feat(mounts): update list of sensitive paths from Falco, adds contain…

…erd (#463)
Shopify · Aug 11, 2022 · df0fd92 · df0fd92
1 parent b3342d7
commit df0fd92
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 16 deletions.
diff --git a/auditors/mounts/mounts.go b/auditors/mounts/mounts.go
@@ -16,8 +16,8 @@ const (
 	SensitivePathsMounted = "SensitivePathsMounted"
 )
 
-// DefaultSensitivePaths is the default list of sensitive mount paths (from Falco rule: https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml#L155)
-var DefaultSensitivePaths = []string{"/proc", "/var/run/docker.sock", "/", "/etc", "/root", "/var/run/crio/crio.sock", "/home/admin", "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests"}
+// DefaultSensitivePaths is the default list of sensitive mount paths (from Falco rule: https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml#L1945)
+var DefaultSensitivePaths = []string{"/proc", "/var/run/docker.sock", "/", "/etc", "/root", "/var/run/crio/crio.sock", "/run/containerd/containerd.sock", "/home/admin", "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests"}
 
 const overrideLabelPrefix = "allow-host-path-mount-"
 

diff --git a/config/config.yaml b/config/config.yaml
@@ -29,4 +29,4 @@ auditors:
         cpu: "750m"
         memory: "500m"
     mounts:
-        denyPathsList: ["/proc", "/var/run/docker.sock", "/", "/etc", "/root", "/var/run/crio/crio.sock", "/home/admin", "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests"]
+        denyPathsList: ["/proc", "/var/run/docker.sock", "/", "/etc", "/root", "/var/run/crio/crio.sock", "/run/containerd/containerd.sock", /home/admin", "/var/lib/kubelet", "/var/lib/kubelet/pki", "/etc/kubernetes", "/etc/kubernetes/manifests"]
diff --git a/docs/auditors/mounts.md b/docs/auditors/mounts.md
@@ -18,19 +18,21 @@ Also see [Global Flags](/README.md#global-flags)
 
 #### Default sensitive host paths list
 
-| Host path                 | Description                                                                              |
-| :------------------------ | :--------------------------------------------------------------------------------------- |
-| /proc                     |  Pseudo-filesystem which provides an interface to kernel data structures                                                  |
-| /var/run/docker.sock      |  Unix socket used to communicate with Docker daemon                                   |
-| /                         |  Filesystem's root |
-| /etc                      |  Directory that usually contains all system related configurations files         |
-| /root                     |  Home directory of the `root` user                                             |
-| /var/run/crio/crio.sock   |  Unix socket used to communicate with the CRI-O Container Engine                                                 |
-| /home/admin               |  Home directory of the `admin` user        |
-| /var/lib/kubelet          |  Directory for Kublet-related configuration                                                             |
-| /var/lib/kubelet/pki      |  Directory containing the certificate and private key of the kublet                                                               |
-| /etc/kubernetes           |  Directory containing Kubernetes related configuration              |
-| /etc/kubernetes/manifests |  Directory containing manifest of Kubernetes components                                                         |
+| Host path                       | Description                                                             |
+| :------------------------------ | :---------------------------------------------------------------------- |
+| /proc                           | Pseudo-filesystem which provides an interface to kernel data structures |
+| /                               | Filesystem's root                                                       |
+| /etc                            | Directory that usually contains all system related configurations files |
+| /root                           | Home directory of the `root` user                                       |
+| /var/run/docker.sock            | Unix socket used to communicate with Docker daemon                      |
+| /var/run/crio/crio.sock         | Unix socket used to communicate with the CRI-O Container Engine         |
+| /run/containerd/containerd.sock | Unix socket used to communicate with the Containerd container runtime   |
+| /home/admin                     | Home directory of the `admin` user                                      |
+| /var/lib/kubelet                | Directory for Kublet-related configuration                              |
+| /var/lib/kubelet/pki            | Directory containing the certificate and private key of the kublet      |
+| /etc/kubernetes                 | Directory containing Kubernetes related configuration                   |
+| /etc/kubernetes/manifests       | Directory containing manifest of Kubernetes components                  |
+
 
 ## Examples