github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-31 22:28:22 +00:00
Code Issues Projects Releases Wiki Activity

rules: use list of Falco containers instead of repeating them

Browse Source 
Signed-off-by: Oscar Utbult <oscar.utbult@gmail.com>
This commit is contained in:
Oscar Utbult
2022-11-14 16:45:05 +01:00
committed by poiana
parent 6ea233dd75
commit b17d513251
1 changed files with 22 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
rules/falco_rules.yaml
View File

@@ -1844,18 +1844,31 @@
registry.access.redhat.com/sematext/agent, registry.access.redhat.com/sematext/agent,
registry.access.redhat.com/sematext/logagent] registry.access.redhat.com/sematext/logagent]
# Falco containers
- list: falco_containers
items:
- falcosecurity/falco
- docker.io/falcosecurity/falco
- public.ecr.aws/falcosecurity/falco
# Falco no driver containers
- list: falco_no_driver_containers
items:
- falcosecurity/falco-no-driver
- docker.io/falcosecurity/falco-no-driver
- public.ecr.aws/falcosecurity/falco-no-driver
# These container images are allowed to run with --privileged and full set of capabilities # These container images are allowed to run with --privileged and full set of capabilities
- list: falco_privileged_images - list: falco_privileged_images
items: [ items: [
falco_containers,
docker.io/calico/node, docker.io/calico/node,
calico/node, calico/node,
docker.io/cloudnativelabs/kube-router, docker.io/cloudnativelabs/kube-router,
docker.io/docker/ucp-agent, docker.io/docker/ucp-agent,
docker.io/falcosecurity/falco,
docker.io/mesosphere/mesos-slave, docker.io/mesosphere/mesos-slave,
docker.io/rook/toolbox, docker.io/rook/toolbox,
docker.io/sysdig/sysdig, docker.io/sysdig/sysdig,
falcosecurity/falco,
gcr.io/google_containers/kube-proxy, gcr.io/google_containers/kube-proxy,
gcr.io/google-containers/startup-script, gcr.io/google-containers/startup-script,
gcr.io/projectcalico-org/node, gcr.io/projectcalico-org/node,
@@ -1867,7 +1880,6 @@
k8s.gcr.io/ip-masq-agent-amd64, k8s.gcr.io/ip-masq-agent-amd64,
k8s.gcr.io/kube-proxy, k8s.gcr.io/kube-proxy,
k8s.gcr.io/prometheus-to-sd, k8s.gcr.io/prometheus-to-sd,
public.ecr.aws/falcosecurity/falco,
quay.io/calico/node, quay.io/calico/node,
sysdig/sysdig, sysdig/sysdig,
sematext_images, sematext_images,
@@ -1896,8 +1908,8 @@
# host filesystem. # host filesystem.
- list: falco_sensitive_mount_images - list: falco_sensitive_mount_images
items: [ items: [
falco_containers,
docker.io/sysdig/sysdig, sysdig/sysdig, docker.io/sysdig/sysdig, sysdig/sysdig,
docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
gcr.io/google_containers/hyperkube, gcr.io/google_containers/hyperkube,
gcr.io/google_containers/kube-proxy, docker.io/calico/node, gcr.io/google_containers/kube-proxy, docker.io/calico/node,
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul, docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
@@ -2409,18 +2421,17 @@
condition: > condition: >
(container.image.repository in (gcr.io/google_containers/hyperkube-amd64, (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
gcr.io/google_containers/kube2sky, gcr.io/google_containers/kube2sky,
docker.io/sysdig/sysdig, docker.io/falcosecurity/falco, docker.io/sysdig/sysdig, sysdig/sysdig,
sysdig/sysdig, falcosecurity/falco,
fluent/fluentd-kubernetes-daemonset, prom/prometheus, fluent/fluentd-kubernetes-daemonset, prom/prometheus,
falco_containers,
falco_no_driver_containers,
ibm_cloud_containers, ibm_cloud_containers,
public.ecr.aws/falcosecurity/falco, velero/velero, velero/velero,
quay.io/jetstack/cert-manager-cainjector, weaveworks/kured, quay.io/jetstack/cert-manager-cainjector, weaveworks/kured,
quay.io/prometheus-operator/prometheus-operator, quay.io/prometheus-operator/prometheus-operator,
k8s.gcr.io/ingress-nginx/kube-webhook-certgen, quay.io/spotahome/redis-operator, k8s.gcr.io/ingress-nginx/kube-webhook-certgen, quay.io/spotahome/redis-operator,
registry.opensource.zalan.do/acid/postgres-operator, registry.opensource.zalan.do/acid/postgres-operator-ui, registry.opensource.zalan.do/acid/postgres-operator, registry.opensource.zalan.do/acid/postgres-operator-ui,
rabbitmqoperator/cluster-operator, rabbitmqoperator/cluster-operator)
falcosecurity/falco-no-driver, docker.io/falcosecurity/falco-no-driver,
public.ecr.aws/falcosecurity/falco-no-driver)
or (k8s.ns.name = "kube-system")) or (k8s.ns.name = "kube-system"))
- macro: k8s_api_server - macro: k8s_api_server
@@ -2872,7 +2883,7 @@
condition: (evt.type in (sendto, sendmsg, connect) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other))) condition: (evt.type in (sendto, sendmsg, connect) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
- macro: trusted_images_query_miner_domain_dns - macro: trusted_images_query_miner_domain_dns
condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco)) condition: (container.image.repository in (falco_containers))
# The rule is disabled by default. # The rule is disabled by default.
# Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment. # Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment.