# # Copyright (C) 2016-2018 The Falco Authors. # # This file is part of falco. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # trace_files: !mux privileged_detect_k8s_audit: detect: True detect_level: WARNING detect_counts: - "PSP no_privileged Violation (privileged) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/privileged.yaml trace_file: trace_files/psp/privileged.json privileged_detect_syscall: detect: True detect_level: WARNING detect_counts: - "PSP no_privileged Violation (privileged) System Activity": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/privileged.yaml trace_file: trace_files/psp/privileged.scap privileged_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/privileged.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json host_pid_detect: detect: True detect_level: WARNING detect_counts: - "PSP no_host_pid Violation (hostPID)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/host_pid.yaml trace_file: trace_files/psp/host_pid.json host_pid_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/host_pid.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json host_ipc_detect: detect: True detect_level: WARNING detect_counts: - "PSP no_host_ipc Violation (hostIPC)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/host_ipc.yaml trace_file: trace_files/psp/host_ipc.json host_ipc_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/host_ipc.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json host_network_detect: detect: True detect_level: WARNING detect_counts: - "PSP no_host_network Violation (hostNetwork)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/host_network.yaml trace_file: trace_files/psp/host_network.json host_network_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/host_network.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json host_network_ports_detect: detect: True detect_level: WARNING detect_counts: - "PSP host_ports_100_200_only Violation (hostPorts)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/host_network_ports.yaml trace_file: trace_files/psp/host_network_ports.json host_network_ports_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/host_network_ports.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json volumes_detect: detect: True detect_level: WARNING detect_counts: - "PSP only_secret_volumes Violation (volumes)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/volumes.yaml trace_file: trace_files/psp/mount_etc_using_host_path.json volumes_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/volumes.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json allowed_host_paths_detect: detect: True detect_level: WARNING detect_counts: - "PSP only_mount_host_usr Violation (allowedHostPaths)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/allowed_host_paths.yaml trace_file: trace_files/psp/mount_etc_using_host_path.json allowed_host_paths_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/allowed_host_paths.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json allowed_flex_volumes_detect: detect: True detect_level: WARNING detect_counts: - "PSP only_lvm_cifs_flex_volumes Violation (allowedFlexVolumes)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/flex_volumes.yaml trace_file: trace_files/psp/flex_volumes.json allowed_flex_volumes_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/flex_volumes.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json fs_group_must_run_as_with_unset: detect: True detect_level: WARNING detect_counts: - "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/fs_group_must_run_as.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json fs_group_must_run_as: detect: True detect_level: WARNING detect_counts: - "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/fs_group_must_run_as.yaml trace_file: trace_files/psp/fs_group.json fs_group_may_run_as: detect: True detect_level: WARNING detect_counts: - "PSP fs_group_may_run_as_30 Violation (fsGroup)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/fs_group_may_run_as.yaml trace_file: trace_files/psp/fs_group.json fs_group_may_run_as_with_unset: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/fs_group_may_run_as.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json fs_group_run_as_any: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/fs_group_run_as_any.yaml trace_file: trace_files/psp/fs_group.json fs_group_run_as_any_with_unset: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/fs_group_run_as_any.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json read_only_root_fs_detect: detect: True detect_level: WARNING detect_counts: - "PSP read_only_root_fs Violation (readOnlyRootFilesystem) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/read_only_root_fs.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json read_only_root_fs_detect_syscall: detect: True detect_level: WARNING detect_counts: - "PSP read_only_root_fs Violation (readOnlyRootFilesystem) System Activity": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/read_only_root_fs.yaml trace_file: trace_files/psp/write_tmp_test.scap read_only_root_fs_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/read_only_root_fs.yaml trace_file: trace_files/psp/read_only_root_fs.json user_must_run_as_with_unset: detect: True detect_level: WARNING detect_counts: - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json user_must_run_as_detect: detect: True detect_level: WARNING detect_counts: - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as.yaml trace_file: trace_files/psp/run_as_user_1000_container.json user_must_run_as_detect_syscall: detect: True detect_level: WARNING detect_counts: - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) System Activity": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as.yaml trace_file: trace_files/psp/run_as_user_65534_container.scap user_must_run_as_not_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as.yaml trace_file: trace_files/psp/run_as_user_30_container.json user_must_run_as_detect_sec_ctx: detect: True detect_level: WARNING detect_counts: - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as.yaml trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json user_must_run_as_not_detect_sec_ctx: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as.yaml trace_file: trace_files/psp/run_as_user_30_sec_ctx.json user_must_run_as_detect_both: detect: True detect_level: WARNING detect_counts: - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as.yaml trace_file: trace_files/psp/run_as_user_30_sec_ctx_1000_container.json user_must_run_as_not_detect_both: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as.yaml trace_file: trace_files/psp/run_as_user_1000_sec_ctx_30_container.json user_must_run_as_non_root_detect: detect: True detect_level: WARNING detect_counts: - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as_non_root.yaml trace_file: trace_files/psp/run_as_user_0_container.json user_must_run_as_non_root_detect_syscall: detect: True detect_level: WARNING detect_counts: - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) System Activity": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as_non_root.yaml trace_file: trace_files/psp/run_as_user_0_container.scap user_must_run_as_non_root_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as_non_root.yaml trace_file: trace_files/psp/run_as_user_1000_container.json user_must_run_as_non_root_detect_sec_ctx: detect: True detect_level: WARNING detect_counts: - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as_non_root.yaml trace_file: trace_files/psp/run_as_user_0_sec_ctx.json user_must_run_as_non_root_no_detect_sec_ctx: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as_non_root.yaml trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json user_must_run_as_non_root_detect_both: detect: True detect_level: WARNING detect_counts: - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as_non_root.yaml trace_file: trace_files/psp/run_as_user_1000_sec_ctx_0_container.json user_must_run_as_non_root_no_detect_both: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/user_must_run_as_non_root.yaml trace_file: trace_files/psp/run_as_user_0_sec_ctx_1000_container.json group_must_run_as_with_unset: detect: True detect_level: WARNING detect_counts: - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_must_run_as.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json group_must_run_as_detect: detect: True detect_level: WARNING detect_counts: - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_must_run_as.yaml trace_file: trace_files/psp/run_as_group_1000_container.json group_must_run_as_detect_syscall: detect: True detect_level: WARNING detect_counts: - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) System Activity": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_must_run_as.yaml trace_file: trace_files/psp/run_as_user_65534_container.scap group_must_run_as_not_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_must_run_as.yaml trace_file: trace_files/psp/run_as_group_30_container.json group_must_run_as_detect_sec_ctx: detect: True detect_level: WARNING detect_counts: - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_must_run_as.yaml trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json group_must_run_as_not_detect_sec_ctx: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_must_run_as.yaml trace_file: trace_files/psp/run_as_group_30_sec_ctx.json group_must_run_as_detect_both: detect: True detect_level: WARNING detect_counts: - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_must_run_as.yaml trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json group_must_run_as_not_detect_both: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_must_run_as.yaml trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json group_may_run_as_with_unset: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_may_run_as.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json group_may_run_as_detect: detect: True detect_level: WARNING detect_counts: - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_may_run_as.yaml trace_file: trace_files/psp/run_as_group_1000_container.json group_may_run_as_not_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_may_run_as.yaml trace_file: trace_files/psp/run_as_group_30_container.json group_may_run_as_detect_sec_ctx: detect: True detect_level: WARNING detect_counts: - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_may_run_as.yaml trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json group_may_run_as_not_detect_sec_ctx: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_may_run_as.yaml trace_file: trace_files/psp/run_as_group_30_sec_ctx.json group_may_run_as_detect_both: detect: True detect_level: WARNING detect_counts: - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_may_run_as.yaml trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json group_may_run_as_not_detect_both: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/group_may_run_as.yaml trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json supplemental_groups_must_run_as_with_unset: detect: True detect_level: WARNING detect_counts: - "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/supplemental_groups_must_run_as_30_40.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json supplemental_groups_must_run_as_no_overlap: detect: True detect_level: WARNING detect_counts: - "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/supplemental_groups_must_run_as_30_40.yaml trace_file: trace_files/psp/supplemental_groups_10_20.json supplemental_groups_must_run_as_partial_overlap: detect: True detect_level: WARNING detect_counts: - "PSP supplemental_groups_must_run_as_30_10 Violation (supplementalGroups=MustRunAs)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/supplemental_groups_must_run_as_30_40_10_15.yaml trace_file: trace_files/psp/supplemental_groups_10_20.json supplemental_groups_must_run_as_overlap: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/supplemental_groups_must_run_as_10_20.yaml trace_file: trace_files/psp/supplemental_groups_10_20.json supplemental_groups_must_run_as_overlap_multiple_ranges: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/supplemental_groups_must_run_as_10_40_10_20.yaml trace_file: trace_files/psp/supplemental_groups_10_20.json supplemental_groups_may_run_as_with_unset: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/supplemental_groups_may_run_as_30_40.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json supplemental_groups_may_run_as_no_overlap: detect: True detect_level: WARNING detect_counts: - "PSP supplemental_groups_may_run_as_30 Violation (supplementalGroups=MayRunAs)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/supplemental_groups_may_run_as_30_40.yaml trace_file: trace_files/psp/supplemental_groups_10_20.json supplemental_groups_may_run_as_partial_overlap: detect: True detect_level: WARNING detect_counts: - "PSP supplemental_groups_may_run_as_30_10 Violation (supplementalGroups=MayRunAs)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/supplemental_groups_may_run_as_30_40_10_15.yaml trace_file: trace_files/psp/supplemental_groups_10_20.json supplemental_groups_may_run_as_overlap: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/supplemental_groups_may_run_as_10_20.yaml trace_file: trace_files/psp/supplemental_groups_10_20.json supplemental_groups_may_run_as_overlap_multiple_ranges: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/supplemental_groups_may_run_as_10_40_10_20.yaml trace_file: trace_files/psp/supplemental_groups_10_20.json privilege_escalation_privilege_escalation_detect: detect: True detect_level: WARNING detect_counts: - "PSP no_privilege_escalation Violation (allowPrivilegeEscalation)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/privilege_escalation.yaml trace_file: trace_files/psp/privilege_escalation.json allowed_capabilities_detect: detect: True detect_level: WARNING detect_counts: - "PSP allow_capability_sys_nice Violation (allowedCapabilities)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/allowed_capabilities.yaml trace_file: trace_files/psp/capability_add_sys_time.json allowed_capabilities_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/allowed_capabilities.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json allowed_capabilities_match: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/allowed_capabilities.yaml trace_file: trace_files/psp/capability_add_sys_nice.json allowed_proc_mount_types_detect: detect: True detect_level: WARNING detect_counts: - "PSP allow_default_proc_mount_type Violation (allowedProcMountTypes)": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/allowed_proc_mount_types.yaml trace_file: trace_files/psp/proc_mount_type_unmasked.json allowed_proc_mount_types_no_detect: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/allowed_proc_mount_types.yaml trace_file: trace_files/psp/create_vanilla_nginx_deployment.json allowed_proc_mount_types_match: detect: False rules_file: [] conf_file: confs/psp.yaml psp_file: psps/allowed_proc_mount_types.yaml trace_file: trace_files/psp/proc_mount_type_default.json psp_name_with_dashes: detect: True detect_level: WARNING detect_counts: - "PSP no_privileged Violation (privileged) System Activity": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/privileged_name_with_dashes.yaml trace_file: trace_files/psp/privileged.scap psp_name_with_spaces: detect: True detect_level: WARNING detect_counts: - "PSP no_privileged Violation (privileged) System Activity": 1 rules_file: [] conf_file: confs/psp.yaml psp_file: psps/privileged_name_with_spaces.yaml trace_file: trace_files/psp/privileged.scap