github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-26 22:57:24 +00:00
Code Issues Projects Releases Wiki Activity

refactor: add k8saudit plugin and adapt config, tests, and rulesets

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2022-04-22 07:49:39 +00:00 committed by poiana
parent b91ff34b97
commit 67d2fe45a5
8 changed files with 197 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
cmake/modules/plugins.cmake
View File

@ -19,6 +19,18 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME)
set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
endif()
# todo(jasondellaluce): switch this to a stable version once this plugin gets
# released with a 1.0.0 required plugin api version
ExternalProject_Add(
k8saudit-plugin
URL "https://download.falco.org/plugins/dev/k8saudit-0.1.0-0.0.0-0%2Bd2cfa30-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
URL_HASH "SHA256=9de10ff23f926d98bbcccc6b25f2a8eaf7d9713041eaeb07b4838caa12fbfc94"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND "")
install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
# todo(jasondellaluce): switch this to a stable version once this plugin gets
# released with a 1.0.0 required plugin api version
ExternalProject_Add(

7
falco.yaml
View File

@ -44,6 +44,12 @@ rules_file:
# init_config/open_params for the cloudtrail plugin, see the README at
# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
plugins:
- name: k8saudit
library_path: libk8saudit.so
init_config:
maxEventBytes: 1048576
sslCertificate: /etc/falco/falco.pem
open_params: "http://:9765/k8s-audit"
- name: cloudtrail
library_path: libcloudtrail.so
init_config: ""
@ -218,7 +224,6 @@ stdout_output:
webserver:
enabled: true
listen_port: 8765
k8s_audit_endpoint: /k8s-audit
k8s_healthz_endpoint: /healthz
ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem

10
rules/k8s_audit_rules.yaml
View File

@ -1,5 +1,5 @@
#
# Copyright (C) 2019 The Falco Authors.
# Copyright (C) 2022 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@ -14,7 +14,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
- required_engine_version: 2
- required_engine_version: 11
- required_plugin_versions:
- name: k8saudit
version: 0.1.0
- name: json
version: 0.2.2
# Like always_true/always_false, but works with k8s audit events
- macro: k8s_audit_always_true

29
test/confs/plugins/k8s_audit.yaml Normal file
View File

@ -0,0 +1,29 @@
#
# Copyright (C) 2022 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
stdout_output:
enabled: true
plugins:
- name: k8saudit
library_path: BUILD_DIR/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so
init_config: ""
open_params: "" # to be filled out by each test case
- name: json
library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
init_config: ""
load_plugins: [k8saudit, json]

202
test/falco_k8s_audit_tests.yaml
View File

@ -25,7 +25,8 @@ trace_files: !mux
- ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml
detect_counts:
- Create Disallowed Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_allowed_pod:
detect: False
@ -33,7 +34,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_privileged_pod:
detect: True
@ -43,7 +45,8 @@ trace_files: !mux
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
detect_counts:
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
compat_engine_v4_create_privileged_trusted_pod:
detect: False
@ -52,14 +55,16 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
compat_engine_v4_create_unprivileged_pod:
detect: False
rules_file:
- ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_hostnetwork_pod:
detect: True
@ -69,7 +74,8 @@ trace_files: !mux
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
detect_counts:
- Create HostNetwork Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
compat_engine_v4_create_hostnetwork_trusted_pod:
detect: False
@ -78,7 +84,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
user_outside_allowed_set:
detect: True
@ -89,7 +96,8 @@ trace_files: !mux
- ./rules/k8s_audit/allow_namespace_foo.yaml
detect_counts:
- Disallowed K8s User: 1
trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
user_in_allowed_set:
detect: False
@ -99,7 +107,8 @@ trace_files: !mux
- ./rules/k8s_audit/allow_namespace_foo.yaml
- ./rules/k8s_audit/allow_user_some-user.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml
trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
create_disallowed_pod:
detect: True
@ -110,7 +119,8 @@ trace_files: !mux
- ./rules/k8s_audit/allow_only_apache_container.yaml
detect_counts:
- Create Disallowed Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_allowed_pod:
detect: False
@ -118,7 +128,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/allow_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_privileged_pod:
detect: True
@ -128,7 +139,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
create_privileged_no_secctx_1st_container_2nd_container_pod:
detect: True
@ -138,7 +150,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
create_privileged_2nd_container_pod:
detect: True
@ -148,7 +161,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
create_privileged_trusted_pod:
detect: False
@ -156,14 +170,16 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
create_unprivileged_pod:
detect: False
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_unprivileged_trusted_pod:
detect: False
@ -171,7 +187,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_sensitive_mount_pod:
detect: True
@ -181,7 +198,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Create Sensitive Mount Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
create_sensitive_mount_2nd_container_pod:
detect: True
@ -191,7 +209,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Create Sensitive Mount Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
create_sensitive_mount_trusted_pod:
detect: False
@ -199,14 +218,16 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
create_unsensitive_mount_pod:
detect: False
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
create_unsensitive_mount_trusted_pod:
detect: False
@ -214,7 +235,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
create_hostnetwork_pod:
detect: True
@ -224,7 +246,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Create HostNetwork Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
create_hostnetwork_trusted_pod:
detect: False
@ -232,14 +255,16 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
create_nohostnetwork_pod:
detect: False
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
create_nohostnetwork_trusted_pod:
detect: False
@ -247,7 +272,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
create_nodeport_service:
detect: True
@ -258,7 +284,8 @@ trace_files: !mux
- ./rules/k8s_audit/disallow_kactivity.yaml
detect_counts:
- Create NodePort Service: 1
trace_file: trace_files/k8s_audit/create_nginx_service_nodeport.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_service_nodeport.json
create_nonodeport_service:
detect: False
@ -266,7 +293,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml
trace_file: trace_files/k8s_audit/create_nginx_service_nonodeport.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_service_nonodeport.json
create_configmap_private_creds:
detect: True
@ -277,7 +305,8 @@ trace_files: !mux
- ./rules/k8s_audit/disallow_kactivity.yaml
detect_counts:
- Create/Modify Configmap With Private Credentials: 6
trace_file: trace_files/k8s_audit/create_configmap_sensitive_values.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap_sensitive_values.json
create_configmap_no_private_creds:
detect: False
@ -285,7 +314,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml
trace_file: trace_files/k8s_audit/create_configmap_no_sensitive_values.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap_no_sensitive_values.json
anonymous_user:
detect: True
@ -295,7 +325,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Anonymous Request Allowed: 1
trace_file: trace_files/k8s_audit/anonymous_creates_namespace_foo.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/anonymous_creates_namespace_foo.json
pod_exec:
detect: True
@ -305,7 +336,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Attach/Exec Pod: 1
trace_file: trace_files/k8s_audit/exec_pod.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/exec_pod.json
pod_attach:
detect: True
@ -315,7 +347,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Attach/Exec Pod: 1
trace_file: trace_files/k8s_audit/attach_pod.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/attach_pod.json
namespace_outside_allowed_set:
detect: True
@ -326,7 +359,8 @@ trace_files: !mux
- ./rules/k8s_audit/allow_user_some-user.yaml
detect_counts:
- Create Disallowed Namespace: 1
trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
namespace_in_allowed_set:
detect: False
@ -335,7 +369,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/allow_namespace_foo.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml
trace_file: trace_files/k8s_audit/minikube_creates_namespace_foo.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/minikube_creates_namespace_foo.json
create_pod_in_kube_system_namespace:
detect: True
@ -345,7 +380,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Pod Created in Kube Namespace: 1
trace_file: trace_files/k8s_audit/create_pod_kube_system_namespace.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_pod_kube_system_namespace.json
create_pod_in_kube_public_namespace:
detect: True
@ -355,7 +391,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Pod Created in Kube Namespace: 1
trace_file: trace_files/k8s_audit/create_pod_kube_public_namespace.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_pod_kube_public_namespace.json
create_serviceaccount_in_kube_system_namespace:
detect: True
@ -365,7 +402,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Service Account Created in Kube Namespace: 1
trace_file: trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
create_serviceaccount_in_kube_public_namespace:
detect: True
@ -375,7 +413,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Service Account Created in Kube Namespace: 1
trace_file: trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
system_clusterrole_deleted:
detect: True
@ -385,7 +424,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- System ClusterRole Modified/Deleted: 1
trace_file: trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
system_clusterrole_modified:
detect: True
@ -395,7 +435,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- System ClusterRole Modified/Deleted: 1
trace_file: trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
attach_cluster_admin_role:
detect: True
@ -405,7 +446,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- Attach to cluster-admin Role: 1
trace_file: trace_files/k8s_audit/attach_cluster_admin_role.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/attach_cluster_admin_role.json
create_cluster_role_wildcard_resources:
detect: True
@ -415,7 +457,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- ClusterRole With Wildcard Created: 1
trace_file: trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
create_cluster_role_wildcard_verbs:
detect: True
@ -425,7 +468,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- ClusterRole With Wildcard Created: 1
trace_file: trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
create_writable_cluster_role:
detect: True
@ -435,7 +479,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- ClusterRole With Write Privileges Created: 1
trace_file: trace_files/k8s_audit/create_cluster_role_write_privileges.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_write_privileges.json
create_pod_exec_cluster_role:
detect: True
@ -445,7 +490,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- ClusterRole With Pod Exec Created: 1
trace_file: trace_files/k8s_audit/create_cluster_role_pod_exec.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_pod_exec.json
create_deployment:
detect: True
@ -455,7 +501,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Deployment Created: 1
trace_file: trace_files/k8s_audit/create_deployment.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_deployment.json
delete_deployment:
detect: True
@ -465,7 +512,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Deployment Deleted: 1
trace_file: trace_files/k8s_audit/delete_deployment.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_deployment.json
create_service:
detect: True
@ -475,7 +523,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Service Created: 1
trace_file: trace_files/k8s_audit/create_service.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_service.json
delete_service:
detect: True
@ -485,7 +534,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Service Deleted: 1
trace_file: trace_files/k8s_audit/delete_service.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_service.json
create_configmap:
detect: True
@ -495,7 +545,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s ConfigMap Created: 1
trace_file: trace_files/k8s_audit/create_configmap.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap.json
delete_configmap:
detect: True
@ -505,7 +556,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s ConfigMap Deleted: 1
trace_file: trace_files/k8s_audit/delete_configmap.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_configmap.json
create_namespace:
detect: True
@ -517,7 +569,8 @@ trace_files: !mux
- ./rules/k8s_audit/allow_user_some-user.yaml
detect_counts:
- K8s Namespace Created: 1
trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
delete_namespace:
detect: True
@ -527,7 +580,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Namespace Deleted: 1
trace_file: trace_files/k8s_audit/delete_namespace_foo.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_namespace_foo.json
create_serviceaccount:
detect: True
@ -537,7 +591,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Serviceaccount Created: 1
trace_file: trace_files/k8s_audit/create_serviceaccount.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount.json
delete_serviceaccount:
detect: True
@ -547,7 +602,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Serviceaccount Deleted: 1
trace_file: trace_files/k8s_audit/delete_serviceaccount.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_serviceaccount.json
create_clusterrole:
detect: True
@ -557,7 +613,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Role/Clusterrole Created: 1
trace_file: trace_files/k8s_audit/create_clusterrole.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_clusterrole.json
delete_clusterrole:
detect: True
@ -567,7 +624,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Role/Clusterrole Deleted: 1
trace_file: trace_files/k8s_audit/delete_clusterrole.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_clusterrole.json
create_clusterrolebinding:
detect: True
@ -577,7 +635,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Role/Clusterrolebinding Created: 1
trace_file: trace_files/k8s_audit/create_clusterrolebinding.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_clusterrolebinding.json
delete_clusterrolebinding:
detect: True
@ -587,7 +646,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Role/Clusterrolebinding Deleted: 1
trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_clusterrolebinding.json
create_secret:
detect: True
@ -597,7 +657,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Secret Created: 1
trace_file: trace_files/k8s_audit/create_secret.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_secret.json
# Should *not* result in any event as the secret rules skip service account token secrets
create_service_account_token_secret:
@ -606,7 +667,8 @@ trace_files: !mux
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_service_account_token_secret.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_service_account_token_secret.json
create_kube_system_secret:
detect: False
@ -614,7 +676,8 @@ trace_files: !mux
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_kube_system_secret.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_kube_system_secret.json
delete_secret:
detect: True
@ -624,16 +687,18 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml
detect_counts:
- K8s Secret Deleted: 1
trace_file: trace_files/k8s_audit/delete_secret.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_secret.json
fal_01_003:
detect: False
detect_level: INFO
exit_status: 1
rules_file:
- ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/fal_01_003.json
stderr_contains: 'Could not read k8s audit event line #1, "{"kind": 0}": Data not recognized as a k8s audit event, stopping'
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/fal_01_003.json
stderr_contains: 'data not recognized as a k8s audit event'
json_pointer_correct_parse:
detect: True
@ -642,4 +707,5 @@ trace_files: !mux
- ./rules/k8s_audit/single_rule_with_json_pointer.yaml
detect_counts:
- json_pointer_example: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json

12
test/rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
View File

@ -257,7 +257,7 @@
- rule: ClusterRole With Wildcard Created
desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources contains '"*"' or ka.req.role.rules.verbs contains '"*"')
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: WARNING
source: k8s_audit
@ -265,11 +265,11 @@
- macro: writable_verbs
condition: >
(ka.req.role.rules.verbs contains create or
ka.req.role.rules.verbs contains update or
ka.req.role.rules.verbs contains patch or
ka.req.role.rules.verbs contains delete or
ka.req.role.rules.verbs contains deletecollection)
(ka.req.role.rules.verbs intersects (create) or
ka.req.role.rules.verbs intersects (update) or
ka.req.role.rules.verbs intersects (patch) or
ka.req.role.rules.verbs intersects (delete) or
ka.req.role.rules.verbs intersects (deletecollection))
- rule: ClusterRole With Write Privileges Created
desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions

2
userspace/engine/falco_engine_version.h
View File

@ -21,4 +21,4 @@ limitations under the License.
// This is the result of running "falco --list -N | sha256sum" and
// represents the fields supported by this version of Falco. It's used
// at build time to detect a changed set of fields.
#define FALCO_FIELDS_CHECKSUM "77c4c549181b8aac1b9698c0101ac61acb5b2faede84a2c4fecb34834c6de2b9"
#define FALCO_FIELDS_CHECKSUM "a557747a209f2d16e90a3324d84d56c02cf54d000b6e3ee44598413f19885fcc"

1
userspace/engine/rule_loader.cpp
View File

@ -724,6 +724,7 @@ void rule_loader::compile_rule_infos(
set<uint16_t> evttypes = { ppm_event_type::PPME_PLUGINEVENT_E };
if(rule.source == falco_common::syscall_source)
{
evttypes.clear();
filter_evttype_resolver().evttypes(ast, evttypes);
if ((evttypes.empty() || evttypes.size() > 100)
&& r.warn_evttypes)