github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-17 15:28:18 +00:00
Code Issues Projects Releases Wiki Activity

new(rules/k8s_audit): add rules to detect pods sharing host pid and IPC namespaces

Browse Source 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
This commit is contained in:
Lorenzo Susini
2022-03-21 13:24:59 +00:00
committed by poiana
parent 2934ef29b9
commit 4343fe8a8b
1 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
rules/k8s_audit_rules.yaml
View File

@@ -185,6 +185,28 @@
source: k8s_audit
tags: [k8s]
- list: falco_hostpid_images
items: []
- rule: Create HostPid Pod
desc: Detect an attempt to start a pod using the host pid namespace.
condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostpid_images)
output: Pod started using host pid namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
source: k8s_audit
tags: [k8s]
- list: falco_hostipc_images
items: []
- rule: Create HostIPC Pod
desc: Detect an attempt to start a pod using the host ipc namespace.
condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostipc_images)
output: Pod started using host ipc namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
source: k8s_audit
tags: [k8s]
- macro: user_known_node_port_service
condition: (k8s_audit_never_true)