mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-06 11:26:44 +00:00
Add exceptions fields/comps/values to rules files
Take advantage of the changes to support exceptions and refactor rules to use them whenever feasible: - Define exceptions for every rule. In cases where no practical exception exists e.g. "K8s <obj> Created/Deleted", define an empty exception property just to avoid warnings when loading rules. - Go through all rules and convert macros-used-as-exceptions that matched against 2-3 filter fields into exceptions. In most cases, switching from equality (e.g proc.name=nginx) to in (e.g. proc.name in (nginx)) allowed for better groupings into a smaller set of exception items. - In cases where the exception had complex combinations of fields, keep the macro as is. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
poiana
parent
7b030727a2
commit
64a231b962
File diff suppressed because it is too large
Load Diff
@ -55,7 +55,12 @@
|
|||||||
|
|
||||||
- rule: Disallowed K8s User
|
- rule: Disallowed K8s User
|
||||||
desc: Detect any k8s operation by users outside of an allowed set of users.
|
desc: Detect any k8s operation by users outside of an allowed set of users.
|
||||||
condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
|
condition: kevt and non_system_user
|
||||||
|
exceptions:
|
||||||
|
- name: user_names
|
||||||
|
fields: ka.user.name
|
||||||
|
comps: in
|
||||||
|
values: [allowed_k8s_users]
|
||||||
output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
|
output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -122,6 +127,10 @@
|
|||||||
desc: >
|
desc: >
|
||||||
Detect an attempt to start a pod with a container image outside of a list of allowed images.
|
Detect an attempt to start a pod with a container image outside of a list of allowed images.
|
||||||
condition: kevt and pod and kcreate and not allowed_k8s_containers
|
condition: kevt and pod and kcreate and not allowed_k8s_containers
|
||||||
|
exceptions:
|
||||||
|
- name: image_repos
|
||||||
|
fields: ka.req.pod.containers.image.repository
|
||||||
|
comps: in
|
||||||
output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -130,7 +139,12 @@
|
|||||||
- rule: Create Privileged Pod
|
- rule: Create Privileged Pod
|
||||||
desc: >
|
desc: >
|
||||||
Detect an attempt to start a pod with a privileged container
|
Detect an attempt to start a pod with a privileged container
|
||||||
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
|
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true)
|
||||||
|
exceptions:
|
||||||
|
- name: image_repos
|
||||||
|
fields: ka.req.pod.containers.image.repository
|
||||||
|
comps: in
|
||||||
|
values: [falco_privileged_images]
|
||||||
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -144,7 +158,12 @@
|
|||||||
desc: >
|
desc: >
|
||||||
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
|
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
|
||||||
Exceptions are made for known trusted images.
|
Exceptions are made for known trusted images.
|
||||||
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
|
condition: kevt and pod and kcreate and sensitive_vol_mount
|
||||||
|
exceptions:
|
||||||
|
- name: image_repos
|
||||||
|
fields: ka.req.pod.containers.image.repository
|
||||||
|
comps: in
|
||||||
|
values: [falco_sensitive_mount_images]
|
||||||
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
|
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -153,7 +172,12 @@
|
|||||||
# Corresponds to K8s CIS Benchmark 1.7.4
|
# Corresponds to K8s CIS Benchmark 1.7.4
|
||||||
- rule: Create HostNetwork Pod
|
- rule: Create HostNetwork Pod
|
||||||
desc: Detect an attempt to start a pod using the host network.
|
desc: Detect an attempt to start a pod using the host network.
|
||||||
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
|
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true)
|
||||||
|
exceptions:
|
||||||
|
- name: image_repos
|
||||||
|
fields: ka.req.pod.containers.image.repository
|
||||||
|
comps: in
|
||||||
|
values: [falco_hostnetwork_images]
|
||||||
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -166,6 +190,9 @@
|
|||||||
desc: >
|
desc: >
|
||||||
Detect an attempt to start a service with a NodePort service type
|
Detect an attempt to start a service with a NodePort service type
|
||||||
condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
|
condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
|
||||||
|
exceptions:
|
||||||
|
- name: services
|
||||||
|
fields: [ka.target.namespace, ka.target.name]
|
||||||
output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
|
output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -184,6 +211,9 @@
|
|||||||
desc: >
|
desc: >
|
||||||
Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
|
Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
|
||||||
condition: kevt and configmap and kmodify and contains_private_credentials
|
condition: kevt and configmap and kmodify and contains_private_credentials
|
||||||
|
exceptions:
|
||||||
|
- name: configmaps
|
||||||
|
fields: [ka.target.namespace, ka.req.configmap.name]
|
||||||
output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
|
output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -194,6 +224,10 @@
|
|||||||
desc: >
|
desc: >
|
||||||
Detect any request made by the anonymous user that was allowed
|
Detect any request made by the anonymous user that was allowed
|
||||||
condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
|
condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
|
||||||
|
exceptions:
|
||||||
|
- name: user_names
|
||||||
|
fields: ka.user.name
|
||||||
|
comps: in
|
||||||
output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
|
output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -207,6 +241,10 @@
|
|||||||
# events to be stateful, so it could know if a container named in an
|
# events to be stateful, so it could know if a container named in an
|
||||||
# attach request was created privileged or not. For now, we have a
|
# attach request was created privileged or not. For now, we have a
|
||||||
# less severe rule that detects attaches/execs to any pod.
|
# less severe rule that detects attaches/execs to any pod.
|
||||||
|
#
|
||||||
|
# For the same reason, you can't use things like image names/prefixes,
|
||||||
|
# as the event that creates the pod (which has the images) is a
|
||||||
|
# separate event than the actual exec/attach to the pod.
|
||||||
|
|
||||||
- macro: user_known_exec_pod_activities
|
- macro: user_known_exec_pod_activities
|
||||||
condition: (k8s_audit_never_true)
|
condition: (k8s_audit_never_true)
|
||||||
@ -215,6 +253,10 @@
|
|||||||
desc: >
|
desc: >
|
||||||
Detect any attempt to attach/exec to a pod
|
Detect any attempt to attach/exec to a pod
|
||||||
condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
|
condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
|
||||||
|
exceptions:
|
||||||
|
- name: user_names
|
||||||
|
fields: ka.user.name
|
||||||
|
comps: in
|
||||||
output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
|
output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
|
||||||
priority: NOTICE
|
priority: NOTICE
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -224,10 +266,14 @@
|
|||||||
condition: (k8s_audit_never_true)
|
condition: (k8s_audit_never_true)
|
||||||
|
|
||||||
# Only works when feature gate EphemeralContainers is enabled
|
# Only works when feature gate EphemeralContainers is enabled
|
||||||
|
# Definining empty exceptions just to avoid warnings. There isn't any
|
||||||
|
# great exception for this kind of object, as you'd expect the images
|
||||||
|
# to vary wildly.
|
||||||
- rule: EphemeralContainers Created
|
- rule: EphemeralContainers Created
|
||||||
desc: >
|
desc: >
|
||||||
Detect any ephemeral container created
|
Detect any ephemeral container created
|
||||||
condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
|
condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
|
||||||
|
exceptions:
|
||||||
output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
|
output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
|
||||||
priority: NOTICE
|
priority: NOTICE
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -239,7 +285,12 @@
|
|||||||
|
|
||||||
- rule: Create Disallowed Namespace
|
- rule: Create Disallowed Namespace
|
||||||
desc: Detect any attempt to create a namespace outside of a set of known namespaces
|
desc: Detect any attempt to create a namespace outside of a set of known namespaces
|
||||||
condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
|
condition: kevt and namespace and kcreate
|
||||||
|
exceptions:
|
||||||
|
- name: services
|
||||||
|
fields: ka.target.name
|
||||||
|
comps: in
|
||||||
|
values: [allowed_namespaces]
|
||||||
output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
|
output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -279,15 +330,16 @@
|
|||||||
k8s_image_list
|
k8s_image_list
|
||||||
]
|
]
|
||||||
|
|
||||||
- macro: allowed_kube_namespace_pods
|
|
||||||
condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
|
|
||||||
ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
|
|
||||||
|
|
||||||
# Detect any new pod created in the kube-system namespace
|
# Detect any new pod created in the kube-system namespace
|
||||||
- rule: Pod Created in Kube Namespace
|
- rule: Pod Created in Kube Namespace
|
||||||
desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
|
desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
|
||||||
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
|
condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
|
||||||
output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||||
|
exceptions:
|
||||||
|
- name: images
|
||||||
|
fields: ka.req.pod.containers.image.repository
|
||||||
|
comps: in
|
||||||
|
values: [user_allowed_kube_namespace_image_list, allowed_kube_namespace_image_list]
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
tags: [k8s]
|
tags: [k8s]
|
||||||
@ -302,6 +354,9 @@
|
|||||||
- rule: Service Account Created in Kube Namespace
|
- rule: Service Account Created in Kube Namespace
|
||||||
desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
|
desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
|
||||||
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
|
condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
|
||||||
|
exceptions:
|
||||||
|
- name: accounts
|
||||||
|
fields: [ka.target.namespace, ka.target.name]
|
||||||
output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
|
output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -314,6 +369,9 @@
|
|||||||
desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
|
desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
|
||||||
condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
|
condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
|
||||||
not ka.target.name in (system:coredns, system:managed-certificate-controller)
|
not ka.target.name in (system:coredns, system:managed-certificate-controller)
|
||||||
|
exceptions:
|
||||||
|
- name: roles
|
||||||
|
fields: [ka.target.namespace, ka.target.name]
|
||||||
output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
|
output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -324,6 +382,10 @@
|
|||||||
- rule: Attach to cluster-admin Role
|
- rule: Attach to cluster-admin Role
|
||||||
desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
|
desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
|
||||||
condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
|
condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
|
||||||
|
exceptions:
|
||||||
|
- name: subjects
|
||||||
|
fields: ka.req.binding.subjects
|
||||||
|
comps: in
|
||||||
output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
|
output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -332,6 +394,10 @@
|
|||||||
- rule: ClusterRole With Wildcard Created
|
- rule: ClusterRole With Wildcard Created
|
||||||
desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
|
desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
|
||||||
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
|
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
|
||||||
|
exceptions:
|
||||||
|
- name: roles
|
||||||
|
fields: ka.target.name
|
||||||
|
comps: in
|
||||||
output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
|
output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -344,6 +410,10 @@
|
|||||||
- rule: ClusterRole With Write Privileges Created
|
- rule: ClusterRole With Write Privileges Created
|
||||||
desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
|
desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
|
||||||
condition: kevt and (role or clusterrole) and kcreate and writable_verbs
|
condition: kevt and (role or clusterrole) and kcreate and writable_verbs
|
||||||
|
exceptions:
|
||||||
|
- name: roles
|
||||||
|
fields: ka.target.name
|
||||||
|
comps: in
|
||||||
output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
|
output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
|
||||||
priority: NOTICE
|
priority: NOTICE
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -352,6 +422,10 @@
|
|||||||
- rule: ClusterRole With Pod Exec Created
|
- rule: ClusterRole With Pod Exec Created
|
||||||
desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
|
desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
|
||||||
condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
|
condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
|
||||||
|
exceptions:
|
||||||
|
- name: roles
|
||||||
|
fields: ka.target.name
|
||||||
|
comps: in
|
||||||
output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
|
output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -363,12 +437,16 @@
|
|||||||
- macro: consider_activity_events
|
- macro: consider_activity_events
|
||||||
condition: (k8s_audit_always_true)
|
condition: (k8s_audit_always_true)
|
||||||
|
|
||||||
|
# Activity events don't have exceptions. They do define an empty
|
||||||
|
# exceptions property just to avoid warnings when loading rules.
|
||||||
|
|
||||||
- macro: kactivity
|
- macro: kactivity
|
||||||
condition: (kevt and consider_activity_events)
|
condition: (kevt and consider_activity_events)
|
||||||
|
|
||||||
- rule: K8s Deployment Created
|
- rule: K8s Deployment Created
|
||||||
desc: Detect any attempt to create a deployment
|
desc: Detect any attempt to create a deployment
|
||||||
condition: (kactivity and kcreate and deployment and response_successful)
|
condition: (kactivity and kcreate and deployment and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -377,6 +455,7 @@
|
|||||||
- rule: K8s Deployment Deleted
|
- rule: K8s Deployment Deleted
|
||||||
desc: Detect any attempt to delete a deployment
|
desc: Detect any attempt to delete a deployment
|
||||||
condition: (kactivity and kdelete and deployment and response_successful)
|
condition: (kactivity and kdelete and deployment and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -385,6 +464,7 @@
|
|||||||
- rule: K8s Service Created
|
- rule: K8s Service Created
|
||||||
desc: Detect any attempt to create a service
|
desc: Detect any attempt to create a service
|
||||||
condition: (kactivity and kcreate and service and response_successful)
|
condition: (kactivity and kcreate and service and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -393,6 +473,7 @@
|
|||||||
- rule: K8s Service Deleted
|
- rule: K8s Service Deleted
|
||||||
desc: Detect any attempt to delete a service
|
desc: Detect any attempt to delete a service
|
||||||
condition: (kactivity and kdelete and service and response_successful)
|
condition: (kactivity and kdelete and service and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -401,6 +482,7 @@
|
|||||||
- rule: K8s ConfigMap Created
|
- rule: K8s ConfigMap Created
|
||||||
desc: Detect any attempt to create a configmap
|
desc: Detect any attempt to create a configmap
|
||||||
condition: (kactivity and kcreate and configmap and response_successful)
|
condition: (kactivity and kcreate and configmap and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -409,6 +491,7 @@
|
|||||||
- rule: K8s ConfigMap Deleted
|
- rule: K8s ConfigMap Deleted
|
||||||
desc: Detect any attempt to delete a configmap
|
desc: Detect any attempt to delete a configmap
|
||||||
condition: (kactivity and kdelete and configmap and response_successful)
|
condition: (kactivity and kdelete and configmap and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -417,6 +500,7 @@
|
|||||||
- rule: K8s Namespace Created
|
- rule: K8s Namespace Created
|
||||||
desc: Detect any attempt to create a namespace
|
desc: Detect any attempt to create a namespace
|
||||||
condition: (kactivity and kcreate and namespace and response_successful)
|
condition: (kactivity and kcreate and namespace and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -425,6 +509,7 @@
|
|||||||
- rule: K8s Namespace Deleted
|
- rule: K8s Namespace Deleted
|
||||||
desc: Detect any attempt to delete a namespace
|
desc: Detect any attempt to delete a namespace
|
||||||
condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
|
condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -433,6 +518,7 @@
|
|||||||
- rule: K8s Serviceaccount Created
|
- rule: K8s Serviceaccount Created
|
||||||
desc: Detect any attempt to create a service account
|
desc: Detect any attempt to create a service account
|
||||||
condition: (kactivity and kcreate and serviceaccount and response_successful)
|
condition: (kactivity and kcreate and serviceaccount and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -441,6 +527,7 @@
|
|||||||
- rule: K8s Serviceaccount Deleted
|
- rule: K8s Serviceaccount Deleted
|
||||||
desc: Detect any attempt to delete a service account
|
desc: Detect any attempt to delete a service account
|
||||||
condition: (kactivity and kdelete and serviceaccount and response_successful)
|
condition: (kactivity and kdelete and serviceaccount and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -449,6 +536,7 @@
|
|||||||
- rule: K8s Role/Clusterrole Created
|
- rule: K8s Role/Clusterrole Created
|
||||||
desc: Detect any attempt to create a cluster role/role
|
desc: Detect any attempt to create a cluster role/role
|
||||||
condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
|
condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -457,6 +545,7 @@
|
|||||||
- rule: K8s Role/Clusterrole Deleted
|
- rule: K8s Role/Clusterrole Deleted
|
||||||
desc: Detect any attempt to delete a cluster role/role
|
desc: Detect any attempt to delete a cluster role/role
|
||||||
condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
|
condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -465,6 +554,7 @@
|
|||||||
- rule: K8s Role/Clusterrolebinding Created
|
- rule: K8s Role/Clusterrolebinding Created
|
||||||
desc: Detect any attempt to create a clusterrolebinding
|
desc: Detect any attempt to create a clusterrolebinding
|
||||||
condition: (kactivity and kcreate and clusterrolebinding and response_successful)
|
condition: (kactivity and kcreate and clusterrolebinding and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -473,6 +563,7 @@
|
|||||||
- rule: K8s Role/Clusterrolebinding Deleted
|
- rule: K8s Role/Clusterrolebinding Deleted
|
||||||
desc: Detect any attempt to delete a clusterrolebinding
|
desc: Detect any attempt to delete a clusterrolebinding
|
||||||
condition: (kactivity and kdelete and clusterrolebinding and response_successful)
|
condition: (kactivity and kdelete and clusterrolebinding and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -481,6 +572,7 @@
|
|||||||
- rule: K8s Secret Created
|
- rule: K8s Secret Created
|
||||||
desc: Detect any attempt to create a secret. Service account tokens are excluded.
|
desc: Detect any attempt to create a secret. Service account tokens are excluded.
|
||||||
condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
|
condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -489,6 +581,7 @@
|
|||||||
- rule: K8s Secret Deleted
|
- rule: K8s Secret Deleted
|
||||||
desc: Detect any attempt to delete a secret Service account tokens are excluded.
|
desc: Detect any attempt to delete a secret Service account tokens are excluded.
|
||||||
condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
|
condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
|
||||||
|
exceptions:
|
||||||
output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
|
||||||
priority: INFO
|
priority: INFO
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -507,6 +600,7 @@
|
|||||||
- rule: All K8s Audit Events
|
- rule: All K8s Audit Events
|
||||||
desc: Match all K8s Audit Events
|
desc: Match all K8s Audit Events
|
||||||
condition: kall
|
condition: kall
|
||||||
|
exceptions:
|
||||||
output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
|
output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
|
||||||
priority: DEBUG
|
priority: DEBUG
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -539,6 +633,10 @@
|
|||||||
and non_system_user
|
and non_system_user
|
||||||
and ka.user.name in (full_admin_k8s_users)
|
and ka.user.name in (full_admin_k8s_users)
|
||||||
and not allowed_full_admin_users
|
and not allowed_full_admin_users
|
||||||
|
exceptions:
|
||||||
|
- name: user_names
|
||||||
|
fields: ka.user.name
|
||||||
|
comps: in
|
||||||
output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
|
output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -572,6 +670,9 @@
|
|||||||
desc: Detect any attempt to create an ingress without TLS certification.
|
desc: Detect any attempt to create an ingress without TLS certification.
|
||||||
condition: >
|
condition: >
|
||||||
(kactivity and kcreate and ingress and response_successful and not ingress_tls)
|
(kactivity and kcreate and ingress and response_successful and not ingress_tls)
|
||||||
|
exceptions:
|
||||||
|
- name: ingresses
|
||||||
|
fields: [ka.target.namespace, ka.target.name]
|
||||||
output: >
|
output: >
|
||||||
K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
|
K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
|
||||||
namespace=%ka.target.namespace)
|
namespace=%ka.target.namespace)
|
||||||
@ -602,7 +703,11 @@
|
|||||||
and kcreate
|
and kcreate
|
||||||
and response_successful
|
and response_successful
|
||||||
and not allow_all_k8s_nodes
|
and not allow_all_k8s_nodes
|
||||||
and not ka.target.name in (allowed_k8s_nodes)
|
exceptions:
|
||||||
|
- name: nodes
|
||||||
|
fields: ka.target.name
|
||||||
|
comps: in
|
||||||
|
values: [allowed_k8s_nodes]
|
||||||
output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
|
output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
|
||||||
priority: ERROR
|
priority: ERROR
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
@ -616,7 +721,11 @@
|
|||||||
and kcreate
|
and kcreate
|
||||||
and not response_successful
|
and not response_successful
|
||||||
and not allow_all_k8s_nodes
|
and not allow_all_k8s_nodes
|
||||||
and not ka.target.name in (allowed_k8s_nodes)
|
exceptions:
|
||||||
|
- name: nodes
|
||||||
|
fields: ka.target.name
|
||||||
|
comps: in
|
||||||
|
values: [allowed_k8s_nodes]
|
||||||
output: Node not in allowed list tried unsuccessfully to join the cluster (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
|
output: Node not in allowed list tried unsuccessfully to join the cluster (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
|
||||||
priority: WARNING
|
priority: WARNING
|
||||||
source: k8s_audit
|
source: k8s_audit
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user