refactor: add k8saudit plugin and adapt config, tests, and rulesets

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2022-04-22 07:49:39 +00:00 committed by poiana
parent b91ff34b97
commit 67d2fe45a5
8 changed files with 197 additions and 78 deletions


@ -19,6 +19,18 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME)
set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins") set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
endif() endif()
# todo(jasondellaluce): switch this to a stable version once this plugin gets
# released with a 1.0.0 required plugin api version
ExternalProject_Add(
k8saudit-plugin
URL "https://download.falco.org/plugins/dev/k8saudit-0.1.0-0.0.0-0%2Bd2cfa30-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
URL_HASH "SHA256=9de10ff23f926d98bbcccc6b25f2a8eaf7d9713041eaeb07b4838caa12fbfc94"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND "")
install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
# todo(jasondellaluce): switch this to a stable version once this plugin gets # todo(jasondellaluce): switch this to a stable version once this plugin gets
# released with a 1.0.0 required plugin api version # released with a 1.0.0 required plugin api version
ExternalProject_Add( ExternalProject_Add(
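Review bot: The single `URL_HASH` on the k8saudit-plugin `ExternalProject_Add` is paired with a `URL` that varies by `${PLUGINS_SYSTEM_NAME}` and `${CMAKE_HOST_SYSTEM_PROCESSOR}`, so the SHA256 can only match one platform's archive and the integrity check will fail on every other host. If only one platform is meant to be supported until the todo is resolved, a comment next to it saying so would make that explicit; otherwise the hash has to be chosen per platform. Using the host processor in the URL also breaks cross-compilation, where `CMAKE_SYSTEM_PROCESSOR` describes the target, and the `install()` line hardcodes the ExternalProject prefix layout instead of reading it back with `ExternalProject_Get_Property(k8saudit-plugin SOURCE_DIR)`. The `ExternalProject_Add(` that begins on the hunk's last context line continues outside the hunk, so I cannot tell whether it follows the same pattern.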


@ -44,6 +44,12 @@ rules_file:
# init_config/open_params for the cloudtrail plugin, see the README at # init_config/open_params for the cloudtrail plugin, see the README at
# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md. # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
plugins: plugins:
- name: k8saudit
library_path: libk8saudit.so
init_config:
maxEventBytes: 1048576
sslCertificate: /etc/falco/falco.pem
open_params: "http://:9765/k8s-audit"
- name: cloudtrail - name: cloudtrail
library_path: libcloudtrail.so library_path: libcloudtrail.so
init_config: "" init_config: ""
@ -218,7 +224,6 @@ stdout_output:
webserver: webserver:
enabled: true enabled: true
listen_port: 8765 listen_port: 8765
k8s_audit_endpoint: /k8s-audit
k8s_healthz_endpoint: /healthz k8s_healthz_endpoint: /healthz
ssl_enabled: false ssl_enabled: false
ssl_certificate: /etc/falco/falco.pem ssl_certificate: /etc/falco/falco.pem
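Review bot: The new k8saudit entry pairs an `sslCertificate` under `init_config` with an `open_params` of `"http://:9765/k8s-audit"`, which reads as a plaintext listener with an unused certificate, and nothing in the file says when the certificate applies. The header comment above `plugins:` still only points at the cloudtrail README; extend it with a line such as `# For init_config/open_params of the k8saudit plugin, see the plugin's README` and add a short comment on the k8saudit block stating whether `sslCertificate` is used only when `open_params` selects https, and what `maxEventBytes` bounds. The empty host in `http://:9765` presumably means the plugin listens on all interfaces, which is worth stating, since the audit endpoint removed from `webserver:` in the second hunk was previously governed by that section's `listen_port` and `ssl_enabled` settings and these appear to no longer apply to it.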


@ -1,5 +1,5 @@
# #
# Copyright (C) 2019 The Falco Authors. # Copyright (C) 2022 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@ -14,7 +14,13 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
# #
- required_engine_version: 2 - required_engine_version: 11
- required_plugin_versions:
- name: k8saudit
version: 0.1.0
- name: json
version: 0.2.2
# Like always_true/always_false, but works with k8s audit events # Like always_true/always_false, but works with k8s audit events
- macro: k8s_audit_always_true - macro: k8s_audit_always_true
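Review bot: `required_plugin_versions` pins k8saudit at `0.1.0`, while the build fetches a pre-release `0.1.0-0.0.0-0+d2cfa30` archive that the accompanying cmake todo describes as not yet released; whether that pre-release string satisfies a `0.1.0` requirement depends on how Falco compares plugin versions, so it is worth confirming the ruleset loads against the fetched binary. A one-line comment above the list, e.g. `# keep in sync with the plugin versions fetched by the ExternalProject_Add entries in the build`, would make the coupling visible to whoever bumps either side.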


@ -0,0 +1,29 @@
#
# Copyright (C) 2022 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
stdout_output:
enabled: true
plugins:
- name: k8saudit
library_path: BUILD_DIR/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so
init_config: ""
open_params: "" # to be filled out by each test case
- name: json
library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
init_config: ""
load_plugins: [k8saudit, json]


@ -25,7 +25,8 @@ trace_files: !mux
- ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml - ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml
detect_counts: detect_counts:
- Create Disallowed Pod: 1 - Create Disallowed Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_allowed_pod: compat_engine_v4_create_allowed_pod:
detect: False detect: False
@ -33,7 +34,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml - ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_privileged_pod: compat_engine_v4_create_privileged_pod:
detect: True detect: True
@ -43,7 +45,8 @@ trace_files: !mux
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
detect_counts: detect_counts:
- Create Privileged Pod: 1 - Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
compat_engine_v4_create_privileged_trusted_pod: compat_engine_v4_create_privileged_trusted_pod:
detect: False detect: False
@ -52,14 +55,16 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml - ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
compat_engine_v4_create_unprivileged_pod: compat_engine_v4_create_unprivileged_pod:
detect: False detect: False
rules_file: rules_file:
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_hostnetwork_pod: compat_engine_v4_create_hostnetwork_pod:
detect: True detect: True
@ -69,7 +74,8 @@ trace_files: !mux
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
detect_counts: detect_counts:
- Create HostNetwork Pod: 1 - Create HostNetwork Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
compat_engine_v4_create_hostnetwork_trusted_pod: compat_engine_v4_create_hostnetwork_trusted_pod:
detect: False detect: False
@ -78,7 +84,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml - ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
user_outside_allowed_set: user_outside_allowed_set:
detect: True detect: True
@ -89,7 +96,8 @@ trace_files: !mux
- ./rules/k8s_audit/allow_namespace_foo.yaml - ./rules/k8s_audit/allow_namespace_foo.yaml
detect_counts: detect_counts:
- Disallowed K8s User: 1 - Disallowed K8s User: 1
trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
user_in_allowed_set: user_in_allowed_set:
detect: False detect: False
@ -99,7 +107,8 @@ trace_files: !mux
- ./rules/k8s_audit/allow_namespace_foo.yaml - ./rules/k8s_audit/allow_namespace_foo.yaml
- ./rules/k8s_audit/allow_user_some-user.yaml - ./rules/k8s_audit/allow_user_some-user.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml - ./rules/k8s_audit/disallow_kactivity.yaml
trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
create_disallowed_pod: create_disallowed_pod:
detect: True detect: True
@ -110,7 +119,8 @@ trace_files: !mux
- ./rules/k8s_audit/allow_only_apache_container.yaml - ./rules/k8s_audit/allow_only_apache_container.yaml
detect_counts: detect_counts:
- Create Disallowed Pod: 1 - Create Disallowed Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_allowed_pod: create_allowed_pod:
detect: False detect: False
@ -118,7 +128,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/allow_nginx_container.yaml - ./rules/k8s_audit/allow_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_privileged_pod: create_privileged_pod:
detect: True detect: True
@ -128,7 +139,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Create Privileged Pod: 1 - Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
create_privileged_no_secctx_1st_container_2nd_container_pod: create_privileged_no_secctx_1st_container_2nd_container_pod:
detect: True detect: True
@ -138,7 +150,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Create Privileged Pod: 1 - Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
create_privileged_2nd_container_pod: create_privileged_2nd_container_pod:
detect: True detect: True
@ -148,7 +161,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Create Privileged Pod: 1 - Create Privileged Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
create_privileged_trusted_pod: create_privileged_trusted_pod:
detect: False detect: False
@ -156,14 +170,16 @@ trace_files: !mux
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml - ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
create_unprivileged_pod: create_unprivileged_pod:
detect: False detect: False
rules_file: rules_file:
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_unprivileged_trusted_pod: create_unprivileged_trusted_pod:
detect: False detect: False
@ -171,7 +187,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml - ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_sensitive_mount_pod: create_sensitive_mount_pod:
detect: True detect: True
@ -181,7 +198,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Create Sensitive Mount Pod: 1 - Create Sensitive Mount Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
create_sensitive_mount_2nd_container_pod: create_sensitive_mount_2nd_container_pod:
detect: True detect: True
@ -191,7 +209,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Create Sensitive Mount Pod: 1 - Create Sensitive Mount Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
create_sensitive_mount_trusted_pod: create_sensitive_mount_trusted_pod:
detect: False detect: False
@ -199,14 +218,16 @@ trace_files: !mux
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml - ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
create_unsensitive_mount_pod: create_unsensitive_mount_pod:
detect: False detect: False
rules_file: rules_file:
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
create_unsensitive_mount_trusted_pod: create_unsensitive_mount_trusted_pod:
detect: False detect: False
@ -214,7 +235,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml - ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
create_hostnetwork_pod: create_hostnetwork_pod:
detect: True detect: True
@ -224,7 +246,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Create HostNetwork Pod: 1 - Create HostNetwork Pod: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
create_hostnetwork_trusted_pod: create_hostnetwork_trusted_pod:
detect: False detect: False
@ -232,14 +255,16 @@ trace_files: !mux
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml - ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
create_nohostnetwork_pod: create_nohostnetwork_pod:
detect: False detect: False
rules_file: rules_file:
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
create_nohostnetwork_trusted_pod: create_nohostnetwork_trusted_pod:
detect: False detect: False
@ -247,7 +272,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml - ./rules/k8s_audit/trust_nginx_container.yaml
trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
create_nodeport_service: create_nodeport_service:
detect: True detect: True
@ -258,7 +284,8 @@ trace_files: !mux
- ./rules/k8s_audit/disallow_kactivity.yaml - ./rules/k8s_audit/disallow_kactivity.yaml
detect_counts: detect_counts:
- Create NodePort Service: 1 - Create NodePort Service: 1
trace_file: trace_files/k8s_audit/create_nginx_service_nodeport.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_service_nodeport.json
create_nonodeport_service: create_nonodeport_service:
detect: False detect: False
@ -266,7 +293,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml - ./rules/k8s_audit/disallow_kactivity.yaml
trace_file: trace_files/k8s_audit/create_nginx_service_nonodeport.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_service_nonodeport.json
create_configmap_private_creds: create_configmap_private_creds:
detect: True detect: True
@ -277,7 +305,8 @@ trace_files: !mux
- ./rules/k8s_audit/disallow_kactivity.yaml - ./rules/k8s_audit/disallow_kactivity.yaml
detect_counts: detect_counts:
- Create/Modify Configmap With Private Credentials: 6 - Create/Modify Configmap With Private Credentials: 6
trace_file: trace_files/k8s_audit/create_configmap_sensitive_values.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap_sensitive_values.json
create_configmap_no_private_creds: create_configmap_no_private_creds:
detect: False detect: False
@ -285,7 +314,8 @@ trace_files: !mux
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml - ./rules/k8s_audit/disallow_kactivity.yaml
trace_file: trace_files/k8s_audit/create_configmap_no_sensitive_values.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap_no_sensitive_values.json
anonymous_user: anonymous_user:
detect: True detect: True
@ -295,7 +325,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Anonymous Request Allowed: 1 - Anonymous Request Allowed: 1
trace_file: trace_files/k8s_audit/anonymous_creates_namespace_foo.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/anonymous_creates_namespace_foo.json
pod_exec: pod_exec:
detect: True detect: True
@ -305,7 +336,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Attach/Exec Pod: 1 - Attach/Exec Pod: 1
trace_file: trace_files/k8s_audit/exec_pod.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/exec_pod.json
pod_attach: pod_attach:
detect: True detect: True
@ -315,7 +347,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Attach/Exec Pod: 1 - Attach/Exec Pod: 1
trace_file: trace_files/k8s_audit/attach_pod.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/attach_pod.json
namespace_outside_allowed_set: namespace_outside_allowed_set:
detect: True detect: True
@ -326,7 +359,8 @@ trace_files: !mux
- ./rules/k8s_audit/allow_user_some-user.yaml - ./rules/k8s_audit/allow_user_some-user.yaml
detect_counts: detect_counts:
- Create Disallowed Namespace: 1 - Create Disallowed Namespace: 1
trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
namespace_in_allowed_set: namespace_in_allowed_set:
detect: False detect: False
@ -335,7 +369,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/allow_namespace_foo.yaml - ./rules/k8s_audit/allow_namespace_foo.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml - ./rules/k8s_audit/disallow_kactivity.yaml
trace_file: trace_files/k8s_audit/minikube_creates_namespace_foo.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/minikube_creates_namespace_foo.json
create_pod_in_kube_system_namespace: create_pod_in_kube_system_namespace:
detect: True detect: True
@ -345,7 +380,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Pod Created in Kube Namespace: 1 - Pod Created in Kube Namespace: 1
trace_file: trace_files/k8s_audit/create_pod_kube_system_namespace.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_pod_kube_system_namespace.json
create_pod_in_kube_public_namespace: create_pod_in_kube_public_namespace:
detect: True detect: True
@ -355,7 +391,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Pod Created in Kube Namespace: 1 - Pod Created in Kube Namespace: 1
trace_file: trace_files/k8s_audit/create_pod_kube_public_namespace.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_pod_kube_public_namespace.json
create_serviceaccount_in_kube_system_namespace: create_serviceaccount_in_kube_system_namespace:
detect: True detect: True
@ -365,7 +402,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Service Account Created in Kube Namespace: 1 - Service Account Created in Kube Namespace: 1
trace_file: trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
create_serviceaccount_in_kube_public_namespace: create_serviceaccount_in_kube_public_namespace:
detect: True detect: True
@ -375,7 +413,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Service Account Created in Kube Namespace: 1 - Service Account Created in Kube Namespace: 1
trace_file: trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
system_clusterrole_deleted: system_clusterrole_deleted:
detect: True detect: True
@ -385,7 +424,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- System ClusterRole Modified/Deleted: 1 - System ClusterRole Modified/Deleted: 1
trace_file: trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
system_clusterrole_modified: system_clusterrole_modified:
detect: True detect: True
@ -395,7 +435,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- System ClusterRole Modified/Deleted: 1 - System ClusterRole Modified/Deleted: 1
trace_file: trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
attach_cluster_admin_role: attach_cluster_admin_role:
detect: True detect: True
@ -405,7 +446,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- Attach to cluster-admin Role: 1 - Attach to cluster-admin Role: 1
trace_file: trace_files/k8s_audit/attach_cluster_admin_role.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/attach_cluster_admin_role.json
create_cluster_role_wildcard_resources: create_cluster_role_wildcard_resources:
detect: True detect: True
@ -415,7 +457,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- ClusterRole With Wildcard Created: 1 - ClusterRole With Wildcard Created: 1
trace_file: trace_files/k8s_audit/create_cluster_role_wildcard_resources.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
create_cluster_role_wildcard_verbs: create_cluster_role_wildcard_verbs:
detect: True detect: True
@ -425,7 +468,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- ClusterRole With Wildcard Created: 1 - ClusterRole With Wildcard Created: 1
trace_file: trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
create_writable_cluster_role: create_writable_cluster_role:
detect: True detect: True
@ -435,7 +479,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- ClusterRole With Write Privileges Created: 1 - ClusterRole With Write Privileges Created: 1
trace_file: trace_files/k8s_audit/create_cluster_role_write_privileges.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_write_privileges.json
create_pod_exec_cluster_role: create_pod_exec_cluster_role:
detect: True detect: True
@ -445,7 +490,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- ClusterRole With Pod Exec Created: 1 - ClusterRole With Pod Exec Created: 1
trace_file: trace_files/k8s_audit/create_cluster_role_pod_exec.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_pod_exec.json
create_deployment: create_deployment:
detect: True detect: True
@ -455,7 +501,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Deployment Created: 1 - K8s Deployment Created: 1
trace_file: trace_files/k8s_audit/create_deployment.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_deployment.json
delete_deployment: delete_deployment:
detect: True detect: True
@ -465,7 +512,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Deployment Deleted: 1 - K8s Deployment Deleted: 1
trace_file: trace_files/k8s_audit/delete_deployment.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_deployment.json
create_service: create_service:
detect: True detect: True
@ -475,7 +523,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Service Created: 1 - K8s Service Created: 1
trace_file: trace_files/k8s_audit/create_service.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_service.json
delete_service: delete_service:
detect: True detect: True
@ -485,7 +534,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Service Deleted: 1 - K8s Service Deleted: 1
trace_file: trace_files/k8s_audit/delete_service.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_service.json
create_configmap: create_configmap:
detect: True detect: True
@ -495,7 +545,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s ConfigMap Created: 1 - K8s ConfigMap Created: 1
trace_file: trace_files/k8s_audit/create_configmap.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap.json
delete_configmap: delete_configmap:
detect: True detect: True
@ -505,7 +556,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s ConfigMap Deleted: 1 - K8s ConfigMap Deleted: 1
trace_file: trace_files/k8s_audit/delete_configmap.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_configmap.json
create_namespace: create_namespace:
detect: True detect: True
@ -517,7 +569,8 @@ trace_files: !mux
- ./rules/k8s_audit/allow_user_some-user.yaml - ./rules/k8s_audit/allow_user_some-user.yaml
detect_counts: detect_counts:
- K8s Namespace Created: 1 - K8s Namespace Created: 1
trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
delete_namespace: delete_namespace:
detect: True detect: True
@ -527,7 +580,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Namespace Deleted: 1 - K8s Namespace Deleted: 1
trace_file: trace_files/k8s_audit/delete_namespace_foo.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_namespace_foo.json
create_serviceaccount: create_serviceaccount:
detect: True detect: True
@ -537,7 +591,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Serviceaccount Created: 1 - K8s Serviceaccount Created: 1
trace_file: trace_files/k8s_audit/create_serviceaccount.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount.json
delete_serviceaccount: delete_serviceaccount:
detect: True detect: True
@ -547,7 +602,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Serviceaccount Deleted: 1 - K8s Serviceaccount Deleted: 1
trace_file: trace_files/k8s_audit/delete_serviceaccount.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_serviceaccount.json
create_clusterrole: create_clusterrole:
detect: True detect: True
@ -557,7 +613,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Role/Clusterrole Created: 1 - K8s Role/Clusterrole Created: 1
trace_file: trace_files/k8s_audit/create_clusterrole.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_clusterrole.json
delete_clusterrole: delete_clusterrole:
detect: True detect: True
@ -567,7 +624,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Role/Clusterrole Deleted: 1 - K8s Role/Clusterrole Deleted: 1
trace_file: trace_files/k8s_audit/delete_clusterrole.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_clusterrole.json
create_clusterrolebinding: create_clusterrolebinding:
detect: True detect: True
@ -577,7 +635,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Role/Clusterrolebinding Created: 1 - K8s Role/Clusterrolebinding Created: 1
trace_file: trace_files/k8s_audit/create_clusterrolebinding.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_clusterrolebinding.json
delete_clusterrolebinding: delete_clusterrolebinding:
detect: True detect: True
@ -587,7 +646,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Role/Clusterrolebinding Deleted: 1 - K8s Role/Clusterrolebinding Deleted: 1
trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_clusterrolebinding.json
create_secret: create_secret:
detect: True detect: True
@ -597,7 +657,8 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Secret Created: 1 - K8s Secret Created: 1
trace_file: trace_files/k8s_audit/create_secret.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_secret.json
# Should *not* result in any event as the secret rules skip service account token secrets # Should *not* result in any event as the secret rules skip service account token secrets
create_service_account_token_secret: create_service_account_token_secret:
@ -606,7 +667,8 @@ trace_files: !mux
rules_file: rules_file:
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_service_account_token_secret.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_service_account_token_secret.json
create_kube_system_secret: create_kube_system_secret:
detect: False detect: False
@ -614,7 +676,8 @@ trace_files: !mux
rules_file: rules_file:
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/create_kube_system_secret.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_kube_system_secret.json
delete_secret: delete_secret:
detect: True detect: True
@ -624,16 +687,18 @@ trace_files: !mux
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
detect_counts: detect_counts:
- K8s Secret Deleted: 1 - K8s Secret Deleted: 1
trace_file: trace_files/k8s_audit/delete_secret.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_secret.json
fal_01_003: fal_01_003:
detect: False detect: False
detect_level: INFO exit_status: 1
rules_file: rules_file:
- ../rules/falco_rules.yaml - ../rules/falco_rules.yaml
- ../rules/k8s_audit_rules.yaml - ../rules/k8s_audit_rules.yaml
trace_file: trace_files/k8s_audit/fal_01_003.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
stderr_contains: 'Could not read k8s audit event line #1, "{"kind": 0}": Data not recognized as a k8s audit event, stopping' addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/fal_01_003.json
stderr_contains: 'data not recognized as a k8s audit event'
json_pointer_correct_parse: json_pointer_correct_parse:
detect: True detect: True
@ -642,4 +707,5 @@ trace_files: !mux
- ./rules/k8s_audit/single_rule_with_json_pointer.yaml - ./rules/k8s_audit/single_rule_with_json_pointer.yaml
detect_counts: detect_counts:
- json_pointer_example: 1 - json_pointer_example: 1
trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json


@ -257,7 +257,7 @@
- rule: ClusterRole With Wildcard Created - rule: ClusterRole With Wildcard Created
desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources contains '"*"' or ka.req.role.rules.verbs contains '"*"') condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules) output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
priority: WARNING priority: WARNING
source: k8s_audit source: k8s_audit
@ -265,11 +265,11 @@
- macro: writable_verbs - macro: writable_verbs
condition: > condition: >
(ka.req.role.rules.verbs contains create or (ka.req.role.rules.verbs intersects (create) or
ka.req.role.rules.verbs contains update or ka.req.role.rules.verbs intersects (update) or
ka.req.role.rules.verbs contains patch or ka.req.role.rules.verbs intersects (patch) or
ka.req.role.rules.verbs contains delete or ka.req.role.rules.verbs intersects (delete) or
ka.req.role.rules.verbs contains deletecollection) ka.req.role.rules.verbs intersects (deletecollection))
- rule: ClusterRole With Write Privileges Created - rule: ClusterRole With Write Privileges Created
desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
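Review bot: The rewritten `writable_verbs` macro spells out five single-element `intersects (...)` checks joined by `or`, but `intersects` already takes a list, so the whole condition collapses to `ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection)`, which is easier to audit and extend. The switch from `contains` to `intersects` also changes semantics, not just syntax: `contains` was a substring match on the old string-valued field, whereas `intersects` on the plugin's list-valued field matches whole verb/resource names only, so a verb like `deletecollection` no longer satisfies `delete` by substring and the wildcard rule at `-257` now matches only a literal `*` element. That tightening looks intended for the k8saudit plugin fields, but a one-line comment above the macro (e.g. `# verbs/resources are list fields under the k8saudit plugin; intersects is an exact element match`) would keep the next rule author from reintroducing `contains`. The `ClusterRole With Write Privileges Created` rule continues outside the hunk.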


@ -21,4 +21,4 @@ limitations under the License.
// This is the result of running "falco --list -N | sha256sum" and // This is the result of running "falco --list -N | sha256sum" and
// represents the fields supported by this version of Falco. It's used // represents the fields supported by this version of Falco. It's used
// at build time to detect a changed set of fields. // at build time to detect a changed set of fields.
#define FALCO_FIELDS_CHECKSUM "77c4c549181b8aac1b9698c0101ac61acb5b2faede84a2c4fecb34834c6de2b9" #define FALCO_FIELDS_CHECKSUM "a557747a209f2d16e90a3324d84d56c02cf54d000b6e3ee44598413f19885fcc"


@ -724,6 +724,7 @@ void rule_loader::compile_rule_infos(
set<uint16_t> evttypes = { ppm_event_type::PPME_PLUGINEVENT_E }; set<uint16_t> evttypes = { ppm_event_type::PPME_PLUGINEVENT_E };
if(rule.source == falco_common::syscall_source) if(rule.source == falco_common::syscall_source)
{ {
evttypes.clear();
filter_evttype_resolver().evttypes(ast, evttypes); filter_evttype_resolver().evttypes(ast, evttypes);
if ((evttypes.empty() || evttypes.size() > 100) if ((evttypes.empty() || evttypes.size() > 100)
&& r.warn_evttypes) && r.warn_evttypes)
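Review bot: The added `evttypes.clear();` is correct but undocumented: the set is seeded with `PPME_PLUGINEVENT_E` on the first hunk line and then emptied two lines later for syscall rules, and nothing says why, so a comment such as `// syscall rules resolve their own event types from the AST; drop the plugin-event seed so the empty()/size() check below is meaningful` belongs on that line. Without the clear, `evttypes.empty()` on the following `if` could never be true for a syscall rule, so the `warn_evttypes` diagnostic was unreachable, and the stale plugin event type presumably also kept syscall rules scheduled against plugin events; that is a behavior change beyond the k8saudit refactor and deserves a sentence in the commit message. A tidier shape is to declare the set empty and seed it only in the non-syscall branch, avoiding the insert-then-clear, but that branch is outside the hunk so I cannot confirm its form. `compile_rule_infos` starts and ends outside the hunk.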