rule(Create Disallowed Pod): required_engine_version 5

rule(Create Privileged Pod): required_engine_version 5 rule(Create Sensitive Mount Pod): required_engine_version 5 rule(Create HostNetwork Pod): required_engine_version 5 rule(Pod Created in Kube Namespace): required_engine_version 5 rule(ClusterRole With Wildcard Created): required_engine_version 5 rule(ClusterRole With Write Privileges Created): required_engine_version 5 rule(ClusterRole With Pod Exec Created): required_engine_version 5 Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com> Signed-off-by: Lorenzo Fontana <lo@linux.com>
rules(Container Drift Detected (open+create)): specify that rule is only
2026-03-20 11:42:06 +00:00 · 2020-07-13 15:57:08 +02:00 · 2020-07-13 15:55:49 +02:00 · 2020-07-13 15:53:36 +02:00
3 changed files with 841 additions and 347 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -44,9 +44,17 @@
  items: ["vpa-recommender", "vpa-updater"]

 - list: allowed_k8s_users
-  items: [
-    "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
-    vertical_pod_autoscaler_users,
+  items:
+    [
+      "minikube",
+      "minikube-user",
+      "kubelet",
+      "kops",
+      "admin",
+      "kube",
+      "kube-proxy",
+      "kube-apiserver-healthcheck",
+      vertical_pod_autoscaler_users,
    ]

 - rule: Disallowed K8s User
@@ -115,6 +123,7 @@
  condition: ka.uri=/healthz

 - rule: Create Disallowed Pod
+  required_engine_version: 5
  desc: >
    Detect an attempt to start a pod with a container image outside of a list of allowed images.
  condition: kevt and pod and kcreate and not allowed_k8s_containers
@@ -124,6 +133,7 @@
  tags: [k8s]

 - rule: Create Privileged Pod
+  required_engine_version: 5
  desc: >
    Detect an attempt to start a pod with a privileged container
  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
@@ -137,6 +147,7 @@
    (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests))

 - rule: Create Sensitive Mount Pod
+  required_engine_version: 5
  desc: >
    Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
    Exceptions are made for known trusted images.
@@ -148,6 +159,7 @@

 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
+  required_engine_version: 5
  desc: Detect an attempt to start a pod using the host network.
  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
@@ -178,7 +190,7 @@

 - rule: Create/Modify Configmap With Private Credentials
  desc: >
-     Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
+    Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
  condition: kevt and configmap and kmodify and contains_private_credentials
  output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
  priority: WARNING
@@ -236,6 +248,7 @@

 # Detect any new pod created in the kube-system namespace
 - rule: Pod Created in Kube Namespace
+  required_engine_version: 5
  desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not trusted_pod
  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
@@ -280,6 +293,7 @@
  tags: [k8s]

 - rule: ClusterRole With Wildcard Created
+  required_engine_version: 5
  desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
  output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
@@ -292,6 +306,7 @@
    (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))

 - rule: ClusterRole With Write Privileges Created
+  required_engine_version: 5
  desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
  condition: kevt and (role or clusterrole) and kcreate and writable_verbs
  output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
@@ -300,6 +315,7 @@
  tags: [k8s]

 - rule: ClusterRole With Pod Exec Created
+  required_engine_version: 5
  desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
  output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
@@ -462,20 +478,26 @@
  source: k8s_audit
  tags: [k8s]

-
 # This macro disables following rule, change to k8s_audit_never_true to enable it
 - macro: allowed_full_admin_users
  condition: (k8s_audit_always_true)

 # This list includes some of the default user names for an administrator in several K8s installations
 - list: full_admin_k8s_users
-  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
+  items:
+    [
+      "admin",
+      "kubernetes-admin",
+      "kubernetes-admin@kubernetes",
+      "kubernetes-admin@cluster.local",
+      "minikube-user",
+    ]

-# This rules detect an operation triggered by an user name that is 
-# included in the list of those that are default administrators upon 
-# cluster creation. This may signify a permission setting too broader. 
-# As we can't check for role of the user on a general ka.* event, this 
-# may or may not be an administrator. Customize the full_admin_k8s_users 
+# This rules detect an operation triggered by an user name that is
+# included in the list of those that are default administrators upon
+# cluster creation. This may signify a permission setting too broader.
+# As we can't check for role of the user on a general ka.* event, this
+# may or may not be an administrator. Customize the full_admin_k8s_users
 # list to your needs, and activate at your discrection.

 # # How to test:
@@ -525,7 +547,7 @@
  output: >
    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
    namespace=%ka.target.namespace)
-  source: k8s_audit    
+  source: k8s_audit
  priority: WARNING
  tags: [k8s, network]

@@ -571,4 +593,3 @@
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
-
--- a/test/rules/k8s_audit/allow_nginx_container.yaml
+++ b/test/rules/k8s_audit/allow_nginx_container.yaml
@@ -1,3 +1,2 @@
 - macro: allowed_k8s_containers
  condition: (ka.req.pod.containers.image.repository in (nginx))
-