github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-28 15:47:25 +00:00
Code Issues Projects Releases Wiki Activity

rule(macro trusted_logging_images): Let azure-npm image write to /var/log

Browse Source 
"The Azure's NPM is a a daemonset that supports network policies as
defined by the Kubernetes policy specification."

Example event:

---
Log files were tampered (user=root command=azure-npm
file=/var/log/iptables.conf CID1 image=mcr.microsoft.com/containernetworking/azure-npm)
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2020-05-20 09:38:12 -07:00 committed by poiana
parent acb3f94786
commit fa3d2eb473
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rules/falco_rules.yaml
View File

@ -2438,7 +2438,8 @@
- macro: trusted_logging_images
condition: (container.image.repository endswith "splunk/fluentd-hec" or
container.image.repository endswith "fluent/fluentd-kubernetes-daemonset" or
container.image.repository endswith "openshift3/ose-logging-fluentd")
container.image.repository endswith "openshift3/ose-logging-fluentd" or
container.image.repository endswith "containernetworking/azure-npm")
- rule: Clear Log Activities
desc: Detect clearing of critical log files