-
Notifications
You must be signed in to change notification settings - Fork 82
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
update(plugins/k8saudit): update
required_plugin_versions in ruleset
Signed-off-by: Leonardo Grasso <[email protected]>
- Loading branch information
Showing
1 changed file
with
169 additions
and
129 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| # | ||
| # Copyright (C) 2023 The Falco Authors. | ||
| # Copyright (C) 2025 The Falco Authors. | ||
| # | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
|
|
@@ -19,17 +19,19 @@ | |
| - required_engine_version: 15 | ||
|
|
||
| - required_plugin_versions: | ||
| - name: k8saudit | ||
| version: 0.7.0 | ||
| alternatives: | ||
| - name: k8saudit-eks | ||
| version: 0.4.0 | ||
| - name: k8saudit-gke | ||
| version: 0.1.0 | ||
| - name: k8saudit-ovh | ||
| version: 0.1.0 | ||
| - name: json | ||
| version: 0.7.0 | ||
| - name: k8saudit | ||
| version: 0.7.0 | ||
| alternatives: | ||
| - name: k8saudit-aks | ||
| version: 0.1.0 | ||
| - name: k8saudit-eks | ||
| version: 0.4.0 | ||
| - name: k8saudit-gke | ||
| version: 0.1.0 | ||
| - name: k8saudit-ovh | ||
| version: 0.1.0 | ||
| - name: json | ||
| version: 0.7.0 | ||
|
|
||
| # Like always_true/always_false, but works with k8s audit events | ||
| - macro: k8s_audit_always_true | ||
|
|
@@ -59,68 +61,95 @@ | |
| items: ["vpa-recommender", "vpa-updater"] | ||
|
|
||
| - list: allowed_k8s_users | ||
| items: [ | ||
| "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck", | ||
| "kubernetes-admin", | ||
| vertical_pod_autoscaler_users, | ||
| cluster-autoscaler, | ||
| "system:addon-manager", | ||
| "cloud-controller-manager", | ||
| "system:kube-controller-manager" | ||
| items: | ||
| [ | ||
| "minikube", | ||
| "minikube-user", | ||
| "kubelet", | ||
| "kops", | ||
| "admin", | ||
| "kube", | ||
| "kube-proxy", | ||
| "kube-apiserver-healthcheck", | ||
| "kubernetes-admin", | ||
| vertical_pod_autoscaler_users, | ||
| cluster-autoscaler, | ||
| "system:addon-manager", | ||
| "cloud-controller-manager", | ||
| "system:kube-controller-manager", | ||
| ] | ||
|
|
||
| - list: eks_allowed_k8s_users | ||
| items: [ | ||
| "eks:node-manager", | ||
| "eks:certificate-controller", | ||
| "eks:fargate-scheduler", | ||
| "eks:k8s-metrics", | ||
| "eks:authenticator", | ||
| "eks:cluster-event-watcher", | ||
| "eks:nodewatcher", | ||
| "eks:pod-identity-mutating-webhook", | ||
| "eks:cloud-controller-manager", | ||
| "eks:vpc-resource-controller", | ||
| "eks:addon-manager", | ||
| items: | ||
| [ | ||
| "eks:node-manager", | ||
| "eks:certificate-controller", | ||
| "eks:fargate-scheduler", | ||
| "eks:k8s-metrics", | ||
| "eks:authenticator", | ||
| "eks:cluster-event-watcher", | ||
| "eks:nodewatcher", | ||
| "eks:pod-identity-mutating-webhook", | ||
| "eks:cloud-controller-manager", | ||
| "eks:vpc-resource-controller", | ||
| "eks:addon-manager", | ||
| ] | ||
|
|
||
| - list: k8s_audit_sensitive_mount_images | ||
| items: [ | ||
| falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco, | ||
| docker.io/sysdig/sysdig, sysdig/sysdig, | ||
| gcr.io/google_containers/hyperkube, | ||
| gcr.io/google_containers/kube-proxy, docker.io/calico/node, | ||
| docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul, | ||
| docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout, | ||
| docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter, | ||
| amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent | ||
| ] | ||
| items: | ||
| [ | ||
| falcosecurity/falco, | ||
| docker.io/falcosecurity/falco, | ||
| public.ecr.aws/falcosecurity/falco, | ||
| docker.io/sysdig/sysdig, | ||
| sysdig/sysdig, | ||
| gcr.io/google_containers/hyperkube, | ||
| gcr.io/google_containers/kube-proxy, | ||
| docker.io/calico/node, | ||
| docker.io/rook/toolbox, | ||
| docker.io/cloudnativelabs/kube-router, | ||
| docker.io/consul, | ||
| docker.io/datadog/docker-dd-agent, | ||
| docker.io/datadog/agent, | ||
| docker.io/docker/ucp-agent, | ||
| docker.io/gliderlabs/logspout, | ||
| docker.io/netdata/netdata, | ||
| docker.io/google/cadvisor, | ||
| docker.io/prom/node-exporter, | ||
| amazon/amazon-ecs-agent, | ||
| prom/node-exporter, | ||
| amazon/cloudwatch-agent, | ||
| ] | ||
|
|
||
| - list: k8s_audit_privileged_images | ||
| items: [ | ||
| falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco, | ||
| docker.io/calico/node, calico/node, | ||
| docker.io/cloudnativelabs/kube-router, | ||
| docker.io/docker/ucp-agent, | ||
| docker.io/mesosphere/mesos-slave, | ||
| docker.io/rook/toolbox, | ||
| docker.io/sysdig/sysdig, | ||
| gcr.io/google_containers/kube-proxy, | ||
| gcr.io/google-containers/startup-script, | ||
| gcr.io/projectcalico-org/node, | ||
| gke.gcr.io/kube-proxy, | ||
| gke.gcr.io/gke-metadata-server, | ||
| gke.gcr.io/netd-amd64, | ||
| gke.gcr.io/watcher-daemonset, | ||
| gcr.io/google-containers/prometheus-to-sd, | ||
| registry.k8s.io/ip-masq-agent-amd64, | ||
| registry.k8s.io/kube-proxy, | ||
| registry.k8s.io/prometheus-to-sd, | ||
| quay.io/calico/node, | ||
| sysdig/sysdig, | ||
| registry.k8s.io/dns/k8s-dns-node-cache, | ||
| mcr.microsoft.com/oss/kubernetes/kube-proxy | ||
| ] | ||
| items: | ||
| [ | ||
| falcosecurity/falco, | ||
| docker.io/falcosecurity/falco, | ||
| public.ecr.aws/falcosecurity/falco, | ||
| docker.io/calico/node, | ||
| calico/node, | ||
| docker.io/cloudnativelabs/kube-router, | ||
| docker.io/docker/ucp-agent, | ||
| docker.io/mesosphere/mesos-slave, | ||
| docker.io/rook/toolbox, | ||
| docker.io/sysdig/sysdig, | ||
| gcr.io/google_containers/kube-proxy, | ||
| gcr.io/google-containers/startup-script, | ||
| gcr.io/projectcalico-org/node, | ||
| gke.gcr.io/kube-proxy, | ||
| gke.gcr.io/gke-metadata-server, | ||
| gke.gcr.io/netd-amd64, | ||
| gke.gcr.io/watcher-daemonset, | ||
| gcr.io/google-containers/prometheus-to-sd, | ||
| registry.k8s.io/ip-masq-agent-amd64, | ||
| registry.k8s.io/kube-proxy, | ||
| registry.k8s.io/prometheus-to-sd, | ||
| quay.io/calico/node, | ||
| sysdig/sysdig, | ||
| registry.k8s.io/dns/k8s-dns-node-cache, | ||
| mcr.microsoft.com/oss/kubernetes/kube-proxy, | ||
| ] | ||
|
|
||
| - rule: Disallowed K8s User | ||
| desc: Detect any k8s operation by users outside of an allowed set of users. | ||
|
|
@@ -234,16 +263,17 @@ | |
| # These container images are allowed to run with hostnetwork=true | ||
| # TODO: Remove k8s.gcr.io reference after 01/Dec/2023 | ||
| - list: k8s_audit_hostnetwork_images | ||
| items: [ | ||
| gcr.io/google-containers/prometheus-to-sd, | ||
| gcr.io/projectcalico-org/typha, | ||
| gcr.io/projectcalico-org/node, | ||
| gke.gcr.io/gke-metadata-server, | ||
| gke.gcr.io/kube-proxy, | ||
| gke.gcr.io/netd-amd64, | ||
| registry.k8s.io/ip-masq-agent-amd64, | ||
| registry.k8s.io/prometheus-to-sd | ||
| ] | ||
| items: | ||
| [ | ||
| gcr.io/google-containers/prometheus-to-sd, | ||
| gcr.io/projectcalico-org/typha, | ||
| gcr.io/projectcalico-org/node, | ||
| gke.gcr.io/gke-metadata-server, | ||
| gke.gcr.io/kube-proxy, | ||
| gke.gcr.io/netd-amd64, | ||
| registry.k8s.io/ip-masq-agent-amd64, | ||
| registry.k8s.io/prometheus-to-sd, | ||
| ] | ||
|
|
||
| # Corresponds to K8s CIS Benchmark 1.7.4 | ||
| - rule: Create HostNetwork Pod | ||
|
|
@@ -299,7 +329,7 @@ | |
| - rule: Create/Modify Configmap With Private Credentials | ||
| desc: > | ||
| Detect creating/modifying a configmap containing a private credential (aws key, password, etc.) | ||
| Detect creating/modifying a configmap containing a private credential (aws key, password, etc.) | ||
| condition: kevt and configmap and kmodify and contains_private_credentials | ||
| output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb resource=%ka.target.resource configmap=%ka.req.configmap.name) | ||
| priority: WARNING | ||
|
|
@@ -393,30 +423,32 @@ | |
|
|
||
| # TODO: Remove k8s.gcr.io reference after 01/Dec/2023 | ||
| - list: allowed_kube_namespace_image_list | ||
| items: [ | ||
| gcr.io/google-containers/prometheus-to-sd, | ||
| gcr.io/projectcalico-org/node, | ||
| gke.gcr.io/addon-resizer, | ||
| gke.gcr.io/heapster, | ||
| gke.gcr.io/gke-metadata-server, | ||
| registry.k8s.io/ip-masq-agent-amd64, | ||
| registry.k8s.io/kube-apiserver, | ||
| gke.gcr.io/kube-proxy, | ||
| gke.gcr.io/netd-amd64, | ||
| gke.gcr.io/watcher-daemonset, | ||
| registry.k8s.io/addon-resizer, | ||
| registry.k8s.io/prometheus-to-sd, | ||
| registry.k8s.io/k8s-dns-dnsmasq-nanny-amd64, | ||
| registry.k8s.io/k8s-dns-kube-dns-amd64, | ||
| registry.k8s.io/k8s-dns-sidecar-amd64, | ||
| registry.k8s.io/metrics-server-amd64, | ||
| kope/kube-apiserver-healthcheck, | ||
| k8s_image_list | ||
| ] | ||
| items: | ||
| [ | ||
| gcr.io/google-containers/prometheus-to-sd, | ||
| gcr.io/projectcalico-org/node, | ||
| gke.gcr.io/addon-resizer, | ||
| gke.gcr.io/heapster, | ||
| gke.gcr.io/gke-metadata-server, | ||
| registry.k8s.io/ip-masq-agent-amd64, | ||
| registry.k8s.io/kube-apiserver, | ||
| gke.gcr.io/kube-proxy, | ||
| gke.gcr.io/netd-amd64, | ||
| gke.gcr.io/watcher-daemonset, | ||
| registry.k8s.io/addon-resizer, | ||
| registry.k8s.io/prometheus-to-sd, | ||
| registry.k8s.io/k8s-dns-dnsmasq-nanny-amd64, | ||
| registry.k8s.io/k8s-dns-kube-dns-amd64, | ||
| registry.k8s.io/k8s-dns-sidecar-amd64, | ||
| registry.k8s.io/metrics-server-amd64, | ||
| kope/kube-apiserver-healthcheck, | ||
| k8s_image_list, | ||
| ] | ||
|
|
||
| - macro: allowed_kube_namespace_pods | ||
| condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or | ||
| ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list)) | ||
| condition: | ||
| (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or | ||
| ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list)) | ||
|
|
||
| # Detect any new pod created in the kube-system namespace | ||
| - rule: Pod Created in Kube Namespace | ||
|
|
@@ -431,31 +463,32 @@ | |
| items: [] | ||
|
|
||
| - list: known_sa_list | ||
| items: [ | ||
| coredns, | ||
| coredns-autoscaler, | ||
| cronjob-controller, | ||
| daemon-set-controller, | ||
| deployment-controller, | ||
| disruption-controller, | ||
| endpoint-controller, | ||
| endpointslice-controller, | ||
| endpointslicemirroring-controller, | ||
| generic-garbage-collector, | ||
| horizontal-pod-autoscaler, | ||
| job-controller, | ||
| namespace-controller, | ||
| node-controller, | ||
| persistent-volume-binder, | ||
| pod-garbage-collector, | ||
| pv-protection-controller, | ||
| pvc-protection-controller, | ||
| replicaset-controller, | ||
| resourcequota-controller, | ||
| root-ca-cert-publisher, | ||
| service-account-controller, | ||
| statefulset-controller | ||
| ] | ||
| items: | ||
| [ | ||
| coredns, | ||
| coredns-autoscaler, | ||
| cronjob-controller, | ||
| daemon-set-controller, | ||
| deployment-controller, | ||
| disruption-controller, | ||
| endpoint-controller, | ||
| endpointslice-controller, | ||
| endpointslicemirroring-controller, | ||
| generic-garbage-collector, | ||
| horizontal-pod-autoscaler, | ||
| job-controller, | ||
| namespace-controller, | ||
| node-controller, | ||
| persistent-volume-binder, | ||
| pod-garbage-collector, | ||
| pv-protection-controller, | ||
| pvc-protection-controller, | ||
| replicaset-controller, | ||
| resourcequota-controller, | ||
| root-ca-cert-publisher, | ||
| service-account-controller, | ||
| statefulset-controller, | ||
| ] | ||
|
|
||
| - macro: trusted_sa | ||
| condition: (ka.target.name in (known_sa_list, user_known_sa_list)) | ||
|
|
@@ -474,8 +507,9 @@ | |
| # normal operation. | ||
| - rule: System ClusterRole Modified/Deleted | ||
| desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system | ||
| condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and | ||
| not ka.target.name in (system:coredns, system:managed-certificate-controller) | ||
| condition: | ||
| kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and | ||
| not ka.target.name in (system:coredns, system:managed-certificate-controller) | ||
| output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource ns=%ka.target.namespace action=%ka.verb) | ||
| priority: WARNING | ||
| source: k8s_audit | ||
|
|
@@ -700,7 +734,7 @@ | |
| source: k8s_audit | ||
| tags: [k8s] | ||
|
|
||
| - rule: K8s Secret Get Unsuccessfully Tried | ||
| - rule: K8s Secret Get Unsuccessfully Tried | ||
| desc: > | ||
| Detect an unsuccessful attempt to get the secret. Service account tokens are excluded. | ||
| condition: > | ||
|
|
@@ -730,14 +764,20 @@ | |
| source: k8s_audit | ||
| tags: [k8s] | ||
|
|
||
|
|
||
| # This macro disables following rule, change to k8s_audit_never_true to enable it | ||
| - macro: allowed_full_admin_users | ||
| condition: (k8s_audit_always_true) | ||
|
|
||
| # This list includes some of the default user names for an administrator in several K8s installations | ||
| - list: full_admin_k8s_users | ||
| items: ["admin", "kubernetes-admin", "kubernetes-admin@kubernetes", "[email protected]", "minikube-user"] | ||
| items: | ||
| [ | ||
| "admin", | ||
| "kubernetes-admin", | ||
| "kubernetes-admin@kubernetes", | ||
| "[email protected]", | ||
| "minikube-user", | ||
| ] | ||
|
|
||
| # This rules detect an operation triggered by an user name that is | ||
| # included in the list of those that are default administrators upon | ||
|
|
||