Reduce FPs related to Kubernetes.

The new privileged Falco rule was noisy when running Kubernetes, which
can run privileged. Add it to the trusted_containers list.

Also eliminate a couple of spurious warnings related to spawning shells in
containers.
Mark Stemm
2016-09-14 13:53:59 -07:00
parent 4fc2870c59
commit a0b26def13


@@ -275,7 +275,7 @@
priority: WARNING priority: WARNING
- macro: trusted_containers - macro: trusted_containers
condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig) condition: (container.image startswith sysdig/agent or container.image startswith sysdig/falco or container.image startswith sysdig/sysdig or container.image startswith gcr.io/google_containers/hyperkube)
- rule: File Open by Privileged Container - rule: File Open by Privileged Container
desc: Any open by a privileged container. Exceptions are made for known trusted images. desc: Any open by a privileged container. Exceptions are made for known trusted images.
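Review bot: the new `container.image startswith gcr.io/google_containers/hyperkube` term in trusted_containers is a prefix match on a string the container's author chooses, so any image whose name merely begins with that prefix (for example `gcr.io/google_containers/hyperkube-anything`) is also treated as trusted, and the same applies to the existing `sysdig/agent`, `sysdig/falco` and `sysdig/sysdig` entries. Since trusted_containers suppresses "File Open by Privileged Container" for every matching image, consider anchoring the match at the repository boundary (the `:` before the tag) or listing exact image names, and add a comment in the macro noting that each entry silences the privileged-container rule for that whole image family, so future additions are made deliberately.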
@@ -305,7 +305,7 @@
- rule: Run shell in container - rule: Run shell in container
desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded. desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
condition: spawned_process and container and shell_procs and proc.pname exists and not proc.pname in (shell_binaries, docker_binaries, initdb, pg_ctl) condition: spawned_process and container and shell_procs and proc.pname exists and not proc.pname in (shell_binaries, docker_binaries, initdb, pg_ctl, awk, apache2)
output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)" output: "Shell spawned in a container other than entrypoint (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
priority: WARNING priority: WARNING
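Review bot: adding `apache2` to the excluded parents in the "Run shell in container" condition removes exactly the case this rule exists to catch: a web server process spawning a shell is the classic post-exploitation signature, and after this change a shell launched from a compromised apache2 in any container no longer alerts. Excluding `awk` has the same effect for `awk`'s ability to run commands. Rather than a global parent-name exclusion, scope the exception to the containers that generated the false positives, e.g. `and not (proc.pname in (awk, apache2) and container.image startswith <noisy image>)`, and record in the desc which images needed it so the exception can be removed when they change.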