Mirror of https://github.com/falcosecurity/falco.git, synced 2025-10-21 19:44:57 +00:00
* Add additional allowed files below root. These are related to node.js apps.

* Let yum-config-mana(ger) write to rpm database.

* Let gugent write to (root) + GuestAgent.log. vRA7 Guest Agent writes to GuestAgent.log with a cwd of root.

* Let cron-start write to pam_env.conf.

* Add additional root files and directories. All seen in legitimate cases.

* Let nginx run aws s3 cp. Possibly seen as a part of consul deployments and/or openresty.

* Add rule for disallowed ssh connections. New rule "Disallowed SSH Connection" detects ssh connection attempts other than those allowed by the macro allowed_ssh_hosts. The default version of the macro allows any ssh connection, so the rule never triggers by default. The macro could be overridden in a local/user rules file, though.

* Detect contacting NodePort svcs in containers. New rule "Unexpected K8s NodePort Connection" detects attempts to contact K8s NodePort services (i.e. ports >=30000) from within containers. It requires overriding a macro nodeport_containers which specifies a set of containers that are allowed to use these port ranges. By default every container is allowed.
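The two rules above only fire once their permissive default macros are narrowed in a local rules file. The following local-rules fragment is an added example, not part of this commit or of the Falco rule set; it assumes the macro bodies are ordinary Falco condition expressions, and the IP addresses and image name are constructed placeholders for an environment where only two bastion hosts may speak SSH and only one ingress proxy image may reach NodePort ranges.

```yaml
# falco_rules.local.yaml (added example; placeholder values throughout).
# Loaded after the default rules, so these macro definitions replace the
# permissive defaults that the commit message describes.

# Default allowed_ssh_hosts permits any SSH connection, which is why
# "Disallowed SSH Connection" never triggers out of the box. Restricting
# the macro to known bastions makes the rule alert on every other peer.
# fd.sip / fd.cip are the server and client addresses of the connection,
# so both inbound and outbound SSH to a non-bastion is flagged.
- macro: allowed_ssh_hosts
  condition: >
    (fd.sip in ("10.0.0.5", "10.0.0.6") or
     fd.cip in ("10.0.0.5", "10.0.0.6"))

# Default nodeport_containers permits every container, so "Unexpected K8s
# NodePort Connection" is silent by default. Naming only the workloads
# that legitimately talk to NodePort services (>= 30000) turns a connect
# from any other container into an alert.
- macro: nodeport_containers
  condition: container.image.repository in ("registry.example.internal/ingress-proxy")
```

Validate the file with `falco -V falco_rules.local.yaml` before rolling it out, since a macro that fails to parse will prevent the rules that reference it from loading.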