube, gcr.io/google_containers/hyperkube,
gcr.io/google_containers/kube-proxy, docker.io/calico/node, gcr.io/google_containers/kube-proxy, docker.io/calico/node,
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul, docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
@ -2362,8 +2359,8 @@
- macro: k8s_containers - macro: k8s_containers
condition: > condition: >
(container.image.repository in (gcr.io/google_containers/hyperkube-amd64, (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
gcr.io/google_containers/kube2sky, sysdig/agent, sysdig/falco, gcr.io/google_containers/kube2sky, docker.io/sysdig/agent, docker.io/sysdig/agent-slim, docker.io/sysdig/falco,
sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system")) docker.io/sysdig/sysdig, docker.io/falcosecurity/falco) or (k8s.ns.name = "kube-system"))
- macro: k8s_api_server - macro: k8s_api_server
condition: (fd.sip.name="kubernetes.default.svc.cluster.local") condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
@ -2769,7 +2766,7 @@
condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other))) condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
- macro: trusted_images_query_miner_domain_dns - macro: trusted_images_query_miner_domain_dns
condition: (container.image.repository endswith "sysdig/agent" or container.image.repository endswith "falcosecurity/falco") condition: (container.image.repository in (docker.io/sysdig/agent, docker.io/sysdig/agent-slim, docker.io/falcosecurity/falco))
append: false append: false
# The rule is disabled by default. # The rule is disabled by default.
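Review bot: The rewrite of user_trusted_containers in the @ -1830 hunk narrows the macro to `docker.io/sysdig/agent` alone and drops sysdig/agent-slim and sysdig/node-image-analyzer, although the message describes the change only as replacing endswith with exact repository names; if those two images still need to be trusted through this macro, the line should read `condition: (container.image.repository in (docker.io/sysdig/agent, docker.io/sysdig/agent-slim, docker.io/sysdig/node-image-analyzer))`, otherwise the commit message should state that they were intentionally removed (they are added to falco_privileged_images in the @ -1844 hunk, which is a separate allowlist). The remaining prefix matches in the @ -1856 hunk (`startswith istio/proxy_` and the new `startswith quay.io/sysdig/`) keep the looser semantics this commit removes elsewhere; `istio/proxy_` in particular carries no registry, so it is worth confirming it still matches once repository names are registry-qualified as the other edits assume. A short comment on the exact-match lists, e.g. `# keep entries fully qualified (registry/org/name): a suffix match such as endswith "sysdig/agent" would also accept <OTHER-ORG>/sysdig/agent`, would record why the lists must stay fully qualified for the next person who adds an image.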