From 50832c7990254857915258b89e602a7e8129ca44 Mon Sep 17 00:00:00 2001
From: kaizhe
Date: Mon, 10 Aug 2020 14:30:59 -0700
Subject: [PATCH] remove non-oss images in the whitelist
Signed-off-by: kaizhe
---
rules/falco_rules.yaml | 30 +++++++++++------------------
1 file changed, 11 insertions(+), 19 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 574437eb..164222d2 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1459,7 +1459,7 @@ condition: cmp_cp_by_passwd - list: read_sensitive_file_images - items: [sysdig/agent, sysdig/agent-slim, docker.io/sysdig/agent, docker.io/sysdig/agent-slim] + items: [] - macro: user_read_sensitive_file_containers condition: (container and container.image.repository in read_sensitive_file_images)
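Review bot: Nothing in this hunk documents that `read_sensitive_file_images` is now intentionally empty and is the hook for users to re-add images from a local rules file; the sysdig agent images dropped here were presumably exceptions for a sensitive-file-read rule, so deployments running those images will start producing alerts after this upgrade. I would add a comment above the list such as `# Intentionally empty; add images that may legitimately read sensitive files in a local rules file (append: true).` The consuming macro `user_read_sensitive_file_containers` is unchanged, so its `in` expression is now evaluated against an empty list, which is worth confirming against the target Falco version's list handling. The rule that uses this macro lies outside the hunk.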
@@ -1831,24 +1831,19 @@ # In this file, it just takes one of the images in trusted_containers # and repeats it. - macro: user_trusted_containers - condition: (container.image.repository=docker.io/sysdig/agent) + condition: (never_true) - list: sematext_images - items: [docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent, - registry.access.redhat.com/sematext/sematext-agent-docker, - registry.access.redhat.com/sematext/agent, - registry.access.redhat.com/sematext/logagent] + items: [] # These container images are allowed to run with --privileged - list: falco_privileged_images items: [ - docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig, - docker.io/sysdig/agent-slim, docker.io/sysdig/node-image-analyzer, + docker.io/sysdig/falco, docker.io/sysdig/sysdig, gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node, docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave, docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy, - docker.io/falcosecurity/falco, sysdig/agent, sysdig/falco, sysdig/sysdig, sysdig/agent-slim, - falcosecurity/falco, sysdig/node-image-analyzer + docker.io/falcosecurity/falco, sysdig/falco, sysdig/sysdig, falcosecurity/falco ] - macro: falco_privileged_containers
@@ -1866,7 +1861,7 @@ # In this file, it just takes one of the images in falco_privileged_images # and repeats it. - macro: user_privileged_containers - condition: (container.image.repository=docker.io/sysdig/agent) + condition: (never_true) - list: rancher_images items: [
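Review bot: The two comment lines at the top of this hunk, `# In this file, it just takes one of the images in trusted_containers` / `# and repeats it.`, are now stale, because `user_trusted_containers` no longer names an image but is `(never_true)`; the same stale wording precedes `user_privileged_containers` in the `@@ -1866,7` hunk and `user_sensitive_mount_containers` in the `@@ -1905,7` hunk. I would replace each pair with a comment such as `# In this file the macro matches nothing; override it in a local rules file to trust specific images.` The `sematext_images` name left inside `falco_privileged_images` now expands to an empty list; if it is being kept as an extension point for local rules, a one-line comment saying so would spare the next reader a lookup. This assumes `never_true` is defined elsewhere in this file, which the hunk does not show.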
@@ -1878,8 +1873,7 @@ # host filesystem. - list: falco_sensitive_mount_images items: [ - docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig, docker.io/sysdig/agent-slim, - sysdig/agent, sysdig/falco, sysdig/sysdig, sysdig/agent-slim, + docker.io/sysdig/falco, docker.io/sysdig/sysdig, sysdig/falco, sysdig/sysdig, gcr.io/google_containers/hyperkube, gcr.io/google_containers/kube-proxy, docker.io/calico/node, docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
@@ -1905,7 +1899,7 @@ # In this file, it just takes one of the images in falco_sensitive_mount_images # and repeats it. - macro: user_sensitive_mount_containers - condition: (container.image.repository = docker.io/sysdig/agent) + condition: (never_true) - rule: Launch Privileged Container desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
@@ -2364,9 +2358,9 @@ - macro: k8s_containers condition: > (container.image.repository in (gcr.io/google_containers/hyperkube-amd64, - gcr.io/google_containers/kube2sky, docker.io/sysdig/agent, docker.io/sysdig/agent-slim, docker.io/sysdig/falco, + gcr.io/google_containers/kube2sky, docker.io/sysdig/falco, docker.io/sysdig/sysdig, docker.io/falcosecurity/falco, - sysdig/agent, sysdig/agent-slim, sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system")) + sysdig/falco, sysdig/sysdig, falcosecurity/falco) or (k8s.ns.name = "kube-system")) - macro: k8s_api_server condition: (fd.sip.name="kubernetes.default.svc.cluster.local")
@@ -2772,9 +2766,7 @@ condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other))) - macro: trusted_images_query_miner_domain_dns - condition: (container.image.repository in (docker.io/sysdig/agent, - docker.io/sysdig/agent-slim, docker.io/falcosecurity/falco, - sysdig/agent, sysdig/agent-slim, falcosecurity/falco)) + condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco)) append: false # The rule is disabled by default.