Tests for creating/deleting secrets rules

Add test to verify new rules for creating/deleting secrets. New trace files for creating a secret/deleting a secret, and test cases that verify that the rules trigger. Two additional test cases/traces file tracks creating a service account token secret/kube-system secret and ensures that the rules do *not* trigger. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-07-31 22:16:49 +00:00 · 2020-04-17 10:12:44 -07:00 · 2020-04-17 10:12:44 -07:00 · 9af7c7fd59
commit 9af7c7fd59
parent 026965bc6a
5 changed files with 42 additions and 0 deletions
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@ -576,3 +576,40 @@ trace_files: !mux
    detect_counts:
      - K8s Role/Clusterrolebinding Deleted: 1
    trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json
+
+  create_secret:
+    detect: True
+    detect_level: INFO
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    detect_counts:
+      - K8s Secret Created: 1
+    trace_file: trace_files/k8s_audit/create_secret.json
+
+  # Should *not* result in any event as the secret rules skip service account token secrets
+  create_service_account_token_secret:
+    detect: False
+    detect_level: INFO
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    trace_file: trace_files/k8s_audit/create_service_account_token_secret.json
+
+  create_kube_system_secret:
+    detect: False
+    detect_level: INFO
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    trace_file: trace_files/k8s_audit/create_kube_system_secret.json
+
+  delete_secret:
+    detect: True
+    detect_level: INFO
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    detect_counts:
+      - K8s Secret Deleted: 1
+    trace_file: trace_files/k8s_audit/delete_secret.json
--- a/test/trace_files/k8s_audit/create_kube_system_secret.json
+++ b/test/trace_files/k8s_audit/create_kube_system_secret.json
@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"263db4e4-f0bb-41b4-913d-c03815f49be5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubeadm/v1.16.2 (linux/amd64) kubernetes/c97fe50","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token-ne7bxu","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"bootstrap-token-ne7bxu","namespace":"kube-system","creationTimestamp":null},"data":{"auth-extra-groups":"c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=","expiration":"MjAyMC0wMy0yNVQxMTo1Mzo0OS0wNzowMA==","token-id":"bmU3Ynh1","token-secret":"eGNwcGRha3Z1cTJ6d3Eycw==","usage-bootstrap-authentication":"dHJ1ZQ==","usage-bootstrap-signing":"dHJ1ZQ=="},"type":"bootstrap.kubernetes.io/token"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"bootstrap-token-ne7bxu","namespace":"kube-system","selfLink":"/api/v1/namespaces/kube-system/secrets/bootstrap-token-ne7bxu","uid":"799b20e8-a196-4061-9a55-d8c76ab092df","resourceVersion":"161","creationTimestamp":"2020-03-24T18:53:49Z"},"data":{"auth-extra-groups":"c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=","expiration":"MjAyMC0wMy0yNVQxMTo1Mzo0OS0wNzowMA==","token-id":"bmU3Ynh1","token-secret":"eGNwcGRha3Z1cTJ6d3Eycw==","usage-bootstrap-authentication":"dHJ1ZQ==","usage-bootstrap-signing":"dHJ1ZQ=="},"type":"bootstrap.kubernetes.io/token"},"requestReceivedTimestamp":"2020-03-24T18:53:49.023018Z","stageTimestamp":"2020-03-24T18:53:49.025530Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
--- a/test/trace_files/k8s_audit/create_secret.json
+++ b/test/trace_files/k8s_audit/create_secret.json
@ -0,0 +1,2 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"c07ab0e2-9b07-4cc6-8e3b-91ac69586a1f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/sysdig-agent/secrets","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.2.15"],"userAgent":"kubectl/v1.13.3 (linux/amd64) kubernetes/721bfa7","objectRef":{"resource":"secrets","namespace":"sysdig-agent","name":"sysdig-agent","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"sysdig-agent","creationTimestamp":null},"data":{"access-key":"MzFiNGQ0YjctMDAyNi00YzI3LWJiMGItNDk5ZDZkZjg1ZGJi"},"type":"Opaque"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"sysdig-agent","namespace":"sysdig-agent","selfLink":"/api/v1/namespaces/sysdig-agent/secrets/sysdig-agent","uid":"9c812531-09bd-11ea-a1f9-08002719228f","resourceVersion":"830","creationTimestamp":"2019-11-18T04:40:56Z"},"data":{"access-key":"MzFiNGQ0YjctMDAyNi00YzI3LWJiMGItNDk5ZDZkZjg1ZGJi"},"type":"Opaque"},"requestReceivedTimestamp":"2019-11-18T04:40:56.739299Z","stageTimestamp":"2019-11-18T04:40:56.741993Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
+
--- a/test/trace_files/k8s_audit/create_service_account_token_secret.json
+++ b/test/trace_files/k8s_audit/create_service_account_token_secret.json
--- a/test/trace_files/k8s_audit/delete_secret.json
+++ b/test/trace_files/k8s_audit/delete_secret.json
@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"39ca37c2-1e47-4ca9-a719-646688a4cea4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/tes/secrets/default-token-lmq4v","verb":"delete","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.12 (linux/amd64) kubernetes/a8b5220/tokens-controller","objectRef":{"resource":"secrets","namespace":"tes","name":"default-token-lmq4v","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","code":200},"requestObject":{"kind":"DeleteOptions","apiVersion":"v1","preconditions":{"uid":"ac540c76-09c2-11ea-a1f9-08002719228f"}},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Success","details":{"name":"default-token-lmq4v","kind":"secrets","uid":"ac540c76-09c2-11ea-a1f9-08002719228f"}},"requestReceivedTimestamp":"2019-11-18T05:17:20.899988Z","stageTimestamp":"2019-11-18T05:17:20.904826Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}
				`@ -0,0 +1 @@`
				{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"263db4e4-f0bb-41b4-913d-c03815f49be5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubeadm/v1.16.2 (linux/amd64) kubernetes/c97fe50","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token-ne7bxu","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"bootstrap-token-ne7bxu","namespace":"kube-system","creationTimestamp":null},"data":{"auth-extra-groups":"c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=","expiration":"MjAyMC0wMy0yNVQxMTo1Mzo0OS0wNzowMA==","token-id":"bmU3Ynh1","token-secret":"eGNwcGRha3Z1cTJ6d3Eycw==","usage-bootstrap-authentication":"dHJ1ZQ==","usage-bootstrap-signing":"dHJ1ZQ=="},"type":"bootstrap.kubernetes.io/token"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"bootstrap-token-ne7bxu","namespace":"kube-system","selfLink":"/api/v1/namespaces/kube-system/secrets/bootstrap-token-ne7bxu","uid":"799b20e8-a196-4061-9a55-d8c76ab092df","resourceVersion":"161","creationTimestamp":"2020-03-24T18:53:49Z"},"data":{"auth-extra-groups":"c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=","expiration":"MjAyMC0wMy0yNVQxMTo1Mzo0OS0wNzowMA==","token-id":"bmU3Ynh1","token-secret":"eGNwcGRha3Z1cTJ6d3Eycw==","usage-bootstrap-authentication":"dHJ1ZQ==","usage-bootstrap-signing":"dHJ1ZQ=="},"type":"bootstrap.kubernetes.io/token"},"requestReceivedTimestamp":"2020-03-24T18:53:49.023018Z","stageTimestamp":"2020-03-24T18:53:49.025530Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
				`@ -0,0 +1,2 @@`
				{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"c07ab0e2-9b07-4cc6-8e3b-91ac69586a1f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/sysdig-agent/secrets","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.2.15"],"userAgent":"kubectl/v1.13.3 (linux/amd64) kubernetes/721bfa7","objectRef":{"resource":"secrets","namespace":"sysdig-agent","name":"sysdig-agent","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"sysdig-agent","creationTimestamp":null},"data":{"access-key":"MzFiNGQ0YjctMDAyNi00YzI3LWJiMGItNDk5ZDZkZjg1ZGJi"},"type":"Opaque"},"responseObject":{"kind":"Secret","apiVersion":"v1","metadata":{"name":"sysdig-agent","namespace":"sysdig-agent","selfLink":"/api/v1/namespaces/sysdig-agent/secrets/sysdig-agent","uid":"9c812531-09bd-11ea-a1f9-08002719228f","resourceVersion":"830","creationTimestamp":"2019-11-18T04:40:56Z"},"data":{"access-key":"MzFiNGQ0YjctMDAyNi00YzI3LWJiMGItNDk5ZDZkZjg1ZGJi"},"type":"Opaque"},"requestReceivedTimestamp":"2019-11-18T04:40:56.739299Z","stageTimestamp":"2019-11-18T04:40:56.741993Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}