False positives in GKE #439

Closed
dagi3d commented Oct 8, 2018

Hi,
I was testing Falco in a GKE cluster and it seems that with the default rules configuration some false positives are triggered, some by performing ordinary actions and others are triggered from time to time with no intervention from my side:

I periodically get a bunch of notifications (~80x) similar to this:

16:06:27.084969768: Error File below / or /root opened for writing (user=root command=kubectl get scalingpolicies -n kube-system fluentd-gcp-scaling-policy parent=kubectl file=/root/.kube/cache/discovery/10.7.240.1_443/v1/serverresources.json.668007090 program=kubectl) k8s.pod=fluentd-gcp-scaler-7c5db745fc-k6mw9 container=d0ab88949b4c

After patching a deployment to restart the pods, I get several notifications (~10x) with a message similar to:

16:02:48.552970029: Notice Namespace change (setns) by unexpected program (user=root command=bridge  parent=bridge k8s.pod=<NA> container=host)

If I ssh to any machine of my GCP project, it seems that the keys are also added to the GKE nodes and therefore an additional alert is triggered:

Error File below a monitored directory opened for writing (user=root command=google_accounts /usr/bin/google_accounts_daemon file=/home/borja/.ssh/authorized_keys parent=systemd pcmdline=systemd  gparent=<NA>) k8s.pod=<NA> container=host

It was tested using the latest version from the master branch, and the only change made was in falco.yml to send the alerts to Slack.

mstemm added a commit that referenced this issue Nov 5, 2018
- Allow kubectl to write below /root/.kube
- Allow loopback/bridge (e.g. /home/kubernetes/bin/) to setns.
- Let istio pilot-agent write to /etc/istio.
- Let google_accounts(_daemon) write user .ssh files.
- Add /health as an allowed file below /.

This fixes #439.

mstemm commented Nov 5, 2018

Thanks for the report, I've made the necessary rule changes to address these FPs. If you'd like to try them out, they're currently on the rule-updates-2018-11.v1 branch. Otherwise, we'll probably merge them in the next week or two.

@mstemm mstemm closed this as completed in c6169e1 Nov 9, 2018
leogr pushed a commit to falcosecurity/rules that referenced this issue Dec 21, 2022
* Add sensitive mount of mounting to /var/lib/kubelet*

* Fix GKE/Istio false positives

- Allow kubectl to write below /root/.kube
- Allow loopback/bridge (e.g. /home/kubernetes/bin/) to setns.
- Let istio pilot-agent write to /etc/istio.
- Let google_accounts(_daemon) write user .ssh files.
- Add /health as an allowed file below /.

This fixes falcosecurity/falco#439.

* Improve ufw/cloud-init exceptions

Tie them to both the program and the file being written.

Also move the cloud-init exception to monitored_directory.
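As an added example (not code from Falco or from anyone in this thread), a small Python triage script that parses the three alert lines quoted in the report and applies exceptions scoped the way the commit message describes, to both the program and the file being written, so the same path written by a different program still surfaces. The rule ids, the RULES map and the EXCEPTIONS table are this example's own assumptions, not Falco's rule or macro names.

```python
import re

# The three alert lines quoted in this issue (the third has no timestamp in the report).
ISSUE_ALERTS = [
    "16:06:27.084969768: Error File below / or /root opened for writing (user=root "
    "command=kubectl get scalingpolicies -n kube-system fluentd-gcp-scaling-policy parent=kubectl "
    "file=/root/.kube/cache/discovery/10.7.240.1_443/v1/serverresources.json.668007090 "
    "program=kubectl) k8s.pod=fluentd-gcp-scaler-7c5db745fc-k6mw9 container=d0ab88949b4c",
    "16:02:48.552970029: Notice Namespace change (setns) by unexpected program "
    "(user=root command=bridge  parent=bridge k8s.pod=<NA> container=host)",
    "Error File below a monitored directory opened for writing (user=root command=google_accounts "
    "/usr/bin/google_accounts_daemon file=/home/borja/.ssh/authorized_keys parent=systemd "
    "pcmdline=systemd  gparent=<NA>) k8s.pod=<NA> container=host",
]

KEY_RE = re.compile(r"(?:(?<=\s)|(?<=\())([\w.]+)=")  # a key starts after a space or "("
RULES = {  # message text -> rule id used by this example (assumed, not Falco's rule names)
    "File below / or /root opened for writing": "write_below_root",
    "Namespace change (setns) by unexpected program": "setns",
    "File below a monitored directory opened for writing": "monitored_dir",
}
# Exceptions modelled on the fix commit: each is tied to BOTH the program and the file
# (setns to the program alone), so the same path written by another program still alerts.
EXCEPTIONS = [
    ("write_below_root", {"kubectl"}, lambda f: f.startswith("/root/.kube/")),
    ("setns", {"bridge", "loopback"}, lambda f: True),
    ("monitored_dir", {"google_accounts", "google_accounts_daemon"},
     lambda f: re.fullmatch(r"/home/[^/]+/\.ssh/[^/]+", f) is not None),
]

def parse_alert(line):
    """Return (rule_id, fields) for one Falco text-format alert line.
    Values such as the command line contain spaces, so each value runs to the next key."""
    rule = next((r for msg, r in RULES.items() if msg in line), "unknown")
    keys = list(KEY_RE.finditer(line))
    fields = {}
    for i, m in enumerate(keys):
        stop = keys[i + 1].start() if i + 1 < len(keys) else len(line)
        fields[m.group(1)] = line[m.end():stop].strip().rstrip(")").strip()
    # proc.name is the kernel's 15-byte comm, so google_accounts_daemon shows as google_accounts
    fields["program"] = fields.get("program") or fields.get("command", "").split(" ")[0]
    return rule, fields

def is_expected(line):
    """True when the alert matches a scoped exception and can be suppressed."""
    rule, fields = parse_alert(line)
    return any(rule == r and fields["program"] in progs and ok(fields.get("file", ""))
               for r, progs, ok in EXCEPTIONS)
```

Running `is_expected` over the three reported lines suppresses all of them, while a write to the same authorized_keys path by a shell, or a kubectl write outside /root/.kube, still alerts.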