Rule updates 2019.02.v1 (#551)

* Let cassandra write to /root/.cassandra * Add kubelet/kops to allowed_k8s_users
falcosecurity · Mar 9, 2019 · 28622e6 · 28622e6
1 parent 5740186
commit 28622e6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -709,6 +709,12 @@
 - macro: kubectl_writing_state
   condition: (proc.name=kubectl and fd.name startswith /root/.kube)
 
+- macro: java_running_cassandra
+  condition: (proc.name=java and proc.cmdline contains "cassandra.jar")
+
+- macro: cassandra_writing_state
+  condition: (java_running_cassandra and fd.directory=/root/.cassandra)
+
 - rule: Write below binary dir
   desc: an attempt to write to any file below a set of binary directories
   condition: >
@@ -1047,6 +1053,7 @@
     and not maven_writing_groovy
     and not chef_writing_conf
     and not kubectl_writing_state
+    and not cassandra_writing_state
     and not known_root_conditions
   output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
   priority: ERROR

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
@@ -34,7 +34,7 @@
 
 # If you wish to restrict activity to a specific set of users, override/append to this list.
 - list: allowed_k8s_users
-  items: ["minikube", "minikube-user"]
+  items: ["minikube", "minikube-user", "kubelet", "kops"]
 
 - rule: Disallowed K8s User
   desc: Detect any k8s operation by users outside of an allowed set of users.